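Introduction
OpenStack TaaS (tap as a service) can be used for traffic mirroring. An OVS bridge can also do mirroring, but only between ports on the same bridge. TaaS can mirror the traffic of a set of OpenStack ports to a single port, no matter which hosts those ports are bound to, and it does this with the all-powerful OVS flow tables.
Installation and configuration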
- controller
yum install -y python2-tap-as-a-service.noarch
vim /etc/neutron/neutron.conf
service_plugins = router, taas
service_provider = TAAS:TAAS:neutron_taas.services.taas.service_drivers.taas_rpc.TaasRpcDriver:default
neutron-db-manage --subproject tap-as-a-service upgrade head
systemctl restart neutron-server
- compute
yum install -y python2-tap-as-a-service.noarch
vim /etc/neutron/plugins/ml2/openvswitch_agent.ini
[agent]
extensions = taas
systemctl restart neutron-openvswitch-agent
Testing
# http_client and http_server are on one physical host; monitor is on another physical host.
# The goal is to mirror the traffic leaving http_client to monitor_server on the other physical host.
openstack server create --availability-zone bj2 --network net0 --image centos7-hw --flavor centos7-flavor http_client
openstack server create --availability-zone bj2 --network net0 --image centos7-hw --flavor centos7-flavor http_server
openstack server create --availability-zone bj3 --network provider --image centos7-hw --flavor centos7-flavor monitor_server
# The port here is monitor_server's port
[root@test25g04 nova]# neutron tap-service-create --name tap_service_test --port 418f3e00-e277-4b52-bd56-e41cdd14c917
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new tap_service:
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description |                                      |
| id          | c6265260-d1c2-4906-b692-89c9a6381d45 |
| name        | tap_service_test                     |
| port_id     | 418f3e00-e277-4b52-bd56-e41cdd14c917 |
| project_id  | 02c0f9589cca400abd623868516c209b     |
| status      | ACTIVE                               |
| tenant_id   | 02c0f9589cca400abd623868516c209b     |
+-------------+--------------------------------------+
# The port here is http_client's port
[root@test25g04 nova]# neutron tap-flow-create --name tap_flow_test --port 8f19d429-136d-4e36-b0f9-c1091bfaeaf1 --tap-service tap_service_test --direction both
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new tap_flow:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| description    |                                      |
| direction      | BOTH                                 |
| id             | 66558dcd-51d4-42df-aeb8-02072382a1fa |
| name           | tap_flow_test                        |
| project_id     | 02c0f9589cca400abd623868516c209b     |
| source_port    | 8f19d429-136d-4e36-b0f9-c1091bfaeaf1 |
| status         | ACTIVE                               |
| tap_service_id | c6265260-d1c2-4906-b692-89c9a6381d45 |
| tenant_id      | 02c0f9589cca400abd623868516c209b     |
| vlan_filter    |                                      |
+----------------+--------------------------------------+
Flow tables
TaaS creates a bridge, br-tap, which is connected to br-int and br-tun. The original traffic follows its original path, while all mirrored traffic passes through br-tap.
[root@test25g05 /home/huiwei]# ovs-vsctl show
61a16370-b8c7-4e14-a930-167fcf45f89b
Manager "ptcp:6640:127.0.0.1"
is_connected: true
Bridge br-tun
Controller "tcp:127.0.0.1:6633"
is_connected: true
fail_mode: secure
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Port br-tun
Interface br-tun
type: internal
Port patch-tun-tap
Interface patch-tun-tap
type: patch
options: {peer=patch-tap-tun}
Port "vxlan-0a8e6136"
Interface "vxlan-0a8e6136"
type: vxlan
options: {df_default="true", egress_pkt_mark="0", in_key=flow, local_ip="10.162.97.117", out_key=flow, remote_ip="10.142.97.54"}
Port "vxlan-0aa26174"
Interface "vxlan-0aa26174"
type: vxlan
Controller "tcp:127.0.0.1:6633"
is_connected: true
fail_mode: secure
Port patch-int-tap
Interface patch-int-tap
type: patch
options: {peer=patch-tap-int}
Port br-int
Interface br-int
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port "qr-055c4591-ec"
tag: 6
Interface "qr-055c4591-ec"
type: internal
Port "qvo382086e2-3b"
tag: 16
Interface "qvo382086e2-3b"
Bridge br-tap
Port br-tap
Interface br-tap
type: internal
Port patch-tap-tun
Interface patch-tap-tun
type: patch
options: {peer=patch-tun-tap}
Port patch-tap-int
Interface patch-tap-int
type: patch
options: {peer=patch-int-tap}
ovs_version: "2.11.0"
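The all-powerful flow table can handle anything, but it also gets more and more complex, and in the end so complex that it turns into a mess; try putting taas, sfc and ovn together and see.
# Physical host where http_client and http_server run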
[root@test25g05 ~]# ovs-ofctl dump-flows br-int
cookie=0xea307a079a500fa5, duration=337644.102s, table=0, n_packets=0, n_bytes=0, priority=65535,vlan_tci=0x0fff/0x1fff actions=drop
# Traffic in and out of http_client is tagged with VLAN 3900; normal traffic is handled by NORMAL, the mirrored copy goes to br-tap
cookie=0xfbe4ec660f92b996, duration=80.962s, table=0, n_packets=3, n_bytes=238, priority=20,in_port="qvo8f19d429-13" actions=NORMAL,mod_vlan_vid:3900,output:"patch-int-tap"
cookie=0xfbe4ec660f92b996, duration=80.942s, table=0, n_packets=3, n_bytes=238, priority=20,dl_dst=fa:16:3e:6a:67:ff actions=NORMAL,mod_vlan_vid:3900,output:"patch-int-tap"
# The flow table on br-tap is easy to read
[root@test25g05 ~]# ovs-ofctl dump-flows br-tap
cookie=0xaf2c7909d5bfc696, duration=337661.726s, table=0, n_packets=971253, n_bytes=66210052, priority=1,in_port="patch-tap-int" actions=resubmit(,1)
cookie=0xaf2c7909d5bfc696, duration=337661.709s, table=0, n_packets=0, n_bytes=0, priority=1,in_port="patch-tap-tun" actions=resubmit(,2)
cookie=0xaf2c7909d5bfc696, duration=337661.693s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0xaf2c7909d5bfc696, duration=337661.677s, table=1, n_packets=963483, n_bytes=65518003, priority=0 actions=output:"patch-tap-tun"
cookie=0xaf2c7909d5bfc696, duration=337661.661s, table=2, n_packets=0, n_bytes=0, priority=0 actions=drop
[root@test25g05 ~]# ovs-ofctl dump-flows br-tun
# Traffic from br-tap goes to table 30, and from table 30 to table 31, which floods; the VLAN tag is converted into the tun id and then VLAN tag 1 is added again. I don't know why it floods.
cookie=0x281e5831e57031b, duration=121990.112s, table=0, n_packets=181150, n_bytes=10519605, idle_age=1, hard_age=65534, priority=1,in_port=5 actions=resubmit(,30)
cookie=0xa46eb8d898c7157d, duration=337675.445s, table=30, n_packets=963502, n_bytes=65519241, priority=0 actions=resubmit(,31)
cookie=0xa46eb8d898c7157d, duration=337675.405s, table=31, n_packets=963502, n_bytes=65519241, priority=0 actions=move:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],mod_vlan_vid:1,output:"vxlan-0a8e6136",output:"vxlan-0aa26174",output:"vxlan-0aa26176",output:"vxlan-0aad07ee"
cookie=0xa46eb8d898c7157d, duration=337675.389s, table=35, n_packets=0, n_bytes=0, priority=2,reg0=0 actions=resubmit(,36)
cookie=0xa46eb8d898c7157d, duration=337675.372s, table=35, n_packets=0, n_bytes=0, priority=1,reg0=0x1 actions=resubmit(,36)
cookie=0xa46eb8d898c7157d, duration=337675.355s, table=35, n_packets=2, n_bytes=204, priority=1,reg0=0x2 actions=resubmit(,37)
cookie=0xa46eb8d898c7157d, duration=337675.338s, table=36, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0xa46eb8d898c7157d, duration=114.021s, table=37, n_packets=2, n_bytes=204, priority=1,tun_id=0xf3c actions=resubmit(,39)
cookie=0xa46eb8d898c7157d, duration=337675.321s, table=37, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0xa46eb8d898c7157d, duration=337675.304s, table=38, n_packets=0, n_bytes=0, priority=2,reg0=0 actions=output:"patch-tun-tap"
cookie=0xa46eb8d898c7157d, duration=337675.287s, table=38, n_packets=0, n_bytes=0, priority=1,reg0=0x1 actions=output:"patch-tun-tap",move:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],mod_vlan_vid:2,IN_PORT
cookie=0xa46eb8d898c7157d, duration=337675.271s, table=39, n_packets=2, n_bytes=204, priority=1 actions=learn(table=30,hard_timeout=60,priority=1,NXM_OF_VLAN_TCI[0..11],load:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],load:0->NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[])
# Physical host where monitor_server runs
[root@test25g06 huiwei]# ovs-ofctl dump-flows br-tun
cookie=0x12e8ac5b0907bc12, duration=255266.548s, table=0, n_packets=5297, n_bytes=476843, priority=1,in_port="vxlan-0aa26174" actions=resubmit(,4)
# A VLAN tag is carried between the vxlan tunnels, which looks wrong; the VLAN tag is moved into reg0
cookie=0x7f3b66b35ed0fcf9, duration=239.509s, table=4, n_packets=6, n_bytes=500, priority=1,tun_id=0xf3c actions=move:NXM_OF_VLAN_TCI[0..11]->NXM_NX_REG0[0..11],move:NXM_NX_TUN_ID[0..11]->NXM_OF_VLAN_TCI[0..11],resubmit(,35)
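# I don't know whether I have failed to understand the principle behind the TaaS flow table design, or whether it is simply designed this messily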
cookie=0x7f3b66b35ed0fcf9, duration=255337.601s, table=35, n_packets=4, n_bytes=296, priority=2,reg0=0 actions=resubmit(,36)
cookie=0x7f3b66b35ed0fcf9, duration=255337.585s, table=35, n_packets=2, n_bytes=204, priority=1,reg0=0x1 actions=resubmit(,36)
cookie=0x7f3b66b35ed0fcf9, duration=255337.570s, table=35, n_packets=0, n_bytes=0, priority=1,reg0=0x2 actions=resubmit(,37)
cookie=0x7f3b66b35ed0fcf9, duration=239.480s, table=36, n_packets=6, n_bytes=500, priority=1,tun_id=0xf3c actions=resubmit(,38)
cookie=0x7f3b66b35ed0fcf9, duration=255337.556s, table=36, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0x7f3b66b35ed0fcf9, duration=255337.542s, table=37, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0x7f3b66b35ed0fcf9, duration=255337.527s, table=38, n_packets=4, n_bytes=296, priority=2,reg0=0 actions=output:"patch-tun-tap"
# I don't know why it also sends the packet back out of IN_PORT
cookie=0x7f3b66b35ed0fcf9, duration=255337.513s, table=38, n_packets=2, n_bytes=204, priority=1,reg0=0x1 actions=output:"patch-tun-tap",move:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],mod_vlan_vid:2,IN_PORT
# I don't know what this one is for
cookie=0x7f3b66b35ed0fcf9, duration=255337.499s, table=39, n_packets=0, n_bytes=0, priority=1 actions=learn(table=30,hard_timeout=60,priority=1,NXM_OF_VLAN_TCI[0..11],load:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],load:0->NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[])
[root@test25g06 huiwei]# ovs-ofctl dump-flows br-tap
cookie=0x1d39eaec29ac1d4d, duration=255323.016s, table=0, n_packets=308101, n_bytes=23353738, priority=1,in_port="patch-tap-int" actions=resubmit(,1)
cookie=0x1d39eaec29ac1d4d, duration=255323.001s, table=0, n_packets=6, n_bytes=500, priority=1,in_port="patch-tap-tun" actions=resubmit(,2)
cookie=0x1d39eaec29ac1d4d, duration=255322.986s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop
cookie=0x1d39eaec29ac1d4d, duration=224.829s, table=1, n_packets=0, n_bytes=0, priority=1,dl_vlan=3900 actions=IN_PORT
cookie=0x1d39eaec29ac1d4d, duration=255322.971s, table=1, n_packets=308101, n_bytes=23353738, priority=0 actions=output:"patch-tap-tun"
cookie=0x1d39eaec29ac1d4d, duration=224.814s, table=2, n_packets=6, n_bytes=500, priority=1,dl_vlan=3900 actions=output:"patch-tap-int"
cookie=0x1d39eaec29ac1d4d, duration=255322.955s, table=2, n_packets=0, n_bytes=0, priority=0 actions=drop
[root@test25g06 huiwei]# ovs-ofctl dump-flows br-int
cookie=0x7015afff25d09fed, duration=255304.955s, table=0, n_packets=0, n_bytes=0, priority=65535,vlan_tci=0x0fff/0x1fff actions=drop
cookie=0x27b3fd60ae6602fa, duration=204.387s, table=0, n_packets=6, n_bytes=500, priority=25,in_port="patch-int-tap",dl_vlan=3900 actions=mod_vlan_vid:19,output:"qvo418f3e00-e2"
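
An added example (not from the original post or the TaaS project): a small Python audit over the flow lines shown above. It lists which ports are being mirrored and to which monitor port, and confirms that tap VLAN 3900 is the same value as the tun_id 0xf3c matched on br-tun. The flow lines are copied from the dumps on this page with cookie, duration and counters trimmed; the function names are hypothetical.

```python
import re

# Flow lines copied from this page's dumps (cookie/duration/counters trimmed).
BR_INT_SRC = '''
table=0, priority=65535,vlan_tci=0x0fff/0x1fff actions=drop
table=0, priority=20,in_port="qvo8f19d429-13" actions=NORMAL,mod_vlan_vid:3900,output:"patch-int-tap"
table=0, priority=20,dl_dst=fa:16:3e:6a:67:ff actions=NORMAL,mod_vlan_vid:3900,output:"patch-int-tap"
'''
BR_INT_DST = 'table=0, priority=25,in_port="patch-int-tap",dl_vlan=3900 actions=mod_vlan_vid:19,output:"qvo418f3e00-e2"'
BR_TUN_DST = 'table=4, priority=1,tun_id=0xf3c actions=move:NXM_NX_TUN_ID[0..11]->NXM_OF_VLAN_TCI[0..11],resubmit(,35)'

def flows(dump):
    """Yield (match, actions) for each flow line in an ovs-ofctl dump."""
    for line in dump.splitlines():
        if " actions=" in line:
            yield line.strip().split(" actions=", 1)

def tap_sources(br_int_dump):
    """Flows that copy traffic towards br-tap: {(field, value, tap_vlan)}."""
    found = set()
    for match, actions in flows(br_int_dump):
        vlan = re.search(r'mod_vlan_vid:(\d+),output:"?patch-int-tap"?', actions)
        what = re.search(r'(in_port|dl_dst)="?([^",\s]+)"?', match)
        if vlan and what:
            found.add((what.group(1), what.group(2), int(vlan.group(1))))
    return found

def tap_sinks(br_int_dump):
    """Flows that deliver mirrored traffic: {tap_vlan: monitor_port}."""
    sinks = {}
    for match, actions in flows(br_int_dump):
        vlan = re.search(r'in_port="?patch-int-tap"?,dl_vlan=(\d+)', match)
        out = re.search(r'output:"?([^",\s]+)"?', actions)
        if vlan and out:
            sinks[int(vlan.group(1))] = out.group(1)
    return sinks

def tunnel_ids(br_tun_dump):
    """tun_id values matched on br-tun, as integers (0xf3c -> 3900)."""
    return {int(x, 16) for x in re.findall(r'tun_id=(0x[0-9a-f]+)', br_tun_dump)}

def audit():
    """Pair each mirrored source with its monitor port and tunnel-id check."""
    sinks, tuns = tap_sinks(BR_INT_DST), tunnel_ids(BR_TUN_DST)
    return sorted((field, value, vlan, sinks.get(vlan), vlan in tuns)
                  for field, value, vlan in tap_sources(BR_INT_SRC))

if __name__ == "__main__": print(audit())
```

Running the same functions over live `ovs-ofctl dump-flows br-int` output on each compute node gives an inventory of mirrored ports that can be compared against the tap flows expected in Neutron.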