Date: 2018/11/29 Place: ITRI Presenter: Samina (Shan-Jung Fu) Prepare Hands-On Environment: http://bit.ly/2PXFCST Linux Network Virtualization

Outline ● Introduction ● Network Namespace ● Network Device Virtualization ● vEth ● Virtual Switching 2

● Introduction ○ OSI Model & Network Devices Review ○ Preface ○ What is Linux Network Virtualization? ● Network Namespace ● Network Device Virtualization ● vEth ● Virtual Switching Outline 3

OSI Model & Network Devices Review 4 ● Network Review ● Preface ● What is Linux NV

OSI Model & Network Devices Review 5 From: https://en.wikipedia.org/wiki/OSI_model ● Network Review ● Preface ● What is Linux NV

OSI Model & Network Devices Review (Cont.) 6 ● Network Review ● Preface ● What is Linux NV

OSI Model & Network Devices Review (Cont.) 7 Responsible for the transmission & reception of unstructured raw data between a device & a physical transmission medium ● NIC(Network interface controller) Card ● Repeater ● Ethernet hub Layer 3 Network Layer 2 Data Link Layer 1 Physical Layer ● Network Review ● Preface ● What is Linux NV

Reliable transmission of data frames between two nodes connected by a physical layer ● L2 Switch OSI Model & Network Devices Review (Cont.) 8 ● Network Review ● Preface ● What is Linux NV Layer 3 Network Layer 2 Data Link Layer 1 Physical Layer

Structuring and managing a multi-node network, including addressing, routing and traffic control ● L3 Switch ● Router OSI Model & Network Devices Review (Cont.) 9 ● Network Review ● Preface ● What is Linux NV Layer 3 Network Layer 2 Data Link Layer 1 Physical Layer

Preface ● Traditional environment 10 ● Network Review ● Preface ● What is Linux NV

Preface (Cont.) Let’s virtualize the traditional environment 11 ● Network Review ● Preface ● What is Linux NV

Preface (Cont.) Put the virtual environment into physical environment Two ways let vNIC link to NIC: ● vNIC link to NIC directly ● vNIC link to NIC via vSwitch 12 ● Network Review ● Preface ● What is Linux NV

Preface (Cont.) ● Virtualization: ○ Network Device Virtualization (vNIC) ○ Virtual Ethernet ○ Virtual Switching ● Linux Network Namespace: virtualize the network stack 13 ● Network Review ● Preface ● What is Linux NV

● Network Virtualization ○ The process of combining hardware & software network resources and network functionality into a single, software-based administrative entity, a virtual network. --- Wiki What is Linux Network Virtualization? 14 ● Network Review ● Preface ● What is Linux NV

What is Linux Network Virtualization? 15 ● Network Review ● Preface ● What is Linux NV ● Network Virtualization ○ External virtualization ○ Internal virtualization: ■ Config a single system w/ software containers to emulate a physical network with software. ■ Isolating applications to separate containers or pseudo-interfaces ■ On Linux host, combining hardware and software network resources & network functionality ■ A.k.a. Linux Network Virtualization

● Introduction ● Network Namespace ○ Introduction ○ ip-netns Introduction ○ ip-netns Hands-on ● Network Device Virtualization ● vEth ● Virtual Switching Outline 16

● Namespace: ○ Wraps a global system resource in an abstraction ○ Have their own isolated instance of the global resource ○ Implement containers What is Network Namespace? 17 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

● Network namespace provide isolation of the system resources associated w/ networking ○ network devices ○ IPv4 and IPv6 protocol stacks ○ IP routing tables ○ firewall rules ○ /proc/net directory ○ /sys/class/net directory ○ various files under /proc/sys/net ○ port numbers (sockets) ○ ... What is Network Namespace? 18 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

● Isolate the UNIX domain abstract socket namespace ● Logically another copy of the network stack, with its own routes, firewall rules, and network devices ● /proc/[pid]/ns/net What is Network Namespace? 19 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

What is Network Namespace? 20 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on ● /proc/net ○ http://man7.org/linux/man-pages/man5/proc.5.html ○ The files & directories expose info for the network namespace of which the process is a member.

