SlideShare a Scribd company logo

Neutron Network Namespaces and IPtables--A Technical Deep Dive

Mirantis, profile picture
Mirantis

The document provides a technical deep dive into Neutron network namespaces and iptables, explaining their functionality and advantages, including the ability to manage overlapping IPs and support for multiple virtual routers per node. It details the implications of kernels that do not support namespaces, outlining deployment complications and restrictions. Additionally, troubleshooting steps for common issues related to namespace configurations and DHCP functionality are summarized.

Technology
1 of 30
Downloaded 1,279 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Neutron Network Namespaces and IPtables: Technical deep dive Damian Igbe Technical Instructor & Consultant © MIRANTIS 2013 PAGE 1
Presentation Outline • Introduction to Neutron & Neutron Namespaces • Deep Dive • Conclusions © MIRANTIS 2013 PAGE 2
What are Namespaces • Namespaces enables multiple instances of a routing table to co-exist within the same Linux box • Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent domains. © MIRANTIS 2013 PAGE 3
Namespaces Diagram © MIRANTIS 2013 PAGE 4
Namespaces Advantages • Overlapping IPs: A big advantage of namespaces implementation in neutron is that tenants can create overlapping IP addresses, a situation that gives freedom to cloud users because they are free to create any subnet of choice without fear of conflicting with that of another tenant. Linux network namespace is required on nodes running neutron-l3-agent or neutron-dhcp-agent if overlapping IPs is in use. Hence the hosts running these processes must support network namespaces. © MIRANTIS 2013 PAGE 5
Namespaces Advantages L3 Agent: The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node, that do not interfere with each other or with routing of the compute node on which they are hosted © MIRANTIS 2013 PAGE 6
What if Namespaces NOT supported? If the kernel does not support namespaces, the following limitations should be noted with Neutron: • Neutron-l3-agent is limited to providing a single virtual router per compute node. If namespaces is supported, a single deployed neutron-l3-agent should be able to host multiple virtual routers. • It is necessary to configure each neutron-l3-agent with the Universally Unique ID (UUID) identifying the router instance that it hosts. This complicates deployment, makes self-service provisioning of routers by tenants impractical. If namespaces is supported, the configuration with the UUID(s) of the router(s) it hosts is not required. •If the host does not support namespaces then the neutron-l3-agent and neutron-dhcp-agent should be run on different hosts. This is due to the fact that there is no isolation between the IP addresses created by the L3 agent and by the DHCP agent. A downside to this is that by manipulating the routing tables the user can ensure that these networks have access to one another. © MIRANTIS 2013 PAGE 7
Recognizing Namespaces • Every l2-agent/private network has an associated dhcp namespace and • Every l3-agent/router has an associated router namespace. © MIRANTIS 2013 PAGE 8
Multinode Network Topology © MIRANTIS 2013 PAGE 9
Ref. Architecture • Multinode Grizzy on Ubuntu 12.04 • libvirt/QEMU, • LibvirtHybridOVSBridgeDriver vif driver, • Quantum security groups, • Open vSwitch Neutron/Quantum plugin using • GRE • dnsmasq • IP namespaces enabled © MIRANTIS 2013 PAGE 10
Tenant 1 Network © MIRANTIS 2013 PAGE 11
Tenant 2 Network © MIRANTIS 2013 PAGE 12
Multinode Network Topology © MIRANTIS 2013 PAGE 13
On The Compute Node © MIRANTIS 2013 PAGE 14
On The Net Node © MIRANTIS 2013 PAGE 15
Net Namespaces © MIRANTIS 2013 PAGE 16
Illustration © MIRANTIS 2013 PAGE 17
Showing Net & Compute Node © MIRANTIS 2013 PAGE 18
Troubleshooting Let us summarize the troubleshooting steps into 2: STEP1: Identify the correct namespace STEP2: Perform general troubleshooting around the identified namespace © MIRANTIS 2013 PAGE 19
