ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
Bridges and Tunnels: A Drive Through OpenStack Networking
Mark McClain (@gtwmm)
Where are we headed today?
• OpenStack Neutron
• Open Source Implementations
• Live Demo
• Community Initiatives Relating Neutron
• Look Ahead to Kilo
OpenStack
About OpenStack
• Open Source project founded in 2010
• 1,419 Unique Developers
• 10 Projects in Integrated Release (larger ecosystem on Stackforge)
• Production Ready
• Latest Release: 2014.2 (Juno), the 10th release
• Apache 2 Licensed
OpenStack
What does the user see?
[Diagram: the GUI, CLI and API libraries talk to the Compute API (backed here by KVM), the Network API (ML2 plugin) and the Storage API (Ceph).]
OpenStack Networking
Why Create Neutron?
• Rich Topologies
• Technology Agnostic
• Extensible
• Advanced Services Support
• Load Balancing, VPN, Firewall
Challenges in the Cloud
• High-density multi-tenancy
• VLANs have trouble scaling
• On-demand provisioning
• traditional solutions require manual configuration
• Need to place / move workloads
• state (IP address) tied to location
Tackling these Challenges
• Network virtualization
• Overlay tunneling
• VXLAN, GRE, STT
• Software Defined Networking (SDN)
• OpenFlow
• L2 Fabric Solution
• ???
The Basics
What does the user see?
[Diagram: the GUI, CLI and API libraries talk to the Compute API (KVM), the Network API (ML2 plugin) and the Storage API (Ceph).]
Abstractions
[Diagram: Nova owns the virtual server and its virtual interface (VIF); Neutron owns the L2 virtual network, the virtual subnet and the virtual port the VIF plugs into. Example: Net1 10.0.0.0/24 with VM1 10.0.0.2 and VM2 10.0.0.2.]
Using the API…
[Diagram: Tenant A has Net1 192.168.0.0/24 and Net2 172.16.77.0/24; Tenant B has its own Net1 192.168.0.0/24 and Net2 172.16.77.0/24; each tenant attaches through a router to the Public Net 10.0.0.0/8. In each tenant, VM1 is 10.0.0.2, VM2 is 10.0.0.2/172.16.7 and VM3 is 172.16.77.1.]
Design Goals
• Unified API
• Small Core
• Pluggable Open Architecture
• Extensible
Common Features
• Support for Overlapping IPs
• Tenant A: 192.168.0.0/24
• Tenant B: 192.168.0.0/24
• Configuration
• DHCP/Metadata
• Floating IPs
Security Groups
• Support Overlapping IPs
• Ingress/Egress Rules
• IPv6
• VMs with multiple VIFs
• Plugin can offload
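The bullets above describe security groups as per-VIF allow-lists with ingress/egress rules, remote CIDRs or remote groups, and IPv4/IPv6 ethertypes. The following added example (constructed for this transcript, not the Neutron agent's code) models that matching logic so the default-deny behaviour can be exercised on sample traffic. The real L2 agent renders the rules into iptables with connection tracking, so replies to allowed egress are admitted; this toy is stateless and shows only the rule semantics. Tenant names, member IPs and the admin range 203.0.113.0/24 are constructed sample data.

```python
"""Allow-list evaluation of Neutron-style security group rules (added example).

Constructed model, not the Neutron agent's code. The agent renders these rules into
iptables (with connection tracking) per VIF; this toy is stateless and only shows
the matching logic and the default-deny semantics.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    """One rule, with the same fields the security-group API extension exposes."""
    direction: str                                 # "ingress" or "egress"
    ethertype: str = "IPv4"                        # "IPv4" or "IPv6"
    protocol: Optional[str] = None                 # None = any protocol
    port_min: Optional[int] = None                 # None = any port
    port_max: Optional[int] = None                 # None = same as port_min
    remote_prefix: Optional[str] = None            # CIDR the remote end must fall in
    remote_group: Optional[FrozenSet[str]] = None  # remote group, expanded to member IPs


@dataclass(frozen=True)
class Packet:
    """What the rules look at, seen from one VIF (a VM with several VIFs is checked per VIF)."""
    direction: str              # "ingress" (toward the VM) or "egress" (from the VM)
    remote_ip: str              # source for ingress, destination for egress
    protocol: str               # "tcp", "udp", "icmp", ...
    port: Optional[int] = None  # destination port; None for protocols without ports


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field set on the rule is satisfied by the packet."""
    if rule.direction != pkt.direction:
        return False
    remote = ip_address(pkt.remote_ip)
    if (remote.version == 4) != (rule.ethertype == "IPv4"):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None:
        high = rule.port_max if rule.port_max is not None else rule.port_min
        if pkt.port is None or not rule.port_min <= pkt.port <= high:
            return False
    if rule.remote_prefix is not None and remote not in ip_network(rule.remote_prefix):
        return False
    if rule.remote_group is not None and remote not in {ip_address(m) for m in rule.remote_group}:
        return False
    return True


def is_allowed(rules: Sequence[Rule], pkt: Packet) -> bool:
    """Security groups are allow-lists: no matching rule means the packet is dropped."""
    return any(rule_matches(r, pkt) for r in rules)


# Constructed sample: Tenant A's "default" group (allow all egress, allow ingress from
# group members) plus one rule opening SSH from an admin range. The member list is the
# expansion of remote_group_id to the IPs of ports in the group. Rules are installed
# only on this tenant's ports, so Tenant B's identical 192.168.0.0/24 never enters
# the picture: that is how overlapping IPs and security groups coexist.
TENANT_A_MEMBERS = frozenset({"192.168.0.10", "192.168.0.12"})
DEFAULT_GROUP = (
    Rule("egress", "IPv4"),
    Rule("egress", "IPv6"),
    Rule("ingress", "IPv4", remote_group=TENANT_A_MEMBERS),
    Rule("ingress", "IPv6", remote_group=TENANT_A_MEMBERS),
)
WEB_GROUP = DEFAULT_GROUP + (
    Rule("ingress", "IPv4", "tcp", 22, 22, remote_prefix="203.0.113.0/24"),
)

if __name__ == "__main__":
    for pkt in (Packet("ingress", "203.0.113.5", "tcp", 22),
                Packet("ingress", "198.51.100.7", "tcp", 22),
                Packet("ingress", "192.168.0.12", "tcp", 3306)):
        print(pkt, "->", "ALLOW" if is_allowed(WEB_GROUP, pkt) else "DROP")
```

Note that a rule with neither `remote_prefix` nor `remote_group` matches any remote address, which is exactly what the two default egress rules do; the absence of any such ingress rule is what makes an instance unreachable until the tenant adds one.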
Architecture
OpenStack: The Operator View
Basic Deployment
[Diagram: neutron-server (REST API service, RPC service and plugin) backed by a database and a message queue, talking to many L2 agents, several L3 agents, a DHCP agent and advanced services.]
Plugin
• Written in Python
• Only one active
• Must implement V2 API calls
• Optional database access
• Optional extension support
Monolithic Plugin
• Full implementation of core resources
• Two types:
• Proxy
• Direct control
ML2: Modular Layer 2 Plugin
• Full V2 Plugin Implementation
• Delegates calls to proper L2 drivers
• Two kinds of drivers
• Type Driver
• Mechanism Driver
[Diagram: the ML2 plugin contains a Type Manager and a Mechanism Manager that dispatch to the drivers.]
Plugin Extensions
• Add logical resources to the REST API
• Discovered by server at startup
• REST: /v2.0/extensions
• Common Extensions
• Binding, DHCP, L3, Provider, Quota, Security Group
• Other Extensions
• Allowed Addresses, Extra Routes, Metering
L2 Agent
• Runs on hypervisor
• Communicates with server via RPC
• Watch and notify when devices added/removed
• Wires new devices
• Proper network segment
• Security Group Rules
• Open vSwitch
• Open Source Virtual Switch
• http://openvswitch.org
• Tenant Isolation
• VLAN, GRE, VXLAN
OVS L2 Agent
[Diagram: the Neutron server talks to the OVS agent over RPC; the OVS agent configures Open vSwitch through OVSDB.]
Isolation
VLAN
• 802.1Q
• limited
• underlay must support
GRE/VXLAN
• L2 encapsulated in L3
• routable
• overlay independence
Tunneling
[Diagram: hosts A, B, C and D connected by tunnels]
Tunneling with L2 Population
[Diagram: the same hosts A, B, C and D]
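The Isolation and Tunneling slides contrast 802.1Q VLANs (limited, underlay must support them) with GRE/VXLAN overlays (L2 encapsulated in L3, routable), and the L2 Population slide shows the same mesh with fewer flooded tunnels. The following added example (written for this transcript; not Neutron or Open vSwitch code) builds and parses the 8-byte VXLAN header from RFC 7348, shows how a receiving tunnel endpoint maps the VNI to a tenant network and drops anything else, and models the L2-population lookup that lets a sender unicast to one endpoint instead of flooding every tunnel. VNIs, MAC addresses, endpoint IPs and network names are constructed sample data.

```python
"""VXLAN segment demultiplexing and L2-population forwarding (added example).

Constructed illustration, not Neutron or Open vSwitch code: the header layout
follows RFC 7348, the rest models what an OVS agent's tunnel endpoint (VTEP) does.
"""
import struct
from typing import Dict, List, Optional, Set, Tuple

VXLAN_UDP_PORT = 4789            # IANA destination port; what a sensor filters on
VXLAN_FLAG_VNI_VALID = 0x08      # the one flag bit RFC 7348 defines (the "I" flag)
MAX_VNI = (1 << 24) - 1          # 24-bit VNI: ~16.7M segments versus 4094 usable VLAN IDs
HEADER = struct.Struct("!B3sI")  # flags(1) | reserved(3) | VNI(3)+reserved(1) = 8 bytes
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal inner Ethernet frame (constructed sample input)."""
    def mac_bytes(mac: str) -> bytes:
        return bytes.fromhex(mac.replace(":", ""))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_encapsulate(vni: int, frame: bytes) -> bytes:
    """Prepend the VXLAN header: the L2 frame now rides inside a UDP datagram (L2 in L3)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return HEADER.pack(VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8) + frame


def vxlan_decapsulate(payload: bytes) -> Tuple[int, bytes]:
    """Return (VNI, inner frame); reject truncated headers and headers without the I flag."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = HEADER.unpack_from(payload)
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the I (VNI valid) flag")
    return vni_field >> 8, payload[HEADER.size:]


def deliver(vni_to_network: Dict[int, str], payload: bytes) -> Optional[Tuple[str, bytes]]:
    """Receive side of a VTEP: the VNI selects the tenant network; unknown VNIs are dropped.

    This is where tenant isolation lives: two tenants may both use 192.168.0.0/24,
    but their frames arrive under different VNIs and never share a segment.
    """
    vni, frame = vxlan_decapsulate(payload)
    network = vni_to_network.get(vni)
    return None if network is None else (network, frame)


def tunnel_targets(fdb: Dict[Tuple[int, str], str], vni: int, dst_mac: str,
                   segment_vteps: Dict[int, Set[str]]) -> List[str]:
    """Send side with L2 population: the server pushes (VNI, MAC) -> VTEP entries, so a
    known unicast goes to exactly one tunnel endpoint. Only broadcast and unknown MACs
    are flooded, and only to endpoints that actually host ports on that segment."""
    if dst_mac != BROADCAST_MAC:
        vtep = fdb.get((vni, dst_mac))
        if vtep is not None:
            return [vtep]
    return sorted(segment_vteps.get(vni, set()))


# Constructed sample data: two tenant networks, one learned MAC, three hypervisors.
SEGMENTS = {5001: "tenant-a-net1", 5002: "tenant-b-net1"}
FDB = {(5001, "fa:16:3e:00:00:02"): "10.0.0.12"}
SEGMENT_VTEPS = {5001: {"10.0.0.11", "10.0.0.12", "10.0.0.13"}, 5002: {"10.0.0.11"}}

if __name__ == "__main__":
    frame = ethernet_frame("fa:16:3e:00:00:02", "fa:16:3e:00:00:01", 0x0800, b"ip payload")
    datagram = vxlan_encapsulate(5001, frame)
    print(deliver(SEGMENTS, datagram))
    print(tunnel_targets(FDB, 5001, "fa:16:3e:00:00:02", SEGMENT_VTEPS))
```

The header carries no authentication, so whatever reaches UDP/4789 on a hypervisor with a known VNI is handed to that tenant's segment; keeping the tunnel network reachable only from other hypervisors and network nodes is part of what makes the overlay an isolation mechanism rather than just an encapsulation.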
L3 Agents
L3 Agent
• Run on Network Node
• Uses Namespaces
• Metadata Agent (if enabled)
[Diagram: network nodes and three hypervisors attached to the core network]
L3 Agent: How it’s implemented
• Manages Collection of Network Namespaces
• Isolated IP Stacks
• Forwarding Enabled
• net.ipv4.ip_forward=1
• Static Routing
• Metadata Proxy
[Diagram: a host with interfaces lo, eth0 and eth1 and the external bridge br-ex; two router namespaces, A (lo, qr-1, qg-2) and B (lo, qr-e, qg-b). The qr- interfaces face the tenant networks and the qg- interfaces plug into br-ex.]
Load Balancer as a Service
• Service Plugin
• Driver based
• Agent w/Driver
• Agent communicates over RPC
• Open source driver (HAProxy) requires namespaces
• Others interact with other systems
[Diagram: LB Agent driving HAProxy]
VPN as a Service
• Service Plugin
• Driver based
• Agent w/Driver
• Communicates over RPC
• Openswan
[Diagram: L3 Agent hosting the Router, the Metadata Proxy and the VPN Driver]
Firewall as a Service
• Edgewall
• Service Plugin
• Driver based
• Agent w/Driver
• Communicates over RPC
• Experimental
[Diagram: L3 Agent hosting the Router, the Metadata Proxy and the Firewall Driver]
What’s New in Juno
IPv6
Distributed Virtual Routers
IPv6
IPv6: Basics
Router Advertisement Support
IPAM Algorithms: SLAAC, Sequential
RA secured with security groups
IPv6: SLAAC
RA Autoconfiguration
IPv6 address generated from EUI-64 address
No DHCP
IPv6: DHCPv6 Stateless
Same as SLAAC: IP address from the EUI-64 address
DHCP enables clients to retrieve extra options
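Both the SLAAC and the stateless DHCPv6 slides have the instance derive its address from the advertised prefix and its MAC via modified EUI-64, with no address handed out by a server. The following added example (constructed for this transcript; not code from Neutron, radvd or dnsmasq) carries that derivation through and also inverts it, which is handy when correlating IPv6 flows with ports and shows the privacy trade-off of EUI-64 addresses. The `fa:16:3e` MAC prefix in the sample is assumed to be the deployment's default base MAC; the slides do not state it.

```python
"""SLAAC address derivation from a modified EUI-64 interface identifier (added example).

Constructed illustration of the algorithm the slides refer to, not Neutron, radvd or
dnsmasq code. The fa:16:3e MAC prefix in the sample is an assumed deployment default.
"""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 appendix A): insert ff:fe in the middle of the 48-bit
    MAC and flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host autoconfigures from a /64 prefix carried in a Router
    Advertisement. No DHCP is involved: prefix from the RA, interface id from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address the host has before any RA arrives; same interface id."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None when the interface id is
    not EUI-64 shaped (a sequentially assigned DHCPv6 address, for instance). Useful
    for tying flows to ports; also the reason SLAAC addresses reveal the hardware
    address to every peer."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    eui = bytearray(iid.to_bytes(8, "big"))
    if eui[3:5] != b"\xff\xfe":
        return None
    eui[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in eui[:3] + eui[5:])


if __name__ == "__main__":
    # Constructed sample: documentation prefix 2001:db8::/64 and an assumed default-base MAC.
    addr = slaac_address("2001:db8::/64", "fa:16:3e:12:34:56")
    print(addr, "->", mac_from_address(str(addr)))
```

Because the interface identifier is a pure function of the MAC, SLAAC addresses are predictable to anyone who knows a port's MAC, and the same identifier follows the instance across every prefix it attaches to; this is why the slide pairs RA support with security groups, and why the sequential IPAM option exists alongside SLAAC.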
IPv6: DHCPv6 Stateful
Most similar to existing v4 support
Backed by dnsmasq and radvd
IPv6: Dual vs Single Stack
Dual Stack
Applications have both v4/v6 access
Supported by the latest long-term-support releases
Single Stack v6
Metadata service does not work
Config drive required*
Distributed Virtual Routing
DVR: Overview
[Diagram: network nodes and three hypervisors attached to the core network]
DVR: How it works
1) Operator deploys the DVR L3 agent; the agent runs on each hypervisor
2) Associate floating IP with instance
3) Profit!!! All N/S instance traffic is NAT’d directly from the hypervisor
DVR: East/West
[Diagram: network node and three hypervisors on the core network]
DVR: North/South SNAT w/o Floating IP
[Diagram: network node and three hypervisors on the core network]
DVR: North/South SNAT w/ Floating IP
[Diagram: network node and three hypervisors on the core network]
Summary
[Logos: Open vSwitch / Linux Bridge, Ryu OpenFlow Controller]
• Unified API
• Small Core
• Pluggable Open Architecture
• Multiple Vendor Support
• Extensible
Open Source Alternatives
OpenDaylight
• Open source controller
• Project managed by Linux Foundation
• Latest release: Helium
• Integrates with Neutron via ML2
Live Demo
Community Initiatives
Group Based Policy
Group Based Policy: Before
[Diagram: web (W), database (D) and application (A) instances, three of each, with no grouping]
Group Based Policy: Model
[Diagram: the same instances collected into policy groups PG Web, PG App and PG DB, linked by C1, C2 and C3]
GBP: Benefits
• Application focused networking — developer intent
• Improved automation
• Consistency
• Extensible Policy Model
• Not dependent on network technology
GBP: Open Source Stack
• OpenStack Ecosystem Project
• Companion Project to Neutron
• http://git.openstack.org/cgit/stackforge/group-based-policy
• OpenDaylight Project
Architecture
[Diagram: an API layer containing the GBP plugin, Neutron and Nova; below it, Nova Compute running a VM attached to OVS]
Network Functions Virtualization (NFV)
NFV
• Traditional appliances to virtual instance(s)
• Commodity hardware
• Scale out vs Scale Up
• No need to provision for maximum capacity at deployment
• Started as working group at ETSI
• Formation of OPNFV
Current NFV Work
• Improvements to OpenStack Compute (Nova)
• CPU Pinning
• NUMA
• Large Page
• Planned additions to OpenStack Networking (Neutron)
• Trunk ports
• L2 Gateways
Looking Ahead to Kilo
• IPv6
• Prefix delegation
• Metadata Service
• IPAM
• BGP Speaker
• NFV Enhancements
• Paying Down Technical Debt
More Information
• Cloud Administrator Guide
• http://docs.openstack.org/admin-guide-cloud/content/ch_networking.html
• OpenStack Network v2.0 API
• http://developer.openstack.org/api-ref-networking-v2.html
• OpenDaylight Installation Guide
• https://wiki.opendaylight.org/view/OVSDB:Helium_and_Openstack_on_Fedora20
Thank You