Technology and art

Zhang Hua's technical blog

An early look at the OpenvSwitch OVN sub-project (by quqi99)

Author: Zhang Hua  Published: 2014-01-16
Copyright notice: this article may be freely reproduced; when reproducing it, you must cite the original source and author information as a hyperlink, together with this copyright notice.

( http://blog.csdn.net/quqi99 )

OpenvSwitch OVN was released this month (January 2015). It introduces the concept of a tenant into openvswitch and formally reaches into neutron's territory by providing L2/L3 network virtualization (logical switches, distributed logical L3 processing, software and hardware gateways, in-kernel security groups, L2/L3/L4 ACLs, and tunnel-based overlays [VXLAN, NVGRE, Geneve, STT, IPsec]). It looks as though the best outcome for neutron and OpenStack is to concentrate on a micro-kernel: provide the northbound API, build the ecosystem, and leave peripheral pieces such as this one, and the service framework, to third parties.
The architecture is shown below. ovn-controller is the counterpart of neutron's L2/L3 agents: it runs on every hypervisor and talks directly to ovs-vswitchd over the OpenFlow protocol on the southbound side. The OVN database is the counterpart of the neutron DB.

                               OVN Database
                                     |
                                     |
                             (OVSDB Protocol)
                                     |
   +-------------------------------------------------------------------+
   |                                 |                                 |
   |                                 |                                 |
   |                           ovn-controller                          |
   |                              |     |                              |
   |                              |     |                              |
   |               +--------------+     +--------------+               |
   |               |                                   |               |
   |               |                                   |               |
   |       (OVSDB Protocol)                        (OpenFlow)          |
   |               |                                   |               |
   |               |                                   |               |
   |         ovsdb-server                         ovs-vswitchd         |
   |                                                                   |
   +---------------------------- Hypervisor ---------------------------+


At this point, by comparing it with neutron, we understand what OVN does and how it works. Let's look more closely at its database design, shown in the figure below:
1, PN, the counterpart of neutron's provider network. OK, understood. This contains all the information necessary to wire the
    overlay, such as IP addresses, supported tunnel types, and security keys.
2, LN, the counterpart of neutron's tenant network: everything to do with the virtual network, such as logical switches and routers, ACLs, firewall rules.
3, Bindings, the counterpart of neutron's port binding, used to exchange data between OVN and the outside world.
4, The choice of database.
5, The cloud management system: write a neutron plugin so that OpenStack can manage OVN.

     +----------------------------------------+
     |        Cloud Management System         |     
     +----------------------------------------+
              |                     |
              |                     |
     +------------------+  +------------------+  +------------------+
     | Physical Network |  |  Logical Network |  |     Bindings     |
     |       (PN)       |  |       (LN)       |  |                  |
     +------------------+  +------------------+  +------------------+
             |  |                 |  |                   |  |
             |  |                 |  |                   |  |
             +----------+---------+----------------------+  |
                |       |            |                      |
                +-------|------------+----------+-----------+
                        |                       |
                +----------------+      +----------------+  
                |                |      |                |
                |  Hypervisor 1  |      |  Hypervisor 2  |
                |                |      |                |
                +----------------+      +----------------+


Another figure:

Northbound DB: manages logical concepts.
Southbound DB: manages physical concepts, such as what the physical network needs (overlay network, tunnels, encapsulation), the OpenFlow datapath part, and the binding part.
CMS-OpenStack: translates the OpenStack data model into the OVN data model (networks/ports/security groups into logical switches/logical ports/ACLs).
ovn-northd: translates bidirectionally between the Northbound DB data model and the Southbound DB data model.
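To make the CMS translation step concrete, here is an added example (not code from this post or from networking-ovn) that turns a minimal neutron-style set of networks and ports into the ovn-nbctl commands used later on this page (lswitch-add, lport-add, lport-set-macs). The naming follows the `ovn-nbctl show` output shown below: the logical switch is named `neutron-<network uuid>` and the logical port is named after the neutron port uuid. The input model is constructed; the first network, port and MAC reuse the values visible in that output, the second port is made up. Security-group to ACL translation is left out because the page shows no ACL command.

```python
"""Added example, not code from the original post or from networking-ovn:
a minimal CMS-side translation of neutron networks/ports into the
ovn-nbctl commands used on this page. Constructed sample data only."""
import re
import shlex
import subprocess
from typing import List

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample input shaped like neutron API objects. The network,
# first port and its MAC are the values shown in the page's ovn-nbctl
# output; the second port is invented for this example.
NETWORKS = [{"id": "7e78ba86-2114-47ac-8194-201936e3820a", "name": "tenant-net"}]
PORTS = [
    {"id": "a5b967d4-296e-44dc-98b9-7336d0224e57",
     "network_id": "7e78ba86-2114-47ac-8194-201936e3820a",
     "mac_address": "fa:16:3e:8c:d0:a8"},
    {"id": "0b1c2d3e-4f50-4617-8293-a4b5c6d7e8f9",
     "network_id": "7e78ba86-2114-47ac-8194-201936e3820a",
     "mac_address": "FA:16:3E:00:00:02"},
]


def lswitch_name(network_id: str) -> str:
    """Derive the logical switch name from the neutron network uuid.
    Only the uuid is used, never the tenant-chosen display name, so
    tenant-controlled text never reaches the ovn-nbctl argument list."""
    if not UUID_RE.match(network_id):
        raise ValueError("bad network id: %r" % network_id)
    return "neutron-" + network_id


def translate(networks: List[dict], ports: List[dict]) -> List[List[str]]:
    """Return ovn-nbctl invocations as argv lists, one list per command.
    Every field is validated against a strict pattern before it is used."""
    cmds: List[List[str]] = []
    known = set()
    for net in networks:
        cmds.append(["ovn-nbctl", "lswitch-add", lswitch_name(net["id"])])
        known.add(net["id"])
    for port in ports:
        if port["network_id"] not in known:
            raise ValueError("port %s references an unknown network" % port["id"])
        if not UUID_RE.match(port["id"]):
            raise ValueError("bad port id: %r" % port["id"])
        mac = port["mac_address"].lower()
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC %r on port %s" % (mac, port["id"]))
        sw = lswitch_name(port["network_id"])
        cmds.append(["ovn-nbctl", "lport-add", sw, port["id"]])
        cmds.append(["ovn-nbctl", "lport-set-macs", port["id"], mac])
    return cmds


def run(cmds: List[List[str]], dry_run: bool = True) -> List[str]:
    """Render the commands (and execute them when dry_run is False).
    subprocess.run gets an argv list and no shell, so nothing is re-parsed
    by sh; the rendered strings are for display only."""
    rendered = [" ".join(shlex.quote(a) for a in c) for c in cmds]
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return rendered


if __name__ == "__main__":
    for line in run(translate(NETWORKS, PORTS)):
        print(line)
```

Run it as-is to see the command sequence; pass `dry_run=False` on a host with OVN installed to apply it. Building argv lists rather than command strings is the point of the `run` helper: the plugin sits between tenant-supplied API input and a privileged CLI, so nothing it passes along should be interpreted by a shell.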


The topology of OVN integrated with OpenStack is shown below:

OVN currently supports two modes of container networking:

1, Peer containers, treated like peer VMs: in neutron terms a port plugged into a network, which in OVN terms is a logical port plugged into a logical switch; neutron returns the container's IP->MAC.
2, Containers are less isolated than VMs, so in practice many are created inside VMs. OVN supports this special networking mode of deploying containers inside a VM. See: https://review.openstack.org/#/c/176491/3/doc/source/containers.rst


OVN adds a lightweight, local, distributed control plane on top of OVS switching. OVN is similar to Midonet and to the future DragonFlow.
Data is synchronized through the distributed database OVSDB, which eliminates a large number of RPC calls; for an introduction to OVSDB see [1], [2], [3]. At present a single ovsdb-server instance on one node manages both Northbound and Southbound (sudo ovsdb-client dump OVN_Southbound). Plugins can be used to support different distributed databases, such as OVSDB, etcd, cassandra, ramcloud, redis, rethinkdb. A distributed database should support: transactions, a local cache, db references between tables, a publish/subscribe mechanism, consistency/locking.
Binding table: _uuid, chassis, logical_datapath, logical_port, mac, parent_port, tag, tunnel_key
Pipeline table: logical flows; the ovn-controller on each chassis node is responsible for translating logical flows into OpenFlow flows.
For the concrete implementation of OVN's L2 flow tables see [4].

An SDN product should have the following [8]:
1, The ability to control the underlying network topology through policy. For example, in opencontrail traffic is steered from the gateway interface to the tunnel interface by controlling routes.
2, L3 capability on the nodes (similar to neutron DVR). This requires the tunnel to have micro-segmentation capability (similar to VLAN) in order to distinguish the traffic of different tenants, which removes the need for namespaces and veth devices. OVN uses Geneve as its tunnel protocol by default.

Installing OVN:
git clone http://github.com/openvswitch/ovs.git
cd ovs && git checkout -b ovn origin/ovn
./boot.sh && ./configure && make
make sandbox SANDBOXFLAGS="--ovn" # the sandbox is convenient for testing

Useful OVN commands:
$ ovn-nbctl show
    lswitch f8e8c67c-ce4a-4f23-a01b-0eb31b4ab3e2 (neutron-7e78ba86-2114-47ac-8194-201936e3820a)
        lport a5b967d4-296e-44dc-98b9-7336d0224e57
            macs: fa:16:3e:8c:d0:a8
$ ovsdb-client dump OVN_Southbound
$ sudo ovs-ofctl -O OpenFlow13 dump-flows br-int
sudo ovn-nbctl lswitch-add sw0
sudo ovn-nbctl lport-add sw0 sw0-port1
sudo ovn-nbctl lport-set-macs sw0-port1 00:00:00:00:00:01
sudo ip tuntap add name tap0 mode tap
sudo ovs-vsctl add-port br-int tap0 -- set Interface tap0 external-ids:iface-id=sw0-port1
sudo ovs-vsctl show
sudo ovn-nbctl show
sudo ovn-nbctl lswitch-list
sudo ovn-nbctl lport-list sw0
sudo ovn-nbctl lport-add sw0 sw0-port2
sudo ovn-nbctl lport-set-macs sw0-port2 00:00:00:00:00:02
sudo ip tuntap add name tap2 mode tap
sudo ovs-vsctl add-port br-int tap2 -- set Interface tap2 external-ids:iface-id=sw0-port2
# Trace OpenFlow flows for a packet from port 1 to 2
sudo ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 -generate
sudo ovs-vsctl add-port br-int geneve1 -- set interface geneve1 type=geneve options:remote_ip=192.168.203.151
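The command sequence above wires taps to logical ports by hand, and the only link between the two sides is the `external-ids:iface-id` string. Here is an added example (not code from this post) that parses the `ovn-nbctl show` output format shown above (lswitch / lport / macs lines) and audits a list of tap bindings against it: a tap whose iface-id matches no logical port is never bound by ovn-controller, and a guest MAC missing from the lport's `macs` is not one the logical switch delivers to that port. The sample `ovn-nbctl show` text and the tap list are constructed; the lswitch uuid is made up.

```python
"""Added example, not code from the original post: parse the
'ovn-nbctl show' output format used on this page and audit the
external-ids:iface-id bindings created with 'ovs-vsctl add-port'.
All sample data is constructed."""
from typing import Dict, List, Tuple

# Constructed sample in the page's format: the two-port sw0 built above.
NBCTL_SHOW = """\
    lswitch 2f3d1a00-0000-4000-8000-000000000001 (sw0)
        lport sw0-port1
            macs: 00:00:00:00:00:01
        lport sw0-port2
            macs: 00:00:00:00:00:02
"""

# Constructed: (ovs port, external-ids:iface-id, MAC used by the guest
# behind the tap). tap2 was wired with a typo in its iface-id, tap3 points
# at an existing lport but the guest uses a different MAC.
TAP_BINDINGS = [
    ("tap0", "sw0-port1", "00:00:00:00:00:01"),
    ("tap2", "sw0-port02", "00:00:00:00:00:02"),
    ("tap3", "sw0-port2", "00:00:00:00:00:99"),
]


def parse_nbctl_show(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map logical port name -> (logical switch name, [macs]).
    Indentation is ignored; the first token of each line decides its kind."""
    ports: Dict[str, Tuple[str, List[str]]] = {}
    switch = None
    port = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "lswitch":
            # "lswitch <uuid> (<name>)": prefer the name, fall back to the uuid
            switch = parts[2].strip("()") if len(parts) > 2 else parts[1]
            port = None
        elif parts[0] == "lport" and switch is not None:
            port = parts[1]
            ports[port] = (switch, [])
        elif parts[0] == "macs:" and port is not None:
            ports[port][1].extend(m.lower() for m in parts[1:])
    return ports


def audit_bindings(show_text: str,
                   taps: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return one (tap, finding, detail) tuple per tap that will not carry
    the traffic its owner expects: 'unbound' when the iface-id matches no
    logical port, 'mac-mismatch' when the guest MAC is not in the lport's
    macs list."""
    ports = parse_nbctl_show(show_text)
    findings = []
    for tap, iface_id, guest_mac in taps:
        if iface_id not in ports:
            findings.append((tap, "unbound", iface_id))
        elif guest_mac.lower() not in ports[iface_id][1]:
            findings.append((tap, "mac-mismatch", guest_mac))
    return findings


if __name__ == "__main__":
    for tap, finding, detail in audit_bindings(NBCTL_SHOW, TAP_BINDINGS):
        print("%s: %s (%s)" % (tap, finding, detail))
```

On a real host the tap list would be read from `ovs-vsctl` and the first argument from `sudo ovn-nbctl show`; the audit is worth running after every manual wiring step, since a silently unbound port looks identical to a healthy one in `ovs-vsctl show` until traffic is traced with ofproto/trace.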

Running OVN under devstack with the neutron ovn plugin [5][6]:
1, git clone http://git.openstack.org/openstack/networking-ovn.git
   Its devstack/local.conf.sample contains the devstack configuration we want; what I added is:
enable_plugin networking-ovn http://git.openstack.org/openstack/networking-ovn
enable_service ovn-northd
enable_service ovn-controller
# We have to disable the neutron L2 agent. OVN does not use the L2 agent.
disable_service q-agt


At present OVN does not yet have L3 functionality (http://openvswitch.org/pipermail/dev/2015-July/057242.html ), so neutron's l3-agent still has to be used.



[1], http://keepingitclassless.net/2013/10/introduction-to-open-vswitch/
[2], http://networkstatic.net/getting-started-ovsdb/
[3], http://www.relaxdiego.com/2014/09/ovsdb.html
[4], http://galsagie.github.io/sdn/openstack/ovs/2015/05/30/ovn-deep-dive/
[5], http://blog.russellbryant.net/2015/05/14/an-ez-bake-ovn-for-openstack/
[6], http://blog.russellbryant.net/2015/04/08/ovn-and-openstack-integration-development-update/
[7], http://openvswitch.org/pipermail/dev/2015-January/050380.html
[8], http://openvswitch.org/support/slides/OVN-Vancouver.pdf

Copyright notice: this article is the blogger's original work; if you reproduce it, please cite the source! https://blog.csdn.net/quqi99/article/details/42773417