7/25/2019 Yves Fauser OpenStack Networking
1/61
OpenStack Networking
Overview of the networking challenges and solutions in OpenStack
Yves Fauser
Network Virtualization Platform System Engineer @ VMware
OSDC 2014, Berlin, 08-10.04
7/25/2019 Yves Fauser OpenStack Networking
2/61
The perfect storm
http://en.wikipedia.org/wiki/File:Hurricane_Isabel_from_ISS.jpg
7/25/2019 Yves Fauser OpenStack Networking
3/61
The perfect storm
!"
Very feature rich vSwitch (Tunneling, QoS,
monitoring & management, automated control
through OpenFlow and OVSDB)
Part of the Linux Kernel since 3.3
!"
OpenFlow and OVSDB (RFC 7047) are used
between OpenVSwitch and external controllers
Numerous OpenSource and Commercial
controllers emerged in the last years
Examples: NOX, Beacon, Floodlight,
OpenDayLight, VMware NSX, Big Controller, NEC
etc.
!"
OpenStack drives the need for flexible and fast
network deployment models
The OpenStack Neutron Project offers a network
abstraction that enables OpenSource Projects
and commercial implementations to innovate
with and for OpenStack
7/25/2019 Yves Fauser OpenStack Networking
4/61
Open vSwitch
7/25/2019 Yves Fauser OpenStack Networking
5/61
Open vSwitch Features vs. Linux Bridge
Feature Open vSwitch Linux Bridge
MAC Learning Bridge X X
VLAN support (802.1Q) X (native in OVS) using 'vlan'
Static Link Aggregation (LAG) X (native in OVS) using 'ifenslave'
Dynamic Link Aggregation (LACP) X (native in OVS) using 'ifenslave'
Support for MAC-in-IP encapsulation (GRE, VXLAN, …) X (native in OVS) VXLAN support
in 3.7 Kernel + iproute2
Traffic capturing / SPAN (RSPAN with encap. into GRE) X (native in OVS) Using advanced
traffic control
Flow monitoring (NetFlow, sFlow, IPFIX, …) X (native in OVS) e.g. using
ipt_netflow
External management interfaces (OpenFlow & OVSDB) X
Multiple-Table forwarding pipeline with flow-caching engine X
Performance improvements (e.g. RSS Support) X
http://openvswitch.org/features/
https://github.com/homework/openvswitch/blob/master/WHY-OVS
7/25/2019 Yves Fauser OpenStack Networking
6/61
8)9'(, :;?
Open vSwitch (OVS)
Configuration Data
Interface
(ovsdb, CLI, …)
Flow Data Interface
(OpenFlow, CLI, …)
U)&,>+
7/25/2019 Yves Fauser OpenStack Networking
7/61
5)9K :;
7/25/2019 Yves Fauser OpenStack Networking
8/61
Common misconceptions with regards to controllers
• Misconception 1)
Traffic will flow through the controller cluster, until a specific flow is installed in the switch through OpenFlow
• It depends!
• Most architectures don't send any traffic to the controller
(e.g. VMware NSX doesn't do it)
• In some architectures, where address space is limited (e.g. CAM/TCAM in low end ToR Switches), the controller gets the first few data packets, and then installs a flow in the
Hardware. This is usually not the case when controlling OVS, as OVS holds the Tables in the Hypervisor's Memory (and there is plenty!)
• Misconception 2) The controller is a single point of failure
• Controllers are usually deployed as scale out clusters
• Depending on the chosen architecture, even a complete controller cluster outage
doesn't affect traffic forwarding
7/25/2019 Yves Fauser OpenStack Networking
9/61
OpenFlow and Controller-based Networks
7/25/2019 Yves Fauser OpenStack Networking
10/61
Multiple incarnations of SDN
So what is SDN? It depends on where you stand!
http://upload.wikimedia.org/wikipedia/commons/f/f8/Blind_men_and_elephant3.jpg
7/25/2019 Yves Fauser OpenStack Networking
11/61
Data plane
Hardware specific
Bound by ASIC/TCAM limits in physical devices
O
7/25/2019 Yves Fauser OpenStack Networking
12/61
Data plane
Hardware specific
Bound by ASIC/TCAM limits in physical devices
O
7/25/2019 Yves Fauser OpenStack Networking
13/61
SDN Controllers "Landscape" (incomplete list)
OpenSource Controllers Commercial Controllers
C++ and Python
controllers open sourced by Nicira
NOX was the first
controller in the 'market' http://www.noxrepo.org
Commercial continuation of
NOX with a focus on "Network virtualization"
7/25/2019 Yves Fauser OpenStack Networking
14/61
Network Virtualization,
an "SDN Application"
7/25/2019 Yves Fauser OpenStack Networking
15/61
What are the key components of network virtualization?
7/25/2019 Yves Fauser OpenStack Networking
16/61
Network Virtualization – A technical definition
Network virtualization
7/25/2019 Yves Fauser OpenStack Networking
17/61
OpenStack Projects & Networking
7/25/2019 Yves Fauser OpenStack Networking
18/61
Some of the Integrated (aka "Core") projects
Image
repo
(glance)
Object
Storage
(Swift)
Network
(Neutron)
Block
Storage
(cinder)
Identity
(keystone)
Dashboard
(horizon)
7/25/2019 Yves Fauser OpenStack Networking
19/61
OpenStack Networking before Neutron
nova-api(OS,EC2,Admin)
nova-console(vnc/vmrc)
nova-compute
NovaDB
nova-scheduler
nova-consoleauth
Hypervisor(KVM, Xen,
etc.)
Queue
nova-cert
Libvirt, XenAPI, etc.
nova-metadata
• Nova has its own networking service –
nova-network. It was used before Neutron
• Nova-network is still present today, and can be used instead of Neutron
nova-network
nova-volume
Network-Providers
(Linux-Bridge or OVS with
brcompat, dnsmasq, IPTables)
Volume-Provider(iSCSI, LVM, etc.)
• Nova-network does -
• base L2 network provisioning
through Linux Bridge (brctl)
• IP Address management for
Tenants (in SQL DB)
• configure DHCP and DNS entries in
dnsmasq
• configure fw-policies and NAT in
IPTables (nova-compute)
• Nova-network only knows 3 basic Network-Models:
• Flat & Flat DHCP – direct bridging of Instance to external eth. Interface
with and w/o DHCP
• VLAN based – Every tenant gets a VLAN, DHCP enabled
Inspired by
7/25/2019 Yves Fauser OpenStack Networking
20/61
Nova-Networking – Drawbacks that lead to develop Neutron
• Nova-Networking is missing a well-defined API for consuming networking services (tenant API for defined topologies and addresses)
• Nova-Networking only allows for the 3 simple models: Flat, Flat/DHCP and VLAN/DHCP, all of those are limited in scale and flexibility – e.g. max. 4094 VLAN ID limit
• Closed solution: No ability to use network services from 3rd parties and/or to integrate with Network vendors or overcome the limitations of Nova-Network
• No support for:
• Advanced Open vSwitch features like Network Virtualization
7/25/2019 Yves Fauser OpenStack Networking
21/61
OpenStack Neutron – Plugin Concept
Neutron
Core API
Neutron Service (Server)
L2 network abstraction definition and management, IP address
management
Device and service attachment framework
Does NOT do any actual implementation of abstraction
Plugin API
Vendor/User Plugin
Maps abstraction to implementation on the Network (Overlay e.g. NSX or physical Network). Makes all decisions about "how" a network is to be implemented
Can provide additional features through API extensions.
Extensions can either be generic (e.g. L3 Router / NAT), or Vendor Specific
Neutron
API Extension
Extension API
implementation is
optional
Core and service plugins
7/25/2019 Yves Fauser OpenStack Networking
22/61
Core and service plugins
• Core plugin implements the "core" Neutron API functions
(L2 Networking, IPAM, …)
• Service plugins implement additional network services (L3 routing, Load Balancing, Firewall, VPN)
• Implementations might choose to implement relevant extensions in the Core plugin
itself
NeutronCore API
Function
Core L3 FW Core L3 FW Core L3 FW
Plugin
Core PluginCore
Plugin
FWplugin
Core
Plugin
FW
plugin
L3
plugin
OpenStack Neutron Plugin locations
7/25/2019 Yves Fauser OpenStack Networking
23/61
OpenStack Neutron – Plugin locations
# cat /etc/neutron/neutron.conf | grep "core_plugin"
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
# cat /etc/neutron/neutron.conf | grep "service_plugins"
service_plugins = neutron.services.l3_router.l3_router_plugin.L3RouterPlugin
# ls /usr/share/pyshared/neutron/plugins/
bigswitch cisco embrane __init__.py metaplugin ml2 nec openvswitch ryu
brocade common hyperv linuxbridge midonet mlnx nicira plumgrid
# ls /usr/share/pyshared/neutron/services/
firewall __init__.py l3_router loadbalancer metering provider_configuration.py service_base.py vpn
OpenStack Neutron Modular Plugins
7/25/2019 Yves Fauser OpenStack Networking
24/61
OpenStack Neutron – Modular Plugins
• Before the modular plugin (ML2), every team or vendor had to implement a
complete plugin including IPAM, DB Access, etc.
• The ML2 Plugin separates core functions like IPAM, virtual network id management,
etc. from vendor/implementation specific functions, and therefore makes it easier for vendors not to reinvent the wheel with regards to ID Management, DB access …
• Existing and future non-modular plugins are called "monolithic" plugins
• ML2 calls the management of network types "type drivers", and the implementation specific part "mechanism drivers"
Arista
Cisco
Linux Bridge
OVS etc.
Mechanism
Drivers
GRE
VLAN
VXLAN
etc.
Type
Drivers
Type Manager
Mechanism Manager
ML2 Plugin & API Extensions
OpenStack Neutron ML2 locations
7/25/2019 Yves Fauser OpenStack Networking
25/61
OpenStack Neutron ML2 – locations
# cat /etc/neutron/plugins/ml2/ml2_conf.ini | grep type_drivers
# the neutron.ml2.type_drivers namespace.
# Example: type_drivers = flat,vlan,gre,vxlan
type_drivers = gre
# cat /etc/neutron/plugins/ml2/ml2_conf.ini | grep mechanism_drivers
# to be loaded from the neutron.ml2.mechanism_drivers namespace.
# Example: mechanism_drivers = arista
# Example: mechanism_drivers = cisco,logger
mechanism_drivers = openvswitch,linuxbridge
# ls /usr/share/pyshared/neutron/plugins/ml2/drivers/
cisco l2pop mechanism_ncs.py mech_hyperv.py mech_openvswitch.py type_gre.py type_tunnel.py type_vxlan.py __init__.py mech_agent.py mech_arista mech_linuxbridge.py type_flat.py type_local.py type_vlan.py
Some of the Plugins available in the market
7/25/2019 Yves Fauser OpenStack Networking
26/61
Some of the Plugins available in the market (1/2)
• ML2 modular Plugin
• With support for the type drivers: local, flat, VLAN, GRE, VXLAN
• And the following mechanism drivers: Arista, Cisco Nexus, Hyper-V Agent, L2
Population, Linuxbridge, Open vSwitch Agent, Tail-f NCS
• Open vSwitch Plugin – The most used (Open Source) plugin today
• Supports GRE based Overlays, NAT/Security groups, etc.
• Deprecation planned for Icehouse release in favor of ML2
• Linuxbridge Plugin
• Limited to L2 functionality, L3, floating IPs and provider networks. No support for Overlays
• Deprecation planned for Icehouse release in favor of ML2
Some of the Plugins available in the market
7/25/2019 Yves Fauser OpenStack Networking
27/61
Some of the Plugins available in the market (2/2)
• VMware NSX (aka Nicira NVP) Plugin
• Network Virtualization
7/25/2019 Yves Fauser OpenStack Networking
28/61
New Plugins / ML2 Drivers in Icehouse Release
• New ML2 Mechanism Drivers:
• Mechanism Driver for OpenDaylight Controller
• Brocade ML2 Mechanism Driver for VDX Switch Cluster
• New Neutron Plugins
• IBM SDN-VE Controller Plugin
• Nuage Networks Controller Plugin
• Service Plugins
• Embrane and Radware LBaaS driver
• Cisco VPNaaS driver
• Various
• VMware NSX - DHCP and Metadata Service
• This list is incomplete, please see here for more details: https://blueprints.launchpad.net/neutron/icehouse
Neutron – OVS Agent Architecture
7/25/2019 Yves Fauser OpenStack Networking
29/61
Neutron OVS Agent Architecture
• The following components play a role in OVS Agent Architecture
• Neutron-OVS-Agent: Receives tunnel & flow setup information from OVS-Plugin and programs OVS to build tunnels and to steer traffic into those tunnels
• Neutron-DHCP-Agent: Sets up dnsmasq in a namespace per configured network/subnet, and enters mac/ip combination in dnsmasq dhcp lease file
• Neutron-L3-Agent: Sets up iptables/routing/NAT Tables (routers) as directed by OVS Plugin or ML2 OVS
mech_driver
• In most cases GRE or VXLAN overlay tunnels are used, but flat and vlan
modes are also possible
@A .'&1B
V%(')Q
)6
3&]%) W U)&,>+
7/25/2019 Yves Fauser OpenStack Networking
30/61
! E#,*$01%6
3&]%) W U)&,>+
7/25/2019 Yves Fauser OpenStack Networking
31/61
+O62PQQ&&&Nd%/-$N/(?Q6+(*(2QHaF{LLwFB:G{QF{LL_Ia||LQ1%.+*U(]Q
7/25/2019 Yves Fauser OpenStack Networking
32/61
Thank you!
And have a great Conference
OSDC 2014, Berlin, 08-10.04
7/25/2019 Yves Fauser OpenStack Networking
33/61
Backup Slides
Neutron – Agent Status
7/25/2019 Yves Fauser OpenStack Networking
34/61
0
!
This output shows the Neutron agents status after a base installation
# neutron agent-list
+--------------------------------------+--------------------+---------------+-------+----------------+
| id | agent_type | host | alive | admin_state_up |
+--------------------------------------+--------------------+---------------+-------+----------------+
| 1a58601c-ff41-4dc5-914f-d37ec5761b06 | L3 agent | os-controller | :-) | True |
| 416c854b-611b-42f9-b7b1-3bbe0bd840f2 | DHCP agent | os-controller | :-) | True |
| 57bed0b7-55da-455a-8351-fd28e05cf1dc | Open vSwitch agent | os-controller | :-) | True |
| 7b1ae4e8-7bc2-480e-82a7-0eb6a02b119f | Open vSwitch agent | os-compute-1 | :-) | True |
| d5d27e99-ba76-4e5f-bdfe-ef7d0638a52e | Open vSwitch agent | os-compute-2 | :-) | True |
+--------------------------------------+--------------------+---------------+-------+----------------+
Neutron – OVS – Tunnel Structure
7/25/2019 Yves Fauser OpenStack Networking
35/61
• This output shows the OVS config on the OpenStack Network-Node before any logical network has
been configured
# ovs-vsctl show
09d5b89a-600d-4da3-b761-11206456385a
Bridge br-ex
Port br-ex
Interface br-extype: internal
Port "eth2"
Interface "eth2"Bridge br-tun
Port br-tunInterface br-tun
type: internalPort patch-int
Interface patch-inttype: patch
options: {peer=patch-tun}
Port "gre-172.16.0.11"Interface "gre-172.16.0.11"
type: greoptions: {in_key=flow, local_ip="172.16.0.10", out_key=flow, remote_ip="172.16.0.11"}
Port "gre-172.16.0.12"Interface "gre-172.16.0.12"
type: greoptions: {in_key=flow, local_ip="172.16.0.10", out_key=flow, remote_ip="172.16.0.12"}
Bridge br-intPort patch-tun
Interface patch-tun
type: patchoptions: {peer=patch-int}
Port br-intInterface br-int
type: internalovs_version: "1.10.2"
Neutron – OVS – Tunnel Structure
7/25/2019 Yves Fauser OpenStack Networking
36/61
• This output shows the OVS config on the OpenStack Network-Node before any logical network has
been configured
# ovs-vsctl show
09d5b89a-600d-4da3-b761-11206456385a
Bridge br-ex
Port br-ex
Interface br-extype: internal
Port "eth2"
Interface "eth2"Bridge br-tun
Port br-tunInterface br-tun
type: internalPort patch-int
Interface patch-inttype: patch
options: {peer=patch-tun}
Port "gre-172.16.0.11"Interface "gre-172.16.0.11"
type: greoptions: {in_key=flow, local_ip="172.16.0.10", out_key=flow, remote_ip="172.16.0.11"}
Port "gre-172.16.0.12"Interface "gre-172.16.0.12"
type: greoptions: {in_key=flow, local_ip="172.16.0.10", out_key=flow, remote_ip="172.16.0.12"}
Bridge br-intPort patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}Port br-int
Interface br-inttype: internal
ovs_version: "1.10.2"
# Interface to first compute node
Port "gre-172.16.0.11"Interface "gre-172.16.0.11"
type: greoptions:
{in_key=flow, local_ip="172.16.0.10",
out_key=flow, remote_ip="172.16.0.11"}
# Interface to second compute node
Port "gre-172.16.0.12"Interface "gre-172.16.0.12"
type: greoptions:
{in_key=flow, local_ip="172.16.0.10",out_key=flow, remote_ip="172.16.0.12"}
Neutron – OVS – Tunnel Structure
7/25/2019 Yves Fauser OpenStack Networking
37/61
• This output shows the OVS config on the OpenStack Network-Node before any logical network has
been configured
# ovs-vsctl show
09d5b89a-600d-4da3-b761-11206456385a
Bridge br-ex
Port br-ex
Interface br-extype: internal
Port "eth2"
Interface "eth2"Bridge br-tun
Port br-tunInterface br-tun
type: internalPort patch-int
Interface patch-inttype: patch
options: {peer=patch-tun}
Port "gre-172.16.0.11"Interface "gre-172.16.0.11"
type: greoptions: {in_key=flow, local_ip="172.16.0.10", out_key=flow, remote_ip="172.16.0.11"}
Port "gre-172.16.0.12"Interface "gre-172.16.0.12"
type: greoptions: {in_key=flow, local_ip="172.16.0.10", out_key=flow, remote_ip="172.16.0.12"}
Bridge br-intPort patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}Port br-int
Interface br-inttype: internal
ovs_version: "1.10.2"
# Patch from br-tun table to br-int table
Port patch-intInterface patch-int
type: patch
options: {peer=patch-tun}
# patch from br-int table to br-tun table
Port patch-tunInterface patch-tun
type: patchoptions: {peer=patch-int}
Neutron – Internal Network Creation
7/25/2019 Yves Fauser OpenStack Networking
38/61
• Now we will create a logical L2 network, without any subnet assigned to it
# neutron net-create Internal-Network
Created a new network:+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+| admin_state_up | True || id | 56a76117-8910-4d85-b91d-8e6842e0a510 || name | Internal-Network || provider:network_type | gre || provider:physical_network | |
| provider:segmentation_id | 1 |
| shared | False || status | ACTIVE |
| subnets | || tenant_id | b1178a03969b4f638937f5a632fb547a |+---------------------------+--------------------------------------+
# neutron net-list
+--------------------------------------+------------------+---------+
| id | name | subnets |
+--------------------------------------+------------------+---------+| 56a76117-8910-4d85-b91d-8e6842e0a510 | Internal-Network | |
+--------------------------------------+------------------+---------+
Neutron – Internal Subnet Creation
7/25/2019 Yves Fauser OpenStack Networking
39/61
• Now we will create and attach a new Subnet to the L2 network, without any subnet assigned to it
# neutron subnet-create Internal-Network --name Internal-Subnet 10.12.13.0/24Created a new subnet:+------------------+------------------------------------------------+
| Field | Value |
+------------------+------------------------------------------------+| allocation_pools | {"start": "10.12.13.2", "end": "10.12.13.254"} |
| cidr | 10.12.13.0/24 |
| dns_nameservers | |
| enable_dhcp | True || gateway_ip | 10.12.13.1 || host_routes | || id | b4c95b8b-65a4-402e-8359-69b55d6c9bf1 || ip_version | 4 || name | Internal-Subnet |
| network_id | 56a76117-8910-4d85-b91d-8e6842e0a510 |
| tenant_id | b1178a03969b4f638937f5a632fb547a |
+------------------+------------------------------------------------+
# neutron subnet-list -c id -c cidr -c name+--------------------------------------+----------------+-----------------+| id | cidr | name |+--------------------------------------+----------------+-----------------+
| b4c95b8b-65a4-402e-8359-69b55d6c9bf1 | 10.12.13.0/24 | Internal-Subnet |
+--------------------------------------+----------------+-----------------+
# ip netns show#
• Note: The dhcp namespace will be created when the first instance boots
+#9&.-$ J #
7/25/2019 Yves Fauser OpenStack Networking
40/61
• Now we will create an external network definition, and add an IP subnet and pool to it
# neutron net-create External-Net --router:external=True
Created a new network:+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+| admin_state_up | True || id | 8998c547-ff7c-45f8-884a-a6d4bcaa5de7 || name | External-Net || provider:network_type | gre || provider:physical_network | |
| provider:segmentation_id | 2 |
| router:external | True || shared | False |
| status | ACTIVE || subnets | || tenant_id | b1178a03969b4f638937f5a632fb547a |+---------------------------+--------------------------------------+
+#9&.-$ J #
7/25/2019 Yves Fauser OpenStack Networking
41/61
• Now we will create an external network definition, and add an IP subnet and pool to it
# neutron subnet-create External-Net 172.16.65.0/24 \--allocation-pool start=172.16.65.100,end=172.16.65.150
Created a new subnet:
+------------------+----------------------------------------------------+
| Field | Value |+------------------+----------------------------------------------------+| allocation_pools | {"start": "172.16.65.100", "end": "172.16.65.150"} || cidr | 172.16.65.0/24 || dns_nameservers | || enable_dhcp | True |
| gateway_ip | 172.16.65.1 |
| host_routes | || id | 16eb9d34-819f-4525-99ab-ec9358ea132f |
| ip_version | 4 || name | || network_id | 8998c547-ff7c-45f8-884a-a6d4bcaa5de7 || tenant_id | b1178a03969b4f638937f5a632fb547a |+------------------+----------------------------------------------------+
Neutron – Router Creation 1/4
7/25/2019 Yves Fauser OpenStack Networking
42/61
• Now we will create a router, and connect it to the "Uplink" (external network) created earlier
# neutron router-create MyRouter
Created a new router:+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+| admin_state_up | True || external_gateway_info | || id | bda86e19-4831-4bfb-b3f4-bb79113ceab1 || name | MyRouter || status | ACTIVE |
| tenant_id | b1178a03969b4f638937f5a632fb547a |
+-----------------------+--------------------------------------+
# neutron router-gateway-set MyRouter External-NetSet gateway for router MyRouter
# neutron router-interface-add MyRouter Internal-SubnetAdded interface a86dfa2b-9ceb-43ba-90ea-fb67ef5c5d17 to router MyRouter.
Neutron – Router Creation 2/4
7/25/2019 Yves Fauser OpenStack Networking
43/61
• Now we will create a router, and connect it to the "Uplink" (external network) created earlier
# neutron router-show MyRouter+-----------------------+-----------------------------------------------------------------------------+| Field | Value |+-----------------------+-----------------------------------------------------------------------------+
| admin_state_up | True |
| external_gateway_info | {"network_id": "8998c547-ff7c-45f8-884a-a6d4bcaa5de7", "enable_snat": true} || id | bda86e19-4831-4bfb-b3f4-bb79113ceab1 || name | MyRouter || routes | || status | ACTIVE || tenant_id | b1178a03969b4f638937f5a632fb547a |
+-----------------------+-----------------------------------------------------------------------------+
# neutron router-port-list MyRouter -c fixed_ips+--------------------------------------------------------------------------------------+| fixed_ips |+--------------------------------------------------------------------------------------+| {"subnet_id": "b4c95b8b-65a4-402e-8359-69b55d6c9bf1", "ip_address": "10.12.13.1"} || {"subnet_id": "16eb9d34-819f-4525-99ab-ec9358ea132f", "ip_address": "172.16.65.100"} |
+--------------------------------------------------------------------------------------+
Neutron – Router Creation 3/4
7/25/2019 Yves Fauser OpenStack Networking
44/61
• Now that the router is created, and interfaces are assigned to it, we will see a new namespace
# ip netns showqrouter-bda86e19-4831-4bfb-b3f4-bb79113ceab1
# ip netns exec qrouter-bda86e19-4831-4bfb-b3f4-bb79113ceab1 /bin/bash
# ip addr1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope host
valid_lft forever preferred_lft forever
10: qg-f9d1f494-7f: mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:02:9a:1c brd ff:ff:ff:ff:ff:ffinet 172.16.65.100/24 brd 172.16.65.255 scope global qg-f9d1f494-7f
inet6 fe80::f816:3eff:fe02:9a1c/64 scope linkvalid_lft forever preferred_lft forever
11: qr-a86dfa2b-9c: mtu 1500 qdisc noqueue state UNKNOWNlink/ether fa:16:3e:7b:1a:92 brd ff:ff:ff:ff:ff:ffinet 10.12.13.1/24 brd 10.12.13.255 scope global qr-a86dfa2b-9c
inet6 fe80::f816:3eff:fe7b:1a92/64 scope linkvalid_lft forever preferred_lft forever
# netstat -rn
Kernel IP routing tableDestination Gateway Genmask Flags MSS Window irtt Iface0.0.0.0 172.16.65.1 0.0.0.0 UG 0 0 0 qg-f9d1f494-7f10.12.13.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-a86dfa2b-9c
172.16.65.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-f9d1f494-7f
Neutron – Router Creation 4/4 – OVS View
7/25/2019 Yves Fauser OpenStack Networking
45/61
• The OVS show will now show the tap interfaces to the router Namespace, and to the external interface
root@os-controller:/home/localadmin# ovs-vsctl show09d5b89a-600d-4da3-b761-11206456385a
Bridge br-ex
Port "qg-f9d1f494-7f"
Interface "qg-f9d1f494-7f"
type: internalPort br-ex
Interface br-extype: internal
Port "eth2"Interface "eth2
.... SNIP ....
Bridge br-intPort patch-tun
Interface patch-tuntype: patchoptions: {peer=patch-int}
Port "qr-a86dfa2b-9c"
tag: 1
Interface "qr-a86dfa2b-9c"
type: internal
Port br-intInterface br-int
type: internalovs_version: "1.10.2"
# external router interface is patched
to br-ex, and therefore bridged out to
interface eth2
# Internal router interface is patched
to br-int, and therefore connected to
the br-int flow table
Neutron – Horizon Dashboard View
7/25/2019 Yves Fauser OpenStack Networking
46/61
Nova – Boot two Instances
7/25/2019 Yves Fauser OpenStack Networking
47/61
• Now we will boot two 'cirros' Instances, and connect those to the virtual network created earlier
# nova boot --flavor 1 --image 'CirrOS 0.3.1' \
--nic net-id=56a76117-8910-4d85-b91d-8e6842e0a510 Instance1
+--------------------------------------+--------------------------------------+| Property | Value |
+--------------------------------------+--------------------------------------+
| OS-EXT-STS:task_state | scheduling |
| image | CirrOS 0.3.1 |
| OS-EXT-STS:vm_state | building || OS-EXT-SRV-ATTR:instance_name | instance-0000000b |
... SNIP ...
# nova boot --flavor 1 --image 'CirrOS 0.3.1' \
--nic net-id=56a76117-8910-4d85-b91d-8e6842e0a510 Instance2
+--------------------------------------+--------------------------------------+| Property | Value |+--------------------------------------+--------------------------------------+| OS-EXT-STS:task_state | scheduling || image | CirrOS 0.3.1 || OS-EXT-STS:vm_state | building |
| OS-EXT-SRV-ATTR:instance_name | instance-0000000c |
... SNIP ...
Neutron – Horizon Dashboard View
7/25/2019 Yves Fauser OpenStack Networking
48/61
Neutron – DHCP Namespace / dnsmasq process
• After the first Instance was started, Neutron created the dhcp namespace and started a dnsmasq
7/25/2019 Yves Fauser OpenStack Networking
49/61
After the first Instance was started, Neutron created the dhcp namespace and started a dnsmasq
process in it
# ip netns showqdhcp-56a76117-8910-4d85-b91d-8e6842e0a510qrouter-bda86e19-4831-4bfb-b3f4-bb79113ceab1
# ip netns exec qdhcp-56a76117-8910-4d85-b91d-8e6842e0a510 /bin/bash
# ip addr... SNIP ...12: tap383cd579-5e: mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:de:5f:bf brd ff:ff:ff:ff:ff:ffinet 10.12.13.3/24 brd 10.12.13.255 scope global tap383cd579-5e
inet 169.254.169.254/16 brd 169.254.255.255 scope global tap383cd579-5e
inet6 fe80::f816:3eff:fede:5fbf/64 scope linkvalid_lft forever preferred_lft forever
# ps -ef | grep dnsmasqnobody 16209 1 0 22:29 ? 00:00:00 dnsmasq--no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap383cd579-5e --except-interface=lo --pid-file=/var/lib/neutron/dhcp/56a76117-8910-4d85-b91d-8e6842e0a510/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/56a76117-8910-4d85-b91d-8e6842e0a510/host --dhcp-optsfile=/var/lib/neutron/dhcp/56a76117-8910-4d85-b91d-8e6842e0a510/opts--leasefile-ro --dhcp-range=set:tag0,10.12.13.0,static,86400s --dhcp-lease-max=256 --conf-file= --domain=openstacklocal
root 22102 15608 0 22:58 pts/0 00:00:00 grep --color=auto dnsmasq
# cat /var/lib/neutron/dhcp/56a76117-8910-4d85-b91d-8e6842e0a510/hostfa:16:3e:ee:1e:2f,host-10-12-13-2.openstacklocal,10.12.13.2fa:16:3e:7b:1a:92,host-10-12-13-1.openstacklocal,10.12.13.1
fa:16:3e:17:75:f6,host-10-12-13-4.openstacklocal,10.12.13.4
Neutron – Instance config file
• Here's what the network part of the Instance configuration for KVM looks like
7/25/2019 Yves Fauser OpenStack Networking
50/61
Here's what the network part of the Instance configuration for KVM looks like
-- COMPUTE NODE 1 ---
# virsh list
Id Name State----------------------------------------------------
6 instance-0000000b running
# virsh dumpxml 6
instance-0000000b
... SNIP ...
... SNIP ...
# Instance Port id tap32141443-07
Neutron – OVS view after Instances are connected
• Now let's examine what the patches and flow tables look like on OVS after the Instances were started
7/25/2019 Yves Fauser OpenStack Networking
51/61
6
-- COMPUTE NODE 1 ---
root@os-compute-1:/home/localadmin# ovs-vsctl show
Bridge br-int... SNIP ...
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}Port "tap32141443-07"
tag: 6Interface "tap32141443-07"
Bridge br-tun
... SNIP ...
Port "gre-172.16.0.12"
Interface "gre-172.16.0.12"
type: greoptions: {in_key=flow, local_ip="172.16.0.11", out_key=flow, remote_ip="172.16.0.12"}
Port patch-intInterface patch-int
type: patchoptions: {peer=patch-tun}
Port "gre-172.16.0.10"
Interface "gre-172.16.0.10"type: greoptions: {in_key=flow, local_ip="172.16.0.11", out_key=flow, remote_ip="172.16.0.10"}
ovs_version: "1.10.2"
# Instance Port id tap32141443-07
# Instance Port mapping into br-intflow-table
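Neutron – OVS flows created through rootwrap by OVS-Agent
• OVS flows and interfaces get created through rootwrapper by the OVS Agent. Each command run this way is written to syslog together with the rootwrap filter it matched, so these entries double as an audit trail of what the agent executed as root.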
7/25/2019 Yves Fauser OpenStack Networking
52/61
. . 66 @ .
-- COMPUTE NODE 1 ---
# tail -f /var/log/syslog
Apr 6 23:51:34 os-compute-1 ovs-vsctl: 00001|vsctl|INFO|Called as ovs-vsctl --timeout=5 -- --may-exist add-port br-int tap60b3782b-80 -- set Interface tap60b3782b-80 "external-ids:attached-mac=\"fa:16:3e:64:20:31\"" -- set Interface tap60b3782b-80 "external-ids:iface-id=\"60b3782b-8096-497d-96a4-f3a8dc187eb6\"" -- set Interface tap60b3782b-80 "external-ids:vm-id=\"17f0fdee-3ecd-440f-8e77-c43d2fcda9de\"" -- set Interface tap60b3782b-80 external-ids:iface-status=active
Apr 6 23:51:37 os-compute-1 neutron-rootwrap: (root > root) Executing ['/usr/bin/ovs-ofctl', 'mod-flows,'br_tun,'hard_timeout=0,idle_timeout=0,priority=1,table=21,dl_vlan=6,actions=strip_vlan,set_tunnel:1, output 3,2'] (filter match = ovs-ofctl)
Apr 6 23:51:37 os-compute-1 neutron-rootwrap: (root > root) Executing ['/usr/bin/ovs-ofctl', 'add-flow', 'br-tun', 'hard_timeout=0,idle_timeout=0,priority=1,table=2,tun_id=1,actions=mod_vlan_vid:6,resubmit(,10)'] (filter match = ovs-ofctl)
Apr 6 23:51:37 os-compute-1 neutron-rootwrap: (root > root) Executing ['/usr/bin/ovs-vsctl', '--timeout=2', 'set', 'Port', 'tap60b3782b-80', 'tag=6'] (filter match = ovs-vsctl)
Apr 6 23:51:37 os-compute-1 ovs-vsctl: 00001|vsctl|INFO|Called as /usr/bin/ovs-vsctl --timeout=2 setPort tap60b3782b-80 tag=6
Apr 6 23:51:37 os-compute-1 neutron-rootwrap: (root > root) Executing ['/usr/bin/ovs-ofctl', 'del-flows', 'br-int', 'in_port=7'] (filter match = ovs-ofctl)
Neutron – OVS – MAC learning
• OVS with OVS Agent still uses classic MAC Learning to understand where which MAC Address is in the
7/25/2019 Yves Fauser OpenStack Networking
53/61
Network
-- COMPUTE NODE 1 ---
# ovs-appctl fdb/show br-int
port VLAN MAC Age
4 6 fa:16:3e:64:20:31 4-1 6 fa:16:3e:de:5f:bf 4
# ovs-appctl dpif/show br-intbr-int (system@ovs-system):
lookups: hit:1461 missed:343
flows: cur: 0, avg: 8.634, max: 39, life span: 7746(ms)hourly avg: add rate: 0.654/min, del rate: 0.658/min
overall avg: add rate: 0.775/min, del rate: 0.775/min
br-int 65534/1: (internal)patch-tun 1/none: (patch: peer=patch-int)tap60b3782b-80 7/4:
# ovs-appctl dpif/show br-tun
br-tun (system@ovs-system):lookups: hit:568 missed:364flows: cur: 0, avg: 9.707, max: 39, life span: 5976(ms)
hourly avg: add rate: 0.730/min, del rate: 0.731/minoverall avg: add rate: 0.817/min, del rate: 0.817/min
br-tun 65534/2: (internal)
gre-172.16.0.10 2/3: (gre: key=flow, local_ip=172.16.0.11, remote_ip=172.16.0.10)
gre-172.16.0.12 3/3: (gre: key=flow, local_ip=172.16.0.11, remote_ip=172.16.0.12)
patch-int 1/none: (patch: peer=patch-tun)
+#9&.-$ J !A% J 2'FC# %&.9(&9.#! !;7 f.#,* 6$(.$0?2 0 /(?61#] X0U1# 2*$4/*4$# %,*( !;7
7/25/2019 Yves Fauser OpenStack Networking
54/61
+O62PQQ&%-%N(6#,2*0/-N($.Q&%-%Q!"2Md(&M1(.%/
+#9&.-$ J TQ2'FC# Y9C#5 J D-6"9 +-?#5 J %#(9./&d e:! X+# )(11(&%,. (4*64* 2+(&2 &+0* :#4*$(, /(,o.4$#2 %,*( T=X0U1#2 (, *+# /(?64*# ,(3# *( %?61#?#,*
security groups
-- COMPUTE NODE 1 ---
# iptables -L
SNIP
Chain neutron-openvswi-i7fff0812-9 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN tcp -- anywhere anywhere tcp multiport dports tcpmux:65535
RETURN icmp -- anywhere anywhere
RETURN udp -- anywhere anywhere udp multiport dports 1:65535
RETURN udp -- 10.12.13.3 anywhere udp spt:bootps dpt:bootpc
SNIP
Chain neutron-openvswi-o7fff0812-9 (2 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps
neutron-openvswi-s7fff0812-9 all -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc
DROP all -- anywhere anywhere state INVALID
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- anywhere anywhere
Chain neutron-openvswi-s7fff0812-9 (1 references)
target prot opt source destination
RETURN all -- 10.12.13.2 anywhere MAC FA:16:3E:43:C6:20
DROP all -- anywhere anywhere
Neutron – IPTables Rules – Compute Nodes – Security Groups
The following output shows what Neutron configures into IPTables on the compute node to implement
security groups
-- COMPUTE NODE 1 ---
# iptables -L
SNIP
Chain neutron-openvswi-i7fff0812-9 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN tcp -- anywhere anywhere tcp multiport dports tcpmux:65535
RETURN icmp -- anywhere anywhere
RETURN udp -- anywhere anywhere udp multiport dports 1:65535
RETURN udp -- 10.12.13.3 anywhere udp spt:bootps dpt:bootpc
SNIP
Chain neutron-openvswi-o7fff0812-9 (2 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps
neutron-openvswi-s7fff0812-9 all -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc
DROP all -- anywhere anywhere state INVALID
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- anywhere anywhere
Chain neutron-openvswi-s7fff0812-9 (1 references)
target prot opt source destination
RETURN all -- 10.12.13.2 anywhere MAC FA:16:3E:43:C6:20
DROP all -- anywhere anywhere
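# Inbound rules to the instance: in this example the security group accepts TCP and UDP ports 1-65535 and ICMP from anywhere, and DHCP replies only from 10.12.13.3
# Default outbound: allow DHCP client requests, drop DHCP server replies sent by the instance
# Port Security Rule: only allow the instance's own IP/MAC pair (10.12.13.2, FA:16:3E:43:C6:20) outbound; any other source is dropped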
Neutron – add floating-ip to instance
We will now add a floating-ip to an instance
# neutron floatingip-create External-Net
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 172.16.65.101 |
| floating_network_id | 8998c547-ff7c-45f8-884a-a6d4bcaa5de7 |
| id | 5d3a71e6-f94e-4c9f-9389-474abc559900 |
| port_id | |
| router_id | |
| tenant_id | 94fa9a0f01f24ba2983d06575add8764 |
+---------------------+--------------------------------------+
# nova list
+--------------------------------------+---------------+--------+------------+-------------+---------
| ID | Name | Status | Task State | Power State | Networks|
+--------------------------------------+---------------+--------+------------+-------------+----------
| af2d9b9f-3e25-4242-82f9-b059778cf217 | Instance1 | ACTIVE | None | Running | Internal-Network=10.12.13.2 |
| 2206f513-9313-4c87-be09-3cfacbc6d2a2 | Instance2 | ACTIVE | None | Running | Internal-Network=10.12.13.4 |
+--------------------------------------+---------------+--------+------------+-------------+----------
# nova add-floating-ip Instance1 172.16.65.101
#
Neutron – add floating-ip to instance
We will now add a floating-ip to an instance
# nova show Instance1
+--------------------------------------+----------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------+
| status | ACTIVE |
| updated | 2014-04-08T00:08:23Z |
| OS-EXT-STS:task_state | None |
| OS-EXT-SRV-ATTR:host | os-compute-1 |
| key_name | None |
| image | CirrOS 0.3.1 (55438187-bc0e-4245-b4a7-edb338cf47bd) |
... SNIP ...|
| accessIPv4 | |
| accessIPv6 | |
| Internal-Network network | 10.12.13.2, 172.16.65.101 |
| progress | 0 |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-AZ:availability_zone | nova |
| config_drive | |
+--------------------------------------+----------------------------------------------------------+
Neutron – floating-ip, router namespace
This is what a floating IP looks like in the router Namespace and in IPTables
# ip netns exec qrouter-c6687e7c-ab1c-4336-ab1e-8021f9c59925 /bin/bash
# ip addr
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
13: qg-92d91e4c-2d: mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:58:f6:2c brd ff:ff:ff:ff:ff:ff
inet 172.16.65.100/24 brd 172.16.65.255 scope global qg-92d91e4c-2d
inet 172.16.65.101/32 brd 172.16.65.101 scope global qg-92d91e4c-2d
inet6 fe80::f816:3eff:fe58:f62c/64 scope link
valid_lft forever preferred_lft forever
14: qr-8abeb2b0-a6: mtu 1500 qdisc noqueue state UNKNOWN
link/ether fa:16:3e:18:6e:93 brd ff:ff:ff:ff:ff:ff
inet 10.12.13.1/24 brd 10.12.13.255 scope global qr-8abeb2b0-a6
inet6 fe80::f816:3eff:fe18:6e93/64 scope link
valid_lft forever preferred_lft forever
# Router IP
# configured floating-ip
Neutron – floating-ip, IPTables NAT
This is what a floating IP looks like in the router Namespace and in IPTables
# iptables -t nat -L
...SNIP ...
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
DNAT all -- anywhere 172.16.65.101 to:10.12.13.2
Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
DNAT all -- anywhere 172.16.65.101 to:10.12.13.2
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
SNAT all -- 10.12.13.2 anywhere to:172.16.65.101
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- anywhere anywhere
SNAT all -- 10.12.13.0/24 anywhere to:172.16.65.100
Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- anywhere anywhere
Neutron – floating-ip, IPTables NAT
This is what a floating IP looks like in the router Namespace and in IPTables
# iptables -t nat -L
...SNIP ...
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
DNAT all -- anywhere 172.16.65.101 to:10.12.13.2
Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697
DNAT all -- anywhere 172.16.65.101 to:10.12.13.2
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
SNAT all -- 10.12.13.2 anywhere to:172.16.65.101
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- anywhere anywhere
SNAT all -- 10.12.13.0/24 anywhere to:172.16.65.100
Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- anywhere anywhere
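# floating-ip DNAT (destination 172.16.65.101 is rewritten to 10.12.13.2)
# floating-ip SNAT (source 10.12.13.2 is rewritten to 172.16.65.101)
# default SNAT for all instances (source 10.12.13.0/24 is rewritten to 172.16.65.100)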