Bridges and Tunnels: A Drive Through OpenStack Networking

Mark McClain@gtwmm

Where are we headed today?

• OpenStack Neutron

• Open Source Implementations

• Live Demo

• Community Initiatives Relating Neutron

• Look Ahead to Kilo

OpenStack

About OpenStack

• Open Source project founded in 2010

• 1,419 Unique Developers

• 10 Projects in Integrated Release (larger ecosystem on Stackforge)

• Production Ready

• Latest Release 2014.2- Juno (10th Release)

• Apache 2 Licensed

OpenStack

What does the user see?

Compute API

Network API

Storage APIGUI, CLI, API Libs

KVM

ML2 Plugin

Ceph

OpenStack Networking

Why Create Neutron?

• Rich Topologies

• Technology Agnostic

• Extensible

• Advance Services Support

• Load Balancing, VPN, Firewall

Challenges in the Cloud• High-density multi-tenancy

• VLANs have trouble scaling

• On-demand provisioning

• traditional solutions require manual configuration

• Need to place / move workloads

• state tied (IP address) tied to location

© Malcolm Leman | Dreamstime.com

Tackling these Challenges• Network virtualization

• Overlay tunneling

• VXLAN, GRE, STT

• Software Defined Networking (SDN)

• OpenFlow

• L2 Fabric Solution

• ???

CC BY-ND 2.0

Adam Kubalica

https://flic.kr/p/epZUi

The Basics

What does the user see?

Compute API

Network API

Storage APIGUI, CLI, API Libs

KVM

ML2 Plugin

Ceph

Abstractions

Net110.0.0.0/24

Nova

Neutron

L2 virtual network

virtual port

virtual server

virtual interface (VIF)

virtual subnet

VM110.0.0.2

VM210.0.0.2

Using the API…

VM110.0.0.2

VM210.0.0.2/172.16.7

VM3172.16.77.1

Tenant A Net1192.168.0.0/24

Tenant A Net2172.16.77.0/24

Public Net10.0.0.0/8

VM110.0.0.2

VM210.0.0.2/172.16.7

VM3172.16.77.1

Tenant B Net1192.168.0.0/24

Tenant B Net2172.16.77.0/24

Router Router

Design Goals

• Unified API

• Small Core

• Pluggable Open Architecture

• Extensible

Common Features

• Support for Overlapping IPs

• Tenant A: 192.168.0.0/24

• Tenant B: 192.168.0.0/24

• Configuration

• DHCP/Metadata

• Floating IPs

Security Groups• Support Overlapping IPs

• Ingress/Egress Rules

• IPv6

• VMs with multiple VIFs

• Plugin can offload

Architecture

OpenStack The Operator View

Basic Deployment

neutron-server

L2 AgentL2 AgentL2 AgentL2 AgentL2 AgentL2 Agent

L3 AgentL3 Agent

L3 AgentL3 Agent

Database

L3 Agent

DHCP Agent

L2 Agent

Message Queue

Adv Services

neutron-server

neutron-server

REST API SERVICE RPC SERVICE

PLUGIN

• PLUGIN

• Written in Python

• Only one active

• Must implement V2 API calls

• Optional database access

• Optional extension support

Monolithic Plugin

• Full implementation of core resources

• Two types:

• Proxy

• Direct control PLUGIN

ML2: Modular Layer 2 Plugin

• Full V2 Plugin Implementation

• Delegates calls to proper L2 drivers

• Two kinds of drivers

• Type Driver

• Mechanism Driver Mech Mgr

PLUGIN

Type Mgr

Plugin Extensions

• Add logical resources to the REST API

• Discovered by server at startup

• REST: /v2.0/extensions

• Common Extensions

• Binding, DHCP, L3, Provider, Quota, Security Group

• Other Extensions

• Allowed Addresses, Extra Routes, Metering

L2 Agent

L2 Agent

• Runs on hypervisor

• Communicates with server via RPC

• Watch and notify when devices added/removed

• Wires new devices

• Proper network segment

• Security Group Rules

• Open vSwitch

• Open Source Virtual Switch

• http://openvswitch.org

• Tenant Isolation

• VLAN, GRE, VXLAN

OVSDB

OVS L2 Agent

Neutron Server

OVS Agent

OVS

RPC

Isolation

VLAN

• 802.1Q

• limited

• underlay must support

GRE/VXLAN

• L2 encapsulated in L3

• routable

• overlay independence

Tunneling

A

D

CB

Tunneling with L2 Population

A

D

CB

L3 Agents

Network Node

L3 Agent

• Run on Network Node

• Uses Namespaces

• Metadata Agent (if enabled)

