Neutron network traffic flow (non-distributed routing)

Environment:
L2 agent: openvswitch
Routing: non-DVR (distributed virtual router) mode

1. VM to VM

A: 192.168.0.4
B: 192.168.0.3
computeA: host of VM A
computeB: host of VM B
A pings B

The target host's MAC address is resolved with ARP.

tap852eac19-fe: VM A's virtual NIC (tap device)
tapf88c6b30-dc: VM B's virtual NIC (tap device)

[root@compute2 ~]# tcpdump  -i tap852eac19-fe -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap852eac19-fe, link-type EN10MB (Ethernet), capture size 262144 bytes
23:38:00.954276 ARP, Request who-has 192.0.2.3 tell 192.0.2.4, length 28
23:38:00.957103 ARP, Reply 192.0.2.3 is-at fa:16:3e:9b:3e:da, length 28

Note: the ARP request is seen on tap852eac19-fe (A):
23:51:19.260778 ARP, Request who-has 192.0.2.3 tell 192.0.2.4, length 28

[root@compute1 yum.repos.d]# tcpdump  -i tapf88c6b30-dc -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tapf88c6b30-dc, link-type EN10MB (Ethernet), capture size 262144 bytes
23:51:19.260778 ARP, Request who-has 192.0.2.3 tell 192.0.2.4, length 28
23:51:19.261317 ARP, Reply 192.0.2.3 is-at fa:16:3e:9b:3e:da, length 28
23:51:19.264230 IP 192.0.2.4 > 192.0.2.3: ICMP echo request, id 43265, seq 0, length 64
23:51:19.264533 IP 192.0.2.3 > 192.0.2.4: ICMP echo reply, id 43265, seq 0, length 64

Note: the ARP request from A is seen on tapf88c6b30-dc (B):
23:51:19.260778 ARP, Request who-has 192.0.2.3 tell 192.0.2.4, length 28
B replies to A's ARP request:
23:51:19.261317 ARP, Reply 192.0.2.3 is-at fa:16:3e:9b:3e:da, length 28

Through the openvswitch br-int flow tables

[root@compute2 ~]# ovs-ofctl dump-flows br-int|more
NXST_FLOW reply (xid=0x4):
 cookie=0x97845993900e0631, duration=250447.688s, table=0, n_packets=521, n_bytes=50145, idle_age=5465, hard_age=65534, priority=0 actions=resubmit(,60)

Resubmitted to table 60

 cookie=0x97845993900e0631, duration=248740.548s, table=60, n_packets=265, n_bytes=23864, idle_age=5653, hard_age=65534, priority=100,in_port=2 actions=load:0x2->NXM_NX_REG5[],load:0x1->NXM_NX_REG6[],resubmit(,71)

tap852eac19-fe is port 2 of the switch; after matching this rule the packet is resubmitted to table 71

 cookie=0x97845993900e0631, duration=250635.284s, table=71, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=110,ct_state=+trk actions=ct_clear,resubmit(,71)

If ct_state is trk, the conntrack mark is cleared (ct_clear) and the packet is resubmitted to table 71

cookie=0x97845993900e0631, duration=248740.548s, table=71, n_packets=70, n_bytes=2940, idle_age=5656, hard_age=65534, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:b2:23:f1,arp_spa=192.0.2.4 actions=resubmit(,94)
...
cookie=0x97845993900e0631, duration=250635.328s, table=71, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop

Every VM in the cloud has an assigned IP and MAC. The flow above checks that the source MAC and source IP of the ARP request sent by host A match the assigned ones (in_port, dl_src and arp_spa are all part of the match), and only then resubmits to table 94.
If the IP or MAC a VM sends does not match, the packet falls through to the priority=0 rule and is dropped, which prevents VM users from changing their IP or MAC on their own.

 cookie=0x97845993900e0631, duration=250635.274s, table=94, n_packets=263, n_bytes=23684, idle_age=5653, hard_age=65534, priority=1 actions=NORMAL

The flow above lets the packet through (NORMAL: standard MAC-learning switching)

Summary: after passing through br-int, the ARP request is only handed on to the br-tun switch if its source MAC and IP are correct
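The table 71 check above, modelled as an added example (not Neutron's or OVS's code): a minimal flow parser and priority-ordered matcher fed with the three table 71 rules from the dump, which shows the assigned binding being forwarded and a guest that changed its IP or MAC being dropped. The packet dictionaries are constructed from the values on the page.

```python
# Constructed sample: the three br-int table 71 flows shown above, trimmed to the
# match fields (priority, protocol, reg5, in_port, dl_src, arp_spa) that decide
# whether an ARP frame from VM A is forwarded or dropped.
TABLE71 = """
priority=110,ct_state=+trk actions=ct_clear,resubmit(,71)
priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:b2:23:f1,arp_spa=192.0.2.4 actions=resubmit(,94)
priority=0 actions=drop
"""

def parse_flows(text):
    """Turn 'k=v,...,flag actions=...' lines into (priority, match, actions) tuples."""
    flows = []
    for line in text.strip().splitlines():
        match_part, actions = line.split(" actions=", 1)
        match = {}
        for field in match_part.split(","):
            key, _, value = field.partition("=")
            match[key] = value if value else True   # bare 'arp' is a protocol flag
        priority = int(match.pop("priority"))
        flows.append((priority, match, actions))
    return sorted(flows, key=lambda f: f[0], reverse=True)   # OVS picks the highest priority

def lookup(flows, pkt):
    """Actions of the highest-priority flow whose every match field equals the packet's."""
    for _, match, actions in flows:
        if all(pkt.get(key) == value for key, value in match.items()):
            return actions
    return "drop"   # table miss; the page's table also carries an explicit priority=0 drop

def arp_allowed(pkt, flows=parse_flows(TABLE71)):
    """True when table 71 resubmits the ARP to table 94 (NORMAL) instead of dropping it."""
    return lookup(flows, pkt).startswith("resubmit(,94)")

# Constructed packets: VM A's legitimate ARP, and two variants a guest could produce.
LEGIT = {"arp": True, "reg5": "0x2", "in_port": "2",
         "dl_src": "fa:16:3e:b2:23:f1", "arp_spa": "192.0.2.4"}
WRONG_IP = dict(LEGIT, arp_spa="192.0.2.99")          # guest changed its IP
WRONG_MAC = dict(LEGIT, dl_src="fa:16:3e:00:00:01")   # guest changed its MAC

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("wrong ip", WRONG_IP), ("wrong mac", WRONG_MAC)]:
        print(f"{name:9s}: {'forwarded' if arp_allowed(pkt) else 'dropped'}")
```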

Through the openvswitch br-tun flow tables

[root@compute2 ~]# ovs-ofctl dump-flows br-tun
 cookie=0x32d8a2805cd98d76, duration=265344.564s, table=0, n_packets=299, n_bytes=27222, priority=1,in_port="patch-int" actions=resubmit(,2)

br-tun and br-int are connected by a patch port; the flow above resubmits traffic arriving from it to table 2

 cookie=0x32d8a2805cd98d76, duration=265344.562s, table=2, n_packets=242, n_bytes=23524, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
 cookie=0x32d8a2805cd98d76, duration=265344.560s, table=2, n_packets=57, n_bytes=3698, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)

1. Broadcast/multicast frames (group bit of dl_dst set) are resubmitted to table 22; the first ARP request from A to B is such a broadcast

1 0.000000 fa:16:3e:b2:23:f1 Broadcast ARP 42 Who has 192.0.2.3? Tell 192.0.2.4

 cookie=0x32d8a2805cd98d76, duration=266936.530s, table=22, n_packets=61, n_bytes=3866, priority=1,dl_vlan=1 actions=strip_vlan,load:0x3->NXM_NX_TUN_ID[],output:"vxlan-0ac8895b",output:"vxlan-0ac88961",output:"vxlan-0ac8895e"

The flow above sends the broadcast frame out every VXLAN port using VNI 0x3; 0x3 is the provider:segmentation_id automatically assigned when the network was created

2. Unicast frames are resubmitted to table 20

 cookie=0x32d8a2805cd98d76, duration=268075.909s, table=20, n_packets=102, n_bytes=10964, priority=2,dl_vlan=1,dl_dst=fa:16:3e:a8:6c:ec actions=strip_vlan,load:0x3->NXM_NX_TUN_ID[],output:"vxlan-0ac8895b"
 cookie=0x32d8a2805cd98d76, duration=268075.906s, table=20, n_packets=0, n_bytes=0, priority=2,dl_vlan=1,dl_dst=fa:16:3e:56:f4:4e actions=strip_vlan,load:0x3->NXM_NX_TUN_ID[],output:"vxlan-0ac88961"
 cookie=0x32d8a2805cd98d76, duration=268075.902s, table=20, n_packets=15, n_bytes=1302, priority=2,dl_vlan=1,dl_dst=fa:16:3e:8e:25:da actions=strip_vlan,load:0x3->NXM_NX_TUN_ID[],output:"vxlan-0ac8895e"
 cookie=0x32d8a2805cd98d76, duration=268075.900s, table=20, n_packets=159, n_bytes=14350, priority=2,dl_vlan=1,dl_dst=fa:16:3e:9b:3e:da actions=strip_vlan,load:0x3->NXM_NX_TUN_ID[],output:"vxlan-0ac8895e"
 cookie=0x32d8a2805cd98d76, duration=267149.096s, table=20, n_packets=9, n_bytes=618, priority=2,dl_vlan=1,dl_dst=fa:16:3e:80:e5:77 actions=strip_vlan,load:0x3->NXM_NX_TUN_ID[],output:"vxlan-0ac8895b"
 cookie=0x32d8a2805cd98d76, duration=269971.491s, table=20, n_packets=0, n_bytes=0, priority=0 actions=resubmit(,22)

Table 20 holds the unicast flows; the output tunnel is chosen by an exact match on the destination MAC, and a frame matching no entry falls through to table 22 (flood)

Packet flow into br-tun on compute B

 cookie=0x7ed8dc5da3d88808, duration=269042.009s, table=0, n_packets=235, n_bytes=19518, priority=1,in_port="vxlan-0ac88960" actions=resubmit(,4)

vxlan-0ac88960 is the VXLAN tunnel between computeA and computeB; the flow above resubmits the packet to table 4

 cookie=0x7ed8dc5da3d88808, duration=276504.241s, table=4, n_packets=451, n_bytes=45483, priority=1,tun_id=0x3 actions=mod_vlan_vid:1,resubmit(,10)

Translates the outer VXLAN VNI (tun_id=0x3) into the internal VLAN (mod_vlan_vid:1) and resubmits to table 10

 cookie=0x7ed8dc5da3d88808, duration=291960.861s, table=10, n_packets=451, n_bytes=45483, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0x7ed8dc5da3d88808,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:OXM_OF_IN_PORT[]),output:"patch-int"

To be analyzed. (What the flow itself says: the learn action installs a table 20 entry, with hard_timeout=300, matching the VLAN and the arriving frame's source MAC as a future destination MAC, with the output set to the tunnel port the frame came in on; the frame is then sent to br-int via patch-int.)
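The br-tun pipeline walked through above (tables 2, 20 and 22 on the sending host; tables 4 and 10 on the receiving host), as an added model written for this post rather than Neutron's own code. It folds the l2pop-installed and learned table 20 entries into one dictionary, and takes port names, VLAN 1 and VNI 0x3 from the dumps on the page.

```python
# Constructed model of br-tun: table 2 splits unicast from group frames on the
# group bit of dl_dst, table 20 maps known MACs to one tunnel, table 22 floods
# every tunnel; on receipt table 4 maps the VNI back to the local VLAN and
# table 10 learns a table 20 entry from the frame's source MAC.
MULTICAST_MASK = "01:00:00:00:00:00"
VXLAN_PORTS = ["vxlan-0ac8895b", "vxlan-0ac88961", "vxlan-0ac8895e"]
TUN_ID_FOR_VLAN = {1: 0x3}   # local vlan 1 <-> provider:segmentation_id 3
VLAN_FOR_TUN_ID = {0x3: 1}

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def is_group_addr(dl_dst):
    """dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 matches broadcast and multicast frames."""
    return mac_to_int(dl_dst) & mac_to_int(MULTICAST_MASK) != 0

class BrTun:
    def __init__(self):
        # (vlan, dl_dst) -> tunnel port. On the page these are the priority=2
        # l2pop flows plus the priority=1, hard_timeout=300 learned flows;
        # both kinds are kept in one dict here for simplicity.
        self.table20 = {}

    def from_patch_int(self, vlan, dl_dst):
        """Frame leaving this host: return (tun_id, output ports) after tables 2/20/22."""
        tun_id = TUN_ID_FOR_VLAN[vlan]              # strip_vlan, load tun_id into NXM_NX_TUN_ID
        if is_group_addr(dl_dst):
            return tun_id, list(VXLAN_PORTS)        # table 22: flood all tunnels
        port = self.table20.get((vlan, dl_dst))
        if port is None:
            return tun_id, list(VXLAN_PORTS)        # table 20 priority=0 -> resubmit(,22)
        return tun_id, [port]                       # exact dl_dst match

    def from_tunnel(self, in_port, tun_id, dl_src):
        """Frame arriving over VXLAN: table 4 picks the VLAN, table 10 learns, then patch-int."""
        vlan = VLAN_FOR_TUN_ID[tun_id]              # mod_vlan_vid:1
        self.table20[(vlan, dl_src)] = in_port      # learn(table=20, ETH_DST=ETH_SRC, output:IN_PORT)
        return vlan, "patch-int"

if __name__ == "__main__":
    br = BrTun()
    print("A's ARP request:", br.from_patch_int(1, "ff:ff:ff:ff:ff:ff"))      # flooded
    br.from_tunnel("vxlan-0ac8895e", 0x3, "fa:16:3e:9b:3e:da")               # B's reply arrives
    print("ICMP to B:", br.from_patch_int(1, "fa:16:3e:9b:3e:da"))           # now one tunnel
```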

cookie=0x740266734426ae73, duration=292713.084s, table=0, n_packets=920, n_bytes=90025, idle_age=2145, hard_age=65534, priority=0 actions=resubmit(,60)
cookie=0x740266734426ae73, duration=292713.084s, table=60, n_packets=109, n_bytes=8658, idle_age=2150, hard_age=65534, priority=3 actions=NORMAL

The two br-int flows above (on compute B) broadcast the ARP request to every port on br-int

Summary

VM-to-VM traffic goes through br-int -> br-tun on the source host, then br-tun -> br-int on the destination host

2. VM to gateway

The gateway MAC address is: fa:16:3e:80:e5:77

[root@compute2 ~]# ovs-ofctl dump-flows br-tun|grep  fa:16:3e:80:e5:77
 cookie=0x32d8a2805cd98d76, duration=269411.131s, table=20, n_packets=19, n_bytes=1542, idle_age=33, hard_age=65534, priority=2,dl_vlan=1,dl_dst=fa:16:3e:80:e5:77 actions=strip_vlan,load:0x3->NXM_NX_TUN_ID[],output:2
 cookie=0x32d8a2805cd98d76, duration=45.651s, table=20, n_packets=0, n_bytes=0, hard_timeout=300, idle_age=45, hard_age=32, priority=1,vlan_tci=0x0001/0x0fff,dl_dst=fa:16:3e:80:e5:77 actions=load:0->NXM_OF_VLAN_TCI[],load:0x3->NXM_NX_TUN_ID[],output:2

After matching the first rule, the packet leaves via port 2; port 2 is inspected below

[root@compute2 ~]# ovs-ofctl show br-tun
 2(vxlan-0ac8895b): addr:32:31:9f:98:cd:e3
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
[root@compute2 ~]# ovs-vsctl show
        Port "vxlan-0ac8895b"
            Interface "vxlan-0ac8895b"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.200.137.96", out_key=flow, remote_ip="10.200.137.91"}

Port 2 is the tunnel from the compute node to the network node.

Network node br-tun flow tables

 cookie=0x6b35350f4b4390f1, duration=274641.568s, table=0, n_packets=183, n_bytes=16414, priority=1,in_port="vxlan-0ac88960" actions=resubmit(,4)
 ...
 cookie=0x6b35350f4b4390f1, duration=282494.521s, table=4, n_packets=602, n_bytes=58400, priority=1,tun_id=0x3 actions=mod_vlan_vid:4,resubmit(,10)
  cookie=0x6b35350f4b4390f1, duration=296771.381s, table=10, n_packets=602, n_bytes=58400, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0x6b35350f4b4390f1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:OXM_OF_IN_PORT[]),output:"patch-int"

After tables 4 and 10, the packet enters br-int and reaches the target IP (qr-b7a085c1-92)

[root@controller ~]# ip netns
qrouter-b965e86d-5b28-4ef3-b72e-73daa05a821c
qdhcp-997f6e44-56fc-4146-bf7c-fa79313f70fb
qdhcp-f3ab28fd-f8e0-4601-9823-e6b8ab06c2d2
[root@controller ~]# ip netns qrouter-b965e86d-5b28-4ef3-b72e-73daa05a821c exec ip a
Command "qrouter-b965e86d-5b28-4ef3-b72e-73daa05a821c" is unknown, try "ip netns help".
[root@controller ~]# ip netns exec qrouter-b965e86d-5b28-4ef3-b72e-73daa05a821c ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
19: qg-5996ea59-13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:aa:76:6c brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.120/24 brd 203.0.113.255 scope global qg-5996ea59-13
       valid_lft forever preferred_lft forever
    inet 203.0.113.125/32 brd 203.0.113.125 scope global qg-5996ea59-13
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:feaa:766c/64 scope link 
       valid_lft forever preferred_lft forever
20: qr-b7a085c1-92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:80:e5:77 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.1/24 brd 192.0.2.255 scope global qr-b7a085c1-92
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe80:e577/64 scope link 
       valid_lft forever preferred_lft forever

The qr-b7a085c1-92 port lives in the qrouter-b965e86d-5b28-4ef3-b72e-73daa05a821c namespace

3. VM floating IP to VM

The VM's floating IP is NATed inside the qrouter namespace (iptables nat table):

Chain neutron-l3-agent-PREROUTING (1 references)
target     prot opt source               destination         
REDIRECT   tcp  --  0.0.0.0/0            169.254.169.254      tcp dpt:80 redir ports 9697
DNAT       all  --  0.0.0.0/0            203.0.113.125        to:192.0.2.4

The DNAT rule maps floating IP 203.0.113.125 to the VM's fixed IP 192.0.2.4
