作者:张华 发表于:2014-01-16
版权声明:可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明
( http://blog.csdn.net/quqi99 )
OpenvSwitch OVN在本月(2015年1月)发布,它将tenant的概念引入openvswitch正式将手伸向neutron的地盘提供对L2/L3/L4网络虚拟化的支持. 看样子,neutron及openstack最好的归宿就是将精力集中在微内核,提供北向API,建立生态,外围的像这,像Service Framework都交给第三方去做。这样, ovs实现了一个和neutron几乎完全类似的控制平面ovn, neutron回归到只提供北向API, ovn作为ovs的控制平面给ovs提供原生的虚拟网络支持, 大大提高了OVS在实际应用环境中的性能和规模解决了neutron中rpc与namespace带来的性能问题. 其主要功能包括:
- L2/L3虚拟网络以及逻辑交换机(logical switch)
- L2/L3/L4 ACL
- IPv4/IPv6分布式L3路由
- ARP and IPv6 Neighbor Discovery suppression for known IP-MAC bindings
- Native support for NAT and load balancing using OVS connection tracking
- Native fully distributed support for DHCP
- Works with any OVS datapath (such as the default Linux kernel datapath, DPDK, or Hyper-V) that supports all required features (namely Geneve tunnels and OVS connection tracking)
- Supports L3 gateways from logical to physical networks
- Supports software-based L2 gateways
- Supports TOR (Top of Rack) based L2 gateways that implement the hardware_vtep schema
- Can provide networking for both VMs and containers running inside of those VMs, without a second layer of overlay networking
其架构如下:
OVN Database
|
|
(OVSDB Protocol)
|
+-------------------------------------------------------------------+
| | |
| | |
| ovn-controller |
| | | |
| | | |
| +--------------+ +--------------+ |
| | | |
| | | |
| (OVSDB Protocol) (OpenFlow) |
| | | |
| | | |
| ovsdb-server ovs-vswitchd |
| |
+---------------------------- Hypervisor ---------------------------+
至此,通过与neutron对比,它是做什么的,其原理我们就都清楚了。我们再着重看看它的数据库设计, 如下图:
1, PN, 相当于neutron中的provider network, ok,理解了。This contains all the information necessary to wire the
overlay, such as IP addresses, supported tunnel types, and security keys.
2, LN, 相当于neutron中的tenant network, 所有虚拟网络相关的东西,如logical switches and routers, ACLs, firewall rules
3, Bindings, 相当于neutron中的port binding,用于它和外界交换数据。
4, 数据库的选型
5, 云管理系统,写一个neutron plugin利用openstack来管理。
+----------------------------------------+
| Cloud Management System |
+----------------------------------------+
| |
| |
+------------------+ +------------------+ +------------------+
| Physical Network | | Logical Network | | Bindings |
| (PN) | | (LN) | | |
+------------------+ +------------------+ +------------------+
| | | | | |
| | | | | |
+----------+---------+----------------------+ |
| | | |
+-------|------------+----------+-----------+
| |
+----------------+ +----------------+
| | | |
| Hypervisor 1 | | Hypervisor 2 |
| | | |
+----------------+ +----------------+
再看一张图:
- Northbound DB: 管逻辑概念 ( logical switch,logical router,ACL,logical port )
- Southbound DB:管物理概念,如物理网络需要的概念overlay network, tunnels, encapsulation; 如openflow datapath部分; 如binding部分;
- CMS-OpenStack: 用于翻译OpenStack的数据模型到OVS的数据模型(networks/ports/security groups into logical switches/logical ports/ACL's)
- ovn-northd: 双向翻译Southbound DB数据模型与Southbound DB数据模型
- ovn-controller: 类似于 neutron 里面的 ovs-agent,它也是运行在每个 hypervisor上面,北向,ovn-controller 会把物理网络的信息写到 Southbound DB 里面,南向,它会把 Southbound DB 里面存的一些数据转化成 Openflow flow 配到本地的 OVS table 里面,来实现报文的转发。
- ovs-vswitchd 和 ovsdb-server是OVS的两个进程。
- ovn Chassis, Chassis是OVN新增的概念,OVS里面没有这个概念,Chassis可以是 HV,也可以是VTEP网关。
OVN与OpenStack集成的拓扑图如下:
- neutron networking-ovn plugin, 不再使用rpc, 改为ovsdb协议代替. Plugin使用ovsdb协议来把用户的配置写在Northbound DB里面,ovn-northd监听到Northbound DB配置发生改变,然后把配置翻译到Southbound DB里面,ovn-controller注意到 Southbound DB数据的变化,然后更新本地的流表。
- ovn相当于neutron ovs-agent实现了openflow的三层化, OVN里面报文的处理都是通过OVS OpenFlow 流表来实现的,而在Neutron 里面二层报文处理是通过 OVS OpenFlow 流表来实现,三层报文处理是通过 Linux TCP/IP协议栈来实现,用OpenFlow表来实现路由查找,ARP查找,TTL和MAC地址的更改。OVN的路由也是分布式的,路由器在每个计算节点上都有实例,和DVR一样。有了OVN之后,不需要neutron l3 agent了. 一个问题: ovn除了实现了中心化的SNAT与DNAT,还支持在计算节点上做SNAT与DNAT吗?
