
Tungsten Fabric architecture analysis, how does TF work?

2025-01-17 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Hi! This is the second article in the TF Chinese community's series on Tungsten Fabric architecture, and it explains how TF works. It introduces the software architecture of the TF controller and the vRouter, and the interaction between the vRouters and the Tungsten Fabric controller when a virtual machine or container starts.

The Tungsten Fabric architecture series is designed to answer the questions of newcomers to the TF community. It systematically introduces the characteristics of TF, how it works, how to collect, analyze and deploy it, how it is orchestrated, and how it connects to the physical network.

Orchestrators supported by Tungsten Fabric

The Tungsten Fabric controller integrates with cloud management systems such as OpenStack or Kubernetes so that, when a virtual machine (VM) or container is created, it is given network connectivity according to the network and security policies specified in the controller or the orchestrator.

Tungsten Fabric consists of two main software components:

Tungsten Fabric Controller: a set of software services that maintain the network and network-policy models, typically running on multiple servers for high availability.

Tungsten Fabric vRouter: installed on each host that runs workloads (virtual machines or containers). The vRouter performs packet forwarding and enforces the network and security policies.

A typical deployment of Tungsten Fabric is shown in the following figure:

The Tungsten Fabric controller is integrated with the orchestrator through a software plugin that implements the orchestrator's network service.

For example, the Tungsten Fabric plugin for OpenStack implements the Neutron API, while for Kubernetes the kube-network-manager and CNI (Container Network Interface) components listen for network-related events through the Kubernetes API.

On the compute host, the Tungsten Fabric vRouter replaces the Linux bridge and iptables, or Open vSwitch, and the controller configures the vRouters to implement the required network and security policies.

If a VM's packet has to be forwarded to a different host, the vRouter encapsulates it in MPLS over UDP, MPLS over GRE or VXLAN, with the destination of the outer header set to the IP address of the host running the target VM. The controller is responsible for installing, in each VRF of each vRouter, the set of routes that implements the network policy.

For example, by default virtual machines on the same network can communicate with each other, but not with virtual machines on different networks unless a network policy specifically allows it. Communication between the controller and the vRouters uses XMPP, a widely used and flexible messaging protocol.

A key feature of cloud automation is that users can request resources for their applications without knowing the details of how or where those resources are provided.

This is usually done through a portal offering a set of service offerings that users choose from; the selection is converted into API calls to the underlying systems, including the cloud orchestrator, to start a virtual machine or container with the memory, disk and CPU needed to meet the user's requirements.

A service offering can be as simple as a virtual machine with a specific amount of memory, disk and CPU allocated to it, or it can be an entire application stack consisting of multiple preconfigured software instances.

Interaction with the Orchestrator

The architecture of the Tungsten Fabric controller and vRouter, and their interaction with the orchestrator, are shown in the following figure:

The figure shows an orchestrator working with a hypervisor and virtual machines; the information flow for a container orchestrator such as Kubernetes (Kubernetes containers with Tungsten Fabric) is similar.

Each interface of a workload running on the host is connected to a VRF that contains the L2 and L3 forwarding tables of the corresponding virtual network, which in turn contains the IP address of that interface.

The vRouter implements the integrated routing and bridging (IRB) function that physical routers perform. A vRouter holds only the VRFs of the networks that have an interface on that host, plus the Fabric VRF connected to the host's physical interface. Using VRFs allows different virtual networks to have overlapping IP and MAC addresses, as long as no network policy is defined that allows traffic between them.

Tungsten Fabric virtual networks use tunnel encapsulation to transport packets between VMs on different hosts; encapsulation and decapsulation take place between the Fabric VRF and the VM's VRF.

When a new virtual workload is created, the orchestrator-specific plugin sees an event and passes it to the controller, which sends a request to the vRouter agent to install routes in the VRF of the virtual network; the agent then configures them in the forwarder.

The logical process for configuring the network of a new VM with a single interface is as follows:

1. The network and network policy are defined in the orchestrator or in Tungsten Fabric using the UI, CLI or northbound REST API. A network is defined primarily as a pool of IP addresses, from which an address is assigned to an interface when a VM is created.
2. The user asks the orchestrator to start a VM, specifying the network on which its interface is located.
3. The orchestrator selects the host on which the new VM will run and instructs the compute agent on that host to fetch the image and start the VM.
4. The Tungsten Fabric plugin receives an event or API call from the orchestrator's network service instructing it to set up networking for the interface of the VM that is about to start. These instructions are converted into Tungsten Fabric REST calls and sent to the Tungsten Fabric controller.
5. The Tungsten Fabric controller sends a request to the vRouter agent to connect the new VM's virtual interface to the specified virtual network.
6. The vRouter agent instructs the vRouter forwarder to connect the VM interface to the VRF of the virtual network. If that VRF does not exist yet, it is created and the interface is connected to it.
7. The compute agent starts the VM, which is typically configured to request an IP address for each of its interfaces using DHCP. The vRouter proxies the DHCP request and responds with the interface IP address, default gateway and DNS server address.
8. Once the interface is up and has its IP address from DHCP, the vRouter installs routes for the VM's IP and MAC addresses with the next hop set to the VM's virtual interface.
9. The vRouter assigns a label to the interface and installs the label route in the MPLS table.
10. The vRouter sends an XMPP message to the controller containing a route to the new VM. The route's next hop is the IP address of the server running the vRouter, and it specifies the encapsulation protocol using the label just assigned.
11. As permitted by the network policy, the controller distributes the new VM's route to the other vRouters, including those hosting VMs on the same network and on other networks.
12. As permitted by the network policy, the controller sends the routes of the other VMs to the vRouter of the new VM.

At the end of this process, the VRFs of all vRouters in the data center have been updated with the routes for the new VM.
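The following toy model, written for this article and not taken from the Tungsten Fabric code base, ties together the per-host VRFs with overlapping addresses described above and steps 6 to 12 of the startup procedure: a new VM gets a local route and an MPLS label, the vRouter advertises the route to the controller, and the controller only imports it into VRFs whose network policy permits it. Class names, method names, host addresses, interface names and the label range are all invented for the illustration; real Tungsten Fabric exchanges these routes over XMPP and has many more fields.

```python
"""Toy model (added illustration, not Tungsten Fabric code) of vRouter VRFs,
label assignment, route advertisement and policy-filtered distribution."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    ip: str
    mac: str
    next_hop: str           # local interface name, or the remote host IP
    label: Optional[int]    # MPLS label of the remote VM interface; None if local
    encap: Optional[str]    # tunnel type for remote routes; None if local


class VRouter:
    """One vRouter per compute host; holds only VRFs of networks present on it."""

    def __init__(self, host_ip: str):
        self.host_ip = host_ip
        self.vrfs: Dict[str, Dict[str, Route]] = {}   # network -> (vm ip -> route)
        self.mpls_table: Dict[int, str] = {}           # label -> local interface
        self._next_label = 16                          # assumed start of the label pool

    def attach_local_vm(self, network: str, ip: str, mac: str, iface: str) -> dict:
        """Steps 6-10: create the VRF if needed, install the local route, assign a
        label and return the advertisement that would go to the controller."""
        vrf = self.vrfs.setdefault(network, {})
        vrf[ip] = Route(ip, mac, iface, None, None)
        label = self._next_label
        self._next_label += 1
        self.mpls_table[label] = iface
        return {"network": network, "ip": ip, "mac": mac,
                "next_hop": self.host_ip, "label": label, "encap": "MPLSoUDP"}

    def install_route(self, vrf_name: str, adv: dict) -> None:
        """Route pushed by the controller into one of this host's VRFs."""
        if adv["next_hop"] == self.host_ip:   # VM is on this host: no tunnel needed
            route = Route(adv["ip"], adv["mac"], self.mpls_table[adv["label"]], None, None)
        else:
            route = Route(adv["ip"], adv["mac"], adv["next_hop"], adv["label"], adv["encap"])
        self.vrfs[vrf_name][adv["ip"]] = route

    def forward(self, vrf_name: str, dst_ip: str) -> Tuple[str, Optional[tuple]]:
        """Forwarding decision for a packet from a VM attached to vrf_name."""
        route = self.vrfs.get(vrf_name, {}).get(dst_ip)
        if route is None:
            return ("drop", None)               # never imported: policy forbids it
        if route.label is None:
            return ("local", (route.next_hop,))
        # outer header: this host -> remote host; the label selects the VM interface there
        return ("tunnel", (route.encap, self.host_ip, route.next_hop, route.label))

    def receive_tunnel(self, label: int) -> Optional[str]:
        """Decapsulation on the receiving host: label -> VM interface."""
        return self.mpls_table.get(label)


class Controller:
    """Holds the route store and the policy; redistributes routes as policy permits."""

    def __init__(self):
        self.vrouters: Dict[str, VRouter] = {}
        self.routes: List[dict] = []
        self._allowed: set = set()

    def register(self, vr: VRouter) -> None:
        self.vrouters[vr.host_ip] = vr

    def allow(self, net_a: str, net_b: str) -> None:
        """Network policy permitting traffic between two networks."""
        self._allowed.add(frozenset((net_a, net_b)))
        self._redistribute()

    def permitted(self, importing_net: str, route_net: str) -> bool:
        # Default: same network only; other networks need an explicit policy.
        return importing_net == route_net or frozenset((importing_net, route_net)) in self._allowed

    def on_advertisement(self, adv: dict) -> None:
        """Steps 11-12: store the new route and push every permitted route to every VRF."""
        self.routes.append(adv)
        self._redistribute()

    def _redistribute(self) -> None:
        for vr in self.vrouters.values():
            for vrf_name in vr.vrfs:
                for adv in self.routes:
                    if self.permitted(vrf_name, adv["network"]):
                        vr.install_route(vrf_name, adv)


def demo() -> dict:
    """Constructed scenario: two hosts, networks red/blue/green, and 10.0.0.5 used
    in both red and blue. Returns the forwarding decisions for inspection."""
    ctl = Controller()
    h1, h2 = VRouter("192.0.2.11"), VRouter("192.0.2.12")
    ctl.register(h1)
    ctl.register(h2)
    ctl.on_advertisement(h1.attach_local_vm("red", "10.0.0.5", "02:00:00:00:00:01", "tap-red-1"))
    ctl.on_advertisement(h2.attach_local_vm("red", "10.0.0.6", "02:00:00:00:00:02", "tap-red-2"))
    ctl.on_advertisement(h2.attach_local_vm("blue", "10.0.0.5", "02:00:00:00:00:03", "tap-blue-1"))
    ctl.on_advertisement(h1.attach_local_vm("green", "10.1.0.9", "02:00:00:00:00:04", "tap-green-1"))
    results = {
        "red_same_net": h1.forward("red", "10.0.0.6"),      # tunnelled to h2
        "blue_overlap": h2.forward("blue", "10.0.0.5"),     # blue's own VM, local on h2
        "red_overlap": h2.forward("red", "10.0.0.5"),       # same IP, but red's VM on h1
        "green_to_red": h1.forward("green", "10.0.0.6"),    # no policy: route never imported
    }
    ctl.allow("green", "red")
    results["green_to_red_after_policy"] = h1.forward("green", "10.0.0.6")
    _, (_, _, dst_host, label) = results["red_same_net"]
    results["decap_iface"] = ctl.vrouters[dst_host].receive_tunnel(label)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

Two points worth noticing in the output: the same address 10.0.0.5 resolves to different hosts in the red and blue VRFs because a lookup never leaves its VRF, and green-to-red traffic is dropped not by an access list but because the controller never imported red's routes into the green VRF until the policy was added. Isolation therefore rests on the controller's route-import decisions, which is why the integrity of the controller-to-vRouter channel matters.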

Previous article in the series: Tungsten Fabric architecture analysis, part 1: main features and use cases of TF
