Integration of Containers with OVN and OpenStack

Isolation between containers is weaker than isolation between virtual machines, so in some circumstances containers belonging to different tenants are deployed in separate virtual machines as an additional security measure. This document describes how containers are created inside virtual machines and how they can be made part of a logical network securely. The resulting logical network can have virtual machines, containers and physical machines as endpoints. To better understand the proposed integration of containers with OVN and OpenStack, this document walks through the end-to-end workflow with an example.

  • An OpenStack tenant creates a VM (say VM-A) with a single network interface that belongs to a management logical network. The VM is meant to host containers. OpenStack Nova chooses the hypervisor on which VM-A is created.

  • A Neutron port may have been created in advance and passed to Nova along with the request to create the new VM. If not, Nova issues a request to Neutron to create a new port. The ID of the Neutron logical port of VM-A is also used as the vif-id of the VM's virtual network interface (VIF).

  • When VM-A is created on the hypervisor, its VIF is added to the Open vSwitch integration bridge. This creates a row in the Interface table of the Open_vSwitch database. As described in the Open vSwitch integration guide (Documentation/topics/integration in the source tree), the vif-id associated with the VM's network interface is written into the external_ids:iface-id column of that newly created Interface row.

  • Since VM-A belongs to a logical network, it receives an IP address. This IP address is used to spawn containers inside the VM (either manually or through a container orchestration system) and to monitor the health of the containers that were created.

  • The vif-id associated with the VM's network interface can be obtained by calling Neutron with the tenant's credentials.

  • This workflow assumes a component called the "container network plugin". If Docker is taken as the container engine, the plugin could be either a wrapper around Docker or a feature of Docker itself that knows how to perform the part of this workflow that connects a container to a logical network managed by Neutron. The rest of this workflow refers to this not-yet-existing logical component as the "container network plugin".

  • All calls to Neutron need tenant credentials. These calls can be made either from inside the tenant VM (as part of the container network plugin) or from outside the tenant VM (if the tenant does not want to use temporary Keystone tokens from inside its VMs). For simplicity, this document explains the workflow using the former method, in which all calls are initiated from inside the tenant VM.

  • The VM that hosts the containers needs Open vSwitch installed in it. The only job of the Open vSwitch switch inside the VM is to tag network traffic coming from the containers.

  • When a container whose network interface is expected to attach to a particular logical switch needs to be created inside the VM, the "container network plugin" in that VM chooses any unused VLAN (this VLAN tag only needs to be unique inside that VM; it limits the number of container interfaces in a single VM to 4,096). The VLAN tag is stripped by OVN in the hypervisor and only serves as context (or metadata) for OVN.

  • The "container network plugin" then calls Neutron to create a logical port. In addition to all the inputs a Neutron create-port call currently requires, it sends the vif-id and the VLAN tag as inputs.

  • Neutron in turn verifies that the vif-id belongs to the tenant in question, and then uses the OVN-specific plugin to create a new row in the Logical_Switch_Port table of the OVN Northbound database. Neutron responds with an IP address and a MAC address for that network interface. Neutron thus becomes the IPAM system and provides unique IP and MAC addresses across VMs and containers on the same logical network.

  • The Neutron API call that creates a logical port for the container adds a significant amount of time to container creation. An optimization is possible here, however: logical ports can be created in advance by the container orchestration system and reused. Additional Neutron API calls are only needed if a port has to be attached to a different logical network.

  • When the container is eventually deleted, the "container network plugin" in that VM may call Neutron to delete its port. Neutron then deletes the corresponding entry in the Logical_Switch_Port table of the OVN Northbound database.
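The workflow above, modelled as an added example (this is not code from the OVN or Neutron projects): a constructed in-memory Neutron stand-in and a container network plugin that allocates per-VM VLAN tags, requests ports with the parent vif-id and tag, and enforces that the vif-id belongs to the calling tenant before any Northbound row is written. The parent_name and tag fields follow the column names of OVN's Logical_Switch_Port table; the class and method names, the address ranges and the tenant identifiers are assumptions.

```python
import ipaddress
import itertools

USABLE_VLANS = range(1, 4095)  # 802.1Q tags; the page's "at most 4096 per VM" limit

class NeutronStub:
    """Constructed stand-in for Neutron plus its OVN plugin (not the real API)."""
    def __init__(self, cidr="10.0.0.0/24"):
        self.ports = {}   # port id -> owning tenant
        self.nb_lsp = {}  # OVN Northbound Logical_Switch_Port rows, keyed by port id
        self._ips = ipaddress.ip_network(cidr).hosts()
        self._seq = itertools.count(1)

    def create_vm_port(self, tenant):
        pid = f"port-{next(self._seq)}"  # this id is the vif-id handed to Nova
        self.ports[pid] = tenant
        return pid

    def create_container_port(self, tenant, vif_id, switch, vlan):
        if self.ports.get(vif_id) != tenant:  # parent vif-id must belong to the caller
            raise PermissionError(f"{vif_id} is not owned by tenant {tenant}")
        n = next(self._seq)
        pid, mac, ip = f"port-{n}", f"0a:00:00:00:00:{n:02x}", str(next(self._ips))
        self.ports[pid] = tenant
        # parent_name and tag are the Logical_Switch_Port columns OVN uses for container ports
        self.nb_lsp[pid] = {"switch": switch, "parent_name": vif_id, "tag": vlan,
                            "addresses": f"{mac} {ip}"}
        return pid, mac, ip

    def delete_port(self, tenant, pid):
        if self.ports.get(pid) != tenant:
            raise PermissionError(f"{pid} is not owned by tenant {tenant}")
        del self.ports[pid]
        self.nb_lsp.pop(pid, None)

class ContainerNetworkPlugin:
    """Runs inside the VM: picks a VLAN unused in this VM and asks Neutron for a port."""
    def __init__(self, neutron, tenant, vif_id):
        self.neutron, self.tenant, self.vif_id = neutron, tenant, vif_id
        self.attached = {}  # container name -> (port id, vlan)

    def attach(self, container, switch):
        in_use = {vlan for _, vlan in self.attached.values()}
        vlan = next(v for v in USABLE_VLANS if v not in in_use)  # StopIteration once the VM's tags run out
        pid, mac, ip = self.neutron.create_container_port(self.tenant, self.vif_id, switch, vlan)
        self.attached[container] = (pid, vlan)
        return {"port": pid, "vlan": vlan, "mac": mac, "ip": ip}

    def detach(self, container):
        pid, _ = self.attached.pop(container)
        self.neutron.delete_port(self.tenant, pid)
```

The VLAN tag is only meaningful inside the VM; what reaches the hypervisor and OVN is the parent_name/tag pair stored in the Northbound row.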

As an example, consider Docker containers. Since Docker itself does not currently have a "container network plugin" feature, this example uses a hypothetical Docker wrapper that makes the calls to Neutron.

  • Create a logical switch:

    $ ovn-docker --cred=cca86bd13a564ac2a63ddf14bf45d37f create network LS1

The above command makes a call to Neutron with the given credentials to create a logical switch. If the logical switch has already been created from outside the VM, this step can be skipped.

  • List the networks available to the tenant:

    $ ovn-docker --cred=cca86bd13a564ac2a63ddf14bf45d37f list networks

  • Create a container and attach its interface to the previously created switch as a logical port:

    $ ovn-docker --cred=cca86bd13a564ac2a63ddf14bf45d37f --vif-id=$VIF_ID \
        --network=LS1 run -d --net=none ubuntu:14.04 /bin/sh -c \
        "while true; do echo hello world; sleep 1; done"


The above command makes a call to Neutron with all the inputs currently required to create a logical port. Neutron adds that information to OVN and returns the MAC address and IP address of the port. ovn-docker then creates a veth pair, inserts one end into the container as "eth0", and adds the other end as a port of the local OVS bridge, as an access port on the chosen VLAN.

Origin blog.csdn.net/sinat_20184565/article/details/94654601