Training open stack networking -neutron
Download as PPTX, PDF1 like479 views
Neutron is OpenStack's networking component. It implements software-defined networking and virtual private networks. Key concepts discussed include networks, subnets, ports, routers, and their relationships. Linux networking technologies used by Neutron include Linux bridges, Open vSwitch, VLANs, VXLANs, and Linux namespaces. Security groups are implemented using iptables rules in the filter table to allow or deny traffic to instances.
Training open stack networking -neutron
- 1. OpenStack Networking-- Neutron Internal Training Haven(Yan Haifeng)/ Oct 17, 2015 Software Engineer Blog http://yanheven.github.io/ 1
- 2. 2 3 Router, Network, Subnet and Port Related Linux Technology Linux NameSpace 1 Neutron Agenda 2 5 Security Group 4 Iptables usage in Neutron
- 3. 1, Entities in Neutron 3
- 4. 1, Entities in Neutron âą NetworkïŒé犻ç L2 ćïŒćŻä»„æŻèæăé»èŸæäș€æąïŒćäžäžȘçœç»äžçäž»æșćœŒæ€ L2 ćŻè§ă âą External Network â arping 10.0.1.2 âą SubnetïŒé犻ç L3 ćïŒIP ć°ććăć ¶äžæŻäžȘæșćšæäžäžȘ IPïŒćäžäžȘćçœçäž»æșćœŒæ€ L3 ćŻè§ă â ping 10.0.1.2 â ping 10.0.0.7 âą PortïŒçœç»äžèæăé»èŸæäș€æąç«ŻćŁă ææèżäșćźäœéœæŻèæçïŒæ„æèȘćšçæçćŻäžæ ç€șidïŒ æŻæCRUDćèœïŒćč¶ćšæ°æźćșäžè·èžȘèź°ćœç¶æă âą Fixed ip âą Floating ip âą Router : èæè·Żç±ćšïŒçšäșèź©äž€äžȘäžćçäžć±çœç»é俥ă â Ping 10.2.0.3 4
- 5. 5 2, Linux Networking Technology
- 6. 2, Linux Networking Technology âą bridgeïŒçœæĄ„ïŒLinuxäžçšäșèĄšç€șäžäžȘèœèżæ„äžćçœç»èźŸć€çèæèźŸć€ïŒlinuxäžäŒ ç»ćźç°ççœæĄ„ ç±» 䌌äžäžȘhub èźŸć€ïŒèovs知çççœæĄ„äžèŹç±»äŒŒäș€æąæșă â sudo ovs-vsctl show â sudo ovs-vsctl list-br âą br-intïŒbridge-integrationïŒç»ŒćçœæĄ„ïŒćžžçšäșèĄšç€șćźç°äž»èŠć éšçœç»ćèœççœæĄ„ă âą br-exïŒbridge-externalïŒć€éšçœæĄ„ïŒéćžžèĄšç€șèŽèŽŁè·ć€éšçœç»é俥ççœæĄ„ă âą GREïŒGeneral Routing EncapsulationïŒäžç§éèżć°èŁ æ„ćźç°é§éçæčćŒăćšopenstackäžäžèŹ æŻćș äșL3çgreïŒćłoriginal pkt/GRE/IP/Ethernet âą VETHïŒèæethernetæ„ćŁïŒé枞仄pairçæčćŒćșç°ïŒäžç«Żććșççœć ïŒäŒèą«ćŠäžç«Żæ„æ¶ïŒćŻä»„ćœą æ 䞀äžȘçœæĄ„äčéŽçééă 6
- 7. 2, Linux Networking Technology âą qvbïŒneutron veth, Linux Bridge-side â bridge link âą qvoïŒneutron veth, OVS-side â sudo ovs-vsctl show âą TAPèźŸć€ïŒæšĄæäžäžȘäșć±ççœç»èźŸć€ïŒćŻä»„æ„ćććéäșć±çœć ă â bridge link âą TUNèźŸć€ïŒæšĄæäžäžȘäžć±ççœç»èźŸć€ïŒćŻä»„æ„ćććéäžć±çœć ă â ip tuntap âą iptablesïŒLinux äžćžžè§çćźç°ćźć šçç„çéČç«ćąèœŻä»¶ă âą VlanïŒèæ LanïŒćäžäžȘç©ç Lan äžçšæ çŸćźç°é犻ïŒćŻçšæ ć·äžș1-4094ă âą VXLANïŒäžć„ć©çš UDP ćèźźäœäžșćșć±äŒ èŸćèźźç Overlay ćźç°ăäžèŹèź€äžșäœäžș VLan ææŻç滶 䌞æ æżä»Łè ă âą namespaceïŒçšæ„ćźç°é犻çäžć„æșć¶ïŒäžć namespace äžçè”æșäčéŽćœŒæ€äžćŻè§ă â ip netns 7
- 9. 3, Linux NameSpace 9 âą ćš Linux äžïŒçœç»ććç©șéŽćŻä»„èą«èź€äžșæŻé犻çæ„æćçŹçœç»æ ïŒçœćĄăè·Żç±èœŹćèĄšăiptablesïŒççŻćąă çœç»ććç©șéŽç»ćžžçšæ„é犻çœç»èźŸć€ćæćĄïŒćȘææ„æćæ ·çœç»ććç©șéŽçèźŸć€ïŒæèœçć°ćœŒæ€ă âą ćŻä»„çšip netns ćœä»€æ„æ„çć·Čç»ććšçććç©șéŽ, ć execćŻä»„æ§èĄćç§çœç»çžć łćœä»€ïŒçœç»ææ„éèŻŻæ¶ç»ćžž çšć°ïŒćŻä»„çŽæ„èżæ„ć°VMă â Ping, route, ssh, tcpdump, arping, etc. evan@devstack:~$ ip netns qdhcp-8709f095-72c6-400e-ad68-6a413ab4d936 qrouter-b58c06ea-02ef-4066-bb8d-0d6ba1df29d9 qdhcp-27fb6448-5708-4054-a1ad-c3ba94069fe6 evan@devstack:~$ sudo ip netns exec qrouter-b58c06ea-02ef-4066-bb8d-0d6ba1df29d9 ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 8: qg-60277fd9-b3: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default 9: qr-023f7722-39: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default link/ether fa:16:3e:b2:3a:e0 brd ff:ff:ff:ff:ff:ff
