OPENSTACK NEUTRON
Concepts & OVS Scenario

(Source: OpenStack Neutron overview and performance issues - scent.gist.ac.kr)

WHAT IS OPENSTACK?


OpenStack

• Open source project, since 2010
• 3,654 contributors
• 10 projects in integrated release
• Production ready
• Latest release: 2015 Kilo (11th release)
• Apache 2 licensed


OpenStack is …

• A free and open-source cloud computing software platform (2013)
• A cloud management platform (2013)
• A cloud operating system (2014~)


OPENSTACK NETWORKING


Introduction to networking

• Basic networking
  – Ethernet
  – VLANs
  – Subnets and ARP
  – DHCP
  – IP
  – TCP/UDP/ICMP

* http://docs.openstack.org/networking-guide/intro_basic_networking.html

Introduction to networking

• Network components
  – Switches
  – Routers
  – Firewalls
  – Load balancers

• Tunnel technologies
  – Generic routing encapsulation (GRE)
  – Virtual extensible local area network (VXLAN)

* http://docs.openstack.org/networking-guide/intro_networking_components.html

Introduction to networking

• Network namespaces
  – Virtual routing and forwarding (VRF)
  – Linux network namespaces

• Network address translation
  – SNAT
  – DNAT
  – One-to-one NAT

* http://docs.openstack.org/networking-guide/intro_network_namespaces.html
* http://docs.openstack.org/networking-guide/intro_network_address_translation.html

OpenStack networking concepts

• Networks and subnets that can be created and configured in a variety of network topologies

• Other OpenStack services (e.g., Compute) can issue commands to it
  – They can attach virtual devices to the network

• Each tenant can have multiple private networks

• Each tenant can choose its own IP addressing scheme
  – It may overlap with IP addresses in use by other tenants

• There are two types of networks
  – Tenant networks
  – Provider networks

Tenant & Provider networks

• Tenant network
  – Created by regular users
  – Uses the network isolation and overlay technologies supported by Neutron

• Provider network
  – Created by users with administrator privileges
  – Mapped to the existing physical network in the data center

Tenant networks

• Fully isolated by default, not shared with other projects
  – Flat
    • All instances reside on the same network
    • No VLAN tagging or other network segregation
  – VLAN
    • VLAN IDs that correspond to VLANs present in the physical network
    • They can communicate on the same Layer 2 VLAN
  – GRE and VXLAN
    • Encapsulation protocols
    • Overlay networks to activate and control communication

Provider networks

• Subnets
  – A block of IP addresses and associated configuration state
  – Allocates an IP address when a new port is allocated on the network

• Ports
  – Connection point for a single device
  – The NIC of a virtual server on a virtual network
  – MAC and IP addresses

• Routers
  – A logical component that forwards data packets between networks
  – L3 and NAT forwarding to provide external network access for VMs on tenant networks

• Security groups
  – A virtual firewall for Compute instances that controls inbound and outbound traffic

Overview and components

• OpenStack Networking service, code-named Neutron

• Components
  – API server (neutron-server)
  – OpenStack Networking plug-in and agents
  – Messaging queue

WHAT IS NEUTRON?

What is Neutron?

• An OpenStack project to provide “networking as a service”
  – Between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., Nova)
  – Core component starting in the Folsom release

Abstractions

* OpenStack Summit 2015 Vancouver – Virtual Networking in OpenStack: Neutron 101
* OpenStack Summit 2014 Paris – Inside the Architecture of Neutron

Basic Deployment

(Diagram: neutron-server backed by a Database and a Message Queue, with L2, L3 and DHCP agents distributed over several nodes)

* OpenStack Summit 2014 Paris – Inside the Architecture of Neutron

Neutron components

(Diagram: API Server (neutron-server), Message Queue (AMQP, Qpid), Plug-in (ML2))

Neutron components

• API server (neutron-server)
  – Supports Layer 2 networking and IP address management (IPAM)
  – Extension for a Layer 3 router
    • Routing between Layer 2 networks and the gateway that connects to external networks

Neutron components

• OpenStack Networking plug-in and agents
  – Plug and unplug ports
  – Create networks or subnets
  – Provide IP addressing
  – L3, DHCP, plug-in

• Messaging queue
  – Accepts and routes RPC requests
  – Used by the ML2 plug-in for RPC between the Neutron server and the Neutron agents running on each hypervisor

Neutron agents

• neutron-metadata-agent
  – Proxies metadata requests from instances, even in isolated networks, to nova-api
  – Metadata that the tenant provides at boot time
    • IP, hostname, ssh public key, …

• L2 agent
  – Agent which talks with the Layer 2 plugin, e.g. OVS (Open vSwitch) or LB (Linux Bridge)

• L3 agent
  – Layer 3 agent mainly responsible for routing and NAT (used for floating IP <-> private IP conversions)

• DHCP agent
  – Provides an IP address to an instance that requests one

L2 Agent

• Runs on the compute node
• Configures the local vbridges (br-int, br-tun)
• Communicates with the server via RPC
• Watches and notifies when devices are added/removed
• Wires new devices
  – Proper network segment
  – Security Group rules

L3 Agent

• Runs on the Network node
• Uses namespaces
• Metadata Agent
• Layer 3 forwarding
• Floating IP

Neutron on each node

(Diagram)
• Controller Node: Neutron Server, QPID
• Network Node: neutron-openvswitch-agent, neutron-dhcp-agent, neutron-l3-agent, neutron-metadata-agent
• Compute Node: neutron-openvswitch-agent
• Networks: Management Network, Data Network, Ext. Network, API Network

Open vSwitch, VLAN Scenario

• Network diagram

Open vSwitch, VLAN Scenario (Compute host - 1)

• Configuration
  – physnet1: public network
  – physnet2: data network
• ovs_neutron_plugin.ini

Open vSwitch, VLAN Scenario (Compute host - 2)

• Compute host config

Open vSwitch, VLAN Scenario (Compute host - 3)

• Compute host config

• Create the shared router
• Define the public network
• Create the subnet
• Set the default gateway

• Create the private network net01
• Create the subnet
• Connect it to the router01 router
• Configure VLAN ID 101 on the physical switch

• Create the private network net02
• Create the subnet
• Connect it to the router01 router
• Configure VLAN ID 102 on the physical switch

Open vSwitch, VLAN Scenario (Compute host - 4)

• Types of network devices
  – TAP device (vnet0)
    • Hypervisors implement a virtual network interface card (VIF or vNIC)
  – veth (qvbXXX, qvoXXX)
    • A pair of directly connected virtual network interfaces
  – Linux bridge
    • A simple MAC learning switch
    • Multiple network interface devices

Open vSwitch, VLAN Scenario (Compute host - 5)

• Types of network devices
  – Open vSwitch
    • Virtual switch
    • Network interface devices connect to Open vSwitch bridge’s ports
    • The ports can be configured like a physical switch’s ports
    • VLAN configurations

Open vSwitch, VLAN Scenario (Compute host - 6)

• Integration bridge (br-int)
  – All guests running on the compute host connect to this bridge
  – Networking implements isolation

• Physical connectivity bridge br-eth1
  – Provides connectivity to the physical NIC eth1
  – It connects to the integration bridge by a veth pair: int-br-eth1, phy-br-eth1

Open vSwitch, VLAN Scenario (Compute host - 7)

• VLAN translation
  – net01 and net02: VLAN ids of 1 & 2 on the host (translated to/from the physical VLAN ids)
  – The Open vSwitch agent configures flow rules on br-int and br-eth1 to do VLAN translation

• Security groups
  – iptables & Linux bridge
  – vnet0: OpenStack uses iptables rules on the TAP devices
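As an added example (not from the original slides), a Python check over constructed `ovs-ofctl dump-flows` output for br-int and br-eth1: it verifies that the two bridges' VLAN rewrites are exact inverses of each other and that each trunk port carries a catch-all drop, so a frame whose tag is not translated is never forwarded into another tenant's VLAN. The flow text, port numbers and VLAN ids are assumed sample values in the form the OVS agent installs for this scenario.

```python
import re

# Constructed sample of `ovs-ofctl dump-flows br-int` on a compute host in the
# OVS VLAN scenario: frames from the trunk (in_port=1, int-br-eth1) tagged with
# physical VLAN 101/102 are rewritten to the host-local VLAN ids 1/2.
BR_INT_FLOWS = """\
 cookie=0x0, duration=2051.2s, table=0, n_packets=12, n_bytes=1008, priority=3,in_port=1,dl_vlan=101 actions=mod_vlan_vid:1,NORMAL
 cookie=0x0, duration=2051.1s, table=0, n_packets=9, n_bytes=756, priority=3,in_port=1,dl_vlan=102 actions=mod_vlan_vid:2,NORMAL
 cookie=0x0, duration=2051.3s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=1 actions=drop
 cookie=0x0, duration=2051.4s, table=0, n_packets=340, n_bytes=28560, priority=1 actions=NORMAL
"""
# Constructed `ovs-ofctl dump-flows br-eth1`: frames leaving through the veth
# end phy-br-eth1 (in_port=2) get their physical VLAN id restored.
BR_ETH1_FLOWS = """\
 cookie=0x0, duration=2051.2s, table=0, n_packets=11, n_bytes=924, priority=4,in_port=2,dl_vlan=1 actions=mod_vlan_vid:101,NORMAL
 cookie=0x0, duration=2051.1s, table=0, n_packets=8, n_bytes=672, priority=4,in_port=2,dl_vlan=2 actions=mod_vlan_vid:102,NORMAL
 cookie=0x0, duration=2051.3s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=2 actions=drop
 cookie=0x0, duration=2051.4s, table=0, n_packets=301, n_bytes=25284, priority=1 actions=NORMAL
"""

TRANSLATE_RE = re.compile(r"in_port=(\d+),dl_vlan=(\d+) actions=mod_vlan_vid:(\d+)")
DROP_RE = re.compile(r"in_port=(\d+) actions=drop")

def parse_flows(dump):
    """Return ({in_vlan: out_vlan}, {trunk in_ports}, {in_ports with a drop})."""
    vlan_map, trunk_ports = {}, set()
    for port, vid_in, vid_out in TRANSLATE_RE.findall(dump):
        vlan_map[int(vid_in)] = int(vid_out)
        trunk_ports.add(int(port))
    drop_ports = {int(p) for p in DROP_RE.findall(dump)}
    return vlan_map, trunk_ports, drop_ports

def check_vlan_translation(br_int_dump, br_eth1_dump):
    """List findings; an empty list means the two bridges translate consistently."""
    phys_to_local, int_trunk, int_drop = parse_flows(br_int_dump)
    local_to_phys, eth1_trunk, eth1_drop = parse_flows(br_eth1_dump)
    findings = []
    for phys, local in phys_to_local.items():      # br-int inbound vs br-eth1 outbound
        if local_to_phys.get(local) != phys:
            findings.append(f"br-int {phys}->{local} but br-eth1 {local}->{local_to_phys.get(local)}")
    for local, phys in local_to_phys.items():
        if phys_to_local.get(phys) != local:
            findings.append(f"br-eth1 {local}->{phys} has no matching br-int flow")
    if len(set(phys_to_local.values())) != len(phys_to_local):
        findings.append("two physical VLANs share one local VLAN on br-int")
    for name, trunk, drop in (("br-int", int_trunk, int_drop), ("br-eth1", eth1_trunk, eth1_drop)):
        for port in trunk - drop:                    # untranslated tags must not be forwarded
            findings.append(f"{name}: no catch-all drop for trunk in_port={port}")
    return findings
```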

Open vSwitch, VLAN Scenario (Network host - 1)

• Network host config
  – eth0: external network
  – eth1: data network
  – ovs_neutron_plugin.ini

Open vSwitch, VLAN Scenario (Network host - 2)

Open vSwitch, VLAN Scenario (Network host - 3)

• Open vSwitch internal ports
  – Open vSwitch: internal port
  – Assigned one or more IP addresses
  – Internal ports: tapXXX, qr-YYY, qr-ZZZ, and tapWWW
    • Each internal port has a separate IP address

• DHCP agent
  – Uses a process called dnsmasq

Open vSwitch, VLAN Scenario (Network host - 4)

• L3 agent (routing)
  – Uses Open vSwitch internal ports
  – Routes packets across the interfaces
  – Uses iptables to implement floating IPs (NAT, network address translation)

Open vSwitch, VLAN Scenario (Network host - 4)

• Overlapping subnets and network namespaces

Open vSwitch, VLAN Scenario (Network host - 5)

• Overlapping subnets and network namespaces
  – What if users are allowed to create their own logical networks and subnets?

Open vSwitch, VLAN Scenario (Network host - 6)

• Linux network namespace
  – An isolated environment with its own networking stack
  – Its own network interfaces, routes, and iptables rules
  – Prevents collisions
    • Between physical networks on the network host <-> logical networks used by the virtual machines
    • Across different logical networks

Open vSwitch, VLAN Scenario (Network host - 7)

• Linux network namespaces
  – qdhcp-AAA
    • Contains tapXXX
    • The dnsmasq process that listens on it
  – qrouter-BBBB
    • Contains qr-YYY, qr-ZZZ, and qg-VVV
    • The corresponding routes
  – qdhcp-CCC
    • Contains tapWWW
    • The dnsmasq process that listens on it
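As an added example (not from the original slides), a Python check over constructed `ip -o -4 addr show` output for the qrouter and qdhcp namespaces above: the same 10.0.0.0/24 subnet appearing in different namespaces is reported as harmless reuse, while overlapping subnets inside a single namespace are reported as a conflict, since one routing table cannot separate them. Namespace names follow the slide; interface names and addresses are assumed sample values.

```python
import ipaddress
import re

# Constructed `ip netns exec <ns> ip -o -4 addr show` output for the namespaces
# on a network host. Two tenants both chose 10.0.0.0/24; this only works because
# each tenant's router and DHCP server live in their own namespace.
NS_ADDRS = {
    "qrouter-BBBB": (
        "12: qr-YYY    inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-YYY\\       valid_lft forever preferred_lft forever\n"
        "13: qr-ZZZ    inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-ZZZ\\       valid_lft forever preferred_lft forever\n"
        "14: qg-VVV    inet 203.0.113.10/24 brd 203.0.113.255 scope global qg-VVV\\       valid_lft forever preferred_lft forever\n"
    ),
    "qrouter-DDDD": (
        "15: qr-EEE    inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-EEE\\       valid_lft forever preferred_lft forever\n"
    ),
    "qdhcp-AAA": "16: tapXXX    inet 10.0.0.2/24 brd 10.0.0.255 scope global tapXXX\\       valid_lft forever preferred_lft forever\n",
    "qdhcp-CCC": "17: tapWWW    inet 10.0.0.2/24 brd 10.0.0.255 scope global tapWWW\\       valid_lft forever preferred_lft forever\n",
}
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", re.M)

def interfaces(addr_output):
    """Yield (interface, IPv4Network) pairs from `ip -o -4 addr` output."""
    for m in ADDR_RE.finditer(addr_output):
        yield m.group(1), ipaddress.ip_interface(m.group(2)).network

def check_namespaces(ns_addrs):
    """Return (conflicts, shared): subnets that overlap inside one namespace,
    and subnets that recur across namespaces (harmless, kept apart by the kernel)."""
    conflicts, seen = [], {}
    for ns, out in ns_addrs.items():
        ifaces = list(interfaces(out))
        for i, (if_a, net_a) in enumerate(ifaces):        # pairwise overlap within the namespace
            for if_b, net_b in ifaces[i + 1:]:
                if net_a.overlaps(net_b):
                    conflicts.append((ns, if_a, if_b))
        for _, net in ifaces:
            seen.setdefault(net, set()).add(ns)
    shared = {str(n): sorted(v) for n, v in seen.items() if len(v) > 1}
    return conflicts, shared
```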

Kairos OpenStack Project

Kairos Service

Kairos Network

Reference

• OpenStack Summit
  – Virtual Networking in OpenStack: Neutron 101 - 2015
  – Neutron L2 and L3 agents: How they work and how Kilo improves them - 2015
  – Inside the Architecture of Neutron - 2014

• OpenStack Documentation
  – OpenStack Installation Guide (Kilo)
  – OpenStack Networking Guide
  – OpenStack Cloud Administrator Guide
  – http://docs.openstack.org/developer/neutron/devref/services_and_agents.html

• OpenStack Korea User Community
  – http://www.slideshare.net/jonghoseo12/150114-open-stack-korea-session2

• Blog
  – http://youngmind.tistory.com/

• Wiki
  – https://wiki.openstack.org/wiki/Neutron

Question?

[email protected] 신승찬
