Scribd
Upload
266 views50 pages

Where Did My Packets Go

Neutron is a core component of OpenStack that manages virtual networking and allows users to create networks and routers. It uses Linux networking components like TAP devices, veth pairs, Linux bridges, and Open vSwitch to connect virtual network interfaces and provide switching and routing. Network namespaces are used to isolate network stacks for different tenants and components like the DHCP agent and L3 agent. The key concepts allow instances on the same and different hosts to communicate within and across networks using tunnels, bridges, and the L3 agent router namespace which implements routing and floating IPs using iptables rules.

Uploaded by

pavani
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
266 views50 pages

Where Did My Packets Go

Neutron is a core component of OpenStack that manages virtual networking and allows users to create networks and routers. It uses Linux networking components like TAP devices, veth pairs, Linux bridges, and Open vSwitch to connect virtual network interfaces and provide switching and routing. Network namespaces are used to isolate network stacks for different tenants and components like the DHCP agent and L3 agent. The key concepts allow instances on the same and different hosts to communicate within and across networks using tunnels, bridges, and the L3 agent router namespace which implements routing and floating IPs using iptables rules.

Uploaded by

pavani
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 50

Neutron, Where did my

packets go ?
Mohamed Elsakhawy
SHARCNET / Compute Canada
SHARCNET/Compute Canada

- High Performance Computing


- Cloud Usage
- HPC
- Public/Private clouds
- ~7,000 core cloud deployments based on openstack
- Arbutus
- Located in Victoria, BC
Why this session ?

Neutron is a core component

Neutron is a hard-to-follow component

Understanding is key to troubleshooting


Before we start

Five main concepts/Linux virtual network devices

- TAP device
- veth pair
- Linux bridge
- Openvswitch
- Network namespaces
TAP device

- Software-only interface. i.e virtual


- Attached to a user-space program
- Accepts Ethernet frames
veth pair

- Two virtual NICs connected via a virtual wire


- Used to connect multiple virtual networking components
- Can connect network namespaces
Linux Bridge

- A virtual switch
- Physical and virtual interfaces
- Layer 2
Openvswitch

- More complicated virtual switch


- Virtual and physical interfaces
- Layer 2
- Openflow rules
Network Namespaces

- Isolated network stack


- Interfaces can be assigned to namespaces
- Separate routing tables
- 2 interfaces assigned to 2 different namespaces can have the same IP
- Neutron uses it to implement
- Dhcp-agent
- l3-agent
What does neutron do ?

- Allows user to create networks and routers


- Provides an api and manages the database
- Routes L3 traffic
- Provide floating IPs
- Switches L2 traffic
- Provides DHCP to instances
- Provides Metadata to instances
Which parts does that ?

- Allows user to create networks and routers neutron-server


- Provides an api and manages the database
- Routes L3 traffic
l3-agent
- Provide floating IPs
- Switches L2 traffic ml2-agent
- Provides DHCP to instances dhcp-agent
- Provides Metadata to instances metadata-agent
Meet neutron...
A typical VM looks like this
A typical VM looks like this
- VM1 has vNIC
- IPtables rules applied to tap
- qbr is a linux bridge
- connects tap and qvb
- qvb and qvo are veth pair
- br-int and br-tun
- OVS switches
- Connected via patch
Physically on a compute node - KVM
process
Physically on a compute node - qbr bridge

- A qbr bridge created per instance with two ports


- tap
- qvb
- IPtables rules applied on the tap device
Physically on a compute node: br-int & br-tun
Traffic in Neutron

- Instance <-> Instance , same network


- Instances living on the same host
- Instances living on different hosts
- Instance <-> Instance, different networks
- Instance <-> dhcp
- Instance <-> public network, i.e. Internet
- User <-> Instance, i.e. floating IPs
Scenario 1: Instance <-> Instance
- same network
- same host

VM1 / VM2

- Same tenant
- Same network
- Same VLAN ID
- Packets flow through br-int
VM test IP 10.0.0.5
VM test2 IP 10.0.0.9

- 2 VMs : test and test2


- Connected to network private
- Belong to the same subnet
- Same host
VMs Test & Test2: same network, same
host
Same VLAN ID, traffic flows normally
This was same host. How about different
hosts ?
Scenario 1: Instance <-> Instance
- same network
- different hosts
Two questions !