- 10. 3, Linux NameSpace 10 âą DHCP æćĄ â dhcpæćĄæŻéèżdnsmasqèżçšïŒèœ»éçș§æćĄćšïŒćŻä»„æäŸdnsădhcpătftpçæćĄïŒæ„ćźç°çïŒèŻ„èżçšç»ćźć°dhcpććç©șéŽäžç br-intçæ„ćŁäžăćŻä»„æ„ççžć łçèżçšă âą è·Żç±èœŹćæćĄ â routeræŻæäŸè·š subnet çäșèćèœçăæŻćŠçšæ·çć éšçœç»äžäž»æșæłèŠèźżéźć€éšäșèçœçć°ćïŒć°±éèŠrouteræ„èœŹćïŒć æ€ïŒ ææè·ć€éšçœç»çæ”ééœćż 饻ç»èżrouterïŒăçźćrouterçćźç°æŻéèżiptablesèżèĄçă â ćæ ·çïŒrouteræćĄäčèżèĄćšèȘć·±çććç©șéŽäžïŒ evan@devstack:~$ ip netns qdhcp-8709f095-72c6-400e-ad68-6a413ab4d936 qrouter-b58c06ea-02ef-4066-bb8d-0d6ba1df29d9 qdhcp-27fb6448-5708-4054-a1ad-c3ba94069fe6 evan@devstack:~$ ps -ef | grep 8709f095-72c6-400e-ad68-6a413ab4d936 evan@devstack:~$ sudo ip netns exec qrouter-b58c06ea-02ef-4066-bb8d-0d6ba1df29d9 iptables -t nat -S
- 12. 4, Iptables 12 âą NetfilteræŻLinux 2.4.xćŒć „çäžäžȘćçł»ç»ïŒćźäœäžșäžäžȘéçšçăæœè±ĄçæĄæ¶ïŒæäŸäžæŽć„çhookćœæ°ç 知çæșć¶ïŒäœżćŸèŻžćŠæ°æźć èżæ»€ăçœç»ć°ćèœŹæą(NAT)ććșäșćèźźç±»ćçèżæ„è·èžȘæäžșäșćŻèœ
- 13. 4, Iptables 13 âą ćè http://blog.chinaunix.net/uid-23069658-id-3160506.html âą iptablesćȘæŻLinuxéČç«ćąç知çć·„ć ·èć·ČïŒäœäș/sbin/iptablesăçæŁćźç°éČç«ćąćèœçæŻnetfilterïŒćźæŻ Linuxć æ žäžćźç°ć èżæ»€çć éšç»æă âą ć łäșćèźźæ éŁäșäžȘć łéźçčâABCDEâïŒNetfilterćšnetfilter_ipv4.häžć°èżäžȘäșäžȘçčçćœć
- 14. 4, Iptables 14 âą Iptables çć€çé»èŸ
- 15. 4, Iptables 15 âą Iptables ç»æéšć âą ćè http://www.cnblogs.com/ggjucheng/archive/2012/08/19/2646466.html
- 16. 4, Iptables rules for NAT 16 âą Iptables ćšRouteräžçäœçševan@devstack:~$ sudo ip netns exec qrouter-b58c06ea-02ef-4066-bb8d-0d6ba1df29d9 iptables -t nat -S -P PREROUTING ACCEPT -P INPUT ACCEPT -P OUTPUT ACCEPT -P POSTROUTING ACCEPT -N neutron-postrouting-bottom -N neutron-vpn-agen-OUTPUT -N neutron-vpn-agen-POSTROUTING -N neutron-vpn-agen-PREROUTING -N neutron-vpn-agen-float-snat -N neutron-vpn-agen-snat -A PREROUTING -j neutron-vpn-agen-PREROUTING -A OUTPUT -j neutron-vpn-agen-OUTPUT -A POSTROUTING -j neutron-vpn-agen-POSTROUTING -A POSTROUTING -j neutron-postrouting-bottom -A neutron-postrouting-bottom -m comment --comment "Perform source NAT on outgoing traffic." -j neutron-vpn-agen-snat -A neutron-vpn-agen-OUTPUT -d 192.168.1.4/32 -j DNAT --to-destination 10.0.0.6 -A neutron-vpn-agen-POSTROUTING ! -i qg-60277fd9-b3 ! -o qg-60277fd9-b3 -m conntrack ! -- ctstate DNAT -j ACCEPT -A neutron-vpn-agen-PREROUTING -d 192.168.1.4/32 -j DNAT --to-destination 10.0.0.6 -A neutron-vpn-agen-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697 -A neutron-vpn-agen-float-snat -s 10.0.0.6/32 -j SNAT --to-source 192.168.1.4 -A neutron-vpn-agen-snat -j neutron-vpn-agen-float-snat -A neutron-vpn-agen-snat -o qg-60277fd9-b3 -j SNAT --to-source 192.168.0.200 -A neutron-vpn-agen-snat -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-
- 17. 4, Security GroupïŒfilter table 17
- 18. 4, Security Group: filter table 18 âą INPUT chain â DHCP traffic allow â IP/MAC pair allow
- 19. 19 evan@devstack:~$ sudo iptables -t filter -S INPUT -P INPUT ACCEPT -A INPUT -j neutron-openvswi-INPUT -A INPUT -j nova-api-INPUT evan@devstack:~$ sudo iptables -t filter -S neutron-openvswi-INPUT -N neutron-openvswi-INPUT -A neutron-openvswi-INPUT -m physdev --physdev-in tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o48cd91af-b -A neutron-openvswi-INPUT -m physdev --physdev-in tap4c44aad9-49 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o4c44aad9-4 -A neutron-openvswi-INPUT -m physdev --physdev-in tapc2702f4f-c6 