Osdc2014 openstack networking yves_fauser


Posted: 19-Aug-2014
Category: Engineering


Description

This is my latest OpenStack Networking presentation. I presented it at OSDC 2014. It includes a lot of backup slides with CLI outputs that show how ML2 with the OVS agent creates GRE-based overlay networks and logical routers.

Transcript of Osdc2014 openstack networking yves_fauser

  • OpenStack Networking: Overview of the networking challenges and solutions in OpenStack. Yves Fauser, Network Virtualization Platform System Engineer @ VMware. OSDC 2014, Berlin, 08-10.04
  • The perfect storm (image: http://en.wikipedia.org/wiki/File:Hurricane_Isabel_from_ISS.jpg)
  • The perfect storm
      - Open vSwitch: very feature-rich vSwitch (tunneling, QoS, monitoring & management, automated control through OpenFlow and OVSDB). Part of the Linux kernel since 3.3
      - OpenFlow and OVSDB (RFC 7047) are used between Open vSwitch and external controllers. Numerous open source and commercial controllers emerged in the last years. Examples: NOX, Beacon, Floodlight, OpenDaylight, VMware NSX, Big Controller, NEC, etc.
      - OpenStack drives the need for flexible and fast network deployment models. The OpenStack Neutron project offers a network abstraction that enables open source projects and commercial implementations to innovate with and for OpenStack
  • Open vSwitch
  • Open vSwitch features vs. Linux bridge
      Feature                                                       | Open vSwitch       | Linux bridge
      MAC learning bridge                                           | X                  | X
      VLAN support (802.1Q)                                         | X (native in OVS)  | using vlan
      Static link aggregation (LAG)                                 | X (native in OVS)  | using ifenslave
      Dynamic link aggregation (LACP)                               | X (native in OVS)  | using ifenslave
      Support for MAC-in-IP encapsulation (GRE, VXLAN, ...)         | X (native in OVS)  | VXLAN support in 3.7 kernel + iproute2
      Traffic capturing / SPAN (RSPAN with encap. into GRE)         | X (native in OVS)  | using advanced traffic control
      Flow monitoring (NetFlow, sFlow, IPFIX, ...)                  | X (native in OVS)  | e.g. using ipt_netflow
      External management interfaces (OpenFlow & OVSDB)             | X                  |
      Multiple-table forwarding pipeline with flow-caching engine   | X                  |
      Performance improvements (e.g. RSS support)                   | X                  |
      http://openvswitch.org/features/
      https://github.com/homework/openvswitch/blob/master/WHY-OVS
  • Open vSwitch (OVS) architecture (diagram): in the kernel, br-int (flow tables) and br-tun (flow tables), with tunnel ports going to the Linux IP stack + routing table (192.168.10.1) and out to the transport network; eth0 is the MGMT interface, eth1 the second NIC. In user space, ovs-vswitchd (flow data interface: OpenFlow, CLI, ...) and ovsdb-server (configuration data interface: ovsdb, CLI, ...) backed by the config/state DB. WEB and APP VMs attach to br-int.
  • Open vSwitch with a controller cluster (diagram): same layout with br-0 (flow tables), br-int (flow table), flows & tunnel ports to the Linux IP stack, and a controller cluster reached over the transport network via OpenFlow (TCP 6633) and OVSDB (TCP 6632).
  • Common misconceptions with regards to controllers
      - Misconception 1) Traffic will flow through the controller cluster until a specific flow is installed in the switch through OpenFlow. It depends! Most architectures don't send any traffic to the controller (e.g. VMware NSX doesn't do it). In some architectures, where address space is limited (e.g. CAM/TCAM in low-end ToR switches), the controller gets the first few data packets and then installs a flow in the hardware. This is usually not the case when controlling OVS, as OVS holds the tables in the hypervisor's memory (and there is plenty!)
      - Misconception 2) The controller is a single point of failure. Controllers are usually deployed as scale-out clusters. Depending on the chosen architecture, even a complete controller cluster outage doesn't affect traffic forwarding
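The two OVS diagrams and misconception 2 come together in the bridge's fail-mode, which decides what the switch does when the whole controller cluster is unreachable. The script below is an added example, not from the slides: it builds the br-int/br-tun layout with a GRE tunnel port and an OpenFlow controller on TCP 6633 using real ovs-vsctl commands, and makes the fail-mode explicit. The local tunnel IP 192.168.10.1 is taken from the diagram; the remote hypervisor 192.168.10.2 and controller 10.0.0.5 are constructed placeholders. Where ovs-vsctl is not installed the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the slides). Assumed inputs: local tunnel IP (from the
# diagram), a constructed remote hypervisor IP and a constructed controller IP.
set -eu
# Dry-run fallback: print the ovs-vsctl commands when OVS is not installed.
if command -v ovs-vsctl >/dev/null 2>&1; then OVS_VSCTL=ovs-vsctl; else OVS_VSCTL=echo; fi

# ovs_overlay_node LOCAL_IP REMOTE_IP CONTROLLER_IP [FAIL_MODE]
ovs_overlay_node() {
    local_ip=$1; remote_ip=$2; ctl_ip=$3; fail_mode=${4:-secure}
    case "$fail_mode" in
        secure|standalone) ;;
        *) echo "fail-mode must be secure or standalone, got: $fail_mode" >&2; return 1 ;;
    esac
    # Integration bridge (VM ports) and tunnel bridge, joined by a patch port pair.
    $OVS_VSCTL --may-exist add-br br-int
    $OVS_VSCTL --may-exist add-br br-tun
    $OVS_VSCTL --may-exist add-port br-int patch-tun \
        -- set interface patch-tun type=patch options:peer=patch-int
    $OVS_VSCTL --may-exist add-port br-tun patch-int \
        -- set interface patch-int type=patch options:peer=patch-tun
    # GRE tunnel port: encapsulated frames leave through the Linux IP stack/routing table.
    $OVS_VSCTL --may-exist add-port br-tun gre-1 \
        -- set interface gre-1 type=gre options:local_ip="$local_ip" options:remote_ip="$remote_ip"
    # OpenFlow controller on TCP 6633 as in the diagram (tcp: is plaintext; ssl: with
    # certificates is the hardened variant, see ovs-vsctl set-ssl).
    $OVS_VSCTL set-controller br-tun "tcp:$ctl_ip:6633"
    # What happens when the controller cluster is unreachable (misconception 2):
    #   secure     = keep the flows already installed, never fall back to MAC learning
    #   standalone = after the inactivity probe fails, act as a plain learning switch
    # "secure" is the choice that keeps tenant isolation intact during an outage.
    $OVS_VSCTL set-fail-mode br-tun "$fail_mode"
}

# Usage as a script: ovs_overlay_node.sh 192.168.10.1 192.168.10.2 10.0.0.5 secure
if [ $# -ge 3 ]; then ovs_overlay_node "$@"; fi
```

Inspect the result with `ovs-vsctl get-fail-mode br-tun` and `ovs-vsctl get-controller br-tun`; a bridge with no fail-mode set behaves like standalone.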
  • OpenFlow and Controller based Networks
  • Multiple incarnations of SDN: So what is SDN? It depends on where you stand! (image: http://upload.wikimedia.org/wikipedia/commons/f/f8/Blind_men_and_elephant3.jpg)
  • SDN defined: control / data plane separation (classic device)
      - Data plane: hardware specific, bound by ASIC/TCAM limits in physical devices
      - Control plane: distributed protocols used (OSPF, STP, etc.); populates the data plane with forwarding entries over an internal API
      - The core concept of OpenFlow is control and data plane separation. There are heated debates whether the use of hybrid approaches qualifies as real SDN. The purist point of view is: without the clear separation of control and data plane, one should not call a solution an SDN solution
  • SDN defined: control / data plane separation (OpenFlow controller)
      - Data plane: hardware specific, bound by ASIC/TCAM limits in physical devices; only a thin local control plane with an internal API remains on the device
      - OpenFlow controller: central management of forwarding tables; populates the data plane with forwarding entries using OpenFlow as an external southbound interface
      - The core concept of OpenFlow is control and data plane separation. There are heated debates whether the use of hybrid approaches qualifies as real SDN. The purist point of view is: without the clear separation of control and data plane, one should not call a solution an SDN solution
  • SDN controllers landscape (incomplete list)
      Open source controllers:
      - NOX: C++ and Python controllers open sourced by Nicira; NOX was the first controller in the market. http://www.noxrepo.org
      - Floodlight: Java based controller; focused on enabling apps to evolve independently of the control plane function; backed by Big Switch Networks engineers. http://www.projectfloodlight.org
      - Beacon: first Java based controller; basis of Floodlight. https://openflow.stanford.edu/display/Beacon/Home
      - OpenDaylight: Java based controller; community-led, open, industry-supported framework. http://www.opendaylight.org
      Commercial controllers:
      - Commercial continuation of NOX with a focus on network virtualization using overlays
      - Commercial version of the Floodlight controller by Big Switch Networks with a focus on OpenFlow-controlled switch fabrics
      And a lot more at: http://yuba.stanford.edu/~casado/of-sw.html
  • Network Virtualization, an SDN application
  • What are the key components of network virtualization?!
  • Network virtualization: a technical definition. Network virtualization is:
      - A reproduction of physical networks:
        Q: Do you have L2 broadcast / multicast, so apps do not need to be modified?
        Q: Do you have the same visibility and control over network behavior?
      - A fully isolated environment:
        Q: Could two tenants decide to use the same RFC 1918 private IP space?
        Q: Could you clone a network (IPs, MACs, and all) and deploy a second copy?
      - Physical network location independent:
        Q: Can two VMs be on the same L2 logical network, while in different physical L2 networks?
        Q: Can a VM migrate without disrupting its security policies, packet counters, or flow state?
      - Physical network state independent:
        Q: Do physical devices need to be updated when a new network/workload is provisioned?
        Q: Does the application depend on a feature in the physical switch specific to a vendor?
        Q: If a physical device died and was replaced, would application details need to be known?
      Network virtualization is NOT: running network functionality in a VM (e.g., router or load-balancer VM)
  • OpenStack Projects & Networking
  • Some of the integrated (aka core) projects
      - Compute (nova)
      - Image repo (glance): provides images
      - Object Storage (swift): stores images as objects
      - Network (neutron): provides network connectivity
      - Block Storage (cinder): provides volumes
      - Identity (keystone): provides authentication and service catalog for other projects
      - Dashboard (horizon): provides UI for other projects
  • OpenStack Networking before Neutron (diagram): nova-api (OS, EC2, Admin), nova-console (vnc/vmrc), nova-consoleauth, nova-cert, nova-scheduler, nova-metadata, nova-volume, nova-network and nova-compute around the Nova DB and the queue; nova-compute drives the hypervisor (KVM, Xen, etc.) via libvirt, XenAPI, etc. Nova has its own networking service, nova-network. It was used before Neutron. nova-network is still present today and can be used instead of Neutron. Network providers (Linux bridge or OVS with brcompat, dnsmasq, I