Problem Have spin off an instance and it has an IP address from Horizon but cannot ssh (probabely because the interface has no assigned IP) to it so can only view from VNC © MIRANTIS 2013 PAGE 20
Detailed Troubleshooting steps for this Problem •Ensure that dnsmasq process is running: # pgrep -fl dnsmasq ( restart the quantum-dhcp-agent if not). • verify the IP address in the namespace, if dnsmasq is running: # ip netns [list]. •Identify the qdhcp-network <networkUUID> namespace: # ip netns exec qdhcp-<networkUUID> ip From the output, ensure that the IP on the interface is present and matches the one present for dnsmasq. To verify what the expected IP address is, use quantum-port-list and quantum port-show <portUUID>. •Determine the leases # /var/lib/quantum/dhcp/<networkUUID>/host Note: •If the dnsmasq configuration is correct, but dnsmasq is not responding with leases and the bridge/interface is created and running, pkill dnsmasq and restart quantum-dhcp-agent. •If dnsmasq does not include the correct leases, verify that quantum-server is running correctly and that it can communicate with dhcp-agent. If it is running correctly, and the bridge/interface is created and running, restart quantum-dhcpagent. © MIRANTIS 2013 PAGE 21
Network Node: • root@vmnet-mn:~# ovs-vsctl show • root@vmnet-mn:/# ovs-ofctl dump-flows br-tun The DHCP agent • The DHCP agent is configured to use OVS and dnsmasq: root@vmnet-mn:/# grep -v '^#|^s*$' /etc/quantum/dhcp_agent.ini © MIRANTIS 2013 PAGE 22
Network Node Cont. • root@vmnet-mn:~#pgrep –fl dnsmasq • root@vmnet-mn:/# ip netns | grep dhcp root@vmnet-mn:/# ip netns exec qdhcp-eeeee ifconfig • root@vmnet-mn:/# ip netns exec qdhcp6b71dbb8-e91c-47f0-92c4-47882007115d ping ip © MIRANTIS 2013 PAGE 23
Network Node • root@vmnet-mn:/# cat /var/lib/quantum/dhcp/e0fe9037-790a-4cb-9bf44b06f0cfcf5c/host Note that: • Dnsmasq logs to /var/log/syslog in this Ubuntu installation. © MIRANTIS 2013 PAGE 24
Compute Node • root@vmcom1-mn :/# ip link • root@vmcom1-mn :/# brctl show • root@vmcom1-mn :/# ovs-vsctl show • root@vmcom1-mn :/# ovs-ofctl dump-flows brtun • root@vmcom1-mn :/# iptables-save © MIRANTIS 2013 PAGE 25
Compute Node • root@vmcom1-mn :/# tcpdump -n -i eth2 © MIRANTIS 2013 PAGE 26
Controller Node • damian@vmcon-mn:/$ quantum net-show net1 • damian@vmcon-mn:/$ quantum subnet-show ad970f3f-4ceb-4565-b897-1cd0fe34cd5b • damian@vmcon-mn:/$ nova boot --flavor micro --image cirros-030-x86_64 --nic netid=6b71dbb8-e91c-47f0-92c4-47882007115d -security-groups test-vms test-instance1 • damian@vmcon-mn:/$ nova list © MIRANTIS 2013 PAGE 27
Controller Node • damian@vmcon-mn:/$ quantum port-list -device_id=44e362ba-e8a4-4bae-b0ea5477666632c9 • damian@vmcon-mn:/$ quantum port-show 9a41d8fa-a745-4411-b9f8-daa182f38527 © MIRANTIS 2013 PAGE 28
CONCLUSIONS QUESTIONS AND ANSWERS © MIRANTIS 2013 PAGE 29
Note • When a router or network is created, the namespaces don’t get created immediately. For network, the DHCP namespaces get created only when a vm is attached and for router the namespace is created when a gateway is set. It means that an activity must take place before the namespaces get created. • When a router or network is deleted, the associated namespaces are not deleted. They need to be manually deleted. © MIRANTIS 2013 PAGE 30

More Related Content

PDF
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Tanya Denisyuk
 
PDF
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 
PPTX
Commication Framework in OpenStack
Sean Chang
 
PPTX
DCUS17 : Docker networking deep dive
Madhu Venugopal
 
PPTX
How to Troubleshoot OpenStack Without Losing Sleep
Sadique Puthen
 
PDF
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal
Michelle Antebi
 
ODP
Testing Wi-Fi with OSS Tools
All Things Open
 
PDF
Container Orchestration from Theory to Practice
Docker, Inc.
 
