Tungsten Fabric Primer: The Seven "Weapons" of TF Components

The Tungsten Fabric Primer series is compiled by the TF Chinese community from the hands-on experience generously shared by a technology expert, to help newcomers understand the whole process of running, installing, integrating and debugging TF. If you have relevant experience or questions, please discuss them with us and exchange ideas with the geeks in the community.

Author: Tatsuya Naganawa Translator: TF compilation group

Tungsten Fabric has many different components. Below, I briefly describe what each of them is used for.

Overview

Overall, Tungsten Fabric has seven roles and (up to) 30 microservices. The roles are:

  • vRouter
  • control
  • config
  • config-database
  • analytics (from TF 5.1 onward, it can be further divided into analytics, analytics-snmp and analytics-alarm)
  • analytics-database
  • webui

Although there are many components, a simple use case needs only four roles: vRouter, control, config and config-database. In most cases, webui is also needed.

If you are only interested in the control plane / data plane of Tungsten Fabric, analytics can be omitted. Just note that in this case some features (such as v1 service chains, the haproxy load balancer and k8s ingress, SNAT, etc.) will not work.

control, vRouter

Control and vRouter make up the control plane and data plane of Tungsten Fabric; it is fair to say they are the most important part of the Tungsten Fabric system.

Because control and vRouter use MPLS-*** internally, I recommend at least skimming through these materials before delving into their details:

Most of the advanced features live in control, while vRouter inherits its behaviour from MPLS-***, so these materials help clarify what the two are trying to do.

Because control and vrouter-agent use V4 BGP internally, vRouter loads the required prefixes into its VRFs according to the extended community attribute (the route target, route-target). So when a virtual machine or container is created on a vRouter, it signals a V4 route to control, which reflects the route to all other vRouters, so that the data plane automatically knows where to send packets.

Interestingly, a vRouter virtual network can have multiple default gateways that share the same IP and the same MAC! (In Junos terms, this behaves much like virtual-gateway-address.)

Since no VRRP is needed to provide a default gateway for each virtual network, the bottleneck disappears and everything becomes fully distributed.

Some vRouter features (for example the stateful firewall, NAT and flow-based ECMP) can also be flow-based. This is an important distinction, because such behaviour introduces tuning points such as connections per second and the maximum number of flows. (In packet-based systems, PPS (packets per second) and throughput, and in some cases latency, are the key figures.) If these parameters matter for your system, you may want to check them.

Note: you can disable this behaviour with the "packet-mode" parameter in the "ports" configuration.

config

Config also consists of several components. Config-api provides the API endpoint for Tungsten Fabric configuration; this endpoint is used by many components, such as control, analytics and so on.

  • vRouter does not use it directly, since only the data it needs is transferred from control (via XMPP).

Among them, schema-transformer and svc-monitor both do important work, so let me describe them in detail.

schema-transformer


This process converts abstract config parameters such as logical-router, network-policy and service-chain into L3 language. It is one of the core components of Tungsten Fabric and does most of the work that cannot be explained simply in MPLS-*** terms.

For example, a logical-router creates a new route-target ID, and the prefixes of all virtual networks attached to it carry that ID. So if a virtual network is connected to the logical-router, it receives all routes the logical-router has. Internally this uses MPLS-*** behaviour, but the route-target configuration is controlled by schema-transformer.

So the configuration is transferred to the data plane in the following way:

edit config -> (rabbitmq) -> schema-transformer, which creates a new route-target -> (edits config internally) -> (rabbitmq) -> control -> (xmpp) -> vrouter-agent -> (netlink) -> vrouter.ko

Schema-transformer is also responsible for everything related to service chains (service-chain). I will not go into all the details of service chaining, since there is no simple DC use case for it (even AWS VPC does not currently offer a similar service). Still, the way it handles all the prefixes received into the VRFs is interesting, and I personally think it is worth a read.

Note: all the details can be found in this book: https://mplsinthesdnera.net/

svc-monitor


This process provides services that must run in an external process, such as the haproxy load balancer, nova-instance-based v1 service chains, SNAT with iptables MASQUERADE and so on.

Internally, vrouter-agent has some logic to set up or start haproxy and iptables MASQUERADE; svc-monitor triggers that logic when the related service is defined.

Svc-monitor selects some vRouters on which to create these services, instantiates the network functions there, and those instances handle the traffic. The selection uses the output of analytics-api (analytics/uves/vrouter) and picks the vRouters whose status is "Functional".

Although this may change in future versions, it is one reason analytics is needed during a Tungsten Fabric installation.

config-database

Tungsten Fabric uses multiple databases. Most data is stored in Cassandra; when it changes, a change notification is sent over RabbitMQ to the other components, such as control, schema-transformer, svc-monitor and so on.

ZooKeeper is only needed for the locks that keep operations consistent. For example, creating a port requires assigning an IP address; that consistency is managed by ZooKeeper, so IP address assignment is always one-to-one.

nodemgr

I think most of the important components have been covered so far, so I will now introduce the remaining parts. Let's look at nodemgr first.

Nodemgr basically sources the status of each node: it checks usage figures such as CPU usage, or the output of docker ps, and sends a NodeStatus UVE to analytics.

This value is the source of contrail-status, and other logic (for example analytics-alarm or svc-monitor) checks it when selecting Functional vRouters. Keeping these Functional is very important to ensure Tungsten Fabric operates normally.
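The vRouter selection described for svc-monitor above, as an added example that is not svc-monitor's own code: it reads the NodeStatus UVE each vRouter publishes to analytics-api and keeps only the nodes whose vrouter-agent is Functional, reporting why the others were skipped. The JSON field names (NodeStatus.process_status[].module_id / state / description) and the three sample documents are assumptions constructed for the demo.

```python
import json

# Constructed sample: three vrouter UVEs in the shape analytics-api might
# return from analytics/uves/vrouter/<name> (field names are an assumption).
SAMPLE_UVES = {
    "compute-1": json.dumps({"NodeStatus": {"process_status": [
        {"module_id": "contrail-vrouter-agent", "state": "Functional"},
        {"module_id": "contrail-vrouter-nodemgr", "state": "Functional"}]}}),
    "compute-2": json.dumps({"NodeStatus": {"process_status": [
        {"module_id": "contrail-vrouter-agent", "state": "Non-Functional",
         "description": "XMPP connection to control is down"}]}}),
    # nodemgr never reported on this node, so there is no NodeStatus at all
    "compute-3": json.dumps({"VrouterAgent": {"self_ip_list": ["10.0.0.3"]}}),
}

AGENT = "contrail-vrouter-agent"


def agent_status(uve_json):
    """Return (usable, reason) for one vrouter UVE document.

    The vRouter is usable only when nodemgr has published a NodeStatus and
    the vrouter-agent process listed in it is Functional.  A missing
    NodeStatus (nodemgr not running, or the UVE aged out) counts as unusable,
    which is the conservative reading of "pick Functional vRouters"."""
    doc = json.loads(uve_json)
    procs = (doc.get("NodeStatus") or {}).get("process_status") or []
    for proc in procs:
        if proc.get("module_id") != AGENT:
            continue
        if proc.get("state") == "Functional":
            return True, "Functional"
        return False, proc.get("description") or proc.get("state", "unknown")
    return False, "no NodeStatus for " + AGENT


def functional_vrouters(uves):
    """Names of the vRouters that service placement may choose from."""
    return sorted(name for name, body in uves.items() if agent_status(body)[0])


def excluded_vrouters(uves):
    """Why each remaining vRouter was skipped, for an operator to act on."""
    return {name: agent_status(body)[1] for name, body in uves.items()
            if not agent_status(body)[0]}


if __name__ == "__main__":
    print(functional_vrouters(SAMPLE_UVES))
    print(excluded_vrouters(SAMPLE_UVES))
```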

Its behaviour differs depending on which roles are assigned, so it behaves differently on each node it is installed on.

In addition, it performs the first-time provisioning of each node, which means notifying config-api that IP xxx has been assigned a role. Accordingly, even if the analytics function is not needed, this module must still exist, at least when a node starts for the first time.

device-manager

This process is used to configure physical-routers (based on the objects in config-database).

Internally, it uses the same logic as schema-transformer and svc-monitor: they subscribe to RabbitMQ to see whether the config has changed, and when a change occurs the AMQP client triggers some logic:

  • For schema-transformer, it updates further config;
  • For svc-monitor, it adds some logic to the vRouters;
  • For device-manager, it updates the physical-router configuration.

This behaviour is controlled by the reaction_map, which defines how a change on one config object is passed on as changes to other config objects.

For example, when a bgp-router is updated:

 'bgp_router': {
     'self': ['bgp_router', 'physical_router'],
     'bgp_router': ['physical_router'],
     'physical_router': [],
 },

Based on the definition of "self", the event from the original bgp-router object is passed on to bgp-router and physical-router objects.

  • For bgp-router, this means the peer bgp-routers of the original bgp-router (its peers).

After that, the updated bgp-router passes the event on to the physical-router on which the bgp-router is located.

 'bgp_router': {
     (snip)
     'bgp_router': ['physical_router'],
     (snip)
 },

Because physical-router does not update anything in response to an event that came from bgp-router, the event stops there, and the physical-router configuration holding the original bgp-router and its peer bgp-routers is updated.

 'physical_router': {
     (snip)
     'bgp_router': [],
     (snip)
 },

When the physical-router receives the update event, it calls the push_conf function of the plug-in, which generates the router configuration based on the objects in config-database.
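The reaction_map propagation just described, as an added example that is not device-manager's own code: a small model that walks the bgp_router / physical_router entries quoted above and returns every object that ends up re-evaluated. Entries the page snips are left out, an absent key means "the event stops here", and the object graph (bgp1, bgp2, qfx-a, qfx-b and their references) is constructed for the demo.

```python
# Trimmed reaction_map with the entries quoted on the page; a row's key is
# the type the event came from ("self" = the object the user edited) and the
# value lists the referenced types the event is forwarded to next.
REACTION_MAP = {
    "bgp_router": {
        "self": ["bgp_router", "physical_router"],
        "bgp_router": ["physical_router"],
        "physical_router": [],
    },
    "physical_router": {
        "bgp_router": [],  # an event arriving from a bgp-router stops here
    },
}

# Constructed references: bgp1 and bgp2 peer with each other, and each sits
# on its own physical-router.
REFS = {
    ("bgp_router", "bgp1"): {"bgp_router": ["bgp2"], "physical_router": ["qfx-a"]},
    ("bgp_router", "bgp2"): {"bgp_router": ["bgp1"], "physical_router": ["qfx-b"]},
    ("physical_router", "qfx-a"): {"bgp_router": ["bgp1"]},
    ("physical_router", "qfx-b"): {"bgp_router": ["bgp2"]},
}


def propagate(obj_type, name, from_type="self", touched=None):
    """Return {obj_type: sorted names} of every object re-evaluated after an
    update on (obj_type, name).  from_type picks the reaction_map row, so the
    next hop depends on where the event came from, not only on the type."""
    if touched is None:
        touched = {obj_type: {name}}  # the edited object itself is evaluated
    row = REACTION_MAP.get(obj_type, {})
    for target_type in row.get(from_type, []):
        for ref in REFS.get((obj_type, name), {}).get(target_type, []):
            seen = touched.setdefault(target_type, set())
            if ref in seen:
                continue  # already scheduled; also stops reference loops
            seen.add(ref)
            propagate(target_type, ref, obj_type, touched)
    return {t: sorted(names) for t, names in touched.items()}


if __name__ == "__main__":
    # Editing bgp1 reaches its peer bgp2 and both physical-routers, and the
    # physical-routers forward nothing further, exactly as the text describes.
    print(propagate("bgp_router", "bgp1"))
```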

To enable this feature, you need to set the following knob in /etc/contrail/common_config.env: DEVICE_MANAGER__DEFAULTS__push_mode=0.

The following link describes the configuration process:
https://www.juniper.net/documentation/en_US/contrail5.0/topics/concept/using-device-manager-netconf-contrail.html

analytics

Tungsten Fabric analytics has many features, but most of them are optional, so I will skip most of its components. If you are interested, see the following link for information on SNMP, LLDP, alarms and so on:

Analytics itself has an interesting architecture that covers logs, flows and stats.

  • As far as I know, these are usually handled by different systems, such as EFK for logs / flows and Prometheus for stats.

If you need one tool that conveniently covers all of these, Tungsten Fabric analytics is a good choice.

The most important metrics and analysis services are marked as UVEs (User Visible Entities), and each has a URL that provides its data in JSON format.

If you need to integrate Tungsten Fabric with another monitoring system, that may be a good starting point.

analytics-database

Analytics also uses multiple databases, e.g. Redis, Cassandra and Kafka (internally, Kafka uses ZooKeeper for its HA option).

If you only want analytics, you need only the Redis database; even in this setup, most webui functions are available.

  • Most features are visualized using UVEs, which are available even when Cassandra is not installed.

If you need the webui "Query" function, you need Cassandra; this function retrieves logs / flows or stats from the Cassandra database.

Kafka is used to transmit UVEs to analytics-alarm, so Kafka is necessary to use the alarm function.

webui

Finally, we come to webui. Basically, this is just a simple WebUI for viewing the state of the components and the configuration parameters of Tungsten Fabric.

It uses AJAX to update its views; some graphs require long-running analytics-api queries (for example, opening Monitor > Dashboard), and these are handled asynchronously by the webui-job process, which is quite interesting.




Source: blog.51cto.com/14638699/2484611