4. Nova-network
[Figure: the two legacy nova-network managers. Flat DHCP Network Manager: all VMs hang off one bridge on eth0, with a single gateway (G/W) and one dnsmasq instance serving DHCP. VLAN Network Manager: each tenant gets its own bridge (Bridge 1 on vlan 100, Bridge 2 on vlan 101, both tagged sub-interfaces of eth0), with a gateway and a dnsmasq instance per bridge.]
5. * Network NameSpace
[Figure: without network namespaces, every process on the host shares one routing table, one set of addresses and netfilter rules, and the same eth0, eth1 and eth2. With network namespaces, each namespace (labelled Ford, Benz and BMW on the slide) owns its own network resources, including its own eth0, eth1 and eth2, and a process is confined to the namespace it runs in.]
"Network namespaces provide isolation of the system resources associated with networking. Thus, each network namespace has its own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers, and so on."
- http://lwn.net/Articles/531114/
6. Installation - OpenvSwitch plugin VLAN, GRE
[Figure: lab topology. Three networks: External 192.168.122.0/24 on eth0, Management 192.168.20.0/24 on eth1, Data 192.168.10.0/24 on eth2.
Controller node (eth0, eth1, eth2): Neutron server, Nova, Keystone, Glance, Horizon.
Network node (eth0, eth1, eth2): Neutron openvswitch-plugin, Neutron metadata agent, Neutron L3/dhcp agent.
Compute node-1 and Compute node-2 (eth1, eth2): Neutron openvswitch-plugin, Nova compute.]
19. Neutron OVS plugin Security Group - VLAN, GRE
[Figure: iptables chain traversal for a VM port. Security groups are applied in the per-port chains.]
FORWARD -> neutron-filter-top -> neutron-openvswi-local
FORWARD -> neutron-openvswi-FORWARD -> neutron-openvswi-sg-chain
neutron-openvswi-sg-chain -> neutron-openvswi-iTAP_NUMBER (ingress, towards the VM) -> neutron-openvswi-sg-fallback
neutron-openvswi-sg-chain -> neutron-openvswi-oTAP_NUMBER (egress, from the VM) -> neutron-openvswi-sg-fallback
20. Neutron OVS plugin Security Group - VLAN, GRE
Chain neutron-openvswi-sg-chain (4 references)
target                        prot opt source      destination
neutron-openvswi-i21767f1f-4  all  --  0.0.0.0/0   0.0.0.0/0    PHYSDEV match --physdev-out tap21767f1f-45 --physdev-is-bridged
neutron-openvswi-o21767f1f-4  all  --  0.0.0.0/0   0.0.0.0/0    PHYSDEV match --physdev-in tap21767f1f-45 --physdev-is-bridged
neutron-openvswi-i7903fd30-7  all  --  0.0.0.0/0   0.0.0.0/0    PHYSDEV match --physdev-out tap7903fd30-74 --physdev-is-bridged
neutron-openvswi-o7903fd30-7  all  --  0.0.0.0/0   0.0.0.0/0    PHYSDEV match --physdev-in tap7903fd30-74 --physdev-is-bridged
ACCEPT                        all  --  0.0.0.0/0   0.0.0.0/0

Chain neutron-openvswi-i7903fd30-7 (1 references)
target                        prot opt source      destination
DROP                          all  --  0.0.0.0/0   0.0.0.0/0    state INVALID
RETURN                        all  --  0.0.0.0/0   0.0.0.0/0    state RELATED,ESTABLISHED
RETURN                        icmp --  0.0.0.0/0   0.0.0.0/0
RETURN                        tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:22
RETURN                        udp  --  50.50.1.3   0.0.0.0/0    udp spt:67 dpt:68
neutron-openvswi-sg-fallback  all  --  0.0.0.0/0   0.0.0.0/0

Chain neutron-openvswi-o7903fd30-7 (2 references)
target                        prot opt source      destination
DROP                          all  --  0.0.0.0/0   0.0.0.0/0    MAC ! FA:16:3E:DB:08:63
RETURN                        udp  --  0.0.0.0/0   0.0.0.0/0    udp spt:68 dpt:67
DROP                          all  -- !50.50.1.2   0.0.0.0/0
DROP                          udp  --  0.0.0.0/0   0.0.0.0/0    udp spt:67 dpt:68
DROP                          all  --  0.0.0.0/0   0.0.0.0/0    state INVALID
RETURN                        all  --  0.0.0.0/0   0.0.0.0/0    state RELATED,ESTABLISHED
RETURN                        all  --  0.0.0.0/0   0.0.0.0/0
neutron-openvswi-sg-fallback  all  --  0.0.0.0/0   0.0.0.0/0

How to read this: sg-chain dispatches on the bridge port (--physdev-out tap = traffic towards the VM, --physdev-in tap = traffic from the VM) into a per-port chain named from the agent prefix, a direction letter and the first characters of the port id, cut to iptables' 28-character chain-name limit (tap7903fd30-74 becomes i7903fd30-7 / o7903fd30-7). RETURN from a per-port chain lands on the ACCEPT at the end of sg-chain; falling through to neutron-openvswi-sg-fallback drops the packet. The ingress chain is the tenant's security group: ICMP, TCP/22 and DHCP replies, but only from the subnet's dnsmasq at 50.50.1.3. The egress chain is mostly anti-spoofing rather than tenant policy: frames must carry the port's MAC FA:16:3E:DB:08:63, packets must come from the port's fixed IP 50.50.1.2 (the DHCP client RETURN sits before that rule because a DHCP discover is sent from 0.0.0.0), the VM may not answer as a DHCP server (spt:67 dpt:68), and everything else is let out by the default egress rule.
[1] Note, OpenStack uses iptables rules on the TAP devices such as “tap~~” to implement security groups. However, Open vSwitch is not compatible with iptables rules that are applied directly on TAP devices that are connected to an Open vSwitch port. This is why the OVS agent places a Linux bridge (the qbr bridge) between each tap device and br-int, and why every dispatch rule in sg-chain carries --physdev-is-bridged: the security-group chains are evaluated on traffic crossing that Linux bridge, not on the OVS port itself. A port that is plugged straight into br-int gets no security-group filtering at all.
21. Neutron OVS plugin NameSpace - VLAN, GRE
janghoon@Network-node:~$ sudo ip netns exec qrouter-cf5fe7b7-8fab-45de-ab1c-c0cd404ebed0 ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

qg-fa243f49-d6 Link encap:Ethernet  HWaddr fa:16:3e:9f:4b:63
          inet addr:192.168.122.50  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe9f:4b63/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

qr-bc654dc2-f1 Link encap:Ethernet  HWaddr fa:16:3e:c7:ec:bd
          inet addr:50.50.1.1  Bcast:50.50.1.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fec7:ecbd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

janghoon@Network-node:~$ sudo ip netns exec qrouter-cf5fe7b7-8fab-45de-ab1c-c0cd404ebed0 route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.122.1   0.0.0.0         UG    0      0        0 qg-fa243f49-d6
50.50.1.0       *               255.255.255.0   U     0      0        0 qr-bc654dc2-f1
192.168.122.0   *               255.255.255.0   U     0      0        0 qg-fa243f49-d6

Each Neutron router is a network namespace (qrouter-<router id>) on the network node with its own interfaces and routing table: qg-* is the gateway port on the external network (192.168.122.50, carrying the default route towards 192.168.122.1) and qr-* is the tenant subnet's gateway (50.50.1.1). Nothing in the host's own routing table is involved, so two tenants can use the same 50.50.1.0/24 without clashing.
30. Neutron Ryu plugin Security Group
[Figure: iptables chain traversal for a VM port under the Ryu agent; same layout as the OVS plugin with the quantum-ryu-agen- prefix. Security groups are applied in the per-port chains.]
FORWARD -> quantum-filter-top -> quantum-ryu-agen-local
FORWARD -> quantum-ryu-agen-FORWARD -> quantum-ryu-agen-sg-chain
quantum-ryu-agen-sg-chain -> quantum-ryu-agen-iTAP_NUMBER (ingress, towards the VM) -> quantum-ryu-agen-sg-fallback
quantum-ryu-agen-sg-chain -> quantum-ryu-agen-oTAP_NUMBER (egress, from the VM) -> quantum-ryu-agen-sg-fallback
31. Neutron Ryu plugin Security Group
Chain quantum-ryu-agen-sg-chain (2 references)
target                        prot opt source           destination
quantum-ryu-agen-ib7fa734b-e  all  --  0.0.0.0/0        0.0.0.0/0    PHYSDEV match --physdev-out tapb7fa734b-e0 --physdev-is-bridged
quantum-ryu-agen-ob7fa734b-e  all  --  0.0.0.0/0        0.0.0.0/0    PHYSDEV match --physdev-in tapb7fa734b-e0 --physdev-is-bridged
ACCEPT                        all  --  0.0.0.0/0        0.0.0.0/0

Chain quantum-ryu-agen-ib7fa734b-e (1 references)
target                        prot opt source           destination
DROP                          all  --  0.0.0.0/0        0.0.0.0/0    state INVALID
RETURN                        all  --  0.0.0.0/0        0.0.0.0/0    state RELATED,ESTABLISHED
RETURN                        tcp  --  192.168.228.122  0.0.0.0/0    tcp dpt:80
RETURN                        udp  --  50.50.2.2        0.0.0.0/0    udp spt:67 dpt:68
quantum-ryu-agen-sg-fallback  all  --  0.0.0.0/0        0.0.0.0/0

Chain quantum-ryu-agen-ob7fa734b-e (2 references)
target                        prot opt source           destination
DROP                          all  --  0.0.0.0/0        0.0.0.0/0    MAC ! FA:16:3E:CF:DC:42
RETURN                        udp  --  0.0.0.0/0        0.0.0.0/0    udp spt:68 dpt:67
DROP                          all  -- !50.50.2.4        0.0.0.0/0
DROP                          udp  --  0.0.0.0/0        0.0.0.0/0    udp spt:67 dpt:68
DROP                          all  --  0.0.0.0/0        0.0.0.0/0    state INVALID
RETURN                        all  --  0.0.0.0/0        0.0.0.0/0    state RELATED,ESTABLISHED
RETURN                        all  --  0.0.0.0/0        0.0.0.0/0
quantum-ryu-agen-sg-fallback  all  --  0.0.0.0/0        0.0.0.0/0

The rule set has the same structure as the OVS plugin's; only the chain prefix (quantum-ryu-agen-, the old Quantum name cut to iptables' 28-character limit) and the tenant's rules differ. Here the ingress security group admits TCP/80 only from 192.168.228.122 plus DHCP replies from the subnet's dnsmasq at 50.50.2.2, and the egress anti-spoofing pins the port to MAC FA:16:3E:CF:DC:42 and fixed IP 50.50.2.4.
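The chain walk shown on slides 19/20 and 30/31, as an added example that is not code from the slides or from Neutron itself: it models the traversal (sg-chain -> per-port i/o chain -> RETURN or sg-fallback) in plain Python so the effect of each rule can be checked packet by packet. The rules are transcribed from the OVS listing on slide 20 (the Ryu chains differ only in prefix and in the tenant's own rules); the packets are constructed inputs, not captured traffic, and 10.0.0.9 is an arbitrary peer address.

```python
"""Model of the per-port Neutron security-group chains from slide 20.

Not Neutron code: a plain-Python re-enactment of the iptables walk so the
anti-spoofing effect of the egress chain can be checked per packet.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# The port on slide 20: MAC FA:16:3E:DB:08:63, fixed IP 50.50.1.2, and the
# subnet's dnsmasq DHCP server at 50.50.1.3.
VM_MAC, VM_IP, DHCP_SERVER = "FA:16:3E:DB:08:63", "50.50.1.2", "50.50.1.3"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "all"           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"           # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    src_mac: str = VM_MAC


@dataclass
class Rule:
    target: str                  # DROP, RETURN, or the name of a chain to jump to
    proto: str = "all"
    src: Optional[str] = None    # exact source IP; a leading "!" negates the match
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[Set[str]] = None
    not_mac: Optional[str] = None  # "MAC ! X": matches frames whose source MAC is not X

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.src is not None and (p.src == self.src.lstrip("!")) == self.src.startswith("!"):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.state is not None and p.state not in self.state:
            return False
        return self.not_mac is None or p.src_mac != self.not_mac


# neutron-openvswi-i7903fd30-7: traffic going *to* the VM (physdev-out tap)
INGRESS: List[Rule] = [
    Rule("DROP", state={"INVALID"}),
    Rule("RETURN", state={"RELATED", "ESTABLISHED"}),
    Rule("RETURN", proto="icmp"),                                       # SG rule: ping
    Rule("RETURN", proto="tcp", dport=22),                              # SG rule: ssh
    Rule("RETURN", proto="udp", src=DHCP_SERVER, sport=67, dport=68),   # DHCP replies from dnsmasq only
    Rule("neutron-openvswi-sg-fallback"),
]
# neutron-openvswi-o7903fd30-7: traffic coming *from* the VM (physdev-in tap)
EGRESS: List[Rule] = [
    Rule("DROP", not_mac=VM_MAC),                        # MAC spoofing
    Rule("RETURN", proto="udp", sport=68, dport=67),     # DHCP client, still sent from 0.0.0.0
    Rule("DROP", src="!" + VM_IP),                       # IP spoofing
    Rule("DROP", proto="udp", sport=67, dport=68),       # VM must not act as a DHCP server
    Rule("DROP", state={"INVALID"}),
    Rule("RETURN", state={"RELATED", "ESTABLISHED"}),
    Rule("RETURN"),                                      # default egress rule: allow all
    Rule("neutron-openvswi-sg-fallback"),
]
CHAINS = {"neutron-openvswi-sg-fallback": [Rule("DROP")]}  # sg-fallback drops everything


def walk(chain: List[Rule], p: Packet) -> str:
    """Return the terminating verdict ("DROP" or "RETURN") of p in chain."""
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.target in ("DROP", "RETURN"):
            return rule.target
        if walk(CHAINS[rule.target], p) == "DROP":   # jump; continue if the sub-chain RETURNs
            return "DROP"
    return "RETURN"   # fell off the end of a user chain: back to the caller


def verdict(direction: str, p: Packet) -> str:
    """RETURN from the per-port chain reaches the ACCEPT at the end of sg-chain."""
    chain = INGRESS if direction == "in" else EGRESS
    return "ACCEPT" if walk(chain, p) == "RETURN" else "DROP"


# Constructed packets (not captured traffic); 10.0.0.9 is an arbitrary peer.
CASES = {
    "ssh to vm (new)":            ("in",  Packet("10.0.0.9", VM_IP, "tcp", 51000, 22)),
    "http to vm (new)":           ("in",  Packet("10.0.0.9", VM_IP, "tcp", 51001, 80)),
    "dhcp offer from dnsmasq":    ("in",  Packet(DHCP_SERVER, "255.255.255.255", "udp", 67, 68)),
    "dhcp offer from rogue host": ("in",  Packet("50.50.1.9", "255.255.255.255", "udp", 67, 68)),
    "vm dhcp discover":           ("out", Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)),
    "vm outbound http (new)":     ("out", Packet(VM_IP, "10.0.0.9", "tcp", 40000, 80)),
    "vm spoofed source ip":       ("out", Packet("50.50.1.200", "10.0.0.9", "tcp", 40000, 80)),
    "vm spoofed source mac":      ("out", Packet(VM_IP, "10.0.0.9", "tcp", 40000, 80, src_mac="00:11:22:33:44:55")),
    "vm as rogue dhcp server":    ("out", Packet(VM_IP, "255.255.255.255", "udp", 67, 68)),
}


def run_all() -> dict:
    """Verdict per constructed case, e.g. run_all()["vm spoofed source ip"] == "DROP"."""
    return {name: verdict(d, p) for name, (d, p) in CASES.items()}
```

The ordering matters and the model makes it visible: moving the DHCP-client RETURN below the `! 50.50.1.2` DROP would break the VM's ability to obtain an address, since a DHCP discover leaves with source 0.0.0.0, while the rogue-DHCP-server DROP only works because it sits before the catch-all egress RETURN.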
32. Neutron Ryu plugin NameSpace
janghoon@network:~$ sudo ip netns exec qrouter-f7f07d55-4fd6-4f95-a45f-d6b1f0cf8d18 ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

qg-afcc5de0-46 Link encap:Ethernet  HWaddr fa:16:3e:62:e4:4b
          inet addr:192.168.122.50  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe62:e44b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

qr-33616671-f3 Link encap:Ethernet  HWaddr fa:16:3e:ee:aa:8c
          inet addr:50.50.2.1  Bcast:50.50.2.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:feee:aa8c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

janghoon@network:~$ sudo ip netns exec qrouter-f7f07d55-4fd6-4f95-a45f-d6b1f0cf8d18 route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.122.1   0.0.0.0         UG    0      0        0 qg-afcc5de0-46
50.50.2.0       *               255.255.255.0   U     0      0        0 qr-33616671-f3
192.168.122.0   *               255.255.255.0   U     0      0        0 qg-afcc5de0-46
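The router-namespace listings on slides 21 and 32 are normally checked by eye; the following added example (not code from the slides or from Neutron) parses the `route` output of a qrouter namespace and checks what those slides show: a single default route that leaves through the qg- (external gateway) port, a next hop that lies on a subnet connected to that port, and the tenant subnets reachable through qr- ports. ROUTE_SAMPLE is copied from the slide 32 listing; output of `ip netns exec qrouter-<id> route -n` for any other router can be fed in the same way (the parser accepts both the resolved and the numeric form).

```python
"""Audit the routing table of a Neutron qrouter namespace (slides 21 and 32).

Added example, not Neutron code. ROUTE_SAMPLE is the slide 32 listing.
"""
import ipaddress
from typing import Dict, List, Optional

ROUTE_SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.122.1   0.0.0.0         UG    0      0        0 qg-afcc5de0-46
50.50.2.0       *               255.255.255.0   U     0      0        0 qr-33616671-f3
192.168.122.0   *               255.255.255.0   U     0      0        0 qg-afcc5de0-46
"""


def parse_routes(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per route; `default`/`*` (route) and 0.0.0.0 (route -n) are normalised."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue                                  # banner and header lines
        dest, gw, mask, flags, iface = cols[0], cols[1], cols[2], cols[3], cols[7]
        routes.append({
            "dest": "0.0.0.0" if dest == "default" else dest,
            "gateway": None if gw in ("*", "0.0.0.0") else gw,
            "genmask": mask, "flags": flags, "iface": iface,
        })
    return routes


def audit_router(routes: List[Dict[str, Optional[str]]]) -> dict:
    """Report external port, next hop and tenant subnets, plus any problems found."""
    report = {"default_gateway": None, "external_port": None,
              "tenant_subnets": {}, "problems": []}
    connected: Dict[str, list] = {}                   # port -> directly connected networks
    for r in routes:
        if r["gateway"] is None and r["dest"] != "0.0.0.0":
            net = ipaddress.ip_network(f"{r['dest']}/{r['genmask']}", strict=False)
            connected.setdefault(r["iface"], []).append(net)
            if r["iface"].startswith("qr-"):          # tenant-side router port
                report["tenant_subnets"][r["iface"]] = str(net)
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["genmask"] == "0.0.0.0"]
    if len(defaults) != 1:
        report["problems"].append(f"expected one default route, found {len(defaults)}")
    for r in defaults:
        report["default_gateway"], report["external_port"] = r["gateway"], r["iface"]
        if not r["iface"].startswith("qg-"):          # external traffic must leave via the gateway port
            report["problems"].append(f"default route leaves via {r['iface']}, not a qg- port")
        if r["gateway"] is None:
            report["problems"].append("default route has no next hop")
            continue
        hop = ipaddress.ip_address(r["gateway"])
        if not any(hop in net for net in connected.get(r["iface"], [])):
            report["problems"].append(f"next hop {hop} is not on a subnet connected to {r['iface']}")
    return report
```

Run it over every namespace from `ip netns list` whose name starts with qrouter- to spot a router whose default route does not point at the external network, which is the usual cause of tenant instances reaching each other but not the outside.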
35. Neutron ML2
The Modular Layer 2 (ML2) plugin is a framework allowing OpenStack Networking to simultaneously utilize the variety
of layer 2 networking technologies found in complex real-world data centers. It currently works with the existing
openvswitch, linuxbridge, and hyperv L2 agents, and is intended to replace and deprecate the monolithic plugins
associated with those L2 agents.
[Figure: Neutron -> ML2 Plugin, which loads two driver families side by side.
TypeDrivers: Flat, VLAN, GRE, VxLAN
MechanismDrivers: OpenvSwitch, Hyper-V, Cisco Nexus, Arista, OpenDaylight, pSwitch]
TypeDriver : TypeDrivers maintain any needed type-specific network state, and perform provider network validation
and tenant network allocation.
MechanismDriver : The MechanismDriver is responsible for taking the information established by the TypeDriver and
ensuring that it is properly applied given the specific networking mechanisms that have been enabled.
https://wiki.openstack.org/wiki/Neutron/ML2
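The TypeDriver's job described above (validation and allocation of network segments) is what the ml2_conf.ini `[ml2]` and `[ml2_type_*]` sections configure. The following added example, not code from the slides or from Neutron, reads such a configuration and checks that every tenant network type is backed by an enabled TypeDriver with a usable allocation pool. The ini text is constructed for this example; the section and option names (type_drivers, tenant_network_types, mechanism_drivers, network_vlan_ranges, tunnel_id_ranges, vni_ranges) are the standard ML2 ones, and the id limits are an assumption taken from the protocol field widths rather than from Neutron's own validators.

```python
"""Consistency check for an ML2 configuration (added example, not Neutron code)."""
import configparser
from typing import List, Optional, Tuple

# Constructed ml2_conf.ini fragment, not taken from the slides.
ML2_CONF = """\
[ml2]
type_drivers = flat,vlan,gre,vxlan
tenant_network_types = vlan,gre
mechanism_drivers = openvswitch,linuxbridge

[ml2_type_flat]
flat_networks = physnet1

[ml2_type_vlan]
network_vlan_ranges = physnet1:1000:1999

[ml2_type_gre]
tunnel_id_ranges = 1:1000

[ml2_type_vxlan]
vni_ranges = 10000:20000
"""

# Per tenant-capable type: section and option holding its allocation pool,
# whether entries carry a "physnet:" prefix, and the legal id range
# (assumption: protocol field widths, 12-bit VLAN id, 32-bit GRE key, 24-bit VNI).
RANGES = {
    "vlan":  ("ml2_type_vlan",  "network_vlan_ranges", True,  1, 4094),
    "gre":   ("ml2_type_gre",   "tunnel_id_ranges",    False, 1, 2**32 - 1),
    "vxlan": ("ml2_type_vxlan", "vni_ranges",          False, 1, 2**24 - 1),
}


def csv(cfg: configparser.ConfigParser, section: str, option: str) -> List[str]:
    """Comma-separated option value as a list; missing section/option -> []."""
    return [v.strip() for v in cfg.get(section, option, fallback="").split(",") if v.strip()]


def parse_range(entry: str, physnet: bool) -> Optional[Tuple[int, int]]:
    """Return (lo, hi) for 'min:max' or 'physnet:min:max'; None for a bare physnet."""
    parts = entry.split(":")
    if physnet:
        if len(parts) == 1:
            return None                     # provider-only physnet, no tenant pool
        if len(parts) != 3:
            raise ValueError(f"expected physnet:min:max, got {entry!r}")
        parts = parts[1:]
    elif len(parts) != 2:
        raise ValueError(f"expected min:max, got {entry!r}")
    lo, hi = int(parts[0]), int(parts[1])
    if lo > hi:
        raise ValueError(f"empty range {entry!r}")
    return lo, hi


def check_ml2(text: str) -> List[str]:
    """List of problems; an empty list means tenant network allocation can work."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    types = csv(cfg, "ml2", "type_drivers")
    problems: List[str] = []
    if not csv(cfg, "ml2", "mechanism_drivers"):
        problems.append("no mechanism_drivers: ML2 cannot bind any port")
    for t in csv(cfg, "ml2", "tenant_network_types"):
        if t not in types:
            problems.append(f"tenant type {t!r} is not in type_drivers")
            continue
        if t not in RANGES:
            continue                        # flat/local tenant networks need no pool
        section, option, physnet, lo_ok, hi_ok = RANGES[t]
        pools = 0
        for e in csv(cfg, section, option):
            try:
                rng = parse_range(e, physnet)
            except ValueError as exc:
                problems.append(f"{t}: {exc}")
                continue
            if rng is None:
                continue
            pools += 1
            if rng[0] < lo_ok or rng[1] > hi_ok:
                problems.append(f"{t}: range {e!r} outside {lo_ok}-{hi_ok}")
        if pools == 0:
            problems.append(f"{t}: no allocation pool in [{section}] {option}, tenant networks cannot be created")
    return problems
```

A type listed in tenant_network_types without a matching TypeDriver or pool does not fail at service start; it surfaces later as a network-create error, which is why a pre-deployment check like this one is worth running.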
37. * Another option
Cisco and Canonical are collaborating to offer customers the Nexus 1000V virtual networking solution on Ubuntu Linux & Ubuntu OpenStack cloud orchestration for the first time. The solution will enable Nexus 1000V customers to embrace Ubuntu OpenStack, the largest commercial distribution of the open source cloud platform.
http://www.cisco.com/c/en/us/products/collateral/switches/nexus-1000v-kvm/solution-overview-c22-730808.html