
Openstack Learning-Network Management

2025-01-28 Update. From: SLTechnology News&Howtos > Servers


Shulou(Shulou.com)06/03 Report--

The network service component of OpenStack is Neutron, and its design goal is to deliver "network as a service".

Design: follows the principles of flexibility and automation of software-defined networking (SDN).

Implementation: makes full use of the network virtualization technologies available in Linux.

Physical Network and Virtualized Network

The core work of Neutron is to abstract and manage the layer 2 physical network. Once a physical server is virtualized, a virtual machine's network function is provided by a virtual NIC (vNIC), the physical switch is likewise virtualized as a virtual switch (vSwitch), and each vNIC is connected to a port of the vSwitch. Finally, these vSwitches reach the external physical network through the physical NIC of the physical server.

Implementation Technology of linux Network Virtualization

Network virtualization is mainly divided into three parts:

NIC virtualization: TAP, TUN, veth

Switch virtualization: Linux bridge, Open vSwitch

Network isolation: network namespaces

Linux Network Card Virtualization

TAP device: simulates a layer 2 network device; it receives and sends layer 2 frames (Ethernet)

TUN device: simulates a layer 3 network device; it receives and sends layer 3 packets (IP)

veth: virtual Ethernet interface, always created as a pair; a frame sent into one end comes out of the other, forming a channel between two network components (for example two bridges, or a namespace and a bridge)

TAP/TUN provide a path between the host's kernel network stack and a program in user space. The host sees a TAP or TUN device as an ordinary network interface, no different from a physical one: an IP address can be configured on it and traffic can be routed to it. The difference is that the frames or packets are handed to the process that opened the device (for a virtual machine, the hypervisor) rather than leaving the host.

A veth pair is a pair of network devices: one end connects to the protocol stack, the two ends connect to each other, and whatever enters one end leaves the other. This property is used to connect different virtual network components and to build large virtual network topologies, for example connecting a Linux bridge and OVS; for Neutron this makes very complex network layouts possible.

Linux bridge

Linux bridge: a layer 2 network device that works like a physical switch

A bridge can bind other network devices on the Linux host and present them as its ports

Binding a network device to a bridge is equivalent to plugging a cable from a physical switch port into a terminal; the bridge learns MAC addresses and forwards frames between its ports the way a switch does.

Linux bridges are configured with the brctl command (bridge-utils); on current distributions the same work is done with ip link ... type bridge and the bridge command from iproute2.

Open vswitch

Compared with the Linux bridge, which suits small-scale communication inside one host, Open vSwitch is better suited to large-scale multi-host scenarios: it is programmable through OpenFlow and supports tunnel ports such as VXLAN and GRE natively.

Network namespace

A network namespace creates an isolated network space; many can exist side by side, each with its own network configuration: network devices, routing tables, iptables rules and so on.

Virtual machines attached to different network namespaces behave as if they were in separate, independent networks.

Network namespaces play the role that VRF (virtual routing and forwarding, an IP technique that lets several routing table instances coexist on one router) plays on physical routers. Neutron uses them exactly this way: each virtual router and each DHCP server runs in its own namespace (qrouter-<router id> and qdhcp-<network id>), which is what allows tenants to use overlapping address ranges.

A veth pair connects two different network namespaces, and a bridge connects several of them.
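As an added example (not code from the original article), the following script builds the pieces just described with iproute2 alone: two network namespaces stand in for two virtual machines, a veth pair per namespace stands in for the vNIC and its switch port, and a Linux bridge stands in for the vSwitch. The names vm1, vm2, br-demo and the 10.10.0.0/24 range are assumptions. By default it only prints the commands (RUN=echo); run it with RUN=sudo on a Linux host to actually create the topology.

```shell
#!/bin/sh
# Added example, not from the original article: two namespaces ("VMs"), a veth
# pair each (the "vNIC" and its switch port) and a Linux bridge (the "vSwitch").
# Names and addresses are assumptions. RUN=echo (default) prints the commands,
# RUN=sudo executes them.
RUN=${RUN:-echo}
BR=br-demo
SUBNET=10.10.0

build_topology() {
    # the vSwitch: a Linux bridge in the host (root) namespace
    $RUN ip link add "$BR" type bridge
    $RUN ip link set "$BR" up
    for i in 1 2; do
        ns=vm$i
        # an isolated network stack: own devices, routes, iptables
        $RUN ip netns add "$ns"
        # veth pair: one end stays on the host and becomes a bridge port,
        # the other end is moved into the namespace and renamed eth0
        $RUN ip link add "veth-$ns" type veth peer name "eth0-$ns"
        $RUN ip link set "eth0-$ns" netns "$ns"
        $RUN ip netns exec "$ns" ip link set "eth0-$ns" name eth0
        $RUN ip link set "veth-$ns" master "$BR"
        $RUN ip link set "veth-$ns" up
        # address the "vNIC" from inside the namespace; vm1 gets .11, vm2 .12
        $RUN ip netns exec "$ns" ip addr add "$SUBNET.1$i/24" dev eth0
        $RUN ip netns exec "$ns" ip link set eth0 up
        $RUN ip netns exec "$ns" ip link set lo up
    done
}

# layer 2 reachability through the bridge: vm1 pings vm2
check_topology() {
    $RUN ip netns exec vm1 ping -c 1 -W 1 "$SUBNET.12"
}

teardown_topology() {
    for i in 1 2; do $RUN ip netns del "vm$i"; done
    $RUN ip link del "$BR"
}

build_topology
check_topology
```

Deleting a namespace also deletes the veth end inside it, which takes the host end with it, so only the bridge needs explicit removal in teardown_topology. With RUN=sudo, ip netns exec vm1 iptables -L shows an empty, separate rule set: the isolation covers iptables as well as devices and routes.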

Neutron

As a virtual network service, Neutron provides network connectivity and addressing services for OpenStack Compute (Nova) instances.

Neutron abstracts the network as follows:

Network

Neutron supports several types of network: local, flat, vlan, vxlan and gre.

local: isolated from other networks and nodes; virtual machines on a local network can only communicate with virtual machines on the same node. Local networks are mainly used for single-node testing.

flat: a network without VLAN tags; virtual machines on the same flat network communicate with each other and the network can span multiple nodes.

vlan: 802.1Q tagged networks spanning multiple nodes, using the same VLAN IDs as the real VLANs on the physical switches.

vxlan: a tunnel-based overlay network; its main purpose is to build a layer 2 network across a layer 3 data center network.

gre: a tunneling technology that encapsulates frames in IP packets.

Subnet

A subnet defines the IP address range of a network; each subnet in Neutron needs an IP version and a CIDR.

A subnet must be associated with a network. DNS servers, a gateway IP and static host routes can be attached to it.

Port

A virtual switch port on a logical network switch

Virtual machines attach to a network through a port

A port is assigned an IP address and a MAC address

Router

Connects subnets of the same network or of different networks within a tenant, and connects internal networks to external networks

Fixed ip

Fixed IP: the IP assigned to a port, similar to the IP configured on a NIC in a physical environment

Floating ip

A floating IP is an address taken from an external network; it can be associated with a port on any tenant network that is reachable through a virtual router. The router performs one-to-one NAT: traffic sent to the floating IP is forwarded to the port's fixed IP, so the outside world can reach the virtual machine through the floating IP, and the virtual machine's outbound traffic leaves with the floating IP as its source address.

Physical network

Physical network: the underlying data center network.

Each physical network can carry one or more Neutron virtual networks, which connect the different OpenStack nodes.

OpenStack must communicate with the real physical network through a physical network.

Provider network

Created by the OpenStack administrator, it maps directly onto a segment of the existing physical network in the data center

A provider network usually uses vlan or flat mode and can be shared among multiple tenants

Self-service network

A self-service network, also called a tenant network or project network, is created by an OpenStack tenant and is completely virtual. It is connected only within the tenant's own network and is not shared between tenants.

A self-service network usually uses vxlan or gre mode and can communicate with a provider network through the SNAT of a virtual router.

The address ranges of different self-service networks may overlap, just as the internal networks of different companies may overlap in the physical world.

If a self-service network needs to reach an external network, it does so through a router, just as a company reaches the Internet through a router or firewall.

External network

An external network, also called a public network

It is a special provider network: the physical network behind it is connected to the data center or to the Internet, and ports on this network can reach the outside.

Generally, a tenant's virtual router is connected to the external network, and a floating IP bound to a virtual machine is created to let the virtual machine communicate with the public network.

An external network is similar to using a public IP range directly in a physical environment, except that the physical network behind an OpenStack external network is not necessarily connected to the Internet; it may only be an internal VPC of the data center.

Security group

A security group is a set of policies applied to Neutron ports; it specifies the rules for a virtual machine's ingress and egress traffic.

Security groups are implemented with Linux iptables (by the Linux bridge agent, and by the OVS agent's iptables_hybrid driver) or with OpenFlow rules in Open vSwitch (the OVS native firewall driver). All traffic is denied by default; only traffic matched by an allow rule passes. The rules are stateful, so replies to allowed connections are let through by connection tracking.

Every OpenStack project has a security group named default, which by default denies all ingress traffic except from ports in the same default group and allows all egress traffic.
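As an added example (not code from the article, nor Neutron's own iptables driver), the script below renders a small Neutron-like security group into iptables rules that behave as described: ingress is dropped unless a rule allows it, replies pass through connection tracking, egress is allowed but only with the port's own fixed IP and MAC (the anti-spoofing check the agents add), and DHCP is exempted. The chain names, the "proto port cidr" rule format and the sample port are assumptions, simplified from the real driver; the script prints the commands so they can be reviewed before piping them into sh as root.

```shell
#!/bin/sh
# Added example, not the article's or Neutron's code: turn a small security
# group into per-port iptables chains with the semantics the text describes.
# Chain names, rule format and the sample port are assumptions (simplified
# from Neutron's iptables firewall driver). Prints commands; pipe into sh as
# root to apply.

# sg_rules TAP FIXED_IP MAC   with allow rules on stdin, one per line:
#   "proto port remote_cidr"   (port "-" for protocols without one, e.g. icmp)
sg_rules() {
    tap=$1; ip=$2; mac=$3
    inch="sg-$tap-in"; outch="sg-$tap-out"
    echo "iptables -N $inch"
    echo "iptables -N $outch"
    # hook the chains into FORWARD for this bridge port only (physdev match)
    echo "iptables -I FORWARD -m physdev --physdev-out $tap --physdev-is-bridged -j $inch"
    echo "iptables -I FORWARD -m physdev --physdev-in $tap --physdev-is-bridged -j $outch"
    # ingress: replies to allowed connections, DHCP offers, then the explicit
    # allow rules, then deny everything else. RETURN rather than ACCEPT so a
    # packet between two ports on the same bridge also passes the receiver's
    # chain; FORWARD's own policy decides what a returned packet gets.
    echo "iptables -A $inch -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    echo "iptables -A $inch -p udp --sport 67 --dport 68 -j RETURN"
    while read -r proto port cidr; do
        [ -z "$proto" ] && continue
        if [ "$port" = "-" ]; then
            echo "iptables -A $inch -p $proto -s $cidr -j RETURN"
        else
            echo "iptables -A $inch -p $proto --dport $port -s $cidr -j RETURN"
        fi
    done
    echo "iptables -A $inch -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A $inch -j DROP"
    # egress: DHCP discover before an address is known, then only frames that
    # carry this port's own MAC and fixed IP (anti-spoofing), all else dropped
    echo "iptables -A $outch -p udp --sport 68 --dport 67 -j RETURN"
    echo "iptables -A $outch -m mac --mac-source $mac -s $ip -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A $outch -m mac --mac-source $mac -s $ip -j RETURN"
    echo "iptables -A $outch -j DROP"
}

# constructed sample: one port, allow SSH from anywhere and ICMP from its subnet
sg_rules tap-vm1 10.10.0.11 fa:16:3e:00:00:11 <<EOF
tcp 22 0.0.0.0/0
icmp - 10.10.0.0/24
EOF
```

The order matters: the conntrack RETURN must precede the allow rules so that reply packets of permitted flows never have to match a rule of their own, and the final unconditional DROP is what turns "no rule" into "denied". The egress chain shows why a security group alone does not stop a compromised instance from scanning its neighbours (all egress is allowed) but does stop it from forging another port's source address.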

Neutron Architecture and components

Architecture diagram (not reproduced on this page)

Principles of the Neutron architecture

Unified API, minimal core, pluggable, open architecture, extensible

Message queue: neutron-server exchanges messages with the Neutron agents through the message queue; this queue is not used for neutron-server to talk to other OpenStack components such as Nova, which goes through the REST API.

L2 agent: connects ports and devices into a shared broadcast domain; usually runs on the hypervisor (compute node)

L3 agent: connects tenant networks to the data center network or to the Internet. In a real deployment several L3 agents generally run at the same time.

DHCP agent: automatically configures the network of virtual machines

Advanced services: provide load balancing, firewall and other services

Architecture description

The Neutron architecture is plugin based; different plugins provide different network services. It consists of the following components.

Component: neutron-server

neutron-server = APIs + plugins; in this way different network back ends can be plugged in freely.

Component: core plugin

The core plugin is mainly the ML2 (Modular Layer 2) plugin, an open architecture that integrates the layer 2 network services of various vendors and back-end technologies under one plugin.

The ML2 plugin has two kinds of drivers:

Type driver: defines a network type; each network type (flat, vlan, vxlan, ...) corresponds to one type driver, which also manages that type's segment IDs (VLAN IDs, VNIs)

Mechanism driver: drives a particular layer 2 technology or physical switch, such as OVS or Linux bridge; it takes the segment information from the type driver and makes sure the underlying technology configures the layer 2 network accordingly

Component: service plugin

Service plugins implement higher-level network services such as routing, load balancing, firewall and other advanced services.

The L3 service plugin mainly provides routing and floating IP services.

Component: agent

Neutron agents provide the layer 2 and layer 3 connectivity of virtual machines, translate between the virtual networks and the physical network, and provide the extended services.

Neutron Network Traffic Analysis

Neutron supports many network technologies and types, and they can be combined freely into various network models.

In production, OpenStack mainly uses the following two network models:

Linux bridge + flat/vlan network: provides simple network connectivity; virtual networks, routing, load balancing and so on are provided by physical devices. The network is simple and efficient and suits small and medium private clouds.

Open vSwitch + vxlan network: provides multi-tenancy and large-scale network isolation and suits large private clouds and public clouds.

Linux bridge + flat network

A flat network is like plugging a cable straight into the physical network; OpenStack does no network isolation.

Interface 2 (in the diagram) carries no VLAN tag.

Linux bridge + vlan network

Interface 2 (in the diagram) carries multiple VLANs, so the physical switch port it connects to is generally configured as a trunk that allows those VLANs through.
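As an added example (not the article's code), this is the wiring a compute node ends up with for the Linux bridge + VLAN model, built by hand with iproute2 the way the Linux bridge agent does it: one bridge per network, a VLAN sub-interface of the physical NIC as the uplink, and a tap device per instance as the bridge port. A dummy interface stands in for the physical NIC so the script can be tried on a test machine; the names eth-phys, brq-101, tap-vm1 and VLAN 101 are assumptions (the agent itself derives names from network and port UUIDs). RUN=echo (default) prints the commands, RUN=sudo applies them.

```shell
#!/bin/sh
# Added example, not from the article: Linux bridge + VLAN wiring on a compute
# node. Names and VLAN IDs are assumptions; a dummy device replaces the physical
# NIC. RUN=echo (default) prints the commands, RUN=sudo executes them.
RUN=${RUN:-echo}
PHYS=${PHYS:-eth-phys}      # the physical NIC behind "interface 2"

# wire_provider_vlan VID: one bridge per network, uplinked through a VLAN
# sub-interface; frames leaving via the sub-interface get tag VID, frames
# arriving with tag VID are delivered to it (the (4)/(5) hops in the text)
wire_provider_vlan() {
    vid=$1
    br="brq-$vid"
    sub="$PHYS.$vid"
    $RUN ip link add "$br" type bridge
    $RUN ip link add link "$PHYS" name "$sub" type vlan id "$vid"
    $RUN ip link set "$sub" master "$br"
    $RUN ip link set "$sub" up
    $RUN ip link set "$br" up
}

# attach_instance_port VID TAP: the tap device is the host side of the
# instance's vNIC (hop (1)/(2)); plugging it into the bridge is the "port"
attach_instance_port() {
    vid=$1; tap=$2
    $RUN ip tuntap add dev "$tap" mode tap
    $RUN ip link set "$tap" master "brq-$vid"
    $RUN ip link set "$tap" up
}

# dummy NIC so the script works without a spare physical interface
$RUN ip link add "$PHYS" type dummy
$RUN ip link set "$PHYS" up
wire_provider_vlan 101
attach_instance_port 101 tap-vm1
# verification: both the VLAN sub-interface and the tap show up as bridge ports
$RUN bridge link show
```

The physical switch port facing the NIC must be a trunk carrying VLAN 101, as the text notes; otherwise the tagged frames are simply dropped at the switch. Note that the bridge itself never sees a tag: tagging and untagging happen on the VLAN sub-interface, which is why a second network needs its own bridge and its own sub-interface.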

When a provider network is implemented with Linux bridge + vlan, network traffic falls into the following categories:

North-south traffic: traffic between virtual machines and the external network

East-west traffic: traffic between virtual machines

Traffic between the provider network and the external network is switched and routed by the physical network devices

North-south traffic of a virtual machine using a fixed IP

Compute node 1:

(1) The instance's virtual NIC sends the packet through a veth pair to
(2) the instance's port on the provider bridge.
(3) The security group rules on the bridge check the packet and record its connection tracking state.
(4) The VLAN sub-interface forwards the packet to
(5) the physical NIC, which tags it with VLAN 101 and sends it to
(6) the physical switch port.

Physical network devices:

(7) The switch removes VLAN tag 101 and forwards the packet to the router.
(8) The router routes the packet from the provider network gateway to
(9) the external network gateway and forwards it to
(10) the switch port of the external network.
(11) The switch forwards the packet to the external network, and
(12) the external network receives it.

East-west traffic between virtual machines in the same network

Compute node 1:

(1) Virtual machine 1's NIC sends the packet through a veth pair to
(2) its port on the provider bridge.
(3) The security group checks the packet and records connection tracking state.
(4) The VLAN sub-interface forwards it to
(5) the physical NIC, which tags it with VLAN 101 and sends it to
(6) the physical switch port.

Physical devices:

(7) The switch forwards the packet to the port connected to compute node 2.

Compute node 2:

(8) The physical NIC of compute node 2 removes VLAN tag 101 and forwards the packet to
(9) the VLAN sub-interface.
(10) The security group checks the packet and records connection tracking state.
(11) The virtual NIC forwards the packet through a veth pair to virtual machine 2's NIC.

East-west traffic between virtual machines in different networks

Compute node 1:

(1) Virtual machine 1's NIC sends the packet through a veth pair to
(2) its port on the provider bridge.
(3) The security group checks the packet and records connection tracking state.
(4) The VLAN sub-interface forwards it to
(5) the physical NIC, which tags it with VLAN 101 and sends it to
(6) the physical switch port.

Physical devices:

(7) The switch removes VLAN tag 101 and forwards the packet to the router.
(8) The router forwards the packet from the provider network 1 gateway to
(9) the provider network 2 gateway and
(10) sends it to the switch port.
(11) The switch tags the packet with VLAN 102 and forwards it to the port connected to compute node 1.

Compute node 1:

(12) The physical NIC removes VLAN tag 102 and forwards the packet to
(13) the VLAN sub-interface.
(14) The security group checks the packet and records connection tracking state.
(15) The virtual NIC forwards the packet through a veth pair to
(16) virtual machine 2's NIC.

Open vSwitch + vxlan network

VXLAN (Virtual eXtensible LAN) is an overlay technology that builds a virtual layer 2 network on top of a layer 3 network: each Ethernet frame is wrapped in a UDP packet (destination port 4789) carrying a 24-bit VXLAN network identifier (VNI), so tenant layer 2 segments can cross a routed data center network without any VLAN configuration on the physical switches.

North-south traffic of a virtual machine using a fixed IP

The virtual machine runs on compute node 1 and sends a packet from self-service network 1 to a host on the Internet.

Compute node 1:

(1) The instance interface forwards the packet through a veth pair to
(2) the instance port on the security group bridge.
(3) The security group rules on the security group bridge handle firewalling and connection tracking.
(4) The security group bridge's OVS port forwards the packet to
(5) the security group port on the OVS integration bridge (br-int). The integration bridge adds an internal VLAN tag to the packet and exchanges that internal VLAN tag for an internal tunnel ID.
(6) The integration bridge patch port forwards the packet to
(7) the tunnel bridge (br-tun) patch port.
(8) The tunnel bridge wraps the packet with VNI 101.
(9) The underlying physical interface for the overlay network forwards the packet to the network node
(10) through the overlay network.

Network node:

(11) The underlying physical interface forwards the packet to
(12) the OVS tunnel bridge, which unwraps the packet, attaches the internal tunnel ID and exchanges it for an internal VLAN tag.
(13) The tunnel bridge patch port forwards the packet to
(14) the integration bridge patch port.
(15) The integration bridge port for the self-service network removes the internal VLAN tag and forwards the packet to the virtual router; after routing (and the SNAT described above for self-service networks) the packet is tagged with VLAN 101 for the provider network (steps 16 to 20 are not reproduced on this page).
(21) The OVS provider bridge's provider network port forwards the packet to
(22) the physical network interface, which
(23) forwards it through the physical network devices to the Internet.

Accessing a virtual machine from outside through a floating IP

(Only the diagram is shown.)
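As an added example (not from the article, and much simpler than the flow tables the OVS agent really installs), the script below builds the Open vSwitch + VXLAN layout the walk-through above assumes, with ovs-vsctl and ovs-ofctl: an integration bridge br-int joined to a tunnel bridge br-tun by a patch pair, a VXLAN port towards a peer node, an instance port carrying a node-local internal VLAN tag, and two flows that perform the internal tag to VNI exchange in both directions. The bridge and patch names follow the text; the VTEP addresses 10.0.0.1/10.0.0.2, the internal VLAN 1 and VNI 101 are assumptions. RUN=echo (default) prints the commands, RUN=sudo executes them.

```shell
#!/bin/sh
# Added example, not from the article: the Open vSwitch + VXLAN layout the
# walk-through above assumes, built with ovs-vsctl/ovs-ofctl. Bridge and port
# names follow the text (br-int, br-tun, patch-tun/patch-int); VTEP addresses,
# internal VLAN 1 and VNI 101 are assumptions. The flows are a minimal tag<->VNI
# mapping, much simpler than the agent's real tables. RUN=echo (default)
# prints, RUN=sudo executes.
RUN=${RUN:-echo}

# integration bridge and tunnel bridge joined by a patch pair (hops (6)/(7))
build_ovs_overlay() {
    $RUN ovs-vsctl --may-exist add-br br-int
    $RUN ovs-vsctl --may-exist add-br br-tun
    $RUN ovs-vsctl --may-exist add-port br-int patch-tun -- set interface patch-tun type=patch options:peer=patch-int
    $RUN ovs-vsctl --may-exist add-port br-tun patch-int -- set interface patch-int type=patch options:peer=patch-tun
}

# add_vxlan_tunnel NAME LOCAL_IP PEER_IP: one VXLAN port per remote node;
# key=flow lets the flows choose the VNI per packet (hops (8)/(9))
add_vxlan_tunnel() {
    name=$1; local_ip=$2; peer_ip=$3
    $RUN ovs-vsctl --may-exist add-port br-tun "$name" -- set interface "$name" type=vxlan options:local_ip="$local_ip" options:remote_ip="$peer_ip" options:key=flow
}

# attach_instance VLAN TAP: the instance port on br-int carries the node-local
# internal VLAN tag that stands for its network (hop (5))
attach_instance() {
    vlan=$1; tap=$2
    $RUN ovs-vsctl --may-exist add-port br-int "$tap" tag="$vlan"
}

# map_vlan_to_vni VLAN VNI TUNNEL: the internal-tag <-> VNI exchange on br-tun.
# Egress: strip the local tag, set the tunnel key, send into the tunnel.
# Ingress: packets arriving with that VNI get the local tag back and go to br-int.
map_vlan_to_vni() {
    vlan=$1; vni=$2; tun=$3
    $RUN ovs-ofctl add-flow br-tun "priority=10,in_port=patch-int,dl_vlan=$vlan,actions=strip_vlan,set_tunnel:$vni,output:$tun"
    $RUN ovs-ofctl add-flow br-tun "priority=10,in_port=$tun,tun_id=$vni,actions=mod_vlan_vid:$vlan,output:patch-int"
}

build_ovs_overlay
add_vxlan_tunnel vxlan-node2 10.0.0.1 10.0.0.2
attach_instance 1 tap-vm1
map_vlan_to_vni 1 101 vxlan-node2
# inspect with: ovs-vsctl show ; ovs-ofctl dump-flows br-tun
```

The internal VLAN tag is only meaningful on this node (another node may use a different local tag for the same network); the VNI is what identifies the network on the wire, which is why the exchange happens on br-tun and not on the instance port. The security group bridge between the tap and br-int is left out here; with the OVS native firewall driver it disappears and the rules become OpenFlow entries on br-int.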

Virtual machine east-west traffic in the same network (diagram only)

Virtual machine east-west traffic in different networks (diagram only)

My head hurts. It seems that networking really takes a lifetime to learn.


© 2024 shulou.com SLNews company. All rights reserved.
