Transcript of Openstack Users Ja Sogabe e
-
Multi-tenant IaaS using OpenStack + OpenContrail
Takashi Sogabe(@rev4t)
Internet Initiative Japan., Inc.
-
Who am I ?
Takashi Sogabe (@rev4t)
I develop services and devices at IIJ
Lately, I also verify software and implement networks in order to create new services
I call myself a full stack engineer
-
What do I want to do?
Contrail is now open source!
The quickest way for an engineer to understand it is to actually try it
I want to read the source code with a smirk on my face
First, build a demo environment and play with it
-
What is OpenContrail ?
It is software that makes it easy to build a scalable IaaS
It is an SDN product
It works with OpenStack and CloudStack
Control plane: BGP or XMPP
Data plane: MPLS over GRE
It appears to support MPLS over UDP and VXLAN as well
-
Source of Information
http://opencontrail.org/
Documents and packages are provided here
https://github.com/Juniper/contrail-controller
The source code is published openly on GitHub
http://juni.pr/17tlcQh
Valuable information in Japanese regarding OpenContrail, posted by Juniper's Arimura-san on J-NET
-
Why MPLS/BGP ?
They are mature technologies, so you can use them with peace of mind
ISPs are already using MPLS for IP-VPN services
Performance holds up with a large number of VPN connections in place
It is easy to establish inter-DC connections or hybrid clouds
Using an L3VPN router as the external router makes interconnection easy
-
What else can you do?
Service Chaining
NFV, in other words
You can insert a firewall or many other functions between VMs
Network Monitoring
You can monitor live session information from the web screen
If necessary, you can run tcpdump from the web screen
Think of it as an overlay-network version of Remote SPAN (RSPAN)
-
Minimum configuration needed for testing?
PC server: 1 unit
Juniper recommends 5 units or more
If it is just for testing, 1 unit is enough
Router: 1 unit
One that can speak MPLS VPN
Juniper MX and SRX are examples
If you don't need an External Router, it isn't necessary
-
Server configuration of the demo environment
(Diagram) External Router (Gateway Router): 192.168.192.79 on 192.168.192.0/24, 10.0.0.1/24 on the tenant side
Contrail System, OpenStack (controller, etc.) and OpenStack (nova-compute) with the vRouter on one PC server: 192.168.192.64
Router for internet connection, also on 192.168.192.0/24
-
OpenContrail Architecture
-
Install (1)
Building from source
http://juni.pr/1alNn7h
git + repo: setting up is cumbersome, so this is adequate for building only
devstack: https://github.com/dsetia/devstack
Use of binary packages
OS image provided by Juniper
RPM packages (CentOS or Fedora)
A Juniper.net account is needed
Juniper says that if you apply through the online form, an account is created for you in a day or two
The OS image is used for this demo
Contrail Install Media for CentOS 90-day EVAL (Release 1.02), OpenStack Grizzly
-
Install (2)
1. Download the OS image and install it on the PC
2. Run setup.sh
cd /opt/contrail/contrail_packages; ./setup.sh
3. Create the testbed file
4. Install the system
cd /opt/contrail/utils; fab install_contrail
(rebooted automatically)
cd /opt/contrail/utils; fab setup_all
(rebooted automatically)
-
Testbed file
cd /opt/contrail/utils/fabfile/testbeds
cp testbed_singlebox_example.py testbed.py
Edit: vi testbed.py
ext_routers = [('srx1', '192.168.192.79')]  (if there is no external router, comment this out)
host1 = [email protected]
host_build = [email protected]
env.passwords = { host1: , host_build: , }
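Before running fab install_contrail it is worth checking that testbed.py is well formed. The following is an added example, not code from the talk or from Contrail's fabric utilities; it assumes only the fields shown on this slide (host1, host_build, ext_routers, env.passwords) and reads the file with ast instead of importing it.

```python
import ast
import ipaddress

# Constructed sample in the slide's layout; passwords left empty, as on the slide, so they get flagged.
SAMPLE_TESTBED = """
from fabric.api import env
host1 = 'root@192.168.192.64'
host_build = 'root@192.168.192.64'
ext_routers = [('srx1', '192.168.192.79')]
env.passwords = {host1: '', host_build: ''}
"""

def _valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def load_testbed(source):
    """Collect top-level assignments with ast (never executed); Name keys in env.passwords resolve to hosts."""
    names = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue  # the fabric import and anything else are irrelevant here
        tgt = node.targets[0]
        key = tgt.id if isinstance(tgt, ast.Name) else f"{tgt.value.id}.{tgt.attr}"
        if isinstance(node.value, ast.Dict):
            names[key] = {
                (names[k.id] if isinstance(k, ast.Name) else ast.literal_eval(k)):
                ast.literal_eval(v) for k, v in zip(node.value.keys, node.value.values)}
        else:
            names[key] = ast.literal_eval(node.value)
    return names

def check_testbed(tb):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    hosts = {k: v for k, v in tb.items() if k.startswith("host")}
    passwords = tb.get("env.passwords", {})   # SSH passwords, stored in clear text
    for name, spec in hosts.items():
        user, _, ip = spec.partition("@")
        if not user or not _valid_ipv4(ip):
            problems.append(f"{name}: '{spec}' is not of the form user@ipv4")
        if not passwords.get(spec):   # fab needs a non-empty password per host
            problems.append(f"{name}: no password for '{spec}' in env.passwords")
    for entry in tb.get("ext_routers", []):
        if len(entry) != 2 or not _valid_ipv4(entry[1]):
            problems.append(f"ext_routers: {entry!r} is not (name, ipv4)")
    return problems
```

Because env.passwords holds SSH passwords in clear text, keep testbed.py readable only by the installing user.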
-
Install (3)
If the installation succeeds, you can log in to Horizon and the Contrail web screen
Horizon
http://(host ip address)/
username: admin
password: contrail123
Contrail
http://(host ip address):8080/
username and password: same as Horizon
-
External Router configuration(1)
Interface configuration
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.192.79/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
-
External Router configuration(2)
L3VPN configuration
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.192.5;
    }
    route-distinguisher-id 192.168.192.79;
    autonomous-system 64512;
    dynamic-tunnels {
        setup1 {
            source-address 192.168.192.79;
            gre;
            destination-networks {
                192.168.192.0/24;
            }
        }
    }
}
protocols {
    bgp {
        group contrail-controller {
            type internal;
            local-address 192.168.192.79;
            family inet-vpn {
                unicast;
            }
            neighbor 192.168.192.64;
        }
    }
    stp;
}
-
External Router configuration(3)
VRF configuration
routing-instances {
    cusotomer-public {
        instance-type vrf;
        interface ge-0/0/1.0;
        vrf-target target:64512:10000;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.0.2;
            }
        }
    }
}
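The L3VPN slide and the VRF slide only work together if a few values agree: the BGP local-address, the route-distinguisher-id and the dynamic-tunnel source must be the same loopback, the controller neighbor must fall inside destination-networks, and the vrf-target's AS must match autonomous-system. The checker below is an added example (not from the talk, and not a Junos tool); it parses the brace syntax from these slides into nested dicts and reports any drift between them.

```python
import ipaddress
import re

# Constructed from the slides' flattened text (not captured from a real box).
JUNOS_CONFIG = """
routing-options { static { route 0.0.0.0/0 next-hop 192.168.192.5; }
  route-distinguisher-id 192.168.192.79; autonomous-system 64512;
  dynamic-tunnels { setup1 { source-address 192.168.192.79; gre;
  destination-networks { 192.168.192.0/24; } } } }
protocols { bgp { group contrail-controller { type internal; local-address 192.168.192.79;
  family inet-vpn { unicast; } neighbor 192.168.192.64; } } stp; }
routing-instances { cusotomer-public { instance-type vrf; interface ge-0/0/1.0;
  vrf-target target:64512:10000; routing-options { static { route 0.0.0.0/0 next-hop 10.0.0.2; } } } }
"""

def parse_junos(text):
    """Brace config -> nested dicts: 'a b { }' keys a container by 'a b'; 'k v;' maps k -> 'v' (None for bare flags)."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
        elif tok == ";":
            stack[-1][words[0]] = " ".join(words[1:]) or None
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
            continue
        words = []  # a statement ended; start collecting the next one
    return stack[0]

def check_gateway(cfg, instance="cusotomer-public"):
    """Return mismatches that would break the Contrail peering or the VRF import; [] means the slides agree."""
    ro = cfg["routing-options"]
    bgp = cfg["protocols"]["bgp"]["group contrail-controller"]
    tun = ro["dynamic-tunnels"]["setup1"]
    vrf = cfg["routing-instances"][instance]
    me = bgp["local-address"]
    problems = []
    if ro["route-distinguisher-id"] != me:
        problems.append("route-distinguisher-id != bgp local-address")
    if tun["source-address"] != me:
        problems.append("dynamic-tunnel source-address != bgp local-address")
    if "gre" not in tun:
        problems.append("dynamic tunnel is not gre (vRouter data plane is MPLS over GRE)")
    nets = [ipaddress.ip_network(n) for n in tun["destination-networks"]]
    if not any(ipaddress.ip_address(bgp["neighbor"]) in n for n in nets):
        problems.append("controller neighbor not inside destination-networks")
    if vrf["vrf-target"].split(":")[1] != ro["autonomous-system"]:
        problems.append("vrf-target AS differs from autonomous-system")
    return problems
```

Note that destination-networks covers the whole 192.168.192.0/24, so any host on that subnet is an acceptable GRE tunnel endpoint; narrowing it to the controller and compute hosts limits that.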
-
External Router configuration(4)
If you use an SRX, set the forwarding mode to packet based
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}
root> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: packet based
  Flow trace status
    Flow tracing status: off
If you use flow-based mode, there appears to be no way to add the dynamic tunnel to a security zone
-
CREATING TENANT NETWORK USING OPENCONTRAIL
-
Network Configuration (1)
3 ways to configure
Configure from the OpenContrail web screen
Configure from OpenStack
However, some parameters cannot be configured using neutron (quantum)
OpenContrail REST API
API server: http://(controller_host):8082/
There is no documentation at all at this time; however, you can probably work out most of it by walking the API from the top-level URL
-
Tenant network
(Diagram) Networks used in the demo, each attached to the vRouter:
private 10.254.0.0/24: test-private-1, test-private-2
public 10.255.0.0/24: test-public-1, test-public-2
global 10.1.0.0/24: floating IP 10.1.0.253
external network 10.0.0.0/24: external router at 10.0.0.1
-
Create network (public)
-
Create IP address block (public)
-
Configure Global network
-
Activate test-public-1, test-public-2
-
Ping from test-public-1 to 10.0.0.1
-
Create Private network
-
Activate test-private-1, test-private-2
-
Ping from test-private-1 to test-public-1
-
Create Policy
-
Apply Policy
-
Again, Ping from test-private-1 to test-public-1
-
Create and assign Floating-ip
-
Ping from ext-router to test-public-1
root> ping 10.1.0.253 routing-instance cusotomer-public
PING 10.1.0.253 (10.1.0.253): 56 data bytes
64 bytes from 10.1.0.253: icmp_seq=0 ttl=62 time=31.423 ms
64 bytes from 10.1.0.253: icmp_seq=1 ttl=62 time=2.510 ms
^C
--- 10.1.0.253 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
-
External router show route (1)
root> show route

inet.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 192.168.192.5 via ge-0/0/0.0
10.1.0.1/32        *[Local/0] 1d 20:49:29
                      Reject
192.168.192.0/24   *[Direct/0] 1d 20:49:14
                    > via ge-0/0/0.0
192.168.192.79/32  *[Local/0] 1d 20:49:20
                      Local via ge-0/0/0.0
-
External router show route (2)
inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.192.0/24   *[Tunnel/300] 1d 20:49:46
                      Tunnel
192.168.192.64/32  *[Tunnel/300] 00:56:35
                    > via gr-0/0/0.32769
-
External router show route (3)
cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 10.0.0.2 via ge-0/0/1.0
10.0.0.0/24        *[Direct/0] 1d 20:49:14
                    > via ge-0/0/1.0
10.0.0.1/32        *[Local/0] 1d 20:49:19
                      Local via ge-0/0/1.0
10.1.0.253/32      *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16
-
External router show route (4)
mpls.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299792             *[VPN/170] 02:02:08
                    > to 10.0.0.2 via ge-0/0/1.0, Pop

bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.192.64:2:10.1.0.253/32
                   *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16
-
Network Management(1)
-
Network Management (2)
-
Network Management (3)
You can monitor flow information in real time
-
Network Management(4)
Verify the routing table
-
Using Analyzer (1)
Think of the L3 switch Remote SPAN (RSPAN) feature, made more useful
Specify the network to capture and the type of packet; an Analyzer instance is started automatically
The administrator can examine the packet dump from the OpenStack admin screen using Wireshark
You can also log in to the Compute Node and tcpdump the tap interface directly, but the Analyzer is much easier to use
-
Using Analyzer (2)
-
Using Analyzer (3)
-
Summary
Very easy to use admin screen
You can monitor communications on the overlay
Architecture that enables scalability
Controller workload is small, because communication by each node is handled by the node itself on the overlay
Use of Cassandra as the backend database, which allows scalability
Use of L3VPN routers as the external router, which allows the uplinks to scale
I heard VXLAN can be used as well, but it appears it cannot be configured from the admin screen yet
-
Things I would like to investigate further
Service Chaining
Measure scalability by increasing the number of nodes
Terminate at the external router using VXLAN
I would like to try the version supporting Havana