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-oc2702f4f-c -A neutron-openvswi-INPUT -m physdev --physdev-in tap020fc191-56 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o020fc191-5 evan@devstack:~$ sudo iptables -t filter -S neutron-openvswi-o48cd91af-b -N neutron-openvswi-o48cd91af-b -A neutron-openvswi-o48cd91af-b -p udp -m udp --sport 68 --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN -A neutron-openvswi-o48cd91af-b -j neutron-openvswi-s48cd91af-b -A neutron-openvswi-o48cd91af-b -p udp -m udp --sport 67 --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP -A neutron-openvswi-o48cd91af-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-openvswi-o48cd91af-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-openvswi-o48cd91af-b -j RETURN -A neutron-openvswi-o48cd91af-b -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg- fallback evan@devstack:~$ sudo iptables -t filter -S neutron-openvswi-s48cd91af-b -N neutron-openvswi-s48cd91af-b -A neutron-openvswi-s48cd91af-b -s 10.2.0.3/32 -m mac --mac-source FA:16:3E:EB:43:32 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN -A neutron-openvswi-s48cd91af-b -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
- 20. 4, Security Group: filter table 20 âą FORWARD chain â Security rules evan@devstack:~$ sudo iptables -t filter -S FORWARD -P FORWARD ACCEPT -A FORWARD -j neutron-filter-top -A FORWARD -j neutron-openvswi-FORWARD -A FORWARD -j nova-filter-top -A FORWARD -j nova-api-FORWARD evan@devstack:~$ sudo iptables -t filter -S neutron-openvswi-FORWARD -N neutron-openvswi-FORWARD -A neutron-openvswi-FORWARD -m physdev --physdev-out tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain -A neutron-openvswi-FORWARD -m physdev --physdev-in tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain -A neutron-openvswi-FORWARD -m physdev --physdev-out tap4c44aad9-49 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain -A neutron-openvswi-FORWARD -m physdev
- 21. 21 evan@devstack:~$ sudo iptables -t filter -S neutron-openvswi-sg-chain -N neutron-openvswi-sg-chain -A neutron-openvswi-sg-chain -m physdev --physdev-out tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i48cd91af-b -A neutron-openvswi-sg-chain -m physdev --physdev-in tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o48cd91af-b -A neutron-openvswi-sg-chain -m physdev --physdev-out tap4c44aad9-49 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i4c44aad9-4 -A neutron-openvswi-sg-chain -m physdev --physdev-in tap4c44aad9-49 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o4c44aad9-4 -A neutron-openvswi-sg-chain -m physdev --physdev-out tapc2702f4f-c6 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-ic2702f4f-c -A neutron-openvswi-sg-chain -m physdev --physdev-in tapc2702f4f-c6 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-oc2702f4f-c -A neutron-openvswi-sg-chain -m physdev --physdev-out tap020fc191-56 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i020fc191-5 -A neutron-openvswi-sg-chain -m physdev --physdev-in tap020fc191-56 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o020fc191-5 -A neutron-openvswi-sg-chain -j ACCEPT evan@devstack:~$ sudo iptables -t filter -S neutron-openvswi-i48cd91af-b -N neutron-openvswi-i48cd91af-b -A neutron-openvswi-i48cd91af-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-openvswi-i48cd91af-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN -A neutron-openvswi-i48cd91af-b -s 10.2.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN -A neutron-openvswi-i48cd91af-b -p tcp -m tcp --dport 22 -j RETURN -A neutron-openvswi-i48cd91af-b -p icmp -j RETURN -A neutron-openvswi-i48cd91af-b -m set --match-set NIPv4fc1d3a02-5217-4f13-91aa- src -j RETURN -A neutron-openvswi-i48cd91af-b -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg- fallback