Максим Барышиков-«WoT: Geographically distributed cluster of clusters»
Tanya Denisyuk
 
Anatomy of neutron from the eagle eyes of troubelshoorters
Sadique Puthen
 
Commication Framework in OpenStack
Sean Chang
 
DCUS17 : Docker networking deep dive
Madhu Venugopal
 
How to Troubleshoot OpenStack Without Losing Sleep
Sadique Puthen
 
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal
Michelle Antebi
 
Testing Wi-Fi with OSS Tools
All Things Open
 
Container Orchestration from Theory to Practice
Docker, Inc.
 

What's hot (19)

PDF
Small, Simple, and Secure: Alpine Linux under the Microscope
Docker, Inc.
 
PDF
[En] IPVS for Docker Containers
Andrey Sibirev
 
PDF
Breaking the RpiDocker challenge
Nicolas De Loof
 
PPTX
Docker summit : Docker Networking Control-plane & Data-Plane
Madhu Venugopal
 
PPT
Docker Multi Host Networking, Rachit Arora, IBM
Neependra Khare
 
PPTX
Multi tier-app-network-topology-neutron-final
Sadique Puthen
 
PDF
Leveraging the Power of containerd Events - Evan Hazlett
Docker, Inc.
 
PPTX
Docker Networking & Swarm Mode Introduction
Phi Huynh
 
PDF
Kubernetes Networking - Giragadurai Vallirajan
Neependra Khare
 
PDF
Docker 1.12 networking deep dive
Madhu Venugopal
 
PPTX
DockerCon US 2016 - Docker Networking deep dive
Madhu Venugopal
 
PDF
Microservices with Micronaut
QAware GmbH
 
PDF
LXC on Ganeti
kawamuray
 
PDF
Kubernetes Networking
CJ Cullen
 
PDF
Container Performance Analysis
Brendan Gregg
 
PDF
Debugging Network Issues
Apcera
 
PPTX
Docker Networking in OpenStack: What you need to know now
PLUMgrid
 
PPTX
[오픈소스컨설팅] Linux Network Troubleshooting
Open Source Consulting
 
PDF
Kubernetes Networking
Giragadurai Vallirajan
 
Small, Simple, and Secure: Alpine Linux under the Microscope
Docker, Inc.
 
[En] IPVS for Docker Containers
Andrey Sibirev
 
Breaking the RpiDocker challenge
Nicolas De Loof
 
Docker summit : Docker Networking Control-plane & Data-Plane
Madhu Venugopal
 
Docker Multi Host Networking, Rachit Arora, IBM
Neependra Khare
 
Multi tier-app-network-topology-neutron-final
Sadique Puthen
 
Leveraging the Power of containerd Events - Evan Hazlett
Docker, Inc.
 
Docker Networking & Swarm Mode Introduction
Phi Huynh
 
Kubernetes Networking - Giragadurai Vallirajan
Neependra Khare
 
Docker 1.12 networking deep dive
Madhu Venugopal
 
DockerCon US 2016 - Docker Networking deep dive
Madhu Venugopal
 
Microservices with Micronaut
QAware GmbH
 
LXC on Ganeti
kawamuray
 
Kubernetes Networking
CJ Cullen
 
Container Performance Analysis
Brendan Gregg
 
Debugging Network Issues
Apcera
 
Docker Networking in OpenStack: What you need to know now
PLUMgrid
 
[오픈소스컨설팅] Linux Network Troubleshooting
Open Source Consulting
 
Kubernetes Networking
Giragadurai Vallirajan
 
Ad

Viewers also liked (20)

