Cloud computing network services: OpenStack shared components - Neutron (6)

Neutron's design goal is to provide "Network as a Service" (Networking as a Service). To reach this goal, its design follows SDN-based network virtualization principles, that is, it makes full use of the many network-related technologies available on Linux systems.
SDN (software-defined networking) lets network administrators and cloud operators dynamically define virtual network devices through programs. OpenStack's SDN network component was originally called Quantum, but it was renamed Neutron because of copyright issues.
Basic Neutron network concepts
(1) network
A network is an isolated Layer 2 broadcast domain. Neutron supports several network types, including local, flat, VLAN, VxLAN and GRE.
local
A local network is isolated from other networks and nodes. Instances on a local network can only communicate with instances on the same local network on the same node. local networks are mainly used for stand-alone testing.
flat
A flat network is a network without VLAN tagging. Instances on a flat network can communicate with each other, and a flat network can span multiple nodes.
vlan
A vlan network is a network with 802.1q tagging. A vlan is a Layer 2 broadcast domain: instances in the same vlan can communicate directly, while different vlans can only communicate through a router. vlan networks can span nodes and are the most widely used network type.
vxlan
vxlan is an overlay network based on tunneling technology. A vxlan network is distinguished from other vxlan networks by a unique segmentation ID (also called the VNI). Packets on a vxlan network are encapsulated, together with the VNI, in UDP packets for transmission. Because Layer 2 packets are carried over Layer 3, vxlan overcomes the limits of vlan and of the physical network infrastructure through this encapsulation.
(Overlay network technology refers to a virtualized network architecture model layered on top of a basic network. Generally, it is realized without modifying the large-scale underlying network framework: it carries applications on the network, separates their traffic from other network traffic, and is based on IP network technology. Overlay builds a virtual network on top of the existing physical network, and only the upper-layer applications are associated with that virtual network.)
gre
gre is an overlay network similar to vxlan. The main difference is that it encapsulates packets in IP packets instead of UDP.
A network must belong to a Project (Tenant), and a Project can create multiple networks. The relationship between a Project and its networks is one to many.
(2) subnet
A subnet is an IPv4 or IPv6 address block. An instance's IP address is allocated from a subnet. Each subnet defines an IP address range and mask.
network and subnet is a one-to-many relationship. A subnet can belong to only one network; a network can have multiple subnets, which can be different IP segments but cannot overlap.
network A   subnet A-a: 10.10.1.0/24  {"start": "10.10.1.1", "end": "10.10.1.50"}
                   subnet A-b: 10.10.2.0/24  {"start": "10.10.2.1", "end": "10.10.2.50"}
If these IP addresses were allowed to overlap, two instances could end up with the same IP. Would this not conflict? The short answer is: no!
The specific reason: Neutron's router is implemented with Linux network namespaces. A network namespace is a network isolation mechanism; through it, each router has its own independent routing table. The above configuration therefore has two possible results:
1. If the two subnets are routed through the same router, then according to the router's configuration only one designated subnet can be routed.
2. If the two subnets are routed through different routers, both subnets can be routed, because each router's routing table is independent.
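As an added example (not code from the original post), the following Python checks the subnet rules described above: a new subnet's CIDR must not overlap any existing subnet of the same network, the same CIDR may be reused in a different network, and an allocation pool must lie inside its subnet's CIDR. The sample subnets are constructed to mirror the network A example.

```python
import ipaddress

# Constructed sample data mirroring the page's "network A" example (not real
# Neutron output). Each subnet belongs to exactly one network.
EXISTING_SUBNETS = [
    {"network": "network A", "name": "subnet A-a", "cidr": "10.10.1.0/24"},
    {"network": "network A", "name": "subnet A-b", "cidr": "10.10.2.0/24"},
    # Same CIDR as subnet A-a but in another network: allowed, because each
    # Neutron router lives in its own network namespace with its own routes.
    {"network": "network B", "name": "subnet B-a", "cidr": "10.10.1.0/24"},
]


def overlapping_subnets(network, cidr, subnets=EXISTING_SUBNETS):
    """Names of subnets in `network` whose CIDR overlaps the proposed `cidr`.

    Only subnets of the same network are compared; a subnet in a different
    network may reuse the same address range.
    """
    new = ipaddress.ip_network(cidr, strict=True)
    hits = []
    for sub in subnets:
        if sub["network"] != network:
            continue
        existing = ipaddress.ip_network(sub["cidr"])
        # overlaps() is only meaningful for networks of the same IP version
        if existing.version == new.version and existing.overlaps(new):
            hits.append(sub["name"])
    return hits


def can_add_subnet(network, cidr, subnets=EXISTING_SUBNETS):
    """True if `cidr` can be added to `network` without overlapping."""
    return not overlapping_subnets(network, cidr, subnets)


def allocation_pool_is_valid(cidr, start, end):
    """True if the pool {"start": .., "end": ..} lies inside the subnet CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    # Membership is False for the wrong IP version, so lo <= hi is only
    # evaluated for two addresses of the same version.
    return lo in net and hi in net and lo <= hi


if __name__ == "__main__":
    print(overlapping_subnets("network A", "10.10.1.128/25"))  # ['subnet A-a']
    print(can_add_subnet("network B", "10.10.2.0/24"))         # True
    print(allocation_pool_is_valid("10.10.1.0/24", "10.10.1.1", "10.10.1.50"))  # True
```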
(3) port
A port can be viewed as a port on a virtual switch. A port defines a MAC address and an IP address; when an instance's virtual network card, the VIF (Virtual Interface), is bound to the port, the port's MAC and IP are assigned to the VIF.
subnet and port is a one-to-many relationship. A port must belong to a subnet; a subnet can have multiple ports.
Neutron functions
Neutron provides network support for the entire OpenStack environment, including Layer 2 switching, Layer 3 routing, load balancing, firewalls and VPN. Neutron provides a flexible framework through which either open source or commercial software can be used to implement these functions.
Layer 2 switching (Switching):
Nova instances are connected to the Layer 2 virtual network through a virtual switch. Neutron supports multiple virtual switches, including the Linux-native Linux Bridge and Open vSwitch. Open vSwitch (OVS) is an open source virtual switch that supports standard management interfaces and protocols.
Layer 3 routing (Routing):
Instances can be configured on different IP subnets; Neutron's router (virtual router) enables communication between instances on different networks. The router's routing and NAT are implemented with IP forwarding and iptables. How to configure a Neutron router so that instances can communicate with each other and with external networks is discussed in later chapters.
Load balancing (Load-Balancing):
OpenStack's Grizzly release first introduced Load-Balancing-as-a-Service (LBaaS), which provides the ability to distribute load across multiple instances. LBaaS supports a variety of load-balancing products and solutions, integrated into Neutron as different Plugin implementations; the current default Plugin is HAProxy.
 
Firewall (Firewalling):
Neutron protects the security of instances and networks in the following two ways.
(1) Security Group
Restricts the network packets entering and leaving an instance, implemented with iptables.
(2) Firewall-as-a-Service
FWaaS restricts the network packets entering and leaving a virtual router, also implemented with iptables.
Neutron advantages:
OpenStack's SDN component also has a pluggable architecture. Through plugins it can control many different types of switches, routers, firewalls and load balancers, and provide firewall-as-a-service among many other features. Because the network is defined by software, the entire cloud computing facility can be controlled at a finer granularity.
Neutron deployment schemes
Scheme 1: control node + compute node:
 
Control node: deployed services include neutron server, the core plugin's agent and the service plugin's agent.
 
Compute node: the core plugin's agent is deployed, responsible for providing Layer 2 network functions.
A few points should be noted:
1. The core plugin and service plugins are integrated into neutron server; there is no need to run a separate plugin service.
2. Both control and compute nodes need the core plugin's agent deployed, because Layer 2 connectivity between control nodes and compute nodes is established through the agent.
 
3. Multiple control nodes and compute nodes can be deployed.
 
 
Scheme 2: control node + network node + compute node
In this deployment scheme, OpenStack consists of control nodes, network nodes and compute nodes.
 
Control node: the neutron server service is deployed.
 
Network node: deployed services include the core plugin's agent and the service plugin's agent.
 
Compute node: the core plugin's agent is deployed, responsible for providing Layer 2 network functions.
The point of this scheme is to move all agents off the control node and deploy them on separate network nodes.
  1. The control node only responds to API requests through neutron server.
     
  2. Independent network nodes implement switching, routing, and advanced network services such as load balancing.
     
  3. Greater load can be handled by adding network nodes.
     
  4. Multiple control nodes, network nodes and compute nodes can be deployed.
This scheme is particularly suitable for larger OpenStack environments.
 
OpenStack contains at least the following types of network traffic:
Management
API
VM
External
Management network
Used for internal communication between nodes via the message queue and for access to the database service; all nodes must connect to the management network.
API network (API: Application Programming Interface)
OpenStack components expose their API services to users over this network. The endpoints of Keystone, Nova, Neutron, Glance, Cinder and Horizon are all configured on the API network. Usually administrators also manage each node via SSH over the API network.
VM network
The VM network, also called the tenant network, is used for communication between instances.
The types available for the VM network include local, flat, vlan, vxlan and gre.
The VM network is configured and managed by Neutron.
 
External network
The External network refers to networks outside the VM network; it is not managed by Neutron. Neutron can attach a router to the External network to give instances access to external networks. The External network may be the enterprise intranet or the internet.
These network types are only a logical division; there is great freedom in the physical implementation.
Each type of network can be assigned its own NIC, or several networks can share one NIC; to improve bandwidth and hardware redundancy, bonding can combine multiple physical NICs into one logical NIC.
II. Neutron architecture:
Neutron consists of the following components:
 
Neutron Server
Provides the OpenStack network API externally, receives requests, and calls the Plugin to handle them.
 
Plugin
Handles requests from Neutron Server, maintains the OpenStack logical network state, and calls the Agent to handle requests.
 
Agent
Handles the Plugin's requests and actually implements the various network functions on the network provider.
 
network provider
The virtual or physical network device that provides the network service, for example Linux Bridge, Open vSwitch, or other physical switches that support Neutron.
 
Queue
Neutron Server, Plugin and Agent communicate and call each other through the Messaging Queue.
 
Database
Stores OpenStack network state, including Network, Subnet, Port, Router and so on.
In summary, Neutron Server consists of two parts:
1. Providing the API service.
2. Running the Plugins.
That is, Neutron Server = API + Plugins

 

III. The ML2 Core Plugin in detail:
Modular Layer 2 (ML2) is a new core plugin introduced by Neutron in the Havana release to replace the original linux bridge plugin and open vswitch plugin. As the new-generation core plugin, it provides a framework that allows multiple Layer 2 (switching) network technologies to be used at the same time in an OpenStack network, and different nodes can use different network implementation mechanisms.
ML2 abstracts and models the Layer 2 network by introducing type drivers and mechanism drivers. These two kinds of driver decouple the network types that Neutron supports from the mechanisms used to access those types. As a result, ML2 is highly flexible and easy to extend, and can support multiple types and mechanisms.
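As an added illustration (not configuration from the original post), an ml2_conf.ini fragment shows how the two kinds of driver are declared independently: the type drivers list which network types are offered, and the mechanism drivers list how nodes realise them. The driver choices and ranges are example values, not a recommended deployment.

```ini
[ml2]
# Network types (type drivers) this deployment can offer
type_drivers = flat,vlan,vxlan
# Type used for tenant (VM) networks created without an explicit type
tenant_network_types = vxlan
# Mechanisms that realise those types; different nodes may use different ones
mechanism_drivers = openvswitch,linuxbridge

[ml2_type_vlan]
# Example physical network name and VLAN ID range (constructed values)
network_vlan_ranges = physnet1:100:200

[ml2_type_vxlan]
# Example VNI (segmentation ID) range used to tell vxlan networks apart
vni_ranges = 1000:2000
```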
IV. Summary of the Neutron architecture:
 
Like other OpenStack services, Neutron uses a distributed architecture, consisting of Neutron Server, various plugins/agents, the database and the message queue.
1. Neutron server receives API requests.
2. Plugins/agents carry out the requests.
3. The database stores the Neutron network state.
4. The message queue provides communication between components.
 

Origin www.cnblogs.com/kittywerwer/p/11703503.html