
GRE network details


I. Naming rules for OpenStack network devices:

1. TenantA's router and the Linux network namespace qrouter name

[email protected]:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 router-list --field id --field name
+--------------------------------------+-----------+
| id                                   | name      |
+--------------------------------------+-----------+
| 680944ad-679c-4fe8-ae4b-258cd8ac337f | tenant-R1 |
+--------------------------------------+-----------+
[email protected]:~# ip netns
qdhcp-7c22bbd9-166c-4610-9a3d-3b8b92c77518
qrouter-680944ad-679c-4fe8-ae4b-258cd8ac337f

That is, the tenant's virtual router ID corresponds to the qrouter name.

2. TenantA's network and the Linux network namespace qdhcp name

[email protected]:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 net-list  --field id --field name
+--------------------------------------+-------------+
| id                                   | name        |
+--------------------------------------+-------------+
| 7c22bbd9-166c-4610-9a3d-3b8b92c77518 | tenantA-Net |
| c8699820-7c6d-4441-9602-3425f2c630ec | Ext-Net     |
+--------------------------------------+-------------+
[email protected]:~# ip netns
qdhcp-7c22bbd9-166c-4610-9a3d-3b8b92c77518
qrouter-680944ad-679c-4fe8-ae4b-258cd8ac337f

The tenant virtual network's ID corresponds to the qdhcp name.

3. TenantA's network ports and the names of the other network devices

[email protected]:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 port-list
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                        |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------+
| 1653ec91-ad7d-40d9-b777-f74aec697026 |      | fa:16:3e:51:a2:97 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.9"}  |
| 2df7c3ed-dfbb-480d-9cd3-fdefa079e66a |      | fa:16:3e:da:41:49 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.3"}  |
| 81388454-30e0-45e4-b3dd-b7b2e8dbf067 |      | fa:16:3e:f7:e6:9c | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.1"}  |
| d7233b80-9d4b-4ef6-a60d-19b3be661069 |      | fa:16:3e:75:e0:5a | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.10"} |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------------+

The VM with IP address 10.0.0.9 (ID bec0b963-99c0-4a56-ae04-936d47e173eb) has port 1653ec91-ad7d-40d9-b777-f74aec697026, so the network devices attached to it, tap, qbr, qvb and qvo, are all named with the first 11 characters of the port ID appended.

Verification:

Looking at the libvirt XML definition file /var/lib/nova/instances/<instance-id>/libvirt.xml shows qbr and tap.

 <interface type="bridge">
      <mac address="fa:16:3e:51:a2:97"/>
      <model type="virtio"/>
      <driver name="qemu"/>
      <source bridge="qbr1653ec91-ad"/>  // the Linux bridge the VM's TAP device is attached to
      <target dev="tap1653ec91-ad"/>  // the interface the VM is connected to
</interface>

With brctl show you can see that qbr connects qvb and tap:

[email protected]:~# brctl show
bridge name     bridge id               STP enabled     interfaces
qbr1653ec91-ad          8000.22ca68904e2f       no              qvb1653ec91-ad
                                                        tap1653ec91-ad
qbrd7233b80-9d          8000.964cf783c9e1       no              qvbd7233b80-9d
                                                        tapd7233b80-9d
virbr0          8000.000000000000       yes

Similarly, qr plus the port ID prefix of the internal gateway IP 10.0.0.1 is the device name under qrouter.

qg plus the port ID prefix of the router gateway 10.1.101.80 is the qg device name under qrouter.

tap plus the port ID prefix of the internal DHCP address 10.0.0.3 is the device name under qdhcp.

This can be verified with the following commands:

[email protected]:~# neutron port-list
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                           |
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
| 1653ec91-ad7d-40d9-b777-f74aec697026 |      | fa:16:3e:51:a2:97 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.9"}     |
| 2df7c3ed-dfbb-480d-9cd3-fdefa079e66a |      | fa:16:3e:da:41:49 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.3"}     |
| 81388454-30e0-45e4-b3dd-b7b2e8dbf067 |      | fa:16:3e:f7:e6:9c | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.1"}     |
| accd8dbf-0f16-4aec-b797-bbb33abcdc83 |      | fa:16:3e:97:ee:cb | {"subnet_id": "ef86e785-8cec-486a-b67f-dcbba5311293", "ip_address": "10.100.0.103"} |
| bfe7eaa4-26bc-4fe9-9da2-550abf44beaa |      | fa:16:3e:e1:00:41 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.83"}  |
| d7233b80-9d4b-4ef6-a60d-19b3be661069 |      | fa:16:3e:75:e0:5a | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.10"}    |
| eb60f9c4-2ddb-49ee-8b78-2fc2564a7600 |      | fa:16:3e:78:39:e9 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.80"}  |
| f6812a11-c4ce-4880-8566-2206afcc612a |      | fa:16:3e:9e:75:a2 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.82"}  |
+--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------+
[email protected]:~# ip netns exec qrouter-680944ad-679c-4fe8-ae4b-258cd8ac337f ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

qg-eb60f9c4-2d Link encap:Ethernet  HWaddr fa:16:3e:78:39:e9  
          inet addr:10.1.101.80  Bcast:10.1.101.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe78:39e9/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:31953 errors:0 dropped:0 overruns:0 frame:0
          TX packets:372 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4158911 (4.1 MB)  TX bytes:40876 (40.8 KB)

qr-81388454-30 Link encap:Ethernet  HWaddr fa:16:3e:f7:e6:9c  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fef7:e69c/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:882 errors:0 dropped:0 overruns:0 frame:0
          TX packets:832 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:93440 (93.4 KB)  TX bytes:96206 (96.2 KB)
[email protected]:~# ip netns exec qdhcp-7c22bbd9-166c-4610-9a3d-3b8b92c77518 ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3456 (3.4 KB)  TX bytes:3456 (3.4 KB)

tap2df7c3ed-df Link encap:Ethernet  HWaddr fa:16:3e:da:41:49  
          inet addr:10.0.0.3  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:feda:4149/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:117 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:11176 (11.1 KB)  TX bytes:5865 (5.8 KB)
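The naming rule above (first 11 characters of the port UUID for tap/qbr/qvb/qvo, qr- and qg- devices; first 10 characters for the per-port iptables chains shown later in this post) is mechanical, so it can be checked by script. The following Python is an added example, not code from the original post: it derives the expected device names from a port ID, parses the post's own `neutron port-list` and `brctl show` output (copied inline as constructed samples, so it runs offline with only the standard library), and confirms that each VM port's qbr really holds its qvb and tap.

```python
"""Derive Neutron device names from a port ID and check them against
`brctl show` output. Added example; the sample text below is copied from
the post's own command output so the script runs offline."""
import json

# Neutron builds device names from the first 11 characters of the port UUID
# (tap/qbr/qvb/qvo on the compute node, qr-/qg- in qrouter, tap in qdhcp).
# The per-port security-group iptables chains use the first 10 characters.
DEV_PREFIX_LEN = 11
CHAIN_PREFIX_LEN = 10

# Constructed sample: body rows of the post's `neutron port-list` (fixed_ips is JSON).
PORT_LIST = """\
| 1653ec91-ad7d-40d9-b777-f74aec697026 |      | fa:16:3e:51:a2:97 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.9"}    |
| 2df7c3ed-dfbb-480d-9cd3-fdefa079e66a |      | fa:16:3e:da:41:49 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.3"}    |
| 81388454-30e0-45e4-b3dd-b7b2e8dbf067 |      | fa:16:3e:f7:e6:9c | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.1"}    |
| eb60f9c4-2ddb-49ee-8b78-2fc2564a7600 |      | fa:16:3e:78:39:e9 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.80"} |
"""

# Constructed sample: the post's `brctl show` output from the compute node.
BRCTL_SHOW = """\
bridge name     bridge id               STP enabled     interfaces
qbr1653ec91-ad          8000.22ca68904e2f       no              qvb1653ec91-ad
                                                        tap1653ec91-ad
qbrd7233b80-9d          8000.964cf783c9e1       no              qvbd7233b80-9d
                                                        tapd7233b80-9d
virbr0          8000.000000000000       yes
"""


def device_names(port_id, role):
    """Expected device names for a port. role is one of 'vm' (instance port),
    'router_internal' (qr-), 'router_gateway' (qg-) or 'dhcp' (tap in qdhcp)."""
    short = port_id[:DEV_PREFIX_LEN]
    if role == "vm":
        names = {kind: f"{kind}{short}" for kind in ("tap", "qbr", "qvb", "qvo")}
        chain = port_id[:CHAIN_PREFIX_LEN]
        names["sg_ingress_chain"] = f"neutron-openvswi-i{chain}"
        names["sg_egress_chain"] = f"neutron-openvswi-o{chain}"
        return names
    prefix = {"router_internal": "qr-", "router_gateway": "qg-", "dhcp": "tap"}[role]
    return {prefix.rstrip("-"): f"{prefix}{short}"}


def parse_port_list(text):
    """Map port ID -> (mac, ip) from the body rows of `neutron port-list`."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        port_id, _name, mac, fixed_ips = cells
        ports[port_id] = (mac, json.loads(fixed_ips)["ip_address"])
    return ports


def parse_brctl(text):
    """Map bridge name -> member interfaces; indented lines hold extra members."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        if line[0].isspace():
            bridges[current].append(line.strip())
        else:
            fields = line.split()
            current = fields[0]
            bridges[current] = fields[3:4]  # 4th column is absent for an empty bridge
    return bridges


def vm_port_wiring_ok(port_id, brctl_text):
    """True when the qbr for this VM port holds both its qvb and its tap."""
    names = device_names(port_id, "vm")
    members = set(parse_brctl(brctl_text).get(names["qbr"], []))
    return {names["qvb"], names["tap"]} <= members


if __name__ == "__main__":
    for port_id, (mac, ip) in parse_port_list(PORT_LIST).items():
        print(port_id, mac, ip, device_names(port_id, "vm")["tap"],
              "wired" if vm_port_wiring_ok(port_id, BRCTL_SHOW) else "not on this host")
```

Running it against the post's data, only the two instance ports have a complete qbr/qvb/tap trio on the compute node; the DHCP and router ports are expected to be missing there, since those live in the qdhcp and qrouter namespaces on the network node.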

II. System environment

For the environment, see: three-node OpenStack Icehouse GRE-mode deployment.

1. Network devices in the system:

[email protected]:~# nova list --all-tenant
+--------------------------------------+-------+--------+------------+-------------+-----------------------+
| ID                                   | Name  | Status | Task State | Power State | Networks              |
+--------------------------------------+-------+--------+------------+-------------+-----------------------+
| f467ba96-09c4-4eb7-b79c-5391f326c7d1 | vm001 | ACTIVE | -          | Running     | tenantA-Net=10.0.0.10 |
| bec0b963-99c0-4a56-ae04-936d47e173eb | vm002 | ACTIVE | -          | Running     | tenantA-Net=10.0.0.9  |
+--------------------------------------+-------+--------+------------+-------------+-----------------------+
[email protected]:~# neutron net-list   
+--------------------------------------+-------------+----------------------------------------------------+
| id                                   | name        | subnets                                            |
+--------------------------------------+-------------+----------------------------------------------------+
| 7c22bbd9-166c-4610-9a3d-3b8b92c77518 | tenantA-Net | c37d8ed0-372e-4b24-9ba2-897c38c6ddbf 10.0.0.0/24   |
| c8699820-7c6d-4441-9602-3425f2c630ec | Ext-Net     | 2c4155c9-5a2e-471c-a4d8-40a86b45ab0a 10.1.101.0/24 |
+--------------------------------------+-------------+----------------------------------------------------+
[email protected]:~# neutron subnet-list
+--------------------------------------+------+---------------+-------------------------------------------------+
| id                                   | name | cidr          | allocation_pools                                |
+--------------------------------------+------+---------------+-------------------------------------------------+
| 2c4155c9-5a2e-471c-a4d8-40a86b45ab0a |      | 10.1.101.0/24 | {"start": "10.1.101.80", "end": "10.1.101.100"} |
| c37d8ed0-372e-4b24-9ba2-897c38c6ddbf |      | 10.0.0.0/24   | {"start": "10.0.0.2", "end": "10.0.0.254"}      |
+--------------------------------------+------+---------------+-------------------------------------------------+
[email protected]:~# neutron router-list
+--------------------------------------+-----------+-----------------------------------------------------------------------------+
| id                                   | name      | external_gateway_info                                                       |
+--------------------------------------+-----------+-----------------------------------------------------------------------------+
| 680944ad-679c-4fe8-ae4b-258cd8ac337f | tenant-R1 | {"network_id": "c8699820-7c6d-4441-9602-3425f2c630ec", "enable_snat": true} |
+--------------------------------------+-----------+-----------------------------------------------------------------------------+
[email protected]:~# neutron port-list
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 1653ec91-ad7d-40d9-b777-f74aec697026 |      | fa:16:3e:51:a2:97 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.9"}    |
| 2df7c3ed-dfbb-480d-9cd3-fdefa079e66a |      | fa:16:3e:da:41:49 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.3"}    |
| 81388454-30e0-45e4-b3dd-b7b2e8dbf067 |      | fa:16:3e:f7:e6:9c | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.1"}    |
| bfe7eaa4-26bc-4fe9-9da2-550abf44beaa |      | fa:16:3e:e1:00:41 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.83"} |
| d7233b80-9d4b-4ef6-a60d-19b3be661069 |      | fa:16:3e:75:e0:5a | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.10"}   |
| eb60f9c4-2ddb-49ee-8b78-2fc2564a7600 |      | fa:16:3e:78:39:e9 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.80"} |
| f6812a11-c4ce-4880-8566-2206afcc612a |      | fa:16:3e:9e:75:a2 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.82"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
[email protected]:~# ip netns
qdhcp-7c22bbd9-166c-4610-9a3d-3b8b92c77518
qrouter-680944ad-679c-4fe8-ae4b-258cd8ac337f

There is one external network, Ext-Net; its subnet is 2c4155c9-5a2e-471c-a4d8-40a86b45ab0a, the network range is 10.1.101.0/24, and the allocation pool is 10.1.101.80 to 10.1.101.100.

There is one tenant network, tenantA-Net (TenantA's network, ID 7c22bbd9-166c-4610-9a3d-3b8b92c77518, corresponding to qdhcp-7c22bbd9-166c-4610-9a3d-3b8b92c77518); its subnet is c37d8ed0-372e-4b24-9ba2-897c38c6ddbf, the network range is 10.0.0.0/24, and the allocation pool is 10.0.0.2 to 10.0.0.254.

TenantA has one private router, tenant-R1 (ID 680944ad-679c-4fe8-ae4b-258cd8ac337f, corresponding to qrouter-680944ad-679c-4fe8-ae4b-258cd8ac337f).

2. Ports in the system

[email protected]:~# neutron port-list
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 1653ec91-ad7d-40d9-b777-f74aec697026 |      | fa:16:3e:51:a2:97 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.9"}    |
| 2df7c3ed-dfbb-480d-9cd3-fdefa079e66a |      | fa:16:3e:da:41:49 | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.3"}    |
| 81388454-30e0-45e4-b3dd-b7b2e8dbf067 |      | fa:16:3e:f7:e6:9c | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.1"}    |
| bfe7eaa4-26bc-4fe9-9da2-550abf44beaa |      | fa:16:3e:e1:00:41 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.83"} |
| d7233b80-9d4b-4ef6-a60d-19b3be661069 |      | fa:16:3e:75:e0:5a | {"subnet_id": "c37d8ed0-372e-4b24-9ba2-897c38c6ddbf", "ip_address": "10.0.0.10"}   |
| eb60f9c4-2ddb-49ee-8b78-2fc2564a7600 |      | fa:16:3e:78:39:e9 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.80"} |
| f6812a11-c4ce-4880-8566-2206afcc612a |      | fa:16:3e:9e:75:a2 | {"subnet_id": "2c4155c9-5a2e-471c-a4d8-40a86b45ab0a", "ip_address": "10.1.101.82"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
[email protected]:~# ip netns
qdhcp-7c22bbd9-166c-4610-9a3d-3b8b92c77518
qrouter-680944ad-679c-4fe8-ae4b-258cd8ac337f
[email protected]:~# ip netns exec qrouter-680944ad-679c-4fe8-ae4b-258cd8ac337f ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

qg-eb60f9c4-2d Link encap:Ethernet  HWaddr fa:16:3e:78:39:e9  
          inet addr:10.1.101.80  Bcast:10.1.101.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe78:39e9/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:32619 errors:0 dropped:0 overruns:0 frame:0
          TX packets:374 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4280629 (4.2 MB)  TX bytes:40960 (40.9 KB)

qr-81388454-30 Link encap:Ethernet  HWaddr fa:16:3e:f7:e6:9c  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fef7:e69c/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:1012 errors:0 dropped:0 overruns:0 frame:0
          TX packets:914 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:106266 (106.2 KB)  TX bytes:108626 (108.6 KB)

[email protected]:~# ip netns exec qdhcp-7c22bbd9-166c-4610-9a3d-3b8b92c77518 ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3456 (3.4 KB)  TX bytes:3456 (3.4 KB)

tap2df7c3ed-df Link encap:Ethernet  HWaddr fa:16:3e:da:41:49  
          inet addr:10.0.0.3  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:feda:4149/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:12344 (12.3 KB)  TX bytes:6595 (6.5 KB)

neutron port-list shows 7 ports in total.

Clearly 1653ec91-ad7d-40d9-b777-f74aec697026 (10.0.0.9) and d7233b80-9d4b-4ef6-a60d-19b3be661069 (10.0.0.10) are the private-IP ports of the VMs vm002 and vm001 (the VMs' tap device ports).

Ports f6812a11-c4ce-4880-8566-2206afcc612a (10.1.101.82) and bfe7eaa4-26bc-4fe9-9da2-550abf44beaa (10.1.101.83) are two floating IPs.

Ports 81388454-30e0-45e4-b3dd-b7b2e8dbf067 (10.0.0.1) and eb60f9c4-2ddb-49ee-8b78-2fc2564a7600 (10.1.101.80) are the network ports on qrouter. In TenantA's network environment they act, respectively, as the gateway qr-81388454-30 of the subnet (c37d8ed0-372e-4b24-9ba2-897c38c6ddbf, range 10.0.0.0/24) and the external channel qg-eb60f9c4-2d. [Multiple networks map to multiple qrouters, i.e. multiple qr and qg devices.]

Port 2df7c3ed-dfbb-480d-9cd3-fdefa079e66a (10.0.0.3) is the network port tap2df7c3ed-df on qdhcp. In TenantA's network environment it dynamically assigns private IP addresses for the subnet (c37d8ed0-372e-4b24-9ba2-897c38c6ddbf, range 10.0.0.0/24) and provides the subnet's DHCP service. [Multiple subnets map to multiple qdhcp namespaces, i.e. multiple tap devices.]

3. Linux bridges and OVS bridges on the network node:

[email protected]:~# brctl show
bridge name     bridge id               STP enabled     interfaces
[email protected]:~# ovs-vsctl show
1c921779-83ff-4493-8def-df53783ebae2
    Bridge br-ex
        Port "qg-eb60f9c4-2d"
            Interface "qg-eb60f9c4-2d"
                type: internal
        Port "eth2"
            Interface "eth2"
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port "tap2df7c3ed-df"
            tag: 10
            Interface "tap2df7c3ed-df"
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port "qr-81388454-30"
            tag: 10
            Interface "qr-81388454-30"
                type: internal
    Bridge br-tun
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "gre-0a00011f"
            Interface "gre-0a00011f"
                type: gre
                options: {in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.31"}
        Port "gre-0a000129"
            Interface "gre-0a000129"
                type: gre
                options: {in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.41"}
        Port br-tun
            Interface br-tun
                type: internal
    ovs_version: "2.0.2"

It can be seen that the network node runs no VMs, so the Linux bridge list is empty.

The OVS bridge br-int carries the qrouter's qr port and the qdhcp's tap port;

The OVS bridge br-ex carries the qrouter's qg port, and br-ex is connected to the physical NIC eth2;

The OVS bridge br-tun only patches to the bridge br-int and builds the tunnel plane.

4. Linux bridges and OVS bridges on the compute node:

[email protected]:~# virsh list
 Id    Name                           State
----------------------------------------------------
 2     instance-00000029              running
 3     instance-00000028              running

[email protected]:~# brctl show 
bridge name     bridge id               STP enabled     interfaces
qbr1653ec91-ad          8000.22ca68904e2f       no              qvb1653ec91-ad
                                                        tap1653ec91-ad
qbrd7233b80-9d          8000.964cf783c9e1       no              qvbd7233b80-9d
                                                        tapd7233b80-9d
virbr0          8000.000000000000       yes
[email protected]:~# ovs-vsctl show   /// query and update the ovs-vswitchd configuration
14b9e1b3-2d80-4380-92b0-f585cf9f74f7
    Bridge br-tun   // OVS tunnel bridge br-tun
        Port "gre-0a000129"  // port connecting to a GRE tunnel
            Interface "gre-0a000129"
                type: gre
                options: {in_key=flow, local_ip="10.0.1.31", out_key=flow, remote_ip="10.0.1.41"} // a GRE tunnel is point-to-point: this end's IP is 10.0.1.31, the far end's IP is 10.0.1.41
        Port "gre-0a000115"  // port connecting to a GRE tunnel
            Interface "gre-0a000115"
                type: gre
                options: {in_key=flow, local_ip="10.0.1.31", out_key=flow, remote_ip="10.0.1.21"}  // a GRE tunnel is point-to-point: this end's IP is 10.0.1.31, the far end's IP is 10.0.1.21
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-int  // port patch-int, used to connect to the bridge br-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
    Bridge br-int   // OVS integration bridge br-int
        fail_mode: secure
        Port "qvod7233b80-9d"  // port connecting to [the Linux bridge that one VM NIC's TAP device is attached to]
            tag: 1
            Interface "qvod7233b80-9d"
        Port "qvo1653ec91-ad"   // port connecting to [the Linux bridge that one VM NIC's TAP device is attached to]
            tag: 1
            Interface "qvo1653ec91-ad"
        Port patch-tun  // port used to connect to br-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}  // peer of patch-int on the bridge br-tun
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "2.0.2"

[email protected]:~# ovs-ofctl show br-tun  /// query and update OpenFlow switches and controllers
OFPT_FEATURES_REPLY (xid=0x2): dpid:0000d63ebd331948
n_tables:254, n_buffers:256
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: OUTPUT SET_VLAN_VID SET_VLAN_PCP STRIP_VLAN SET_DL_SRC SET_DL_DST SET_NW_SRC SET_NW_DST SET_NW_TOS SET_TP_SRC SET_TP_DST ENQUEUE
 1(patch-int): addr:9a:0f:cb:ab:46:7a // the ID of port patch-int is 1
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
 2(gre-0a000115): addr:e2:01:f1:7d:a5:af // the ID of port gre-0a000115 is 2
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
 3(gre-0a000129): addr:8e:b1:ce:5f:51:9b
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
 LOCAL(br-tun): addr:d6:3e:bd:33:19:48
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0
 

It can be seen that 2 VMs are running on the compute node.

You can see the Linux bridge qbr1653ec91-ad with the qvb1653ec91-ad port and the tap1653ec91-ad port.

The OVS bridge br-int carries the qvo ports;

The OVS bridge br-tun only patches to the bridge br-int and builds the tunnel plane.

III. Data flow for virtual machines

The figure below is a typical Neutron OVS GRE network-mode diagram.

There are two compute nodes, Compute-01 and Compute-02, and one network node.

[Figure: typical Neutron OVS GRE network topology with compute nodes Compute-01 and Compute-02 and one network node]

1. Overview of the network devices

tap: the interface that connects the VM to qbr; it sits on qbr. Its counterpart is the virtual NIC inside the VM.

qbr: simply a Linux bridge.

qvb: veth pair, bridge side. qvb and qvo are the pair of interfaces that connect qbr and OVS; qvb is the end of the pair on the qbr side.

qvo: veth pair, Open vSwitch side. qvb and qvo are the pair of interfaces that connect qbr and OVS; qvo is the end of the pair on the OVS side.

qr: l3-agent-managed port; the port on the router side.

qg: l3-agent-managed port; the port on the gateway side.

2. VM reaching the external network (VM data from the compute node to the network node to the outside)

Suppose the NIC eth0 of VM-003 on physical compute node Compute-02 sends a packet towards the external physical router gateway 10.1.101.254; the data flow is as follows:

The data passes in turn through the tap device; the Linux bridge device qbr; the qvb and qvo virtual network devices; and reaches the compute node's OVS bridge br-int, where it is tagged with a VLAN ID. br-int hands the packet to Compute-02's OVS bridge br-tun, which converts the VLAN ID into a tunnel ID. The packet then crosses the network tunnel formed between Compute-02's br-tun and the network node's br-tun (passing through the physical NIC), the tunnel ID is converted back into a VLAN ID, and the packet is delivered to the network node's OVS bridge br-int. The network node's br-int, through the qr device and the Linux network namespace qrouter, reaches the qg device on br-ex (during this step the router's NAT table translates the fixed IP address into the floating IP address) and delivers the packet to the OVS bridge br-ex. Finally br-ex sends the packet through the network node's external physical NIC eth2 to the external router gateway.

3. Data flow between VMs on compute nodes

(1) Communication between VMs in the same subnet on the same host:

Because br-int is a virtual layer-2 switch, TenantA's two VMs vm001 and vm002, for example, can communicate directly across the br-int bridge without going through br-tun.

(2) Communication between VMs in the same subnet on different hosts:

A packet sent by a VM on Compute1 passes through qbr to br-int, where it is tagged with a VLAN ID; it reaches br-tun, where the VLAN ID is converted into a tunnel ID, and is sent out over the GRE tunnel to the compute2 node.

(3) A VM sending a DHCP request

On the compute node the packet goes from br-int to br-tun, through the GRE tunnel to br-tun on the network node, then via br-int to qdhcp; qdhcp returns the VM's fixed IP address along the same path.

4. The network devices of the compute node and the network node

Compute node:

(1) The tap device connected to the VM

Each VM has a virtual NIC eth0; eth0 is connected to a TAP device on the host, the TAP device is attached directly to a Linux bridge qbr, and qbr is connected to br-int. Ideally the tap device would connect directly to br-int, as shown by the green box in the figure. But OpenStack implements security groups with iptables rules on the TAP device, and if the TAP were connected directly to the OVS bridge br-int, br-int would not honour iptables rules; so OpenStack adopted a workaround and added an extra Linux bridge layer. As a result the OVS br-int and the Linux bridge, both layer-2 bridges, appear side by side.

Neutron uses iptables on the tap device to implement security groups.

Look at the iptables rules on VM vm002's tap device:

[email protected]:~# iptables -S |grep tap1653ec91-ad
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-o1653ec91-a
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-i1653ec91-a
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-o1653ec91-a

OpenStack Neutron implements security groups on neutron-openvswi-sg-chain.

With the default security group:

neutron-openvswi-i1653ec91-a controls traffic entering the VM

[email protected]:~# iptables -S |grep neutron-openvswi-i1653ec91-a
-N neutron-openvswi-i1653ec91-a
-A neutron-openvswi-i1653ec91-a -m state --state INVALID -j DROP
-A neutron-openvswi-i1653ec91-a -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1653ec91-a -p udp -m udp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-i1653ec91-a -s 10.0.0.10/32 -j RETURN
-A neutron-openvswi-i1653ec91-a -p icmp -j RETURN
-A neutron-openvswi-i1653ec91-a -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-i1653ec91-a -s 10.0.0.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1653ec91-a -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-i1653ec91-a

neutron-openvswi-o1653ec91-a controls traffic leaving the VM

[email protected]:~# iptables -S |grep neutron-openvswi-o1653ec91-a
-N neutron-openvswi-o1653ec91-a
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-o1653ec91-a
-A neutron-openvswi-o1653ec91-a -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1653ec91-a -j neutron-openvswi-s1653ec91-a
-A neutron-openvswi-o1653ec91-a -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1653ec91-a -m state --state INVALID -j DROP
-A neutron-openvswi-o1653ec91-a -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1653ec91-a -j RETURN
-A neutron-openvswi-o1653ec91-a -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-o1653ec91-a

Add a security group rule allowing TCP port 22:

[email protected]:~# neutron --os-tenant-name TenantA --os-username UserA --os-password password --os-auth-url=http://localhost:5000/v2.0 security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress default
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | be3d6a06-be6b-4f51-b1a5-294ad2a0a261 |
| port_range_max    | 22                                   |
| port_range_min    | 22                                   |
| protocol          | tcp                                  |
| remote_group_id   |                                      |
| remote_ip_prefix  |                                      |
| security_group_id | 8bd8fb6b-7141-4900-8321-390cc1a5d999 |
| tenant_id         | 60a10cd7a61b493d910eabd353c07567     |
+-------------------+--------------------------------------+

The tap device's iptables then changes as follows:

[email protected]:~# iptables -S | grep 22
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A neutron-openvswi-i1653ec91-a -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-id7233b80-9 -p tcp -m tcp --dport 22 -j RETURN
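The per-port chains above are the whole security-group policy for one VM, so reading them correctly matters when auditing a host. As an added example (not code from the original post), the following Python parses `iptables -S` lines for the ingress and egress chains of vm002's tap, lists what the ingress chain lets through, diffs the chain before and after the TCP/22 rule was added, and checks that the egress chain still drops UDP 67 to 68 leaving the VM (the rule that stops a guest from answering other tenants' DHCP requests). The rule text is copied from this post; the "after" set is constructed by adding the `--dport 22` rule that the post's grep shows, and only the standard library is used.

```python
"""Parse `iptables -S` output for Neutron per-port security-group chains and
summarise what they allow. Added example; the rule text is copied from the
post (the 'after' set adds the TCP/22 rule the post's grep shows)."""

# Constructed sample: ingress chain of vm002's tap with the default security group.
INGRESS_BEFORE = """\
-N neutron-openvswi-i1653ec91-a
-A neutron-openvswi-i1653ec91-a -m state --state INVALID -j DROP
-A neutron-openvswi-i1653ec91-a -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i1653ec91-a -p udp -m udp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-i1653ec91-a -s 10.0.0.10/32 -j RETURN
-A neutron-openvswi-i1653ec91-a -p icmp -j RETURN
-A neutron-openvswi-i1653ec91-a -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-i1653ec91-a -s 10.0.0.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i1653ec91-a -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-i1653ec91-a
"""
# Constructed: the same chain after the post's security-group-rule-create for TCP 22.
NEW_SSH_RULE = "-A neutron-openvswi-i1653ec91-a -p tcp -m tcp --dport 22 -j RETURN"
FALLBACK_RULE = "-A neutron-openvswi-i1653ec91-a -j neutron-openvswi-sg-fallback"
INGRESS_AFTER = INGRESS_BEFORE.replace(FALLBACK_RULE, NEW_SSH_RULE + "\n" + FALLBACK_RULE)

# Constructed sample: egress chain of the same port.
EGRESS = """\
-N neutron-openvswi-o1653ec91-a
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1653ec91-ad --physdev-is-bridged -j neutron-openvswi-o1653ec91-a
-A neutron-openvswi-o1653ec91-a -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1653ec91-a -j neutron-openvswi-s1653ec91-a
-A neutron-openvswi-o1653ec91-a -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o1653ec91-a -m state --state INVALID -j DROP
-A neutron-openvswi-o1653ec91-a -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-o1653ec91-a -j RETURN
-A neutron-openvswi-o1653ec91-a -j neutron-openvswi-sg-fallback
"""
IN_CHAIN = "neutron-openvswi-i1653ec91-a"
OUT_CHAIN = "neutron-openvswi-o1653ec91-a"


def parse_rules(text):
    """Turn `-A chain <matches> -j target` lines into dicts; `-N` lines are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain, match, target, i = tokens[1], {}, None, 2
        while i < len(tokens):
            key = tokens[i].lstrip("-")
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            value = tokens[i + 1] if has_value else True  # bare flags such as --physdev-is-bridged
            if key == "j":
                target = value
            elif key == "m":  # match extensions may repeat (-m udp -m multiport)
                match.setdefault("modules", []).append(value)
            else:
                match[key] = value
            i += 2 if has_value else 1
        rules.append({"chain": chain, "match": match, "target": target})
    return rules


def summarize(match):
    keys = ("p", "s", "d", "sport", "dport", "sports", "dports", "state")
    return " ".join(f"{k}={match[k]}" for k in keys if k in match) or "any"


def allowed(rules, chain):
    """Match specs that RETURN from a per-port chain. In Neutron, RETURN hands the
    packet back to neutron-openvswi-sg-chain, which accepts it; the chain's final
    jump to neutron-openvswi-sg-fallback drops everything that matched nothing."""
    return {summarize(r["match"]) for r in rules if r["chain"] == chain and r["target"] == "RETURN"}


def new_allowances(before, after, chain):
    return allowed(after, chain) - allowed(before, chain)


def final_target(rules, chain):
    return [r for r in rules if r["chain"] == chain][-1]["target"]


def drops_dhcp_server_replies(rules, chain):
    """True if the egress chain drops UDP 67->68 leaving the VM, so the guest
    cannot act as a DHCP server towards the rest of the subnet."""
    return any(r["chain"] == chain and r["target"] == "DROP"
               and r["match"].get("p") == "udp"
               and r["match"].get("sport") == "67" and r["match"].get("dport") == "68"
               for r in rules)


if __name__ == "__main__":
    before, after = parse_rules(INGRESS_BEFORE), parse_rules(INGRESS_AFTER)
    print("default ingress allows:", sorted(allowed(before, IN_CHAIN)))
    print("added by the TCP/22 rule:", new_allowances(before, after, IN_CHAIN))
    print("unmatched ingress goes to:", final_target(before, IN_CHAIN))
    print("egress blocks DHCP server replies:", drops_dhcp_server_replies(parse_rules(EGRESS), OUT_CHAIN))
```

Note that with the default group the ingress chain already RETURNs on `udp --dports 1:65535` and `tcp --dports 1:65535` for this deployment, so the TCP/22 rule is additive rather than the first thing letting SSH in; the diff makes that visible instead of leaving it to be inferred from a grep.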

(2) OVS integration bridge br-int

br-int is a virtual bridge created by Open vSwitch, but in practice it plays the role of a virtual switch. The tap device ports on br-int connect the VMs on the host to the same switching layer. Through the interconnection protocol of the local OVS bridge br-tun, the br-int bridges of all nodes in the OpenStack deployment can then be organised into one larger virtual switch BR-INT{compute-01-br-int + compute-02-br-int...}.

Every network created with the neutron net-create command gets a new VLAN ID. See the tag value of the Ports in the ovs-vsctl show output.

br-int handles the VLAN IDs of traffic entering and leaving the VMs.

(3) OVS tunnel bridge br-tun

br-tun is a virtual bridge created by OVS. Downwards it connects directly to br-int as the entry and exit point for network data; upwards it connects over a specific communication protocol to the br-tun of every other node, forming a flat communication/tunnel layer. If the abstraction layer built from all the br-int bridges is defined as the virtual layer-2 network, then the abstraction layer formed by all the br-tun bridges is the virtual layer-3 network.

br-tun uses OpenFlow rules to handle the conversion between VLAN ID and tunnel ID.

The conversion between the two IDs can be seen in the OpenFlow rule tables below:

[email protected]:~# ovs-ofctl show br-tun
OFPT_FEATURES_REPLY (xid=0x2): dpid:0000d63ebd331948
n_tables:254, n_buffers:256
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: OUTPUT SET_VLAN_VID SET_VLAN_PCP STRIP_VLAN SET_DL_SRC SET_DL_DST SET_NW_SRC SET_NW_DST SET_NW_TOS SET_TP_SRC SET_TP_DST ENQUEUE
1(patch-int): addr:9a:0f:cb:ab:46:7a // the ID of port patch-int is 1
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
2(gre-0a000115): addr:e2:01:f1:7d:a5:af // the ID of port gre-0a000115 is 2
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
3(gre-0a000129): addr:8e:b1:ce:5f:51:9b // the ID of port gre-0a000129 is 3
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
LOCAL(br-tun): addr:d6:3e:bd:33:19:48
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0
[email protected]:~# ovs-ofctl dump-flows br-tun
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=99058.105s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=1,in_port=3 actions=resubmit(,2)  // traffic entering on port 3 (gre-0a000129) is resubmitted to the table 2 rules
 cookie=0x0, duration=164986.43s, table=0, n_packets=303, n_bytes=29712, idle_age=7626, hard_age=65534, priority=1,in_port=1 actions=resubmit(,1)  // traffic entering on port 1 (patch-int) is resubmitted to table 1
 cookie=0x0, duration=164981.72s, table=0, n_packets=188, n_bytes=28694, idle_age=7626, hard_age=65534, priority=1,in_port=2 actions=resubmit(,2)  // traffic entering on port 2 (gre-0a000115) is resubmitted to table 2
 cookie=0x0, duration=164986.109s, table=0, n_packets=4, n_bytes=320, idle_age=65534, hard_age=65534, priority=0 actions=drop
 cookie=0x0, duration=164985.783s, table=1, n_packets=257, n_bytes=25328, idle_age=7626, hard_age=65534, priority=1,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)  // resubmitted to the table 20 rules
 cookie=0x0, duration=164985.31s, table=1, n_packets=46, n_bytes=4384, idle_age=7631, hard_age=65534, priority=1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,21)
 cookie=0x0, duration=164979.109s, table=2, n_packets=188, n_bytes=28694, idle_age=7626, hard_age=65534, priority=1,tun_id=0x2 actions=mod_vlan_vid:1,resubmit(,10)  // traffic from the neutron node: tag with VLAN ID 1, resubmit to the table 10 rules
 cookie=0x0, duration=164984.991s, table=2, n_packets=8, n_bytes=648, idle_age=65534, hard_age=65534, priority=0 actions=drop
 cookie=0x0, duration=164984.676s, table=3, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
 cookie=0x0, duration=164984.395s, table=10, n_packets=188, n_bytes=28694, idle_age=7626, hard_age=65534, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1  /// learn a rule into table 20, then send out port 1 (patch-int)
 cookie=0x0, duration=164984.067s, table=20, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=resubmit(,21)  // resubmit to the table 21 rules
 cookie=0x0, duration=164979.293s, table=21, n_packets=36, n_bytes=3576, idle_age=7631, hard_age=65534, dl_vlan=1 actions=strip_vlan,set_tunnel:0x2,output:3,output:2  // strip the VLAN ID, set tunnel ID 2 (the neutron node's tunnel ID), send out port 2 (the GRE port)
 cookie=0x0, duration=164983.75s, table=21, n_packets=10, n_bytes=808, idle_age=65534, hard_age=65534, priority=0 actions=drop
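The flow dump is the only place where the VLAN-to-tunnel-ID mapping that isolates tenants is written down, so it is worth extracting it rather than reading it by eye. The following Python is an added example, not code from the original post: it parses the `ovs-ofctl dump-flows br-tun` output quoted above (copied inline as a constructed sample, comments removed), pulls the `tun_id -> VLAN` mapping out of table 2 and the `VLAN -> tun_id` mapping out of table 21, checks that the two directions agree, and follows the table-0 dispatch so you can ask which local VLAN a frame arriving on a given GRE port with a given tunnel key ends up in. It simplifies the pipeline (only table 0 and table 2 are walked for ingress) and uses only the standard library; the default OpenFlow priority of 32768 is assumed for the flow that prints no priority.

```python
"""Parse `ovs-ofctl dump-flows br-tun` and extract the VLAN <-> tunnel-ID mapping
that br-tun applies. Added example; the flow text is copied from the post."""
import re

# Constructed sample: the post's dump-flows output with the inline comments removed.
DUMP_FLOWS = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=99058.105s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=1,in_port=3 actions=resubmit(,2)
 cookie=0x0, duration=164986.43s, table=0, n_packets=303, n_bytes=29712, idle_age=7626, hard_age=65534, priority=1,in_port=1 actions=resubmit(,1)
 cookie=0x0, duration=164981.72s, table=0, n_packets=188, n_bytes=28694, idle_age=7626, hard_age=65534, priority=1,in_port=2 actions=resubmit(,2)
 cookie=0x0, duration=164986.109s, table=0, n_packets=4, n_bytes=320, idle_age=65534, hard_age=65534, priority=0 actions=drop
 cookie=0x0, duration=164985.783s, table=1, n_packets=257, n_bytes=25328, idle_age=7626, hard_age=65534, priority=1,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
 cookie=0x0, duration=164985.31s, table=1, n_packets=46, n_bytes=4384, idle_age=7631, hard_age=65534, priority=1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,21)
 cookie=0x0, duration=164979.109s, table=2, n_packets=188, n_bytes=28694, idle_age=7626, hard_age=65534, priority=1,tun_id=0x2 actions=mod_vlan_vid:1,resubmit(,10)
 cookie=0x0, duration=164984.991s, table=2, n_packets=8, n_bytes=648, idle_age=65534, hard_age=65534, priority=0 actions=drop
 cookie=0x0, duration=164984.676s, table=3, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
 cookie=0x0, duration=164984.395s, table=10, n_packets=188, n_bytes=28694, idle_age=7626, hard_age=65534, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
 cookie=0x0, duration=164984.067s, table=20, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=resubmit(,21)
 cookie=0x0, duration=164979.293s, table=21, n_packets=36, n_bytes=3576, idle_age=7631, hard_age=65534, dl_vlan=1 actions=strip_vlan,set_tunnel:0x2,output:3,output:2
 cookie=0x0, duration=164983.75s, table=21, n_packets=10, n_bytes=808, idle_age=65534, hard_age=65534, priority=0 actions=drop
"""

DEFAULT_PRIORITY = 32768  # OpenFlow default when a flow prints no priority


def parse_flows(text):
    """One dict per flow: table, priority, match fields, and the raw actions string."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("cookie="):
            continue
        head, actions = line.split(" actions=", 1)
        match = {}
        for item in head.split(", "):        # "priority=1,in_port=3" is one item
            for kv in item.split(","):
                key, _, value = kv.partition("=")
                match[key] = value
        table = int(match.pop("table"))
        priority = int(match.pop("priority", DEFAULT_PRIORITY))
        for stat in ("cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"):
            match.pop(stat, None)
        flows.append({"table": table, "priority": priority, "match": match, "actions": actions})
    return flows


def tunnel_to_vlan(flows):
    """Table 2: incoming tun_id -> local VLAN set by mod_vlan_vid."""
    mapping = {}
    for f in flows:
        if f["table"] == 2 and "tun_id" in f["match"]:
            vid = re.search(r"mod_vlan_vid:(\d+)", f["actions"])
            if vid:
                mapping[int(f["match"]["tun_id"], 16)] = int(vid.group(1))
    return mapping


def vlan_to_tunnel(flows):
    """Table 21: local dl_vlan -> (tun_id set by set_tunnel, GRE output ports)."""
    mapping = {}
    for f in flows:
        if f["table"] == 21 and "dl_vlan" in f["match"]:
            tun = re.search(r"set_tunnel:(0x[0-9a-fA-F]+|\d+)", f["actions"])
            ports = [int(p) for p in re.findall(r"output:(\d+)", f["actions"])]
            if tun:
                mapping[int(f["match"]["dl_vlan"])] = (int(tun.group(1), 0), ports)
    return mapping


def mappings_consistent(flows):
    """Every tunnel key learned on ingress must be the one used for that VLAN on egress."""
    v2t = vlan_to_tunnel(flows)
    return all(v2t.get(vlan, (None,))[0] == tun for tun, vlan in tunnel_to_vlan(flows).items())


def table0_dispatch(flows):
    """in_port -> table it is resubmitted to by table 0 (None when dropped)."""
    dispatch = {}
    for f in sorted((f for f in flows if f["table"] == 0), key=lambda f: -f["priority"]):
        port = f["match"].get("in_port")
        target = re.search(r"resubmit\(,(\d+)\)", f["actions"])
        if port is not None:
            dispatch[int(port)] = int(target.group(1)) if target else None
    return dispatch


def ingress_vlan(flows, in_port, tun_id):
    """Local VLAN a frame arriving on in_port with tunnel key tun_id lands in, or None if dropped."""
    if table0_dispatch(flows).get(in_port) != 2:
        return None
    return tunnel_to_vlan(flows).get(tun_id)


if __name__ == "__main__":
    flows = parse_flows(DUMP_FLOWS)
    print("tun_id -> vlan:", tunnel_to_vlan(flows))
    print("vlan -> (tun_id, ports):", vlan_to_tunnel(flows))
    print("consistent:", mappings_consistent(flows), "dispatch:", table0_dispatch(flows))
```

On the post's data this yields `{2: 1}` in one direction and `{1: (2, [3, 2])}` in the other, matching the `tag: 1` seen on the qvo ports in `ovs-vsctl show`; a frame that arrives on a GRE port with any other tunnel key hits the priority-0 drop in table 2, which is the isolation check a reviewer wants to see.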

Network node:

(1) OVS tunnel bridge br-tun

It plays the same role as br-tun on the compute nodes: a tunnel layer used to connect to the other physical nodes. The only difference is that this br-tun connects to the network node's br-int, which differs considerably from the compute nodes' br-int.

(2) OVS integration bridge br-int

br-int is a virtual bridge created by OVS and also acts as a virtual switch. It mainly carries two kinds of devices: tap devices and qr devices.

The Linux network namespaces qdhcp and qrouter are both created by the l3-agent and are used to isolate and manage the tenants' virtual networks and routing.

The tap device on br-int, with IP address xxx.xxx.xxx.3, together with the dnsmasq process forms the DHCP service that dynamically assigns private IP addresses to newly created VMs.

The qr device on br-int, with an IP address that is usually xxx.xxx.xxx.1, together with the qg device on br-ex forms the qrouter, which routes and forwards for the tenant network and, through qg, links the tenant's internal virtual network to the external physical network.

(3) OVS external bridge

br-ex is a virtual bridge created by OVS; it carries the qg device port, which is the key channel between the tenant network and the external network. br-ex is also connected to a physical NIC (eth2 in the figure), which leads to the Internet.

http://docs.openstack.org/admin-guide-cloud/content/under_the_hood_openvswitch.html