PDF
OpenStack Neutron Tutorial
mestery
 
PDF
Inside Architecture of Neutron
markmcclain
 
ODP
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Dave Neary
 
PPTX
Modular Layer 2 In OpenStack Neutron
mestery
 
PDF
Inside neutron 2
Robin Gong
 
PDF
OpenStack Architecture
Mirantis
 
PPTX
OpenStack Quantum Intro (OS Meetup 3-26-12)
Dan Wendlandt
 
PDF
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
Mirantis
 
PDF
Automating OpenStack Deployment with Fuel
Tomasz Zen Napierala
 
PPTX
How to write a Neutron Plugin - if you really need to
salv_orlando
 
PPTX
Openstack Basic with Neutron
KwonSun Bae
 
PDF
OpenStack Super Bootcamp.pdf
OpenStack Foundation
 
PDF
Openstack Summit Container Day Keynote
Boyd Hemphill
 
PPTX
Turning Containers into Cattle
Subbu Allamaraju
 
PPTX
Managing Container Clusters in OpenStack Native Way
Qiming Teng
 
PDF
Webinar container management in OpenStack
CREATE-NET
 
PPTX
Cloud init and cloud provisioning [openstack summit vancouver]
Joshua Harlow
 
PPTX
How to Monitor Application Performance in a Container-Based World
Ken Owens
 
PDF
Open Container Technologies and OpenStack - Sorting Through Kubernetes, the O...
Daniel Krook
 
PPTX
Architecting Ceph Solutions
Red_Hat_Storage
 
OpenStack Neutron Tutorial
mestery
 
Inside Architecture of Neutron
markmcclain
 
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and ...
Dave Neary
 
Modular Layer 2 In OpenStack Neutron
mestery
 
Inside neutron 2
Robin Gong
 
OpenStack Architecture
Mirantis
 
OpenStack Quantum Intro (OS Meetup 3-26-12)
Dan Wendlandt
 
2 Day Bootcamp for OpenStack--Cloud Training by Mirantis (Preview)
Mirantis
 
Automating OpenStack Deployment with Fuel
Tomasz Zen Napierala
 
How to write a Neutron Plugin - if you really need to
salv_orlando
 
Openstack Basic with Neutron
KwonSun Bae
 
OpenStack Super Bootcamp.pdf
OpenStack Foundation
 
Openstack Summit Container Day Keynote
Boyd Hemphill
 
Turning Containers into Cattle
Subbu Allamaraju
 
Managing Container Clusters in OpenStack Native Way
Qiming Teng
 
Webinar container management in OpenStack
CREATE-NET
 
Cloud init and cloud provisioning [openstack summit vancouver]
Joshua Harlow
 
How to Monitor Application Performance in a Container-Based World
Ken Owens
 
Open Container Technologies and OpenStack - Sorting Through Kubernetes, the O...
Daniel Krook
 
Architecting Ceph Solutions
Red_Hat_Storage
 
Ad

Similar to Neutron Network Namespaces and IPtables--A Technical Deep Dive (20)

PPTX
Neutron behind the scenes
inbroker
 
PPTX
Couch to OpenStack: Neutron (Quantum) - August 13, 2013 Featuring Sean Winn
Trevor Roberts Jr.
 
PDF
Openstack Networking Internals - first part
lilliput12
 
PPTX
Manchester OpenStack Meetup: I have an OpenStack Cloud, now what? OpenStack 101
Kevin Jackson
 
PDF
Weird things we've seen with OpenStack Neutron
Nick Jones
 
PPTX
OpenStack: Virtual Routers On Compute Nodes
clayton_oneill
 
PPTX
OpenStack Quantum
openstackindia
 
PDF
Agile OpenStack Networking with Cisco Solutions
Cisco DevNet
 
PDF
Routed networks sydney
Miguel Lavalle
 
PPTX
Troubleshooting Tracebacks
James Denton
 
PDF
Open stack networking_101_part-2_tech_deep_dive
yfauser
 
PPTX
Addressing DHCP and DNS scalability issues in OpenStack Neutron
Vikram G Hosakote
 
PPTX
DevOops - Lessons Learned from an OpenStack Network Architect
James Denton
 
PDF
Integration of neutron, nova and designate how to use it and how to configur...
Miguel Lavalle
 
PDF
Openstack Networking and ML2
Szlovencsak Attila
 
PDF
Network as a Service, Assaf Muller
Cloud Native Day Tel Aviv
 
PDF
Introduction to Software Defined Networking and OpenStack Neutron
Sana Khan
 
PDF
Open stack networking_101_part-1
yfauser
 
PPTX
Neutron DVR
Edgar Magana
 
PPTX
BRKDCT-2445 Agile OpenStack Networking with Cisco Solutions - Cisco Live! US ...
Rohit Agarwalla
 
Neutron behind the scenes
inbroker
 
Couch to OpenStack: Neutron (Quantum) - August 13, 2013 Featuring Sean Winn
Trevor Roberts Jr.
 
