1

Fulvio Risso,Matteo Bertrone, Mauricio Vasquez Bernal

Politecnico di Torino, Italy

COUPLING THE FLEXIBILITY OF OVN WITH THE EFFICIENCY OF IOVISOR: ARCHITECTURE AND DEMO

2

Datacenter Networking

• Datacenter networking nowadays requires a mix of different

technologies

– Linuxbridge, OvS, OpenFlow, Linux containers/Docker with native

services (e.g., DHCP), …

• Difficult to write and deploy new functions

3

The idea

• OVN

– Addresses the problem of

datacenter-wise orchestration

– Runs with different cloud

management systems

(OpenStack, Mesos, …)

– Bottom-layer technologies are

the usual suspects

• IOVisor

– Enables the creation of

powerful network functions

• Fast: running in kernel

• Dynamically injectable at

run-time

• More flexible than

OpenFlow actions

4

IOVisor

• Community-driven open source project

• Provides development tools that enable the

creation of modules (IOModules), which can be

dynamically injected in the kernel at run-time

• IOModules can be used to build networking

(e.g., network functions), security, and tracing

applications

5

IOModule

• eBPF is a virtual machine that extends the

classical BPF instruction set architecture

– Includes just-in-time (JIT) compiler and a

powerful verifier that avoids inconsistencies,

safety issues and hazards

– Now part of the Linux kernel

• An IOModule is an eBPF program that

performs a specific task

– Bridge, Router, NAT, etc.

• IOModules can be combined to create

complex services (service chain)

6

Hover

• Userspace daemon that interacts with the

Linux kernel and handles the lifecycle of

IOModules

• It exposes a REST API front-end for

dynamically loading, configuring, linking

different IOModules to create a service

chainVM1 VM2

Hover

IOModule(router)

IOModule(bridge)

Bridge Router

VM1 VM2

eth0

eth1

Service graph

User space

Kernel space

7

OpenStack

Neutron

OVN ML2Mechanism Driver

Northbound DB

Northd

SouthBound DB

Co

mp

ute

1

ovn-controllerNova Agent

VM2

Neutron Agent

VM1

OpenStack - OVN architecture

• Northbound DB: high-level description of network

services (logical switches, logical routers, etc.)

• northd: converts high-level descriptions from

northDB to flow-like descriptions in southDB

• Southbound DB: logical flows and bindings tables,

split per each compute node

• ovn-controller: executed on each hypervisor

– Pushes the flows in OvS

– Propagates any “physical” layer event (e.g., port

down) to the upper layers

• Open vSwitch: in charge of the dataplane

• Bidirectional communication across the entire

stackOVS

Nova

ovsdb-server

Co

mp

ute

2

Nova Agent

VM2

Neutron Agent

VM1OVS

ovsdb-server

ovn-controller

ovs-local-dbovs-local-db

8

IOVisor-OVN: architecture

OpenStack

Neutron

OVN ML2Mechanism Driver

Northbound DB

Northd

SouthBound DB

Compute 1

ovn-controllerNova Agent

VM2

Neutron Agent

VM1

Nova

ovsdb-server

ovs-local-db

Hover

IOModule(Dataplane)

IOModule(Dataplane)

IOVisor-OVN daemon

Hover restful APIs

Compute 2

ovn-controllerNova Agent

VM2

Neutron Agent

VM1

ovsdb-server

ovs-local-db

Hover

IOModule(Dataplane)

IOModule(Dataplane)

ovsdb protocol

• Starting point: keep OVN

control plane, remove OvS

dataplane

• IOVisor-OVN

– Reads info from existing

databases (NorthDB,

SouthDB, ovs-localDB(s))

– Maps changes (e.g., service

requests) into IOModules

– Exploits Hover to inject,

configure and bind IOModules

to network interfaces

ovs ovs

10

OpenStack

IOVisor-OVN: internals

• OVN Monitor: in charge of the

synchronization with OVN

databases

• Main Logic: processing logic

that reacts to DB changes and/or

notification coming from

hypervisors

• Hover Ctrl: talks with Hover

daemon running on each

hypervisor

OVN Monitor (ovsdb monitor for OVN NB, SB

and OvS databases)

Hover Ctrl(wrapper for Hover APIs)

Main Logic Local DB

IOModulesRepo

Logger CLI

IOVisor-OVN Daemon

Hover restful APIs

OVN

Ovs

db

pro

toco

l

Compute 1

OVN Controller

VM1

VM2

Hover

IOModule(Dataplane)IOModule

(Dataplane)

Compute 2

OVN Controller

VM1

VM2

Hover

IOModule(Dataplane)IOModule

(Dataplane)

11

OVN modifications

• Very limited

– OVN-controller does not have to propagate commands to OvS (e.g.,

flow rules)

– OVN does not have to start the OvS dataplane

• Some information are ignored

– E.g., flow rules (that are no longer used to create bridged networks)

12

IOVisor-OVN: current status (1)

• Proof of concept supports OpenStack creating a L2 network on a

single compute node through the ML2 OVN mechanism driver

– Reacts to the following changes in the OVN databases: a switch, a port

or a port security rule is added, modified or removed

– When appropriate, it injects and configures the L2Switch IOModule

through Hover (e.g., attaching the VM vNIC to the IOModule)

– Handles the dynamic mapping of logical names (e.g., “port12” coming

from Neutron) with actual names (e.g., “tap34” coming from the

hypervisor)

13

IOVisor-OVN: current status (2)

• Created a minimal IOModules repository

– L2 Switch with optional port security based on MAC and IP address

• CLI for debugging

– Status of each IOModule on the hypervisor

– Mapping of OVN info to IOModules

14

IOVisor-OVN: next steps

• Extend IOModules repository with more network functions

– Router

– NAT

• Extend the architecture to handle multiple hypervisors

• Investigate possible optimization strategies when distributed

network functions are needed

15

How to try OVN-IOVisor

• Full stack deployable through DevStack

– OpenStack, OVN*, Hover, IOVisor-OVN and all the associated

dependencies

• OVN*: vanilla OVN, with only OvS control plane (no data plane)

– Single compute node

• More info:

– https://github.com/netgroup-polito/iovisor-ovn/

16

Compute 1

OVN Controller

VM1

VM2

Demo Overview

• Single node DevStack setup, with

IOVisor-OVN as network backend

• Logical steps:

– Create an L2 Network

– Instantiate two VMs connected to that

network

– VM1 and VM2 can ping each other

– Now, change (manually) the IP address

on VM2

• Security rule no longer appropriate

– Ping does no longer work

HOVER

IOModuleL2Switch

OVN IOVisor-OVN

Horizon

L2 network

OpenStack

17

Demo

Start

18

Our generous sponsors

19

Links

• IOVisor Project

– https://www.iovisor.org/

• IOVisor-OVN

– https://github.com/netgroup-polito/iovisor-ovn

– https://github.com/netgroup-polito/iovisor-ovn/blob/master/INSTALL.md

• Customized versions of ovs and networking-ovn

– https://github.com/netgroup-polito/ovs

– https://github.com/netgroup-polito/networking-ovn

20