150416 OpenStack Networking with Neutron Jieun, Kim
7 likes2,238 views
[OpenStack Korea Community Study Group, B Class] 2015년 상반기 첫번째 스터디, B Class 세번째 시간에 OpenStack neutron에 대하여 스터디를 진행 RDO - too much detail 참고
![[OpenStack]
OpenStack Networking with Neutron
김지은
yeswldms@gmail.com](https://image.slidesharecdn.com/150413openstacknetworkingwithneutron-150415200113-conversion-gate01/85/150416-OpenStack-Networking-with-Neutron-Jieun-Kim-1-320.jpg)
150416 OpenStack Networking with Neutron Jieun, Kim
- 1. [OpenStack] OpenStack Networking with Neutron 김지은 yeswldms@gmail.com
- 2. What is Network NameSpace? • • 네트워크 관련된 시스템 자원의 isolation을 제공 각각의 Network Device, IP address, IP routing tables, /proc/net directory, port numbers …
- 3. What is VLAN Tagging? • • 2계층 스위치 간 프레임 전달시 프레임이 어느 VLAN 소속인지 알려주는 VID 정보의 전달 방식 프레임 내에 관련정보를 tagging • 오픈스택 상에서 같은 Compute Node위에 있는 다른 인스턴스들간의 트래픽에 적용
- 4. What is GRE? • GRE port in OVS OVS lays finishing of GRE packet encapsulation on networking stack. • 오픈스택 상에서 다른 Compute Node위에 있는 다른 인스턴스들간의 트래픽에 적용
- 5. Network Guide • Network Connectivity Physical Hosts Management Network OpenStack Components 간 내부 통신 Data Network VM Data 간 통신, IP 할당 필요 API Network OpenStack API, Netwoking API 간 통신 제공 External Network VM의 외부연결
- 6. Lab Test Controller node eth0 Network node eth0 Compute node x eth0 eth1 eth2 eth1 Management Network + API Network : 10.0.0.0/24(NAT) Data Network : 10.0.1.0/24External Network : 192.168.1.0/24 GW : 192.168.1.254
- 7. Network Topology (demo) ext-net external network 192.168.1.0/24 demo-net tena nt1, internal net work 192.168.100.0/24 demo-net2 ten ant2, Internal n etwork 192.168.101.0/24 External Network 192.168.1.0/24 Tenant 1 Tenant 2
- 8. Lab Test – Too Much Detail • VLAN & GRE Compute Node Network Node test1 test2 test3 test4 qbr x qbr x eth 0 eth 0 vnet0 vnet1 br-int br-tun qvb x qvb x qvb x qvb x qvo x qvo x qvo x qvo x br-int br- tun eth 1 eth 1 br-tun br-int br-ex vlan tag: 1 Data Network 10.0.1.0/24 eth 0 Configured by L2 Agent vlan tag: 2 br-int br- tun Configured by L2 Agent OVS Represents the actual bridge interface in the Network Stack Packet Conversion (VLAN translation) br-ex phy-br-ex int-br-ex patch -tun patch -int patch -tun patch -int gre x gre x dnsmasq tap x vla qg x qr x ntag: 1 qg y qr y vla tag: 2 dnsmasq tap y n Configured by L3 Agent NAT with iptables Configured by DHCP Agent Assigned to each subnet Configured by DHCP Agent Assigned to each subnet qrouter x qrouter y qdhcp x qdhcp y tunneling Configured by Nova Compute WAN Configured by neutron ovs plugin agent GRE Capsulation Packet Conversion (GRE mode Tunnel Interface) Configured by neutron ovs plugin agent Just vice versa. - qbr Quantum BRidge - qvb Quantum Virtual Bridge side - qvo Quantum Virtual OVS side eth 0 eth 0 Neutron OVS SG Chain vnet2 vnet3 qbr x qbr x
- 9. Lab Test – Too Much Detail • VLAN & GRE – Compute Node Compute Node test1 test2 test3 test4 qbr x qbr x eth 0 eth 0 vnet0 vnet1 br-int br-tun qvb x qvb x qvb x qvb x qvo x qvo x qvo x qvo x br-int br- tun eth 1 vlan tag: 1 Data Network 10.0.1.0/24 vlan tag: 2 Packet Conversion (VLAN translation) patch -tun patch -int gre x tunneling Configured by Nova Compute Configured by neutron ovs plugin agent Packet Conversion (GRE mode Tunnel Interface) instance TAB device Linux bridge veth pair GRE Patch Port Physical NIC GRE port Virtual ETHernet pair, 가상 네트워크로 분리, Linux Bridge와 연결, Hypervisor가 br-int bridge와 연결 물리 NIC Vnet0은 Hypervisor내부에 있는 instance의 vNIC 와 연결 간단한 L2 스위칭 기능, 여러 물리/가상 NIC 연결 OVS Generic Routing Encapsulation, GRE tunneling port Open vSwitch, 가상 스위칭 기능 동작 eth 0 eth 0 Neutron OVS SG Chain vnet2 vnet3 qbr x qbr x Configured by L2 Agent Gre 터널링 포트, VLAN과는 따로 포트가 존재해야 함(TBC)
