Test the connection between the two containers attached to the OVS bridge with the ping command.

Extra configuration

If the containers need Internet access, a port must be added to the host's Ethernet bridge, which can be configured with the command shown below.

Before I begin, for those unfamiliar with Open vSwitch, please check out my friend David Mahler's YouTube page for comprehensive introductory videos. Over the past year I've spent some time compiling troubleshooting documents and procedures for all things cloud (OpenStack, SDN, Open vSwitch, etc.).
Context

There are quite a few different networking designs that can be created, but to keep this simple we will work under the assumption that we are configuring a host OS on a computer that has two physical Ethernet ports. The first port (eth0) is used exclusively by the host OS. The second port (eth1) is reserved for the vSwitch, which has the guest OS(s) attached to it. We also assume that the two physical ports are connected to a simple hardware Ethernet switch, without anything advanced such as VLAN tagging.

Background on OpenFlow and Open vSwitch

Open vSwitch has three service components: the database, the server and the controller.
The database daemon keeps track of interfaces that are created or modified, so that after a reboot they can be automatically re-created and configured. The server daemon actually sets up and manages the network, and interfaces with the switching functionality within the kernel.
The controller daemon may be the part you are least familiar with, as it is specific to OpenFlow. In a non-OpenFlow switch there is the hardware that does all the work, and there is a controller: the 'brains' of the switch, containing all the logic used to determine how packets are routed. With OpenFlow, the controller logic and the packet-routing functionality are decoupled from each other. This allows the controller logic to be centralized into one controller that provides the logic for any number of switches.
This provides the advantages of quicker deployment, cheaper hardware, and tight integration of both physical and virtual switches. It also blurs the distinction between the roles of switch and router. The controller daemon provides this functionality and can control multiple Open vSwitch instances, as well as hardware switches that support OpenFlow. Alternatively, it can be turned off, with the controller functionality provided by a controller elsewhere in the network.

For the scope of this article, we will just assume that the controller daemon is only being used by the single virtual switch we are creating.

System Setup

Kernel

You need to activate the following kernel options.

Note

The 'ptcp:' option is set to match how the controller is set up in /etc/conf.d/ovs-controller, which by default is configured to listen for IP socket connections on port 6633. If you are only using the controller on the local machine, you can set the controller to use a Unix domain socket. Generally, Unix domain sockets are more lightweight, with less overhead than IP sockets, so they can provide faster communication between the controller and the bridge.
If you want to go that route, you need to configure both the controller and the bridge to use a Unix socket. Please refer to the man pages for more details.

One setting that is optional, but very highly recommended, is to turn on the spanning tree protocol.

root # /etc/init.d/virt-net.vbr0 start

At this point the virtual machine should be just like another computer on the network connected to the physical switch.

Closing

There is a lot of functionality available in Open vSwitch that this article does not touch. You can set up VLAN tagging, QoS rules, create re-routing rules, block IP addresses, block ports, and much more. Feel free to reference the online documentation and man pages if you are interested in adding complex functionality to the controller.
Basic Test with Open vSwitch

This tutorial creates a simple SDN test environment with two physical servers (or virtual machines instead). If you are confused by some of the concepts, read up on them first. You need two physical servers with namespace support for this tutorial. This tutorial assumes you are using CentOS 7, but any Linux version in which the "ip netns" command is available can be used.
If you want to try VLAN networks, you may need to configure the physical switch port to "trunk mode". If that is not possible, you can still use VXLAN isolation; in that case you may use virtual machines (even in a public cloud) in place of physical servers.

This tutorial assumes you are using the root account; if you run into privilege problems with a non-root account, you may need sudo.

Most of the setup steps should be done on both servers, or on every server in the cluster, except for a few single-node steps and all the API calls with curl that create global objects (physical networks, physical ports, logical networks, subnets, virtual routers).
Caution

It is a huge security hole to open the Redis port on the Internet without password protection: attackers can gain full control of your server by using administrative commands to overwrite sensitive files such as ~/.ssh/authorized_keys. Make sure you use private IP addresses, or configure iptables or your firewall correctly to allow connections only from your servers. Newer versions of Redis also block this configuration with a "protected mode"; you may need to disable it after you have configured iptables correctly.

curl -g -d 'type=vxlan&vnirange=`0`&id=vxlan'

You may run this command on any of your server nodes. All server nodes share the same data storage, so you create the network configuration once and it can be used anywhere.

The id of the newly created physical network is "vxlan"; this is a convenient name for further calls, but you can replace it with any name you like. If you do not specify an id, VLCP creates a UUID for you.
vnirange specifies a list of VNI ranges; note that, unlike range in Python, these ranges include both the begin and the end value. For example, a range from 0 to 10000 covers 10001 VNIs. Network engineers are usually more familiar with this type of range.

Note

By default, the management API supports HTTP GET (with a query string), HTTP POST (with standard form data), and HTTP POST with JSON-format POST data.
Although the HTTP GET/POST format is usually the easiest way to call the API from the shell command line, JSON-format POST may be more convenient when integrating with other systems.

A ``-quoted expression is a VLCP-specific extension. Some APIs need data types other than strings for their parameters. When a string parameter is quoted with ``, VLCP recognizes it as a literal expression in Python. You may use numbers, strings, tuples, lists, dictionaries, sets and any combination of them in a quoted expression. Brackets have a special meaning in curl (URL globbing), which is why we use the -g option to turn it off.

Note

VXLAN adds an extra overlay packet header to each packet, so we leave 50 bytes for the header and set MTU=1450. If your underlay network supports a larger MTU, you can set a larger MTU instead. The embedded DHCP service uses this configuration to generate a DHCP option that sets the MTU on the logical port (the vNIC in a virtual machine). vlcp-docker-plugin also uses it to generate MTU configuration for Docker.

You may use an extra parameter vni=10001 to explicitly specify the VNI used by this logical network. If omitted, VLCP automatically assigns a free VNI from the physical network's VNI ranges.
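The ``-quoted parameters and the VNI range rules described above, as an added example that is not VLCP's own code: it parses a constructed form body of the kind the curl call sends, treats a ``-quoted value as a Python literal, checks that each range is an inclusive pair inside the 24-bit VNI space, and picks a VNI the way the text describes, rejecting a used or out-of-range VNI and failing once the ranges are exhausted. Using ast.literal_eval instead of eval() and the list-of-pairs shape of vnirange are this example's assumptions, not facts about VLCP.

```python
import ast
from urllib.parse import parse_qsl

VNI_MAX = 2**24 - 1  # the VXLAN VNI is a 24-bit field

# Constructed sample: the form body such a curl -d call would send.
SAMPLE_QUERY = "type=vxlan&vnirange=`[(0,10000)]`&id=vxlan"


def parse_api_params(query):
    """Parse form-encoded API parameters; a value wrapped in `` is a Python literal.
    ast.literal_eval accepts only literals (numbers, strings, tuples, lists, dicts,
    sets), never names or calls; choosing it over eval() is this example's decision,
    not a statement about how VLCP itself evaluates the expression."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if len(value) >= 2 and value[0] == value[-1] == "`":
            params[key] = ast.literal_eval(value[1:-1])
        else:
            params[key] = value
    return params


def validate_vni_ranges(ranges):
    """Each range is an inclusive (begin, end) pair holding end - begin + 1 VNIs."""
    for begin, end in ranges:
        if not (0 <= begin <= end <= VNI_MAX):
            raise ValueError(f"invalid VNI range {(begin, end)}")
    return [(begin, end) for begin, end in ranges]


def count_vnis(ranges):
    return sum(end - begin + 1 for begin, end in ranges)


def assign_vni(ranges, used, vni=None):
    """Pick the VNI for a new logical network: an explicit vni must lie inside a
    range and be unused, otherwise the lowest free VNI is taken. Exhausted ranges
    or a VNI already in use raise ValueError (the API call fails)."""
    if vni is not None:
        if not any(begin <= vni <= end for begin, end in ranges):
            raise ValueError(f"VNI {vni} is outside the physical network's ranges")
        if vni in used:
            raise ValueError(f"VNI {vni} is already used")
        used.add(vni)
        return vni
    for begin, end in ranges:
        for candidate in range(begin, end + 1):
            if candidate not in used:
                used.add(candidate)
                return candidate
    raise ValueError("all VNIs in the VNI ranges are used")
```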
The creation fails if all the VNIs in the VNI ranges are used, or if the specified VNI is already used.

Then, create a subnet for each logical network.

Run

ip netns exec vlcpns1 dhclient -x -pf /var/run/dhclient-vlcp-port1.pid -lf /var/lib/dhclient/dhclient-vlcp-port1.leases vlcp-port1

to stop it. You may also configure the IP addresses and MTU yourself instead of acquiring them from DHCP.

It is not necessary to call the createlogicalport API on the same server where the OVS port is created. The order does not matter either (if you use a fixed MAC address). If you delete the OVS port and re-create it on another server, all configurations are still in effect, so you can migrate a virtual machine or Docker container without network loss. You may also choose to omit the id parameter to let VLCP generate a UUID for you; then set the UUID as external_ids:iface-id of the OVS port.

Now you should see that logical ports in the same logical network can ping each other, while logical ports from different logical networks cannot. Try it yourself.

(Optional) Create VLAN Physical Networks

If your servers are connected to physical switches, the ports your servers are connected to are configured in "trunk mode", and VLANs are correctly configured and permitted on the physical switches, you may create a VLAN physical network to connect your vNICs through the VLAN network. This is usually an easy way to connect your vNICs to traditional networks. Creating a VLAN physical network is not that different from creating a VXLAN physical network.
We will assume your VLAN network is connected through a physical NIC or bonding device named bond0.

Note

If your VLAN network has external gateways, you may want to specify isexternal=`True` when creating subnets. When such a subnet is connected to a virtual router, the virtual router uses the external gateway as its default gateway. Static routes should be configured on the external gateway for the other logical networks connected to the virtual router. Alternatively you may use NAT; although the current version does not support NAT yet, it is not too difficult to implement a simple source NAT solution with iptables.