Open vSwitch Introduction
1 like1,049 views
The document provides an introduction to Open vSwitch (OVS) by Hungwei Chiu, explaining its function in networking and its integration with Kubernetes. It details the differences between routers and switches, outlines the TCP/IP model, and discusses the OpenFlow protocol as a communication interface between control and forwarding layers in a software-defined networking architecture. The document also addresses challenges in Kubernetes networking with OVS, including pod communication and policy management.
Open vSwitch Introduction
- 2. Who Am I • HungWei Chiu (hwchiu) • Open Networking Foundation • Member of Technical Staff • https://hwchiu.com • Kubernetes/Container • Networking/Linux/Kernel • Co-Organizer of SDNDS-TW/ CNTUG
- 3. Agenda • What/How • TCP/IP Model • Linux Bridge • What/How • Open vSwitch • Open vSwitch in Kubernetes
- 5. Data Link Switch v.s Router TCP/IP Model Network Transport Application Physical Data Link Physical Data Link Network Physical Data Link Network Transport Application Physical Client Server Switch Router
- 6. Router v.s Switch • Both • Store and forward packets • Network layer • Data Link layer • Router: • Routing table • Routing algorithms • Switch • Switch table • Learning algorithms
- 9. Data Link Switch v.s Router TCP/IP Model Network Transport Application Physical Data Link Physical Data Link Network Physical Data Link Network Transport Application Physical Client Server Switch Router eth0 Linux Bridge br0 Container 172.17.8.1 172.17.8.56 10.1.2.3 Linux Host Container 172.17.8.57 Container to WAN
- 10. Linux Host Switch v.s Router TCP/IP Model Data Link Network Transport Application Physical Data Link Physical Data Link Network Physical Data Link Network Transport Application Physical Client Server Switch Router Container WAN Linux Bridge Linux Bridge Instances veth function call function call
- 11. Docker eth0 Linux Bridge br0 Container 172.17.8.1 172.17.8.56 10.1.2.3 Linux Host Container 172.17.8.57 net_dev Kernel object Packet Linux Bridge br0 • Received Packets • ebtables • iptables • Forward to net_dev (172.17.9.1) Packet: 172.17.8.56 -> 172.17.8.1
- 12. Docker eth0 Linux Bridge br0 Container 172.17.8.1 172.17.8.56 10.1.2.3 Linux Host Container 172.17.8.57 net_dev Kernel object Linux Kernel • Received Packet • Iptables • Routing tables • ARP tables • Forward to eth0 (10.1.2.3) Packet: 172.17.8.56 -> 172.17.8.1 Packet
- 13. Tables • Arp Table (Learning MAC/IP) • Linux Bridge • Forwarding Table (Forward by MAC) • Netfilter • Iptables (Layer 3, NAT…etc) • Ebtables (Layer 2 filter…etc) • Linux Kernel • Routing table (Routing by IP (Destination/Source))
- 14. Control • Arp • arp • Forwarding • brctl show/brctl showman’s • Routing • route • ip route • netfilter • iptables/ebtables • iptables-save/iptables-restore …etc
- 15. Multiple Nodes Host Agent • No Standard Protocol Host Agent Host Agent Host Agent Host Controller Agent • Execute commands • API Call (netlink)
- 16. Open vSwitch
- 18. Openflow • Maintained by Open Networking Foundation (ONF) • The first standard communication interface defined between control and forwarding layers of an SDN architecture. https://en.wikipedia.org/wiki/OpenFlow
- 19. Openflow controller Openflow Enabled Switch Security Channel Flow Table Openflow Enabled Switch Security Channel Flow Table Openflow protocol Architecture
- 20. Format Rule Action Stats • Forward packet to ports • Encapsulate and forward to controller • Modify fields • Normal Pipeline • Extension Packet/Bytes counter Switch Port Layer 2 Header Layer 3 Header Layer 4 Header
- 21. Example Switch Port dst_mac Layer 3 Layer 4src_mac Action port 3*** * 00:11:32:…. Switching Switch Port src_ip Layer 4Layer 2 Action port 4*** * Routing dst_ip 140.113.2.4 Switch Port src_ip Layer 4Layer 2 Action drop*1.2.0.0/16* * Firewall dst_ip 140.113.2.4
- 22. Compare • Linux • Arp Table (Learning MAC/IP) • Linux Bridge • Forwarding Table (Forward by MAC) • Netfilter • Iptables (Layer 3, NAT…etc) • Ebtables (Layer 2 filter…etc) • Linux Kernel • Routing table (Routing by IP (Destination/Source)) • Openflow • Rules • Switch Port • Layer 2/3/4 Header • Action • Forward/Drop • Normal Pipeline • Modify fields • …etc • Stats • Counter
- 24. Docker eth0 Open vSwith Ovsbr0 Container 172.17.8.1 172.17.8.56 Linux Host Container 172.17.8.57
- 25. Flows Switch Port Layer 2 Layer 3 Layer 4eth_type Action …*…* Arp ARP Switch Port Layer 3 Header Layer 4 HeaderLayer2 Action • Change src/dst Mac • Forward to port…..…..* * Routing Switch Port Layer 3 Header Layer 4 Action * * NAT * Layer2 ….. ….. • Change src/dst IP • Forward to port
- 26. Open vSwtich • Need to prepare all flow rules • Without Linux Kernel (mostly) • Openflow controller • Program your logic • CLI • Difficult to maintain all logics.
- 27. Other functions • Linux • Tunneling • GRE/VXLAN/GRE/ STT/NVGRE • iptables extension • nfqueue ..etc • 802.1q VLAN • Linux • Link Aggregation with/ without LACP • QoS • Traffic Shaping • Socket Applications • VPN, other networking functions.
- 29. Kubernetes & OVS
- 30. Kubernetes & Networking • Pod communication • Pod to Pod • Pod to Wan • Service • ClusterIP • NodePort • NetworkPolicy CNI Flannel • Linux Bridge • ARP Table • Routing Table • Iptables Iptables Implemented by CNI.
- 31. Challenge • CNI • Pod to Pod • Same Node • Different Node • Overlay ? • Pod to Wan • NAT
- 32. Challenge • Kube-proxy (service) • Monitor service object • Create/Update/Remove rules • Translate policy to OpenFlow rules and apply to all switches. • NetworkPolicy • Monitor network policy object • Create/Update/Remove rules • Translate policy to OpenFlow rules and apply to all switches.
- 33. Challenge • Additional controller • Open vSwitch controller • Openflow • OVSDB • …etc • Kubernetes controller
- 34. Projects • K-vswitch • SONA-CNI • Ovn-kubernetes • ..etc
- 35. https://github.com/k-vswitch/k-vswitch k-vswitch
- 37. Why OVS?
- 38. Why • Networking performance? • Open vSwitch + DPDK (Kernel Bypass) • Hardware offloading • Service chain? • Rewrite packets header • Redirect packets within different Pods • Networking Traffic Monitor? • Latency • Counters
- 39. K8S Node Pod Pod Pod eth0 Openflow Switch Openflow Switch Openflow Switch Data network K8S Node Pod Pod Pod eth0 K8S Node Pod Pod Pod eth0 Openflow Controller Reference Architecture
- 40. Do I Need It?
- 41. One • Learn how system works • Computing/Storage/Networking • Linux • Increase your value • Don’t rely on Framework or Tools • Helm/Operator …etc • Never be the Yaml Engineer
- 42. Q&A