- 22. 4, Security Group: filter table 22 âą OUTPUT chain evan@devstack:~$ sudo iptables -t filter -S OUTPUT -P OUTPUT ACCEPT -A OUTPUT -j neutron-filter-top -A OUTPUT -j neutron-openvswi-OUTPUT -A OUTPUT -j nova-filter-top -A OUTPUT -j nova-api-OUTPUT -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT evan@devstack:~$ sudo iptables -t filter -S neutron-openvswi-OUTPUT -N neutron-openvswi-OUTPUT evan@devstack:~$ sudo iptables -t filter -S neutron-filter-top -N neutron-filter-top -A neutron-filter-top -j neutron-openvswi-local evan@devstack:~$ sudo iptables -t filter -S neutron-openvswi-local -N neutron-openvswi-local
- 23. 4, Security Group 23 âą Rules for a VM: Vm çPort id ć9äœ evan@devstack:~/devstack$ nova list +--------------------------------------+-----------+---------+------------+-------------+---------------------------------------------------------------------+ | ID | Name | Status | Task State | Power State | Networks | +--------------------------------------+-----------+---------+------------+-------------+---------------------------------------------------------------------+ | fe0fc496-7a3a-4fc7-a929-0cfb7c3cf4ff | c-p2-s1 | SHUTOFF | - | Shutdown | private-2=10.2.0.3 | evan@devstack:~/devstack$ neutron port-list +--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------------------------------+ | id | name | mac_address | fixed_ips | +--------------------------------------+------+-------------------+-------------------------------------------------------------------------------------------------------------+ | 48cd91af-b66e-4579-bae3-c85638ff7922 | | fa:16:3e:eb:43:32 | {"subnet_id": "3f1dd2ad-c7b6-43ae-a56f-341616b2e689", "ip_address": "10.2.0.3"} | evan@devstack:~/devstack$ sudo iptables -S | grep 48cd91af-b6 -A neutron-openvswi-FORWARD -m physdev --physdev-out tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain -A neutron-openvswi-FORWARD -m physdev --physdev-in tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain -A neutron-openvswi-INPUT -m physdev --physdev-in tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o48cd91af-b -A neutron-openvswi-sg-chain -m physdev --physdev-out tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi- i48cd91af-b -A neutron-openvswi-sg-chain -m physdev --physdev-in tap48cd91af-b6 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi- o48cd91af-b evan@devstack:~/devstack$ sudo iptables -S | grep neutron-openvswi-i48cd91af-b -N neutron-openvswi-i48cd91af-b -A neutron-openvswi-i48cd91af-b -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP -A neutron-openvswi-i48cd91af-b -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." - j RETURN -A neutron-openvswi-i48cd91af-b -s 10.2.0.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN -A neutron-openvswi-i48cd91af-b -p tcp -m tcp --dport 22 -j RETURN -A neutron-openvswi-i48cd91af-b -p icmp -j RETURN -A neutron-openvswi-i48cd91af-b -m set --match-set NIPv4fc1d3a02-5217-4f13-91aa- src -j RETURN
- 24. THE END 24
- 25. Next 25 âą Tenant Network Type Introduction â FLAT, LOCAL â VLAN â GRE â VXLAN âą LBAAS âą FWAAS âą DVR