OpenStack Neutron learning

I have recently been studying OpenStack Neutron, and I am recording some of my own understanding here.

Network Fundamentals

Switches & VLANs
A switch connects devices so that they can reach one another. When host A sends a frame to host B through the switch for the first time, the frame is broadcast to every port; only host B, whose MAC address matches, accepts it and replies to A, completing the exchange. In the process the switch learns the mapping between MAC address and port, so later frames for that MAC address are delivered directly to the corresponding port.

Switches isolate traffic by dividing ports into VLANs, and OpenStack isolates tenant networks in the same way. The segmentation_id attribute of a network is its vlan_id; if the network is not shared, only its own tenant can use it.

When a switch has no ports left in a VLAN, for example when switch A's ports for vlan10 are all taken, a second switch B is needed and vlan10 must be configured on B as well. A and B are then connected, and the connecting ports are configured as trunk ports: frames leaving through a trunk port carry a VLAN tag, and only frames carrying the same VLAN tag are accepted.

IP
A Layer 2 network addresses hosts by MAC address; Layer 3 addresses them by IP.
An IP address consists of two parts, the network number and the host identifier. Within a VLAN, if two IP addresses have the same network number they belong to the same subnet and can communicate directly.
Assume the IP address is 192.168.1.2 with the first 24 bits as the network number; the netmask can then be written as:
1) 255.255.255.0
2) 192.168.1.2/24
and the subnet CIDR is written as 192.168.1.0/24.

Communication between different networks must be routed through a gateway. Suppose host A sends a packet to host B: host A consults its own routing table and sends the packet to the appropriate gateway (a router); the router then consults its own routing table and forwards the packet on to host B.

DHCP
A host obtains its IP address dynamically from the network using the DHCP protocol. OpenStack uses the dnsmasq tool, managed by the neutron dhcp agent, to hand out addresses; the allocation can be followed in the log /var/log/daemon.log and proceeds as follows:

1. The client sends a discover (“I’m a client at MAC address 08:00:27:b9:88:74, I need an IP address”)
2. The server sends an offer (“OK 08:00:27:b9:88:74, I’m offering IP address 10.10.0.112”)
3. The client sends a request (“Server 10.10.0.131, I would like to have IP 10.10.0.112”)
4. The server sends an acknowledgement (“OK 08:00:27:b9:88:74, IP 10.10.0.112 is yours”)

ARP
ARP is the protocol that translates between IP addresses and MAC addresses. Suppose host A wants to send a packet to host B but does not know B's MAC address; A then broadcasts an ARP request on the network, as follows:

Host A: To everybody (ff:ff:ff:ff:ff:ff). I am looking for the computer who has IP address 192.168.1.7. Signed: MAC address fc:99:47:49:d4:a0.

Host B: To fc:99:47:49:d4:a0. I have IP address 192.168.1.7. Signed: MAC address 54:78:1a:86:00:a5.

A and B can then communicate at Layer 2, and A records the mapping between B's IP and MAC address.
The mapping can be viewed with arp -n.


OpenStack networking concepts

Tunnelling technologies
OpenStack network implementations include Flat, VLAN, GRE and VXLAN.
Flat: all devices are connected to the same switch and can communicate with each other.
VLAN: flat networks are prone to broadcast storms, so VLANs were introduced to partition Layer 2 and isolate networks.
VXLAN & GRE: the number of VLANs is limited to 4094, which is not enough for a public cloud, so GRE and VXLAN were introduced.
GRE and VXLAN are Layer 3 tunnelling technologies: the packet is re-encapsulated at Layer 3 and carried through a tunnel between the nodes (VXLAN carries it over UDP).

Open vSwitch
Open vSwitch is an open source implementation of a virtual switch.
ovs-vsctl show lists the bridges:

#ovs-vsctl show
3916f0fb-cc92-428f-bde4-5f83cc13205e
    Bridge br-ex
        Port "br-ex--br-eth1"
            trunks: [0]
            Interface "br-ex--br-eth1"
                type: patch
                options: {peer="br-eth1--br-ex"}
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}

In the bridge listing above, br-ex connects to the external physical network and br-int is the integration bridge; broadly speaking, the virtual machines, routers, DHCP servers and so on are all attached to ports on br-int.

Network namespaces
Network namespaces are a network isolation mechanism supported by the Linux kernel: only interfaces in the same namespace can see each other.
They are an important mechanism in the OpenStack Neutron implementation.

  1. Creating network resources such as DHCP servers, routers, LBaaS instances and so on actually creates a namespace for each of them, and each namespace has its own network interfaces.
  2. Open vSwitch then creates bridges, and the network interfaces of the resources in their namespaces are attached to those bridges for communication.

Take a router as an example. Suppose an external network with subnet A: 172.16.0.0/24 and a tenant network with subnet B: 192.168.111.0/24. For the two networks to communicate, a router must be created to connect them.
The network topology is then as follows:
(Figure: Network topology)

After the network is created, list the existing namespaces.

#ip netns list
qrouter-f4b08cfc-52fd-4515-bc75-73ae5bb5b440

Creating the router actually created a namespace named qrouter plus the networkId. Now look at the network interfaces in this namespace.

#ip netns exec qrouter-f4b08cfc-52fd-4515-bc75-73ae5bb5b440 ip a
16: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
17: qg-f16db07c-77: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:26:3f:c4 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.130/24 brd 172.16.0.255 scope global qg-f16db07c-77
    inet6 fe80::f816:3eff:fe26:3fc4/64 scope link
       valid_lft forever preferred_lft forever
18: qr-675b6149-87: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:b2:89:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.1/24 brd 192.168.111.255 scope global qr-675b6149-87
    inet6 fe80::f816:3eff:feb2:8991/64 scope link
       valid_lft forever preferred_lft forever

This router's namespace has two interfaces, qg-f16db07c-77 and qr-675b6149-87. Now look at the OVS bridge information.

#ovs-vsctl show
3916f0fb-cc92-428f-bde4-5f83cc13205e
    Bridge br-ex
        Port "qg-f16db07c-77"
            Interface "qg-f16db07c-77"
                type: internal
        Port "br-ex--br-eth1"
            trunks: [0]
            Interface "br-ex--br-eth1"
                type: patch
                options: {peer="br-eth1--br-ex"}
        Port br-ex
            Interface br-ex
                type: internal
    Bridge br-int
        fail_mode: secure
        Port "qr-675b6149-87"
            tag: 1
            Interface "qr-675b6149-87"
                type: internal
        Port "tap10a26320-68"
            tag: 1
            Interface "tap10a26320-68"
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}

As you can see, the qg-f16db07c-77 interface is attached to the br-ex bridge and the qr-675b6149-87 interface to the br-int bridge, so this router joins the integration bridge to the external bridge. The subnet can therefore communicate with the external network, just as in the topology diagram.

Communication between this subnet and the external network also involves NAT. Looking at the router's iptables, there is an SNAT rule.

#ip netns exec qrouter-f4b08cfc-52fd-4515-bc75-73ae5bb5b440 iptables -t nat -S
-A neutron-l3-agent-snat -s 192.168.111.0/24 -j SNAT --to-source 172.16.0.130

So for traffic passing through this router with a source in the 192.168.111.0/24 subnet, the source address is rewritten to the router's gateway IP. The router also records the translation it made, so that return packets from the external network find the right address: they reach the router first and are then forwarded by the router to the original source.
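An added Python example, not code from the original post: it parses the ip a and iptables -t nat -S output captured from the qrouter namespace (the sample text below is constructed from the listings above) and confirms that every SNAT rule rewrites only a tenant subnet that sits behind a qr- interface, and only to an address the router really holds on its qg- gateway interface, so a rule that points at a foreign subnet or address is flagged.

```python
import ipaddress
import re

# Constructed samples: trimmed copies of the qrouter namespace listings shown above.
IP_A = """\
16: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
17: qg-f16db07c-77: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 172.16.0.130/24 brd 172.16.0.255 scope global qg-f16db07c-77
18: qr-675b6149-87: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    inet 192.168.111.1/24 brd 192.168.111.255 scope global qr-675b6149-87
"""
NAT_RULES = """\
-A neutron-l3-agent-snat -s 192.168.111.0/24 -j SNAT --to-source 172.16.0.130
"""

def parse_ip_a(text):
    """Map interface name -> IPv4 interface (address/prefix) for every global 'inet' line."""
    ifaces = {}
    for m in re.finditer(r"^\s*inet (\S+) .*scope global (\S+)\s*$", text, re.M):
        ifaces[m.group(2)] = ipaddress.ip_interface(m.group(1))
    return ifaces

def parse_snat(text):
    """Return (source network, --to-source address) for each SNAT rule in iptables -S output."""
    pat = re.compile(r"-s (\S+) -j SNAT --to-source (\S+)")
    return [(ipaddress.ip_network(m.group(1)), ipaddress.ip_address(m.group(2)))
            for m in pat.finditer(text)]

def check_router_snat(ip_a_text, nat_text):
    """For each SNAT rule return (source, to_source, ok): ok means the rule only rewrites
    a tenant subnet served by a qr- port and only to an address held by the qg- port."""
    ifaces = parse_ip_a(ip_a_text)
    tenant_nets = {i.network for name, i in ifaces.items() if name.startswith("qr-")}
    gateway_ips = {i.ip for name, i in ifaces.items() if name.startswith("qg-")}
    results = []
    for src, to in parse_snat(nat_text):
        ok = src in tenant_nets and to in gateway_ips
        results.append((str(src), str(to), ok))
    return results
```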


OpenStack Neutron architecture

The diagram below shows the network architecture of a compute node; the network type is VLAN.
(Figure: compute network)

Let us think through the process using the simpler, easier to understand diagram below.
(Figure: compute network two)

1. First, create a virtual machine in OpenStack, then find the VM's definition file and look at the bridge section.

#cat /var/lib/nova/instances/71ee2b62-8585-4a22-943d-55497bf37df9/libvirt.xml
<interface type="bridge">
  <mac address="fa:16:3e:04:37:b0"/>
  <model type="virtio"/>
  <driver name="qemu"/>
  <source bridge="qbre90692e9-74"/>
  <target dev="tape90692e9-74"/>
</interface>

You can see that the VM is connected through the ‘tape90692e9-74’ interface to the bridge ‘qbre90692e9-74’.
In the diagram above, the qbre90692e9-74 bridge is the Linux Bridge, and the Port tap is what connects to the VM's network card. This completes the path from the instance to the Linux bridge.

2. Next, look at the Linux bridge on the compute node.

#brctl show
bridge name     bridge id               STP enabled     interfaces
qbre90692e9-74  8000.8a78413589c7       no              qvbe90692e9-74
                                                        tape90692e9-74

This bridge has two interfaces: besides the tap interface connected to the VM, there is also a qvb interface.

3. Then look at the Open vSwitch bridge on the compute node.

#ovs-vsctl show
    Bridge br-int
        fail_mode: secure
        Port "qvoe90692e9-74"
            tag: 7
            Interface "qvoe90692e9-74"
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}

The br-int bridge has a qvo interface. Its suffix is the same as that of the qvb interface on the Linux bridge, because the two are a veth pair and are connected to each other. So the Linux bridge and br-int are connected as well,
and the Port qvb to Port qvo path in the diagram above is complete.

4. If the network were of VLAN type, the OVS bridges would show br-ex above br-int as in the diagram, connected by a pair of veth interfaces, with br-ex in turn connected to the physical switch.
Because my test network is GRE, my br-int is connected to br-tun instead, which is not in the diagram.

Note that between the VM and the OVS bridge br-int there is an extra Linux bridge; the VM is not plugged directly into br-int. The reason is that iptables is needed: if the VM's tap device were connected directly to Open vSwitch, iptables rules could not be applied to that tap device. A Linux bridge is therefore inserted in the middle, and iptables is applied on the Linux bridge.
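The four steps above can be followed programmatically. This added Python example (not from the original post; the input text is constructed from the listings above) reads the libvirt interface definition, the brctl show output and the ovs-vsctl show output, traces tap -> qbr -> qvb/qvo -> br-int, reports the port's local VLAN tag, and rejects a VM whose tap is not behind a Linux bridge with its qvb veth, since that is the hop where iptables is applied.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the compute-node listings shown above.
LIBVIRT_XML = """<domain><devices><interface type="bridge">
  <source bridge="qbre90692e9-74"/>
  <target dev="tape90692e9-74"/>
</interface></devices></domain>"""
BRCTL_SHOW = """bridge name\tbridge id\t\tSTP enabled\tinterfaces
qbre90692e9-74\t\t8000.8a78413589c7\tno\t\tqvbe90692e9-74
\t\t\t\t\t\t\ttape90692e9-74"""
OVS_SHOW = """    Bridge br-int
        Port "qvoe90692e9-74"
            tag: 7
            Interface "qvoe90692e9-74"
        Port br-int
            Interface br-int"""

def parse_brctl(text):
    """Map Linux bridge name -> set of member interfaces (indented rows continue the last bridge)."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if parts and not line[0].isspace():       # bridge name, id, STP flag, first interface
            current = parts[0]
            bridges[current] = set(parts[3:])
        elif parts:                               # further interfaces of the same bridge
            bridges[current].update(parts)
    return bridges

def parse_ovs_ports(text):
    """Map OVS port name -> (bridge, local VLAN tag or None) from ovs-vsctl show output."""
    ports, bridge, port = {}, None, None
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith("Bridge "):
            bridge = s.split()[1].strip('"')
        elif s.startswith("Port "):
            port = s.split()[1].strip('"')
            ports[port] = (bridge, None)
        elif s.startswith("tag: ") and port:
            ports[port] = (bridge, int(s.split()[1]))
    return ports

def trace_vm_path(libvirt_xml, brctl_text, ovs_text):
    """Follow tap -> qbr (Linux bridge, where iptables applies) -> qvb/qvo veth -> br-int."""
    iface = ET.fromstring(libvirt_xml).find(".//interface[@type='bridge']")
    tap, qbr = iface.find("target").get("dev"), iface.find("source").get("bridge")
    suffix = tap[len("tap"):]                     # Neutron port-id fragment shared by every hop
    qvb, qvo = "qvb" + suffix, "qvo" + suffix
    if not {tap, qvb} <= parse_brctl(brctl_text).get(qbr, set()):
        raise ValueError(f"{qbr} does not join {tap} and {qvb}")
    ovs_bridge, tag = parse_ovs_ports(ovs_text).get(qvo, (None, None))
    return {"tap": tap, "qbr": qbr, "qvb": qvb, "qvo": qvo, "ovs_bridge": ovs_bridge, "tag": tag}
```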

Neutron really feels very complicated, and some things are hard to understand. I can only record the little I have learned about it here.



Origin www.cnblogs.com/lijianming180/p/12326831.html