Looking further: a chat about the L2 agent

Foreword

Earlier, when talking about the OpenStack Neutron project, we mentioned ML2. ML2 is the new-generation core plug-in that replaces the original core plug-ins: it implements the three core resources network / subnet / port and also some extension resources such as Port Binding. By decoupling the virtual network type from the underlying mechanism that realises it, and extending both in the form of drivers, ML2 solves the problems of the traditional core plug-ins.

We also know that the services Neutron provides map plug-ins to agents. With the traditional core plug-ins all nodes had to use the same network provider; ML2 removes that restriction, since different mechanism drivers can serve different network providers through their own agents. In practice developers do not need to think about this much: they write a mechanism driver, and that driver talks to its corresponding agent.

The ML2 core plug-in and its agents are responsible for connecting instances to the OpenStack layer-2 virtual network, which brings us to the Linux Bridge and Open vSwitch agents.

Service and Agent

The Neutron project's official description of services and agents is roughly this: a typical Neutron setup includes multiple services and agents running on one or more nodes (although some setups may not need any agent at all). Each service provides some network or API functionality. In particular:

  1. The Neutron server provides the API endpoints and is the single point of access to the database. It usually runs on the controller node.
  2. A layer-2 agent (Open vSwitch, Linux Bridge, or another vendor-specific technology) provides tenant networks and isolation segments (think of it as the physical network switch). An L2 agent runs on every node that hosts virtual interfaces and is responsible for wiring and securing them (typically the compute nodes and the network nodes).
  3. Layer-3 agents, running on the network nodes, provide north-south and east-west routing and some advanced services such as FWaaS or ***aaS.

This article is about the layer-2 agents, mainly the Linux Bridge agent and the Open vSwitch agent, both of which are L2 (layer-2) agents.

What is Linux Bridge?

Linux Bridge is the mature and reliable layer-2 network virtualisation technology in Neutron. It supports the local, flat, vlan and vxlan network types; gre is currently not supported.

Linux Bridge can bridge several NICs on a host together and act as a switch. It can bridge physical NICs, and it can also bridge virtual NICs: the virtual NIC of a virtual machine is a tap device (usually called the tap interface), a network device that the VM exposes to the host and that is attached to the bridge as a port. Logically a tap interface works like a physical interface: it can receive and transmit packets. (How tap devices work and are created is beyond this article; knowing what the following devices mean is enough for the examples below.)

  1. Tap interface: the virtual machine's NIC as seen by the bridge; essentially a device, named tapXXX;
  2. Linux Bridge: can be understood as a physical network switch, named brqxxxx;
  3. VLAN interface: used to connect a bridge to a VLAN, named ethx.y (ethx is the physical NIC name, y is the VLAN ID);
  4. VXLAN interface: used to connect a bridge to a VXLAN network, named vxlan-z (z is the VNI);
  5. Physical network interface: the hardware interface that connects to the physical network.

So how exactly does the Linux Bridge agent handle the requests that the plug-in (ML2) passes to it? (Note: this refers to the Linux Bridge agent.)

An example: how Linux Bridge implements a Neutron network

We will use flat and vlan networks on Linux Bridge as examples, starting with flat because it is simpler and its essence is easy to grasp. Vlan networks are the model used far more often in practice, so they still need to be understood.

First let's understand how a Linux Bridge works as a virtual switch. It is fairly simple, but for readers who have not dealt with Linux virtual networking before, the following may take some effort. See the figure:

[Figure: Linux Bridge br0 connecting eth0, vnet0 and vnet1]

br0 is the Linux Bridge, playing the role of a virtual switch. The NIC eth0 connects it to the physical network, and the tap devices vnet0 / vnet1 are the virtual NICs. They all sit on the same layer-2 network, which allows VM1 and VM2 to talk to each other and to the external network (for the detailed mechanics, see the basic theory and practice of network virtualisation).

(1) A single flat network on Linux Bridge

[Figure: single flat network on Linux Bridge, eth1 bridged to brqxxxx]

As we know, a flat network is an untagged network, so it requires a physical NIC to be connected directly to the Linux Bridge on the host. This also means that each flat network occupies a physical NIC exclusively: in the figure above eth1 is bridged to brqxxxx to provide one flat network. The figure shows a single flat network; a second flat network would need another physical NIC, such as eth2.

Of course, some configuration files need to be checked or changed as well, such as the supported network types in the ML2 configuration file; we will not go into that here, it is enough to know about it. Let's continue from the bridge brqxxxxx and look at the principle behind a flat network. If the "kvm" in the figure is unfamiliar, ignore it (KVM, Kernel-based Virtual Machine, is type 2 virtualisation; we do not need the details here, and related articles are easy to find).

For a Linux Bridge and a virtual machine instance to be connected, a device (an interface) must act as the medium, and that device is the tap. Tap and tun are often mentioned together; both are virtual network devices in the operating system kernel (note: in Linux everything is a file). The difference is that tap works at layer 2 while tun works at layer 3, which is reflected only in a flag in the packet structure that tells them apart; functionally they differ little. Space is limited, so we will not dig further. It is enough to know that the link-layer protocol corresponding to tap is Ethernet (IEEE 802.3), which is why tap devices are sometimes called "virtual Ethernet devices".

On a Linux system (CentOS 7) the following commands show the tap-related information:

[root@localhost ~]# modinfo tun   # check whether tun exists and show its details
filename:       /lib/modules/3.10.0-693.el7.x86_64/kernel/drivers/net/tun.ko.xz
alias:          devname:net/tun
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky <[email protected]>
description:    Universal TUN/TAP device driver
rhelversion:    7.4
srcversion:     4E9F57A6269CFD0F4BE4021
depends:        
intree:         Y
vermagic:       3.10.0-693.el7.x86_64 SMP mod_unload modversions 
signer:         CentOS Linux kernel signing key
sig_key:        DA:18:7D:CA:7D:BE:53:AB:05:BD:13:BD:0C:4E:21:F4:22:B6:A4:9C
sig_hashalgo:   sha256
# output like the above shows the module is present
[root@localhost ~]# lsmod | grep tun  # check whether it is already loaded
tun                    31621  1 # if this appears the module is already loaded

[root@localhost ~]# modprobe tun  # load the module
[root@localhost ~]# lsmod | grep tun
tun                    31621  1 

The tap provides network communication between the Linux bridge and the virtual machine instance; that is how a single flat network is built on a Linux Bridge.

But flat networks are not friendly to multi-tenancy, so vlan networks are used to isolate the tenants' networks.

(2) A vlan network on Linux Bridge

In fact, vlan and flat networks on Linux Bridge are similar; the difference lies in flat versus vlan itself: as said before, a flat network is untagged, and vlan is exactly the opposite. Look at the figure:

[Figure: vlan network on Linux Bridge, VLAN interface eth1.100 attached to brqxxxx]

The three virtual machine instances are again connected to the Linux bridge brqxxxx through tap devices. On the right, a VLAN interface named eth1.100 is created on the physical NIC eth1 (100 is the VLAN ID, which can be understood as the tag) and connected to the Linux bridge brqxxxx. Packets sent by the instances thus leave eth1 through eth1.100 tagged with 100. For an analogy, think of how NAT multiplexes ports to achieve address translation.

In this way the virtual network vlan100 is created on Linux Bridge. Several vlans can be split out, of course, for example eth1.101, eth1.102 and so on, each of which needs to be connected to a new Linux Bridge (brqyyyy).

When each vlan network has its own bridge, vlan-based network isolation is achieved. Note, however, that the switch port that the physical device eth1 connects to must be configured in trunk mode.
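As an added example (not code from the original post), here is a small Python model of the Linux Bridge wiring described in the flat and vlan sections above, showing why one bridge per uplink keeps the networks apart. The brq / tap / ethX.Y naming follows the post; the bridge names and MAC addresses used to exercise it are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Bridge:
    name: str            # brqxxxx
    uplink: str          # "eth1" for a flat network, "eth1.100" for a vlan network
    taps: set = field(default_factory=set)
    fdb: dict = field(default_factory=dict)   # learned MAC -> tap port

class LinuxBridgeHost:
    def __init__(self):
        self.bridges = {}   # constructed model: one Linux Bridge per Neutron network

    def add_bridge(self, name, nic, vid=None):
        # flat: the physical NIC itself is enslaved; vlan: an ethX.Y sub-interface is.
        # Either way an uplink belongs to only one bridge, which is why a second flat
        # network needs a second NIC (eth2) and every vlan gets its own bridge.
        uplink = nic if vid is None else f"{nic}.{vid}"
        for b in self.bridges.values():
            if b.uplink == uplink:
                raise ValueError(f"{uplink} is already enslaved to {b.name}")
        self.bridges[name] = Bridge(name, uplink)
        return uplink

    def attach_tap(self, bridge, tap, mac):
        b = self.bridges[bridge]
        b.taps.add(tap)
        b.fdb[mac] = tap     # the bridge learns the VM MAC behind this tap

    def ingress(self, nic, vid, dst_mac):
        # A frame arriving on the NIC: the kernel hands tagged frames to the matching
        # ethX.Y sub-interface and untagged ones to the NIC itself, so only the bridge
        # that owns that uplink ever sees the frame. Returns the tap(s) receiving it.
        uplink = nic if vid is None else f"{nic}.{vid}"
        for b in self.bridges.values():
            if b.uplink == uplink:
                if dst_mac in b.fdb:
                    return [b.fdb[dst_mac]]
                return sorted(b.taps)   # unknown unicast / broadcast: flood, but only inside this bridge
        return []                       # no bridge owns this VLAN: the frame goes nowhere

    def egress(self, tap):
        # A frame sent by a VM leaves the NIC untagged (flat) or tagged with the
        # bridge's VLAN id, which the ethX.Y sub-interface adds.
        for b in self.bridges.values():
            if tap in b.taps:
                nic, _, vid = b.uplink.partition(".")
                return nic, (int(vid) if vid else None)
        raise KeyError(f"{tap} is not attached to any bridge")
```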

Having covered Linux Bridge, let's talk about Open vSwitch.

What is Open vSwitch?

The Open vSwitch agent is one implementation of the L2 agent. Neutron's L2 agent corresponds to the bridge (layer-2) type, and there are several implementations, such as neutron-linuxbridge-agent and neutron-openvswitch-agent.

Compared with Linux Bridge, Open vSwitch (OVS for short) performs better and supports more features, and it is now the mainstream choice in the OpenStack world. But the way OVS realises networks is more complex to understand, which is why we started with Linux Bridge.

OVS supports all network types: local, flat, vlan, vxlan, gre, geneve and so on.

Let's look at the network devices used with OVS:

(1) tap interface, named tapXXXX.
(2) Linux bridge, named qbrXXXX.
(3) veth pair, named qvbXXXX and qvoXXXX.
(4) OVS integration bridge, named br-int: the integration bridge, to which the virtual NICs of all instances and the other virtual network devices connect.
(5) OVS patch ports, named int-br-ethX and phy-br-ethX (X is the interface index).
(6) OVS provider bridge, named br-ethX (X is the interface index).
(7) Physical interface, named ethX (X is the interface index).
(8) OVS tunnel bridge, named br-tun: the tunnel bridge, used by the tunnel-based VXLAN and GRE networks for communication.

Note: the OVS provider bridge is used by flat and vlan networks; the OVS tunnel bridge is used by vxlan and gre networks.

Among these, br-int is Neutron's integration bridge, typically used to connect the Linux bridge and the tunnel bridge, and to map and translate between different network IDs. Its functions differ between network modes.

The following case of a vlan network on OVS illustrates how OVS realises a network.

(3) A vlan network on OVS

[Figure: vlan network on OVS, instance to qbr bridge, veth pair to br-int, patch ports to br-eth1]

PS: my drawing skills are average, so I grabbed a diagram from the internet as the case to save some time, no offence ~ ^_^! The example is the left-hand side; match the colours!

The links among the three devices above need no explanation, but what on earth is the veth pair in the middle?

Let's look at the small components in the figure above.

1. qbrxxx: a Linux bridge device. qbrxxx sits between the instance and the br-int bridge and is mainly responsible for applying the security group rules;
2. qvbxxx: Neutron's veth device on the Linux Bridge side; the letters stand for q-quantum, v-veth, b-bridge (Quantum was the former name of Neutron);
3. qvoxxx: Neutron's veth device on the Open vSwitch side; the letters stand for q-quantum, v-veth, o-openvswitch.

According to material on the internet, a veth pair is a virtual Ethernet device, and veth devices always come in pairs. Data fed into one end is turned around by veth and sent into the kernel network stack, completing the injection, after which the other end can read it. In short, data input at one end of a veth device always comes out at the other end.

Therefore in Neutron a veth pair is usually used to carry data between two different bridges: here it provides the communication path between the Linux bridge and the OVS integration bridge. Ports are isolated from each other through the allocated VLAN IDs.

Now look at the patch ports between the OVS integration bridge br-int and the OVS provider bridge. They can be understood by analogy with the veth pair above: a pair of patch ports also connects two different bridges, where int-br-eth1 is the patch port device on the integration bridge and phy-br-eth1 is the patch port device on the provider bridge. The VLAN ID is translated between them, which can be understood by analogy with NAT.

Seen from outside to inside, i.e. for packets travelling uplink, the VLAN ID is translated according to the flow table: the external VLAN ID is turned into the ID used internally, e.g. 101 -> 1, 102 -> 2, and the reverse happens in the outbound direction. This is the real core of how the agent configures things.
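As an added example (not code from the original post or from Neutron itself), the translation just described expressed as the kind of OpenFlow rules the Open vSwitch agent installs on the patch ports, plus a small matcher that applies them to a tagged frame. The OpenFlow port numbers and the 101 -> 1 / 102 -> 2 mapping are constructed sample values.

```python
def build_flows(int_port, phy_port, vlan_map):
    # vlan_map: provider (external) VLAN id -> local VLAN id used inside br-int.
    # int_port is the OpenFlow port number of int-br-eth1 on br-int and
    # phy_port that of phy-br-eth1 on br-eth1 (constructed sample numbers).
    br_int, br_eth1 = [], []
    for ext, loc in vlan_map.items():
        # uplink, entering br-int through the patch port: provider tag -> local tag
        br_int.append(f"priority=3,in_port={int_port},dl_vlan={ext} actions=mod_vlan_vid:{loc},NORMAL")
        # downlink, leaving through br-eth1: local tag -> provider tag
        br_eth1.append(f"priority=4,in_port={phy_port},dl_vlan={loc} actions=mod_vlan_vid:{ext},NORMAL")
    # anything else crossing a patch port is dropped, so a VLAN that was never
    # mapped cannot leak into or out of the tenant side
    br_int.append(f"priority=2,in_port={int_port} actions=drop")
    br_eth1.append(f"priority=2,in_port={phy_port} actions=drop")
    # table miss: ordinary L2 switching for traffic that did not cross a patch port
    for table in (br_int, br_eth1):
        table.append("priority=0 actions=NORMAL")
    return {"br-int": br_int, "br-eth1": br_eth1}

def parse_flow(text):
    # "priority=3,in_port=1,dl_vlan=101 actions=mod_vlan_vid:1,NORMAL"
    match, actions = text.split(" actions=")
    fields = dict(kv.split("=") for kv in match.split(","))
    return {k: int(v) for k, v in fields.items()}, actions.split(",")

def apply_flows(flows, in_port, vid):
    """VLAN id a frame carries after the highest-priority matching rule; None if dropped."""
    best = None
    for text in flows:
        fields, actions = parse_flow(text)
        if "in_port" in fields and fields["in_port"] != in_port:
            continue
        if "dl_vlan" in fields and fields["dl_vlan"] != vid:
            continue
        if best is None or fields["priority"] > best[0]["priority"]:
            best = (fields, actions)
    if best is None or "drop" in best[1]:
        return None
    for action in best[1]:
        if action.startswith("mod_vlan_vid:"):
            vid = int(action.split(":")[1])
    return vid
```

Running the same matcher on both tables shows the round trip: a frame tagged 101 entering br-int through int-br-eth1 becomes local VLAN 1, a frame tagged 1 leaving through phy-br-eth1 becomes 101 again, and a tag that was never mapped is dropped at the patch port.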

A short summary

This article introduced the L2 agents, using cases of Linux Bridge and OVS providing network services for different network types, and along the way supplemented some theory about Linux virtual networking.


Origin blog.51cto.com/14557673/2479123