OVN在OVS交换的基础上增加轻量的本地的分布式的控制平面。OVN类似于Midonet和DragonFlow (见: https://blog.csdn.net/quqi99/article/details/46715195 )。通过分布式数据库OVSDB来同步数据,从而消除大量的RPC调用, 关于OVSDB的介绍可参见:[1],[2],[3], 现在一个节点上一个ovsdb-server实例同时管Northbound and Southbound (sudo ovsdb-client dump OVN_Southbound)。可以采用插件来支持不同的分布式数据库,如OVSDB, etcd, cassandra, ramcloud, rdis, rethinkdb等。分布式数据库应该支持:事务、本地缓存、db references between tables,发布/订阅机制,一致性\锁等
- binding表: _uuid, chassis, logical_datapath, logical_port, mac, parent_port, tag, tunnel_key
- pipline表:代码逻辑流, 每个chassis节点上的ovn-controller负责转换逻辑流到openflow流
OVN二层流表的具体实现可参见[4]
一个SDN产品应该具备[8]:
- 可以通过Policy控制下面的网络拓扑。例如:在opencontrail中通过控制路由控制流量从网关接口流向隧道接口。
- 节点具备三层功能(类似neutron dvr),这样要求隧道有microsegment的能力(类似vlan)来识别不能tenant的流量,从而去掉namespace和veth设备。ovn默认使用Geneve作为隧道协议。
OVN安装
git clone http://github.com/openvswitch/ovs.git
cd ovs & git checkout -b ovn origin/ovn
./boot.sh && ./configure && make
make sandbox SANDBOXFLAGS="--ovn" # sandbox方便测试
OVN有用命令
$ ovn-nbctl show
lswitch f8e8c67c-ce4a-4f23-a01b-0eb31b4ab3e2 (neutron-7e78ba86-2114-47ac-8194-201936e3820a)
lport a5b967d4-296e-44dc-98b9-7336d0224e57
macs: fa:16:3e:8c:d0:a8
$ ovsdb-client dump OVN_Southbound
$ sudo ovs-ofctl -O OpenFlow13 dump-flows br-int
sudo ovn-nbctl lswitch-add sw0
sudo ovn-nbctl lport-add sw0 sw0-port1
sudo ovn-nbctl lport-set-macs sw0-port1 00:00:00:00:00:01
sudo ip tuntap add name tap0 mode tap
sudo ovs-vsctl add-port br-int tap0 -- set Interface tap0 external-ids:iface-id=sw0-port1
sudo ovs-vsctl show
sudo ovn-nbctl show
sudo ovn-nbctl lswitch-list
sudo ovn-nbctl lport-list sw0
sudo ovn-nbctl lport-add sw0 sw0-port2
sudo ovn-nbctl lport-set-macs sw0-port2 00:00:00:00:00:02
sudo ip tuntap add name tap2 mode tap
sudo ovs-vsctl add-port br-int tap2 -- set Interface tap2 external-ids:iface-id=sw0-port2
# Trace OpenFlow flows for a packet from port 1 to 2
sudo ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 -generate
sudo ovs-vsctl add-port br-int geneve1 -- set interface geneve1 type=geneve options:remote_ip=192.168.203.151
devstack运行OVN以neutron ovn插件[5][6]
1, git clone http://git.openstack.org/openstack/networking-ovn.git
里面的devstack/local.conf.sample有我们想要的devstack的配置,我添加的是:
enable_plugin networking-ovn http://git.openstack.org/openstack/networking-ovn
enable_service ovn-northd
enable_service ovn-controller
# We have to disable the neutron L2 agent. OVN does not use the L2 agent.
disable_service q-agt
Reference
[1], http://keepingitclassless.net/2013/10/introduction-to-open-vswitch/
[2], http://networkstatic.net/getting-started-ovsdb/
[3], http://www.relaxdiego.com/2014/09/ovsdb.html
[4], http://galsagie.github.io/sdn/openstack/ovs/2015/05/30/ovn-deep-dive/
[5], http://blog.russellbryant.net/2015/05/14/an-ez-bake-ovn-for-openstack/
[6], http://blog.russellbryant.net/2015/04/08/ovn-and-openstack-integration-development-update/
[7], http://openvswitch.org/pipermail/dev/2015-January/050380.html
[8], http://openvswitch.org/support/slides/OVN-Vancouver.pdf
[9] https://www.slideshare.net/TrinathSomanchi/ovn-basics-and-deep-dive
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