Network Node

Core

Hypervisor Hypervisor Hypervisor

L3 Agent How it’s implemented

• Manages Collection of Network Namespaces

• Isolated IP Stacks

• Forwarding Enabled

• net.ipv4.ip_forward=1

• Static Routing

• Metadata Proxy

lo

eth1

eth0

lo

qg-2

qr-1

lo

qg-b

qr-e

Host A B

br-ex

Load Balancer as a Service

• Service Plugin

• Driver based

• Agent w/Driver

• Agent communicates over RPC

• Open Source requires namespaces

• Others interact with other systems

LB Agent

HAProxy

VPN as a Service

• Service Plugin

• Driver based

• Agent w/Driver

• Communicates over RPC

• Openswan

L3 Agent

Router

Metadata Proxy

VPN Driver

Firewall as a Service

• Edgewall

• Service Plugin

• Driver based

• Agent w/Driver

• Communicates over RPC

• Experimental

L3 Agent

Router

Metadata Proxy

Firewall Driver

What’s New in Juno

IPv6

Distributed Virtual Routers

CC BY-ND 2.0

"Amicalola Falls" by Sean Morgan

https://www.flickr.com/photos/seanm1025/3646862123

IPv6

IPv6: Basics

Router Advertisement Support

IPAM Algorithms:

SLAAC

Sequential

RA secured with security groups

IPv6: SLAAC

RA Autoconfiguration

IPv6 address generated from EUI-64 address

No DHCP

IPv6: DHCPv6 Stateless

Same as SLAAC IP Address from EUI-64 address

DHCP enables clients to review extra options

IPv6: DHCPv6 Stateful

Most similar to existing v4 support

Backed by dnsmasq and radvd

IPv6: Dual vs Single Stack

Dual Stack

Applications have both v4/v6 access

Support by latest long term support releases

Single Stack v6

Metadata service does not work

Config drive required*

Distributed Virtual Routing

DVR: Overview

Network Node

Core

Hypervisor Hypervisor Hypervisor

Network Node

DVR: How it works

1) Operator deploys DVR L3 Agent Agent runs on each Hypervisor

2) Associate floating IP with instance

3) Profit!!!

DVR: How it works

1) Operator deploys DVR L3 Agent Agent runs on each Hypervisor

2) Associate floating IP with instance

3) Profit!!!

3) All N/S instance traffic is NAT’d directly from hypervisor

DVR: East/West

Network Node

Core

Hypervisor Hypervisor Hypervisor

DVR: North/South SNAT w/o Floating IP

Network Node

Core

Hypervisor Hypervisor Hypervisor

DVR: North/South SNAT w/ Floating IP

Network Node

Core

Hypervisor Hypervisor Hypervisor

Summary

Open vSwitch / Linux Bridge

Ryu OpenFlowController

• Unified API

• Small Core

• Pluggable Open Architecture

• Multiple Vendor Support

• Extensible

Open Source Alternatives

OpenDaylight

OpenDaylight

• Open source controller

• Project managed by Linux Foundation

• Latest release: Helium

• Integrates with Neutron via ML2

OpenDaylight

Live Demo

Community Initiatives

Group Based Policy

Group Based Policy: Before

W W W D D D A A A

Group Based Policy: Model

DDD

AAA

WWW

C1 C2 C3

PG Web PG App PG DB

GBP: Benefits

• Application focused networking — developer intent

• Improved automation

• Consistency

• Extensible Policy Model

• Not dependent on network technology

GBP: Open Source Stack

• OpenStack Ecosystem Project

• Companion Project to Neutron

• http://git.openstack.org/cgit/stackforge/group-based-policy

• OpenDaylight Project

Architecture

GBP PluginNeutronNova

API

Nova Compute

VM

OVS

Network Functions Virtualization (NFV)

NFV

• Traditional appliances to virtual instance(s)

• Commodity hardware

• Scale out vs Scale Up

• No need to provision for maximum capacity at deployment

• Started as working group at ETSI

• Formation of OPNFV

Current NFV Work

• Improvements to OpenStack Compute (Nova)

• CPU Pinning

• NUMA

• Large Page

• Planned additions to OpenStack Networking (Neutron)

• Trunk ports

• L2 Gateways

Looking Ahead to Kilo

• IPv6

• Prefix delegation

• Metadata Service

• IPAM

• BGP Speaker

• NFV Enhancements

• Paying Down Technical Debt

More Information

• Cloud Administrator Guide

• http://docs.openstack.org/admin-guide-cloud/content/ch_networking.html

• OpenStack Network v2.0 API

• http://developer.openstack.org/api-ref-networking-v2.html

• OpenDaylight Installation Guide

• https://wiki.opendaylight.org/view/OVSDB:Helium_and_Openstack_on_Fedora20

Thank You