How to Deeply Understand the OpenStack Network Architecture

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)05/31 Report--

Many people who are new to OpenStack are at a loss when it comes to understanding its network architecture in depth. This article summarizes the causes of that difficulty and how to get past it, and we hope it helps you solve this problem.

Preface

OpenStack networking is powerful and, as a result, relatively complex. This series of articles introduces the configuration of OpenStack through Oracle OpenStack Tech Preview and illustrates the different OpenStack network components through various scenarios and examples. The purpose of this article is to provide a panoramic view of the OpenStack network architecture and show how the modules work together. This will be very helpful for OpenStack beginners and for anyone who wants to understand the principles behind OpenStack networks. First of all, let's explain some basics and give some examples.

According to the latest Icehouse user survey, Neutron with the Open vSwitch plug-in is widely used in both production and POC environments, so this series of articles mainly analyzes that OpenStack network configuration. Of course, OpenStack networking supports many configurations, and although Neutron + Open vSwitch is the most commonly used one, we do not claim that it is the best or the most efficient. Neutron + Open vSwitch is just an example and a good entry point for anyone who wants to understand OpenStack networking. Even if you plan to use another type of network configuration, such as a different Neutron plug-in or no Neutron at all, this article is still a good start for understanding OpenStack networks.

The configuration we use in the examples is the one provided by Oracle OpenStack Tech Preview. It is very easy to install, and it is a good reference. In this configuration, we use eth3 on every server as the virtual machine network, and all virtual machine traffic goes through this network card. Oracle OpenStack Tech Preview uses VLANs for L2 isolation, which in turn provides tenant and network isolation. The following figure shows how we configure and deploy:

This first article is a little longer, and it focuses on some basic concepts of OpenStack networking. We will discuss several components such as Open vSwitch, network namespaces, Linux bridges, and veth pairs. Note that we do not intend to cover these components exhaustively here, only as far as needed to understand the OpenStack network architecture. You can learn more about these components from other resources online.

Open vSwitch (OVS)

OVS is used in Oracle OpenStack Tech Preview to connect virtual machines to the physical network port (eth3 in the example above), as shown in the deployment figure above. OVS consists of bridges and ports; OVS bridges are different from Linux bridges (which are created using the brctl command). Let's first take a look at the structure of OVS, using the following command:

    # ovs-vsctl show
    7ec51567-ab42-49e8-906d-b854309c9edf
        Bridge br-int
            Port br-int
                Interface br-int
                    type: internal
            Port "int-br-eth3"
                Interface "int-br-eth3"
        Bridge "br-eth3"
            Port "br-eth3"
                Interface "br-eth3"
                    type: internal
            Port "eth3"
                Interface "eth3"
            Port "phy-br-eth3"
                Interface "phy-br-eth3"
        ovs_version: "1.11.0"

This is a standard OVS deployment on a compute node, with two bridges, each with several associated ports. The example above is from a compute node without any virtual machines. We can see that eth3 is connected to a bridge called br-eth3, and we also see two ports called "int-br-eth3" and "phy-br-eth3". These two are actually a veth pair that connects the two bridges like a virtual network cable. We will discuss veth pairs later.

When we create a virtual machine, a port is created on the br-int bridge, and the port is eventually connected to the virtual machine (we will discuss this connection later). Here is the OVS structure after starting a virtual machine:

    # ovs-vsctl show
    efd98c87-dc62-422d-8f73-a68c2a14e73d
        Bridge br-int
            Port "int-br-eth3"
                Interface "int-br-eth3"
            Port br-int
                Interface br-int
                    type: internal
            Port "qvocb64ea96-9f"
                tag: 1
                Interface "qvocb64ea96-9f"
        Bridge "br-eth3"
            Port "phy-br-eth3"
                Interface "phy-br-eth3"
            Port "br-eth3"
                Interface "br-eth3"
                    type: internal
            Port "eth3"
                Interface "eth3"
        ovs_version: "1.11.0"

The "br-int" bridge now has a new port, "qvocb64ea96-9f", which connects to the VM and is tagged with VLAN 1. Each network card of a virtual machine requires its own port on the "br-int" bridge.
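As an added example (not part of the original article), the script below parses ovs-vsctl show text into bridge/port/tag rows and lists VM-facing ports on br-int that carry no VLAN tag. It assumes the br-int bridge and qvo* port naming seen in the output above; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. sample_show reproduces the post-VM `ovs-vsctl show` output
# quoted on this page, so the script runs without OVS installed.
sample_show() {
cat <<'EOF'
efd98c87-dc62-422d-8f73-a68c2a14e73d
    Bridge br-int
        Port "int-br-eth3"
            Interface "int-br-eth3"
        Port br-int
            Interface br-int
                type: internal
        Port "qvocb64ea96-9f"
            tag: 1
            Interface "qvocb64ea96-9f"
    Bridge "br-eth3"
        Port "phy-br-eth3"
            Interface "phy-br-eth3"
        Port "br-eth3"
            Interface "br-eth3"
                type: internal
        Port "eth3"
            Interface "eth3"
    ovs_version: "1.11.0"
EOF
}

# Read `ovs-vsctl show` text on stdin; print "bridge port tag" per port ("-" = no tag).
ovs_ports() {
    awk '
        function emit() {
            if (port != "") print bridge, port, (tag == "" ? "-" : tag)
            port = ""; tag = ""
        }
        { gsub(/"/, "") }
        $1 == "Bridge" { emit(); bridge = $2 }
        $1 == "Port"   { emit(); port = $2 }
        $1 == "tag:"   { tag = $2 }
        END { emit() }
    '
}

# An OVS port with no tag is a trunk port, so a VM-facing qvo* port on br-int
# without one is not confined to its tenant's local VLAN. List any such ports.
untagged_vm_ports() {
    ovs_ports | awk '$1 == "br-int" && $2 ~ /^qvo/ && $3 == "-" { print $2 }'
}

sample_show | ovs_ports
```

On a live compute node, run it as: ovs-vsctl show | untagged_vm_ports. An empty result means every VM port on br-int has a tag.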

Another useful command in OVS is dump-flows. Here is an example:

    # ovs-ofctl dump-flows br-int
    NXST_FLOW reply (xid=0x4):
     cookie=0x0, duration=735.544s, table=0, n_packets=70, n_bytes=9976, idle_age=17, priority=3,in_port=1,dl_vlan=1000 actions=mod_vlan_vid:1,NORMAL
     cookie=0x0, duration=76679.786s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=2,in_port=1 actions=drop
     cookie=0x0, duration=76681.36s, table=0, n_packets=68, n_bytes=7950

As mentioned above, the port connected to the VM uses VLAN tag 1, while the port on the virtual machine network (eth3) uses tag 1000. OVS rewrites the VLAN of every packet that passes between the VM and the physical network port. In OpenStack, the OVS agent controls the flows in Open vSwitch, and the user does not need to manage them. If you want to learn more about how to control flows in Open vSwitch, you can refer to the description of ovs-ofctl at http://openvswitch.org.
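To read the VLAN translation out of a flow dump, the following added example (not from the original article) turns ovs-ofctl dump-flows text into a priority-ordered table and extracts the rewrite and drop rules. The first two sample flows are the ones quoted above, the third is constructed, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Flows 1 and 2 are the br-int entries quoted on this page;
# flow 3 is a constructed catch-all so the sample has a rule with no rewrite.
sample_flows() {
cat <<'EOF'
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=735.544s, table=0, n_packets=70, n_bytes=9976, idle_age=17, priority=3,in_port=1,dl_vlan=1000 actions=mod_vlan_vid:1,NORMAL
 cookie=0x0, duration=76679.786s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=2,in_port=1 actions=drop
 cookie=0x0, duration=10.0s, table=0, n_packets=0, n_bytes=0, idle_age=10, priority=1 actions=NORMAL
EOF
}

# Print "priority in_port dl_vlan actions" per flow, highest priority first,
# which is the order in which OVS tries the rules.
flow_table() {
    awk '
        /actions=/ {
            prio = 32768; inport = "any"; vlan = "any"  # 32768: default priority, not printed by OVS
            acts = $0; sub(/.*actions=/, "", acts)
            m = $0;    sub(/ actions=.*/, "", m)
            n = split(m, f, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^priority=/) prio = substr(f[i], 10)
                if (f[i] ~ /^in_port=/)  inport = substr(f[i], 9)
                if (f[i] ~ /^dl_vlan=/)  vlan = substr(f[i], 9)
            }
            print prio, inport, vlan, acts
        }
    ' | sort -k1,1nr
}

# "in_port wire_vlan local_vlan" for each flow that rewrites the VLAN ID.
vlan_rewrites() {
    flow_table | awk '$4 ~ /mod_vlan_vid:/ {
        v = $4; sub(/.*mod_vlan_vid:/, "", v); sub(/,.*/, "", v); print $2, $3, v }'
}

# "in_port dl_vlan" for each drop rule: traffic that is not let onto the bridge.
drop_rules() {
    flow_table | awk '$4 == "drop" { print $2, $3 }'
}

sample_flows | flow_table
```

Read top to bottom, the table shows that traffic arriving on port 1 with VLAN 1000 is retagged to VLAN 1 and forwarded, and anything else arriving on port 1 is dropped before the lower-priority rule is reached.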

Network Namespaces (netns)

Network namespaces are a very cool Linux feature with many uses, and they are widely used in OpenStack networking. A network namespace is an isolated container with its own network configuration, and its network cannot be seen by other namespaces. Network namespaces can be used to encapsulate special network functions or to build complex network setups while keeping network services isolated. In Oracle OpenStack Tech Preview we use the latest R3 Enterprise Kernel, which provides full support for netns.

The following example shows how to use the ip netns command to control network namespaces. Define a new namespace:

    # ip netns add my-ns
    # ip netns list
    my-ns

We said that a namespace is an isolated container, and we can perform all kinds of operations inside the namespace, such as running the ifconfig command.

    # ip netns exec my-ns ifconfig -a
    lo        Link encap:Local Loopback
              LOOPBACK  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0b)  TX bytes:0 (0.0b)

We can run any command inside a namespace, such as tcpdump, which is very useful for debugging, as well as ping, ssh, and iptables.

Connecting a namespace to the outside: there are many ways to connect to a namespace and to connect namespaces to each other directly; here we focus on the method used in OpenStack. OpenStack uses a combination of OVS and network namespaces. OVS defines the interfaces, and we then add these interfaces to the namespace.

    # ip netns exec my-ns ifconfig -a
    lo        Link encap:Local Loopback
              LOOPBACK  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0b)  TX bytes:0 (0.0b)

    my-port   Link encap:Ethernet  HWaddr 22:04:45:E2:85:21
              BROADCAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0b)  TX bytes:0 (0.0b)

Now we can add more ports to the OVS bridge and connect them to other namespaces or to other devices such as physical network cards. Neutron uses network namespaces to implement network services such as DHCP, routing, gateways, firewalls, and load balancing. We will discuss more details in the next article.
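One way to carry out the step described above, defining an interface in OVS and moving it into the namespace, is sketched in the added example below (not from the original article). The bridge name my-bridge, the DRY_RUN switch, and the function names are assumptions of this example; my-port and my-ns are the names used on this page.

```shell
#!/bin/sh
# Added example. With DRY_RUN=1 each command is printed instead of executed;
# real execution needs root, Open vSwitch, and iproute2.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Linux interface names are limited to 15 characters; also refuse names that
# start with "-" or contain characters outside a conservative safe set.
valid_ifname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# usage: attach_port_to_ns BRIDGE PORT NAMESPACE
attach_port_to_ns() {
    valid_ifname "$1" && valid_ifname "$2" || { echo "invalid interface name" >&2; return 1; }
    # 1. Bridge and an internal port: OVS creates the interface itself.
    run ovs-vsctl --may-exist add-br "$1" &&
    run ovs-vsctl --may-exist add-port "$1" "$2" -- set Interface "$2" type=internal &&
    # 2. Move the interface out of the root namespace into the target one.
    run ip link set "$2" netns "$3" &&
    # 3. From now on the interface is only visible and configurable inside it.
    run ip netns exec "$3" ip link set "$2" up
}

# Show the plan for the names used on this page (my-bridge is hypothetical).
( DRY_RUN=1; attach_port_to_ns my-bridge my-port my-ns )
```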

Linux bridge and veth pairs

Linux bridges are used to connect OVS ports to virtual machines. Ports are responsible for connecting the OVS bridge to the Linux bridge, or both of them to the virtual machine. Linux bridges are used mainly for security groups. Security groups are implemented through iptables, and iptables can only be applied to Linux bridges, not to OVS bridges.

Veth pairs are widely used in OpenStack networking, and they are also a good tool for debugging network problems. A veth pair is simply a virtual network cable, which is why the devices always come in pairs. Usually one end of the veth pair is connected to a bridge, and the other end is connected to another bridge or left free to be used as a network port.

In this example, we will create a veth pair, connect it to a bridge, and test connectivity. This example is for an ordinary Linux server rather than an OpenStack node. Create a veth pair, and notice that we define the names of both ends:

    # ip link add veth0 type veth peer name veth2
    # ifconfig -a
    ..
    veth0     Link encap:Ethernet  HWaddr 5E:2C:E6:03:D0:17
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0b)  TX bytes:0 (0.0b)

    veth2     Link encap:Ethernet  HWaddr E6:B6:E2:6D:42:B8
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0b)  TX bytes:0 (0.0b)
    ..

To make the example more meaningful, we will create the following configuration:

veth0 => veth2 => br-eth4 => eth4 => eth3 on another Linux server

br-eth4: a basic Linux bridge, connecting veth2 and eth4
eth4: a physical network port with no IP set, connected to the physical network port eth3 on the remote Linux server
eth3: the port on the remote Linux server, connected to a VPC and configured with an IP (50.50.50.1)

Once we have created this configuration, we will test network connectivity by pinging the remote IP 50.50.50.1 through veth0:

    # brctl addbr br-eth4
    # brctl addif br-eth4 eth4
    # brctl addif br-eth4 veth2
    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    br-eth4         8000.00505682e7f6       no              eth4
                                                            veth2
    # ifconfig veth0 50.50.50.50
    # ping -I veth0 50.50.50.51
    PING 50.50.50.51 (50.50.50.51) from 50.50.50.50 veth0: 56(84) bytes of data.
    64 bytes from 50.50.50.51: icmp_seq=1 ttl=64 time=0.454 ms
    64 bytes from 50.50.50.51: icmp_seq=2 ttl=64 time=0.298 ms

If the naming is not as obvious as in this example, so that we cannot tell which devices form the two ends of a veth pair, we can use the ethtool command to find out. The ethtool command returns the index number of the peer, and the ip link command shows which device has that index:

    # ethtool -S veth2
    NIC statistics:
         peer_ifindex: 12
    # ip link
    ..
    12: veth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000

We have taken a quick look at OVS, network namespaces, Linux bridges, and veth pairs. These components are widely used in the OpenStack network architecture, and understanding them helps us understand the different network scenarios.