- 10. Lab Test – Too Much Detail • VLAN & GRE – Compute Node Compute Node test1 test2 test3 test4 qbr x qbr x eth 0 eth 0 vnet0 vnet1 br-int br-tun qvb x qvb x qvb x qvb x qvo x qvo x qvo x qvo x br-int br- tun eth 1 vlan tag: 1 Data Network 10.0.1.0/24 vlan tag: 2 Packet Conversion (VLAN translation) patch -tun patch -int gre x tunneling Configured by Nova Compute Configured by neutron ovs plugin agent Packet Conversion (GRE mode Tunnel Interface) eth 0 eth 0 Neutron OVS SG Chain vnet2 vnet3 qbr x qbr x Configured by L2 Agent Neutron OVS SG chain : managed Neutron Security Groups 인스턴스와의 inbound/outbound 트래픽을 컨트롤 Security Groups - iptables, Linux Bridge : OpenStack은 SG를 사용하기 위해 iptables rules를 사용 : 현재 OVS는 iptables rule이 적용되지 않음 : TAB Device와 Linux Bridge를 거치게하여, iptables 를 사용하도록 하는 방법으로 보안을 강화 Linux Bridge : 방화벽 브릿지 : firewall rules와 호환 br-int(OVS) : 통합브릿지 : 방화벽 브릿지에 등록(qvo XXX) : VLAN 환경에서의 트래픽의 tagging/untagging 수행 br-tun(OVS) : 터널브릿지 : br-int(통합브릿지)로부터의 VLAN 태깅된 트래픽을 GRE 터널로 번역 : rules – vlan id와 tunneling id의 트래픽 맵핑 수행
- 11. Lab Test – Too Much Detail • VLAN & GRE – Network Node Network Node eth 1 br-tun br-int br-ex Data Network 10.0.1.0/24 eth 0 br-int br- tun Configured by L2 Agent br-ex phy-br-ex int-br-ex patch -tun patch -int gre x dnsmasq tap x vla qg x qr x ntag: 1 qg y qr y vla tag: 2 dnsmasq tap y n Configured by L3 Agent NAT with iptables Configured by DHCP Agent Assigned to each subnet Configured by DHCP Agent Assigned to each subnet qrouter x qrouter y qdhcp x qdhcp y tunneling WAN Configured by neutron ovs plugin agent Just vice versa. dnsmasq Internal Port veth pair GRE Patch Port Physical NIC GRE port Virtual ETHernet pair, 가상 네트워크로 분리, Linux Bridge와 연결, Hypervisor가 br-int bridge와 연결 물리 NIC OVS bridge’s internal ports OVS ??? 정확한 기능이 뭐고, br-int 및 br-tun과 다른점은? Generic Routing Encapsulation, GRE tunneling port Open vSwitch, 가상 스위칭 기능 동작 Port에 붙어서 DHCP 서비스 제공 Network Namespace, qrouter ~ : connection to the outside(NAT) qdhcp ~ : dhcp service namespace
- 12. Lab Test – Too Much Detail Network Node eth 1 br-tun br-int br-ex Data Network 10.0.1.0/24 eth 0 br-int br- tun Configured by L2 Agent br-ex phy-br-ex int-br-ex patch -tun patch -int gre x dnsmasq tap x vla qg x qr x ntag: 1 qg y qr y vla tag: 2 dnsmasq tap y n Configured by L3 Agent NAT with iptables Configured by DHCP Agent Assigned to each subnet Configured by DHCP Agent Assigned to each subnet qrouter x qrouter y qdhcp x qdhcp y tunneling WAN Configured by neutron ovs plugin agent Just vice versa. qDHCP namespace : DHCP 서버는 네트워크 namespace안에서 dnsmasq로 동작 : Network namespace는 호스트와는 별개의 네트워크 스택 (interfaces, routing tables, iptables rules)을 가질 수 있는 리눅스 커널의 기능 : dnsmasq qRouter namespace : Neutron router는 라우팅과 서브넷사이에서 수행되는 라우팅테 이블, iptables에 설정된 network namespace : 라우터 기능을 수행 : Netfilter nat table - namespace내부의 라우터에 존재 인스턴스들의 floaing ip를 책임진다 External traffic : 외부로의 트래픽은 네임스페이스의 qg인터페이스를 경유하는 br-ex를 경유 : int-br-ex port(br-int)와 phy-br-ex port(br-ex)를 통해 qg를 거 치지 않고 바로 나갈 수 있음
- 13. Lab Test – Too Much Detail • VLAN & GRE – Network Node NAT to host address : 만약 br-ex에게 public cloud를 할당하기 위해 게이트웨이 어드레스를 설정한다면(NAT를 사용하고싶으면) 그러면 네트워크 노드의 아이피를 통해 “external”트래픽을 사용할 수 있는 포워딩과 NAT룰을 생성할 수 있다. Direct network connction : 바로 floating ip대역에 다이렉트로 외부 네트웍을 사용할거라면 # ip addr add 172.24.4.225/28 dev br-ex # ovs-vsctl add-port br-ex eth2
- 14. Lab Test – Too Much Detail Controller Node > used demo tenant > External Network : ext-net > Private Network : demo-net, demo-net2 > Instance : test1, test2, test3, test4
- 15. Lab Test – Too Much Detail Compute Node - Bridges & Ports
- 16. Lab Test – Too Much Detail Network Node - Bridges & Ports
- 17. Lab Test – Too Much Detail Network Node – Network Namespace(qRouter, qDHCP) Compute Node – br-tun(터널브릿지의 table)
- 18. Lab Test – Too Much Detail Network Node – qDHCP namespace interface
- 19. Lab Test – Too Much Detail Network Node – qRouter namespace interface
- 20. Lab Test – Too Much Detail • VLAN & GRE – Network Node Network Node - qRouter namespace iptables
- 21. 이상입니다.