Networking in OpenStack for non-networking people: Neutron, Open vSwitch and friends
81 likesâ˘40,579 views
This document discusses networking in OpenStack and Neutron. It begins with an overview of the OSI model and networking in a virtual world using Open vSwitch. It then covers Neutron and how it provides high-level abstractions for networking while abstracting away the internals. The document demonstrates how to create subnets and attach instances using Neutron. It also discusses debugging networking issues through examining devices, tracking packets, and looking at DHCP and routing tables. Resources for further information are provided at the end.
Networking in OpenStack for non-networking people: Neutron, Open vSwitch and friends
- 1. DAVE NEARY1 Networking in OpenStack for non- networking people: Neutron, OVS and friends Dave Neary [email protected] Open Source and Standards Red Hat
- 2. REDHAT OPENSTACK |2013DOC144908-20130513r1 AGENDA â Networking review: the OSI model â Networking in a virtual world â Neutron and OVS â Debugging and fixing networking issues
- 3. DAVE NEARY3 Networking: The OSI model Layer 1 Layer 7
- 4. DAVE NEARY4 Networking: The OSI model Layer 1 Layer 7 Cables Switching Routers Hardware Software TCP/IP SMTP
- 5. DAVE NEARY5 Switches and routers
- 6. DAVE NEARY6 Networking in a virtual world CC BY from OpenStack Operations Guide: http://bit.ly/OpenStackNetworking
- 7. DAVE NEARY7 Networking in a virtual world: Open vSwitch
- 8. DAVE NEARY9 Networking in a virtual world: Neutron â Abstracts away internals of switching and SDN provider â Provides high-level abstractions (router, subnet, network, gateway) â âLaw of Leaky Abstractionsâ applies
- 9. DAVE NEARY10 Neutron: Creating a subnet â neutron router-create router1 â neutron net-create net1 â neutron subnet-create net1 172.17.0.0/24 --name subnet1 â neutron router-interface-add router1 subnet1
- 10. DAVE NEARY11 Neutron: Attaching a public subnet â neutron net-create net2 --router-external=True â neutron subnet-create net2 192.168.0.0/24 --name subnet2 --enable_dhcp=False --allocation-pool start=192.168.0.32,end=192.168.0.63 --gateway=192.168.0.1 â neutron router-gateway-set router1 net2
- 11. DAVE NEARY12 Neutron: Floating IPs â To connect from an external machine to an instance, you need a routable IP address â Floating IP addresses are public aliases for private IP addresses â They survive changes in private IPs, enable load balancing, etc. â Equivalent to Elastic IPs in AWS
- 12. DAVE NEARY13 Neutron: Floating IPs â neutron floatingip-create net2 â neutron floatingip-list â neutron port-list â neutron floatingip-associate <floating-ip> <port>
- 13. DAVE NEARY14 Debugging network issues: Devices â ip a shows status of all physical and virtual devices â ovs-vsctl show shows interfaces and bridges in the virtual switch â ovs-dpctl show shows datapaths on the switch
- 14. DAVE NEARY15 Debugging network issues: Tracking packets â tcpdump is your friend â tcpdump -n -i <interface> -w <filename> â Set interface to vnet device, instance eth0, bridge device, or host ethernet device to see where packets are not getting through â -i any for all interfaces â iptables -L to check iptables rules
- 15. DAVE NEARY16 Debugging network issues: Network namespaces â Network namespaces allow VLANs to share overlapping address space â important for bigger deployments, and to provide multi-tenant networks â ip netns list â lists all known network namespaces â ip netns exec <namespace id> route -n â Shows routing table inside specific namespace â Execute arbitrary commands (incl. ssh, ping)
- 16. DAVE NEARY17 Debugging networking issues: DHCP â Scenario: Instance is not getting IP address â Step 1: nova console-log <instance name> â DHCP request sent, no reply received â Step 2: Verify neutron-dhcp-agent is running â Step 3: Check host logs (/var/log/messages and /var/log/neutron/*) â Step 4: If host is not seeing DHCP traffic: tcpdump -i all | grep -i dhcp
- 17. DAVE NEARY18 Debugging networking issues: Access/routing â Scenario: I can't SSH into an instance â Step 1: Security groups: port 22 TCP & all ICMP allowed? â Step 2: Is floating IP address routable from client? â route -n on client â Verify that public subnet in OpenStack is accessible from client (eg. for local LAN, that it matches 192.168.0.0/24) â Step 3: Bridges OK?
- 18. DAVE NEARY19 Debugging networking issues: Access/routing â Bridge issues: â ovs-vsctl show â is ethernet card attached to same bridge as public network? â neutron router show router1 â are the private subnet and public subnet connected to the router? â ip netns exec <public namespace id> ping <floating IP> - does the public network match the local LAN exactly? â ip netns exec <private namespace id> route -n â is traffic being correctly routed from the instance out?
- 19. DAVE NEARY20 Resources â OpenStack Network troubleshooting: http://bit.ly/OpenStackNetworking â OpenStack Networking: L3 workflow: http://bit.ly/L3Workflow â RDO Networking: http://bit.ly/RDONetworking â RDO: Neutron with an external network: http://bit.ly/RDONeutronExtNet â OpenStack Tales from the Crypt: http://bit.ly/OpenStackCrypt