Openstack Networking Internals - first part
lilliput12
 
Manchester OpenStack Meetup: I have an OpenStack Cloud, now what? OpenStack 101
Kevin Jackson
 
Weird things we've seen with OpenStack Neutron
Nick Jones
 
OpenStack: Virtual Routers On Compute Nodes
clayton_oneill
 
OpenStack Quantum
openstackindia
 
Agile OpenStack Networking with Cisco Solutions
Cisco DevNet
 
Routed networks sydney
Miguel Lavalle
 
Troubleshooting Tracebacks
James Denton
 
Open stack networking_101_part-2_tech_deep_dive
yfauser
 
Addressing DHCP and DNS scalability issues in OpenStack Neutron
Vikram G Hosakote
 
DevOops - Lessons Learned from an OpenStack Network Architect
James Denton
 
Integration of neutron, nova and designate how to use it and how to configur...
Miguel Lavalle
 
Openstack Networking and ML2
Szlovencsak Attila
 
Network as a Service, Assaf Muller
Cloud Native Day Tel Aviv
 
Introduction to Software Defined Networking and OpenStack Neutron
Sana Khan
 
Open stack networking_101_part-1
yfauser
 
Neutron DVR
Edgar Magana
 
BRKDCT-2445 Agile OpenStack Networking with Cisco Solutions - Cisco Live! US ...
Rohit Agarwalla
 

More from Mirantis (20)

PDF
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
Mirantis
 
PDF
Kubernetes Security Workshop
Mirantis
 
PDF
Using Kubernetes to make cellular data plans cheaper for 50M users
Mirantis
 
PDF
How to Build a Basic Edge Cloud
Mirantis
 
PDF
Securing Your Containers is Not Enough: How to Encrypt Container Data
Mirantis
 
PDF
What's New in Kubernetes 1.18 Webinar Slides
Mirantis
 
PDF
Comparison of Current Service Mesh Architectures
Mirantis
 
PDF
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Mirantis
 
PDF
Demystifying Cloud Security Compliance
Mirantis
 
PDF
Mirantis life
Mirantis
 
PDF
OpenStack and the IoT: Where we are, where we're going, what we need to get t...
Mirantis
 
PDF
Boris Renski: OpenStack Summit Keynote Austin 2016
Mirantis
 
PPTX
Digital Disciplines: Attaining Market Leadership through the Cloud
Mirantis
 
PPTX
Decomposing Lithium's Monolith with Kubernetes and OpenStack
Mirantis
 
PPTX
OpenStack: Changing the Face of Service Delivery
Mirantis
 
PPTX
Accelerating the Next 10,000 Clouds
Mirantis
 
PPTX
Containers for the Enterprise: It's Not That Simple
Mirantis
 
PPTX
Protecting Yourself from the Container Shakeout
Mirantis
 
PPTX
It's Not the Technology, It's You
Mirantis
 
PDF
OpenStack as the Platform for Innovation
Mirantis
 
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
Mirantis
 
Kubernetes Security Workshop
Mirantis
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Mirantis
 
How to Build a Basic Edge Cloud
Mirantis
 
Securing Your Containers is Not Enough: How to Encrypt Container Data
Mirantis
 
What's New in Kubernetes 1.18 Webinar Slides
Mirantis
 
Comparison of Current Service Mesh Architectures
Mirantis
 
Your Application Deserves Better than Kubernetes Ingress: Istio vs. Kubernetes
Mirantis
 
Demystifying Cloud Security Compliance
Mirantis
 
Mirantis life
Mirantis
 
OpenStack and the IoT: Where we are, where we're going, what we need to get t...
Mirantis
 