- In the overlay network: How does different tenant networks traffic keep
isolated ?
- br-tun
- VLAN ID <-> VXLAN tunnel ID
- VXLAN tunnel ID unique per network
- Isnt it useless to send the traffic to every host ?
- br-tun learns !
- Which host has what VM it
- Updates the flows
VM test IP 10.0.0.5
VM test2 IP 10.0.0.9

- 2 VMs : test and test2


- Connected to network private
- Different hosts
Compute host 1
VM: test IP 10.0.0.5 VLAN ID removed outbound, TUN ID set to 0x39
VLAN ID 1 added inbound if TUN ID =0x39
Compute host 2
VM: test2 IP 10.0.0.9 VLAN ID removed outbound, TUN ID set to 0x39
VLAN ID 2 added inbound, if TUN ID = 0x39
Scenario 2: Instance <-> Instance
- different networks
- different hosts

Compute host1 Compute host2

VM1 / VM2

- Different networks
- i.e router
- Different hosts
A network node

A dhcp-enabled network has


a qdhcp namespace with a
tap interface

A router has a qrouter


namespace with a qr
interface for each
connected network

A router has one qg


interface for its gateway
How is the router implemented ?

- L3-agent Network Node

- Implemented inside network namespaces


- (qrouter-xxxxxx)
- Multiple network interfaces
- (qr-xxxx), one for each network subnet
- Routing rules for interfaces
- One gateway interface
- (qg-xxxx), one for public gateway
qrouter namespace
Two Instances, different networks, different
hosts

qdhcp with tap interface

qrouter with 2 qr interfaces

qdhcp with tap interface


qrouter namespace Router has 3 interfaces
qr-44edbf78-34: fa:16:3e:51:01:ce
qr-60828e45-4e: fa:16:3e:23:4f:b4
IP: 10.0.0.1
IP: 192.168.3.1
qg-916bdf6a-a3: fa:16:3e:e9:2e:04 IP:172.24.4.5
Compute host 1 Router has 3 interfaces
VM1: IP 192.168.3.3 qr-44edbf78-34: fa:16:3e:51:01:ce IP: 10.0.0.1
qr-60828e45-4e: fa:16:3e:23:4f:b4 IP: 192.168.3.1
qg-916bdf6a-a3: fa:16:3e:e9:2e:04 IP:172.24.4.5
Compute host 2 Router has 3 interfaces
qr-44edbf78-34: fa:16:3e:51:01:ce IP: 10.0.0.1
VM2: IP 10.0.0.9 qr-60828e45-4e: fa:16:3e:23:4f:b4 IP: 192.168.3.1
qg-916bdf6a-a3: fa:16:3e:e9:2e:04 IP:172.24.4.5
On network node
Traffic arriving on Tunnel ID
0x43 from VM1 , IP 192.168.3.3
0x39 from VM2, IP 10.0.0.9
General notes on qrouter

- One qr interface per network subnet attached


- Default gateway qg-xxxx
- One default gateway per router
- Network namespaces make it isolated
- Multiple tenants subnets can have overlapping ips
- Instances can be on same or different hosts. Doesnt matter !
- Different networks mean a router and the qrouter namespace is involved !
Scenario 3: Instance getting dhcp address
On the network node
Same example: 2 VMs , 2 networks To get DHCP IP on 192.168.3.0/24 network, we need a path between
compute host and tap6e56ae9a-e8 on the network node
- Tunnel ID mapping between compute hosts and network node
- dnsmasq provides the ips
Now weve covered ...

- Instance to Instance traffic


- Same network
- Different network
- Instance to dhcp-agent traffic

Yet to cover

- Instance to public network


- Public network to instance (floating IPs)
Scenario 4: Instance to public network

- A VM only knows about its default gateway, i.e. qr interface


- Traffic flows to the router namespace
- Routing to public network happens in the router
- qg interface !
Hows the qg interface connected
br-ex and br-int Openflow rules

- qg sends traffic to br-ex through the patch interface


- br-ex strips the vlan id out of traffic and sends it physical NIC to the public
network
- Incoming VM traffic from public network follows the same path, only VLAN
id is added in this case
Scenario 5: Floating IPs

- So far, qrouter only used routing tables


- But I mentioned iptables nat rules ?
Floating IPs: NAT
Demo: Outbound Traffic
Demo: Inbound traffic
Lastly...

- Want to learn ? packstack deployment


- Neutron is very logical
- tcpdump , ethtool & dummy/mirror interfaces are your friends
- Special thanks to
- draw.io
- Google
- Everyone who shares knowledge about openstack

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy