OVN安装和配置
控制节点
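# Control node: install the OVN packages (central + host + the networking-ovn
# Neutron driver), start OVS and expose the OVN northbound/southbound databases.
# Stop at the first failing step instead of running the later commands against
# a half-installed node.
set -euo pipefail

yum install -y openvswitch-ovn-central.x86_64 openvswitch-ovn-common.x86_64 openvswitch-ovn-host.x86_64 openvswitch-ovn-vtep.x86_64
yum install -y python2-networking-ovn.noarch python2-networking-ovn-metadata-agent.noarch python2-networking-ovn-migration-tool.noarch
systemctl start openvswitch
/usr/share/openvswitch/scripts/ovs-ctl start --system-id="random"
# NB (6641) and SB (6642) listeners; inactivity_probe is in milliseconds.
# ptcp: is plaintext with no client authentication, so anything that can reach
# these ports can rewrite the logical topology (NB) or the port bindings (SB).
# Bind them to the management address only and firewall them to the controller
# and the chassis; outside a lab use pssl: with certificates (ovn-nbctl /
# ovn-sbctl set-ssl) and ssl: on the clients.
ovn-nbctl set-connection ptcp:6641:192.168.56.101 -- set connection . inactivity_probe=60000
ovn-sbctl set-connection ptcp:6642:192.168.56.101 -- set connection . inactivity_probe=60000
# The control node now runs three ovsdb-servers: the original ovs-db plus
# ovn-south-db and ovn-north-db.
systemctl start ovn-northd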
vim /etc/neutron/neutron.conf
# neutron.conf: ML2 as core plugin, routers provided by the networking-ovn L3
# service plugin.
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
service_plugins = networking_ovn.l3.l3_ovn.OVNL3RouterPlugin
# Non-distributed routers: the NB dump below shows a single gateway chassis on
# the router's provider-side port.
router_distributed = False
vim /etc/neutron/plug.ini
# ML2 side: OVN as the mechanism driver and the Geneve VNI range it may use.
mechanism_drivers = ovn
[ml2_type_geneve]
vni_ranges = 1:1000
[ovn]
# neutron-server's sessions to the OVN NB/SB databases. tcp: is plaintext with
# no authentication; outside a lab use ssl: URLs together with the [ovn]
# private-key/certificate/CA-cert options and firewall 6641/6642 to the
# controller and the chassis.
ovn_nb_connection = tcp:192.168.56.101:6641
ovn_sb_connection = tcp:192.168.56.101:6642
# Scheduler used to pick a gateway chassis for each router.
ovn_l3_scheduler = leastloaded
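# Apply the networking-ovn schema migrations, then restart neutron-server so
# the new core/service plugins and the [ovn] settings take effect. Abort if
# the migration fails rather than restarting the server on a broken schema.
set -euo pipefail
neutron-db-manage --subproject networking-ovn upgrade head
systemctl restart neutron-server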
计算节点
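# Compute node (OVN chassis): install OVS/OVN, register this host with the OVN
# southbound database and wire up the provider bridge. Per-node values come
# from the environment so the same listing works on every chassis; the
# defaults are the literal values of the original listing (per the
# ovs-vsctl show / ovn-sbctl show output below, compute1 uses enp0s8 and
# 192.168.2.2, compute2 uses enp0s9 and 192.168.2.3).
set -euo pipefail

# Tunnel endpoint address of this chassis.
ovn_encap_ip=${OVN_ENCAP_IP:-192.168.2.2}
# Physical NIC carrying the provider (external) network.
provider_nic=${PROVIDER_NIC:-enp0s9}

yum install -y openvswitch-ovn-central.x86_64 openvswitch-ovn-common.x86_64 openvswitch-ovn-host.x86_64 openvswitch-ovn-vtep.x86_64
yum install -y python2-networking-ovn.noarch python2-networking-ovn-metadata-agent.noarch python2-networking-ovn-migration-tool.noarch
/usr/share/openvswitch/scripts/ovs-ctl start --system-id="random"
ovs-vsctl set open . external-ids:ovn-bridge=br-int
# ovn-controller's SB session. tcp: is plaintext and unauthenticated, so any
# host that can reach port 6642 on the controller can register itself as a
# chassis and claim port bindings; keep it on the management network and
# prefer ssl: with a per-chassis certificate outside a lab.
ovs-vsctl set open . external-ids:ovn-remote=tcp:192.168.56.101:6642
ovs-vsctl set open . external-ids:ovn-encap-type=geneve,vxlan
ovs-vsctl set open . external-ids:ovn-encap-ip="$ovn_encap_ip"
# Advertise this chassis as a router gateway candidate (the NB dump below
# shows the router's provider port pinned to one gateway chassis).
ovs-vsctl set open . external-ids:ovn-cms-options="enable-chassis-as-gw"
ovs-vsctl --may-exist add-br br-provider -- set bridge br-provider protocols=OpenFlow13
ovs-vsctl set open . external-ids:ovn-bridge-mappings=provider:br-provider
# Attach the physical uplink; from here on the NIC is owned by br-provider.
ovs-vsctl --may-exist add-port br-provider "$provider_nic"
systemctl start ovn-controller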
OVN实验
一个控制节点,两个计算节点,创建一个外网provider,两个内网net0和net1,一个路由器router
再创建两个VM分布在两个计算节点,分别连接到两个内网上,启用securitygroup
研究VM之间互通和VM流量出外网
openstack上信息如下
[root@controller ~]# openstack router list
-------------------------------------- -------- -------- ------- ----------------------------------
| ID | Name | Status | State | Project |
-------------------------------------- -------- -------- ------- ----------------------------------
| c9ea1061-4aa5-4a26-8025-ae463b4bd7e4 | router | ACTIVE | UP | 0b7065e7e73a4eb4971bf8a8f2816f2e |
-------------------------------------- -------- -------- ------- ----------------------------------
[root@controller ~]# openstack network list
-------------------------------------- ---------- --------------------------------------
| ID | Name | Subnets |
-------------------------------------- ---------- --------------------------------------
| 4cb371b8-bcff-41cc-8802-40915492fc5f | net1 | cfde54a6-f72f-4dd8-85a6-1abb6af9b3da |
| 772cb643-fb89-4c5b-96db-b3764c791649 | net0 | d0fe607d-e434-43a8-980e-d4c70a8af907 |
| 976e06f0-3573-439d-ac9c-2b7968f145c8 | provider | b05f6bf7-2c1b-4e21-975c-329b73a3775d |
-------------------------------------- ---------- --------------------------------------
[root@controller ~]# openstack server list
-------------------------------------- -------------- -------- ------------------------------- -------- ---------------
| ID | Name | Status | Networks | Image | Flavor |
-------------------------------------- -------------- -------- ------------------------------- -------- ---------------
| d24c09e0-a13a-4863-99fd-713353037dff | cirros-test1 | ACTIVE | net1=192.168.1.93, 10.0.3.201 | cirros | flavor-cirros |
| 3ccddf25-e419-45ce-afe6-873edb85eb05 | cirros-test0 | ACTIVE | net0=192.168.0.207 | cirros | flavor-cirros |
-------------------------------------- -------------- -------- ------------------------------- -------- ---------------
[root@controller ~]# openstack floating ip list
-------------------------------------- --------------------- ------------------ -------------------------------------- -------------------------------------- ----------------------------------
| ID | Floating IP Address | Fixed IP Address | Port | Floating Network | Project |
-------------------------------------- --------------------- ------------------ -------------------------------------- -------------------------------------- ----------------------------------
| b57bd802-fa4c-48ba-a026-7a711d20dc5c | 10.0.3.201 | 192.168.1.93 | ddd6b73e-9d49-42e0-b09b-94480e8df6c7 | 976e06f0-3573-439d-ac9c-2b7968f145c8 | 0b7065e7e73a4eb4971bf8a8f2816f2e |
-------------------------------------- --------------------- ------------------ -------------------------------------- -------------------------------------- ----------------------------------
分别看NB,SB和ovs中的东西。注意下面对三个logical switch执行acl-list都没有输出,但net1的ls_in_pre_acl表里已经有`reg0[0] = 1`这条有状态ACL的预处理流:这个版本的networking-ovn应该是把security group的ACL挂在Port_Group上而不是logical switch上,可以用ovn-nbctl list Port_Group确认。
OVN-NB DB上信息
[root@controller ~]# ovn-nbctl show
switch 3a0ea261-e893-456b-9d44-e16a33f6828d (neutron-4cb371b8-bcff-41cc-8802-40915492fc5f) (aka net1)
port ae2df452-455d-448e-af5c-a48a92113458
type: router
router-port: lrp-ae2df452-455d-448e-af5c-a48a92113458
port ddd6b73e-9d49-42e0-b09b-94480e8df6c7
addresses: ["fa:16:3e:a8:5b:17 192.168.1.93", "unknown"]
switch db3de706-68f7-4d3f-980c-912f10396ace (neutron-772cb643-fb89-4c5b-96db-b3764c791649) (aka net0)
port 6a3f0893-ab71-4ed9-a452-67a32e7ff9e1
type: router
router-port: lrp-6a3f0893-ab71-4ed9-a452-67a32e7ff9e1
port 78f8c183-6654-4590-81ab-a7e35039aa23
addresses: ["fa:16:3e:55:d6:07 192.168.0.207", "unknown"]
switch de10050a-898e-4cdc-9e36-98e637ef4280 (neutron-976e06f0-3573-439d-ac9c-2b7968f145c8) (aka provider)
port 7c053b5d-f6f1-42a8-9543-b8dc007df437
type: router
addresses: ["router", "unknown"]
router-port: lrp-7c053b5d-f6f1-42a8-9543-b8dc007df437
port provnet-976e06f0-3573-439d-ac9c-2b7968f145c8
type: localnet
addresses: ["unknown"]
router bf0c7544-7341-414a-b1c5-2883351a8ec6 (neutron-c9ea1061-4aa5-4a26-8025-ae463b4bd7e4) (aka router)
port lrp-7c053b5d-f6f1-42a8-9543-b8dc007df437
mac: "fa:16:3e:00:ac:5c"
networks: ["10.0.3.161/24"]
gateway chassis: [b79410ba-eb77-48e8-bf0f-efcb08c32227]
port lrp-6a3f0893-ab71-4ed9-a452-67a32e7ff9e1
mac: "fa:16:3e:c6:3b:84"
networks: ["192.168.0.1/24"]
port lrp-ae2df452-455d-448e-af5c-a48a92113458
mac: "fa:16:3e:22:79:f8"
networks: ["192.168.1.1/24"]
nat 2550fc99-cad7-4635-8436-c26f85cbccd5
external ip: "10.0.3.201"
logical ip: "192.168.1.93"
type: "dnat_and_snat"
nat 292c56af-a833-41d4-abad-ee6c9a6dd916
external ip: "10.0.3.161"
logical ip: "192.168.0.0/24"
type: "snat"
nat e85f7b26-7bcd-4b58-ad5e-ba6099aa7c3f
external ip: "10.0.3.161"
logical ip: "192.168.1.0/24"
type: "snat"
[root@controller ~]# ovn-nbctl ls-list
3a0ea261-e893-456b-9d44-e16a33f6828d (neutron-4cb371b8-bcff-41cc-8802-40915492fc5f)
db3de706-68f7-4d3f-980c-912f10396ace (neutron-772cb643-fb89-4c5b-96db-b3764c791649)
de10050a-898e-4cdc-9e36-98e637ef4280 (neutron-976e06f0-3573-439d-ac9c-2b7968f145c8)
[root@controller ~]# ovn-nbctl acl-list 3a0ea261-e893-456b-9d44-e16a33f6828d
[root@controller ~]# ovn-nbctl acl-list db3de706-68f7-4d3f-980c-912f10396ace
[root@controller ~]# ovn-nbctl acl-list de10050a-898e-4cdc-9e36-98e637ef4280
[root@controller ~]# ovn-nbctl qos-list de10050a-898e-4cdc-9e36-98e637ef4280
[root@controller ~]# ovn-nbctl lr-list
bf0c7544-7341-414a-b1c5-2883351a8ec6 (neutron-c9ea1061-4aa5-4a26-8025-ae463b4bd7e4)
[root@controller ~]# ovn-nbctl lr-route-list bf0c7544-7341-414a-b1c5-2883351a8ec6
IPv4 Routes
0.0.0.0/0 10.0.3.2 dst-ip
[root@controller ~]# ovn-nbctl lr-nat-list bf0c7544-7341-414a-b1c5-2883351a8ec6
TYPE EXTERNAL_IP LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT
dnat_and_snat 10.0.3.201 192.168.1.93
snat 10.0.3.161 192.168.1.0/24
snat 10.0.3.161 192.168.0.0/24
[root@controller ~]# ovn-nbctl dhcp-options-list
2f6405aa-59e3-4dcc-a1ad-e18a0494408a
85daf3cf-0703-4810-a5cc-374dd165c3cd
9a0a3bd6-3dcb-46c4-90a5-043abebb0eb4
[root@controller ~]#
OVN-SB DB
[root@controller ~]# ovn-sbctl show
Chassis "b79410ba-eb77-48e8-bf0f-efcb08c32228"
hostname: "compute2"
Encap vxlan
ip: "192.168.2.3"
options: {csum="true"}
Encap geneve
ip: "192.168.2.3"
options: {csum="true"}
Port_Binding "ddd6b73e-9d49-42e0-b09b-94480e8df6c7"
Chassis "b79410ba-eb77-48e8-bf0f-efcb08c32227"
hostname: "compute1"
Encap vxlan
ip: "192.168.2.2"
options: {csum="true"}
Encap geneve
ip: "192.168.2.2"
options: {csum="true"}
Port_Binding "78f8c183-6654-4590-81ab-a7e35039aa23"
Port_Binding "cr-lrp-7c053b5d-f6f1-42a8-9543-b8dc007df437"
[root@controller ~]# ovn-sbctl dump-flows
Datapath: "neutron-4cb371b8-bcff-41cc-8802-40915492fc5f" aka "net1" (0c5826cf-1a88-4ca7-91e0-795a270578f1) Pipeline: ingress
table=0 (ls_in_port_sec_l2 ), priority=100 , match=(eth.src[40]), action=(drop;)
table=0 (ls_in_port_sec_l2 ), priority=100 , match=(vlan.present), action=(drop;)
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "ae2df452-455d-448e-af5c-a48a92113458"), action=(next;)
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "ddd6b73e-9d49-42e0-b09b-94480e8df6c7"), action=(next;)
table=1 (ls_in_port_sec_ip ), priority=0 , match=(1), action=(next;)
table=2 (ls_in_port_sec_nd ), priority=0 , match=(1), action=(next;)
table=3 (ls_in_pre_acl ), priority=110 , match=(ip && inport == "ae2df452-455d-448e-af5c-a48a92113458"), action=(next;)
table=3 (ls_in_pre_acl ), priority=110 , match=(nd || nd_rs || nd_ra || icmp4.type == 3 || icmp6.type == 1 || (tcp && tcp.flags == 4)), action=(next;)
table=3 (ls_in_pre_acl ), priority=100 , match=(ip), action=(reg0[0] = 1; next;)
compute1桥和流表
[root@compute1 ~]# ovs-vsctl show
a08c6f9b-b2f9-4378-80d1-c8dbdd02a9e0
Bridge br-provider
Port br-provider
Interface br-provider
type: internal
Port "enp0s8"
Interface "enp0s8"
Port "patch-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8-to-br-int"
Interface "patch-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8-to-br-int"
type: patch
options: {peer="patch-br-int-to-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8"}
Bridge br-int
fail_mode: secure
Port "patch-br-int-to-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8"
Interface "patch-br-int-to-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8"
type: patch
options: {peer="patch-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8-to-br-int"}
Port "ovn-b79410-0"
Interface "ovn-b79410-0"
type: geneve
options: {csum="true", key=flow, remote_ip="192.168.2.3"}
Port br-int
Interface br-int
type: internal
Port "tap78f8c183-66"
Interface "tap78f8c183-66"
ovs_version: "2.11.0"
[root@compute1 ~]#
[root@compute1 ~]# ovs-ofctl dump-flows br-int
cookie=0x0, duration=502952.443s, table=0, n_packets=82, n_bytes=6507, priority=100,in_port="ovn-b79410-0" actions=move:NXM_NX_TUN_ID[0..23]->OXM_OF_METADATA[0..23],move:NXM_NX_TUN_METADATA0[16..30]->NXM_NX_REG14[0..14],move:NXM_NX_TUN_METADATA0[0..15]->NXM_NX_REG15[0..15],resubmit(,33)
cookie=0x0, duration=3244.330s, table=0, n_packets=53, n_bytes=4620, priority=100,in_port="tap78f8c183-66" actions=load:0xa->NXM_NX_REG13[],load:0x1->NXM_NX_REG11[],load:0x5->NXM_NX_REG12[],load:0x2->OXM_OF_METADATA[],load:0x2->NXM_NX_REG14[],resubmit(,8)
cookie=0x0, duration=506852.785s, table=0, n_packets=14036, n_bytes=849448, priority=100,in_port="patch-br-int-to",vlan_tci=0x0000/0x1000 actions=load:0x8->NXM_NX_REG13[],load:0x3->NXM_NX_REG11[],load:0x7->NXM_NX_REG12[],load:0x1->OXM_OF_METADATA[],load:0x1->NXM_NX_REG14[],resubmit(,8)
cookie=0x0, duration=506852.785s, table=0, n_packets=0, n_bytes=0, priority=100,in_port="patch-br-int-to",dl_vlan=0 actions=strip_vlan,load:0x8->NXM_NX_REG13[],load:0x3->NXM_NX_REG11[],load:0x7->NXM_NX_REG12[],load:0x1->OXM_OF_METADATA[],load:0x1->NXM_NX_REG14[],resubmit(,8)
cookie=0xabb9facf, duration=506852.807s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x3,vlan_tci=0x1000/0x1000 actions=drop
cookie=0xcb7dd5cf, duration=506852.802s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x1,vlan_tci=0x1000/0x1000 actions=drop
cookie=0xd018baf0, duration=3566.794s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x2,vlan_tci=0x1000/0x1000 actions=drop
cookie=0x43bc5840, duration=3556.844s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x4,vlan_tci=0x1000/0x1000 actions=drop
cookie=0x5e54306c, duration=506852.805s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x1,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
cookie=0xabb9facf, duration=506852.803s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x3,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
cookie=0xcc73a6c9, duration=3566.794s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x2,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
cookie=0x920ca92a, duration=3556.844s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x4,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
cookie=0x9bb23761, duration=506852.804s, table=8, n_packets=316, n_bytes=24459, priority=50,reg14=0x2,metadata=0x1 actions=resubmit(,9)
cookie=0xa869d55f, duration=506852.803s, table=8, n_packets=14036, n_bytes=849448, priority=50,reg14=0x1,metadata=0x1 actions=resubmit(,9)
compute2桥和流表
[root@compute2 ~]# ovs-vsctl show
18c8dc91-b0a8-434f-a46a-4fd3ab59e986
Bridge br-provider
Port br-provider
Interface br-provider
type: internal
Port "patch-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8-to-br-int"
Interface "patch-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8-to-br-int"
type: patch
options: {peer="patch-br-int-to-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8"}
Port "enp0s9"
Interface "enp0s9"
Bridge br-int
fail_mode: secure
Port "ovn-b79410-0"
Interface "ovn-b79410-0"
type: geneve
options: {csum="true", key=flow, remote_ip="192.168.2.2"}
Port "tapddd6b73e-9d"
Interface "tapddd6b73e-9d"
Port "patch-br-int-to-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8"
Interface "patch-br-int-to-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8"
type: patch
options: {peer="patch-provnet-976e06f0-3573-439d-ac9c-2b7968f145c8-to-br-int"}
Port br-int
Interface br-int
type: internal
ovs_version: "2.11.0"
[root@compute2 ~]#
[root@compute2 ~]# ovs-ofctl dump-flows -O OpenFlow13 br-provider
cookie=0x0, duration=503290.470s, table=0, n_packets=152, n_bytes=9196, priority=0 actions=NORMAL
[root@compute2 ~]# ovs-ofctl dump-flows -O OpenFlow13 br-int
cookie=0x0, duration=503307.117s, table=0, n_packets=72, n_bytes=6030, priority=100,in_port="ovn-b79410-0" actions=move:NXM_NX_TUN_ID[0..23]->OXM_OF_METADATA[0..23],move:NXM_NX_TUN_METADATA0[16..30]->NXM_NX_REG14[0..14],move:NXM_NX_TUN_METADATA0[0..15]->NXM_NX_REG15[0..15],resubmit(,33)
cookie=0x0, duration=3530.312s, table=0, n_packets=51, n_bytes=4424, priority=100,in_port="tapddd6b73e-9d" actions=set_field:0x1->reg13,set_field:0x4->reg11,set_field:0x3->reg12,set_field:0x4->metadata,set_field:0x2->reg14,resubmit(,8)
cookie=0x0, duration=3530.313s, table=0, n_packets=152, n_bytes=9196, priority=100,in_port="patch-br-int-to",vlan_tci=0x0000/0x1000 actions=set_field:0x8->reg13,set_field:0x6->reg11,set_field:0xa->reg12,set_field:0x1->metadata,set_field:0x1->reg14,resubmit(,8)
cookie=0x0, duration=3530.313s, table=0, n_packets=0, n_bytes=0, priority=100,in_port="patch-br-int-to",dl_vlan=0 actions=pop_vlan,set_field:0x8->reg13,set_field:0x6->reg11,set_field:0xa->reg12,set_field:0x1->metadata,set_field:0x1->reg14,resubmit(,8)
cookie=0xabb9facf, duration=3530.268s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x3,vlan_tci=0x1000/0x1000 actions=drop
cookie=0xd018baf0, duration=3530.265s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x2,vlan_tci=0x1000/0x1000 actions=drop
cookie=0xcb7dd5cf, duration=3530.261s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x1,vlan_tci=0x1000/0x1000 actions=drop
cookie=0x43bc5840, duration=3530.261s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x4,vlan_tci=0x1000/0x1000 actions=drop
cookie=0x5e54306c, duration=3530.264s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x1,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
cookie=0xabb9facf, duration=3530.263s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x3,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
cookie=0xcc73a6c9, duration=3530.263s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x2,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
cookie=0x920ca92a, duration=3530.261s, table=8, n_packets=0, n_bytes=0, priority=100,metadata=0x4,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
cookie=0xd70a9258, duration=3530.269s, table=8, n_packets=2, n_bytes=196, priority=50,reg14=0x1,metadata=0x2 actions=resubmit(,9)
cookie=0x9bb23761, duration=3530.264s, table=8, n_packets=0, n_bytes=0, priority=50,reg14=0x2,metadata=0x1 actions=resubmit(,9)
由于ovn logical flow和ovs flow太多了,只粘贴了部分,大家感受一下,ovn和openstack原来的agent相比流表爆发性增长,因为所有的功能都用流表实现了。