Boris Renski: OpenStack Summit Keynote Austin 2016
Mirantis
 
Digital Disciplines: Attaining Market Leadership through the Cloud
Mirantis
 
Decomposing Lithium's Monolith with Kubernetes and OpenStack
Mirantis
 
OpenStack: Changing the Face of Service Delivery
Mirantis
 
Accelerating the Next 10,000 Clouds
Mirantis
 
Containers for the Enterprise: It's Not That Simple
Mirantis
 
Protecting Yourself from the Container Shakeout
Mirantis
 
It's Not the Technology, It's You
Mirantis
 
OpenStack as the Platform for Innovation
Mirantis
 

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Cloud computing and distributed systems.
kkkkkhan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 

Neutron Network Namespaces and IPtables--A Technical Deep Dive

  • 1. Neutron Network Namespaces and IPtables: Technical deep dive Damian Igbe Technical Instructor & Consultant © MIRANTIS 2013 PAGE 1
  • 2. Presentation Outline • Introduction to Neutron & Neutron Namespaces • Deep Dive • Conclusions © MIRANTIS 2013 PAGE 2
  • 3. What are Namespaces • Namespaces enables multiple instances of a routing table to co-exist within the same Linux box • Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent domains. © MIRANTIS 2013 PAGE 3
  • 5. Namespaces Advantages • Overlapping IPs: A big advantage of namespaces implementation in neutron is that tenants can create overlapping IP addresses, a situation that gives freedom to cloud users because they are free to create any subnet of choice without fear of conflicting with that of another tenant. Linux network namespace is required on nodes running neutron-l3-agent or neutron-dhcp-agent if overlapping IPs is in use. Hence the hosts running these processes must support network namespaces. © MIRANTIS 2013 PAGE 5
  • 6. Namespaces Advantages L3 Agent: The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node, that do not interfere with each other or with routing of the compute node on which they are hosted © MIRANTIS 2013 PAGE 6
  • 7. What if Namespaces NOT supported? If the kernel does not support namespaces, the following limitations should be noted with Neutron: • Neutron-l3-agent is limited to providing a single virtual router per compute node. If namespaces is supported, a single deployed neutron-l3-agent should be able to host multiple virtual routers. • It is necessary to configure each neutron-l3-agent with the Universally Unique ID (UUID) identifying the router instance that it hosts. This complicates deployment, makes self-service provisioning of routers by tenants impractical. If namespaces is supported, the configuration with the UUID(s) of the router(s) it hosts is not required. •If the host does not support namespaces then the neutron-l3-agent and neutron-dhcp-agent should be run on different hosts. This is due to the fact that there is no isolation between the IP addresses created by the L3 agent and by the DHCP agent. A downside to this is that by manipulating the routing tables the user can ensure that these networks have access to one another. © MIRANTIS 2013 PAGE 7
  • 8. Recognizing Namespaces • Every l2-agent/private network has an associated dhcp namespace and • Every l3-agent/router has an associated router namespace. © MIRANTIS 2013 PAGE 8
  • 9. Multinode Network Topology © MIRANTIS 2013 PAGE 9
  • 10. Ref. Architecture • Multinode Grizzy on Ubuntu 12.04 • libvirt/QEMU, • LibvirtHybridOVSBridgeDriver vif driver, • Quantum security groups, • Open vSwitch Neutron/Quantum plugin using • GRE • dnsmasq • IP namespaces enabled © MIRANTIS 2013 PAGE 10
  • 11. Tenant 1 Network © MIRANTIS 2013 PAGE 11
  • 12. Tenant 2 Network © MIRANTIS 2013 PAGE 12
  • 13. Multinode Network Topology © MIRANTIS 2013 PAGE 13
  • 14. On The Compute Node © MIRANTIS 2013 PAGE 14
  • 15. On The Net Node © MIRANTIS 2013 PAGE 15
  • 18. Showing Net & Compute Node © MIRANTIS 2013 PAGE 18
  • 19. Troubleshooting Let us summarize the troubleshooting steps into 2: STEP1: Identify the correct namespace STEP2: Perform general troubleshooting around the identified namespace © MIRANTIS 2013 PAGE 19
  • 20. Problem Have spin off an instance and it has an IP address from Horizon but cannot ssh (probabely because the interface has no assigned IP) to it so can only view from VNC © MIRANTIS 2013 PAGE 20
  • 21. Detailed Troubleshooting steps for this Problem •Ensure that dnsmasq process is running: # pgrep -fl dnsmasq ( restart the quantum-dhcp-agent if not). • verify the IP address in the namespace, if dnsmasq is running: # ip netns [list]. •Identify the qdhcp-network <networkUUID> namespace: # ip netns exec qdhcp-<networkUUID> ip From the output, ensure that the IP on the interface is present and matches the one present for dnsmasq. To verify what the expected IP address is, use quantum-port-list and quantum port-show <portUUID>. •Determine the leases # /var/lib/quantum/dhcp/<networkUUID>/host Note: •If the dnsmasq configuration is correct, but dnsmasq is not responding with leases and the bridge/interface is created and running, pkill dnsmasq and restart quantum-dhcp-agent. •If dnsmasq does not include the correct leases, verify that quantum-server is running correctly and that it can communicate with dhcp-agent. If it is running correctly, and the bridge/interface is created and running, restart quantum-dhcpagent. © MIRANTIS 2013 PAGE 21
  • 22. Network Node: • root@vmnet-mn:~# ovs-vsctl show • root@vmnet-mn:/# ovs-ofctl dump-flows br-tun The DHCP agent • The DHCP agent is configured to use OVS and dnsmasq: root@vmnet-mn:/# grep -v '^#|^s*$' /etc/quantum/dhcp_agent.ini © MIRANTIS 2013 PAGE 22
  • 23. Network Node Cont. • root@vmnet-mn:~#pgrep –fl dnsmasq • root@vmnet-mn:/# ip netns | grep dhcp root@vmnet-mn:/# ip netns exec qdhcp-eeeee ifconfig • root@vmnet-mn:/# ip netns exec qdhcp6b71dbb8-e91c-47f0-92c4-47882007115d ping ip © MIRANTIS 2013 PAGE 23
  • 24. Network Node • root@vmnet-mn:/# cat /var/lib/quantum/dhcp/e0fe9037-790a-4cb-9bf44b06f0cfcf5c/host Note that: • Dnsmasq logs to /var/log/syslog in this Ubuntu installation. © MIRANTIS 2013 PAGE 24
  • 25. Compute Node • root@vmcom1-mn :/# ip link • root@vmcom1-mn :/# brctl show • root@vmcom1-mn :/# ovs-vsctl show • root@vmcom1-mn :/# ovs-ofctl dump-flows brtun • root@vmcom1-mn :/# iptables-save © MIRANTIS 2013 PAGE 25
  • 26. Compute Node • root@vmcom1-mn :/# tcpdump -n -i eth2 © MIRANTIS 2013 PAGE 26
  • 27. Controller Node • damian@vmcon-mn:/$ quantum net-show net1 • damian@vmcon-mn:/$ quantum subnet-show ad970f3f-4ceb-4565-b897-1cd0fe34cd5b • damian@vmcon-mn:/$ nova boot --flavor micro --image cirros-030-x86_64 --nic netid=6b71dbb8-e91c-47f0-92c4-47882007115d -security-groups test-vms test-instance1 • damian@vmcon-mn:/$ nova list © MIRANTIS 2013 PAGE 27
  • 28. Controller Node • damian@vmcon-mn:/$ quantum port-list -device_id=44e362ba-e8a4-4bae-b0ea5477666632c9 • damian@vmcon-mn:/$ quantum port-show 9a41d8fa-a745-4411-b9f8-daa182f38527 © MIRANTIS 2013 PAGE 28
  • 30. Note • When a router or network is created, the namespaces don’t get created immediately. For network, the DHCP namespaces get created only when a vm is attached and for router the namespace is created when a gateway is set. It means that an activity must take place before the namespaces get created. • When a router or network is deleted, the associated namespaces are not deleted. They need to be manually deleted. © MIRANTIS 2013 PAGE 30