● /sys/class/net ○ http://man7.org/linux/man-pages/man5/sysfs.5.html ○ Each of the entries in this directory is a symbolic link representing one of the real or virtual networking devices ○ Visible in the network namespace of the process that is accessing the directory What is Network Namespace? 21 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

● /proc/sys/net ○ http://man7.org/linux/man-pages/man5/proc.5.html ○ kernel network parameters ○ Contains networking stuff What is Network Namespace? 22 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

● /proc/[pid]/ns/net ○ http://man7.org/linux/man-pages/man5/proc.5.html ○ A subdirectory containing one entry for each network namespace ○ Supports being manipulated by setns What is Network Namespace? 23 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

ip-netns Introduction ● Process network namespace management ● http://man7.org/linux/man-pages/man8/ip-netns.8.html 24 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

Need sys-admin permission ● ip netns add NETNSNAME create a new named network namespace $ ip netns add net0 ● ip netns [ list ] show all of the named network namespaces $ ip netns (list) Net0 ● ip [-all] netns delete [ NAME ] Delete the name of a network namespace(s) $ ip netns del net0 ip-netns Introduction 25 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on $ ip netns add net0 $ ip netns (list) Net0 $ ip netns del net0

● ip [-all] netns exec [ NAME ] cmd … Run cmd in the named network namespace ip-netns Introduction (Cont.) 26 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on $ sudo ip netns exec net0 ip addr 1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: tunl0@NONE: mtu 1480 qdisc noop state DOWN group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 $ sudo ip -all netns exec ip addr netns: net0 1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: tunl0@NONE: mtu 1480 qdisc noop state DOWN group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0

$ sudo ip link set veth0 netns net0 $ sudo ip netns exec net0 ip addr 1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: tunl0@NONE: mtu 1480 qdisc noop state DOWN group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 12: veth0@if13: mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether ae:b1:57:40:af:09 brd ff:ff:ff:ff:ff:ff link-netnsid 0 ● ip link set dev NAME netns NETNSNAME Assign an id to a peer network namespace ip-netns Introduction (Cont.) 27 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

ip-netns Hands-on 28 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on Network Namespace 0 (net0) Network Namespace 1 (net1) Veth0 Veth1 10.0.8.1/24 10.0.8.2/24 $ ip link add type veth // Create veth pair $ ip link // check veth pair were built Host

ip-netns Hands-on (Cont.) 29 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on ● Bring network interface up in network namespace ip netns exec NETNSNAME ip link set DEVNAME up ● Assign IP to network interface in network namespace ip netns exec NETNSNAME bash ip addr add x.x.x.x/24 dev DEVNAME ● Check route table in network namespace ip netns exec NETNSNAME ip route ● Ping each other netns IP ip netns exec NETNSNAME bash ping -c 3 x.x.x.x

ip-netns Hands-on (Cont.) 30 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on ● Answer sudo ip netns add net0 sudo ip netns add net1 sudo ip netns sudo ip link add type veth sudo ip link set veth0 netns net0 sudo ip link set veth1 netns net1 sudo ip netns exec net0 ip link set veth0 up sudo ip netns exec net1 ip link set veth1 up sudo ip netns exec net0 ip addr add 10.0.8.1/24 dev veth0 sudo ip netns exec net1 ip addr add 10.0.8.2/24 dev veth1 sudo ip netns exec net0 ping -c 3 10.0.8.2 sudo ip -all netns delete

ip-netns Hands-on (Cont.) If you want to try yo implement network namespace for your own, please refer to the links. ● https://bestsamina.github.io/posts/2018-01-14-container-li nux-namespace/ ● Golang: https://github.com/sufuf3/mygo-container/blob/master/namespace/net. go ● C: https://github.com/sufuf3/myc-container/blob/master/namespace/net.c 31 ● netns Introduction ● ip-netns Introduction ● ip-netns Hands-on

● Introduction ● Network Namespace ● Network Device Virtualization ○ virtio ○ TAP and TUN ○ I/O virtualization(Virtual Function I/O) ● vEth ● Virtual Switching Outline 32

virtio ● Virtual I/O Device (VIRTIO) ● The main platform for IO virtualization in KVM ● Network/block/balloon devices are supported for kvm ● Ref: ○ https://www.linux-kvm.org/page/Virtio ○ https://www.ibm.com/developerworks/cn/linux/l-virtio/in dex.html 33 ● virtio ● TAP and TUN ● I/O virtualization

● Provides packet reception & transmission for user space programs ● can be viewed as a simple Point-to-Point or Ethernet device ● Application: tunneling (is used by VTun), IPSec (pipsec) … ● https://github.com/torvalds/linux/blob/master/Documentati on/networking/tuntap.txt ● http://vtun.sourceforge.net/tun/faq.html#1.1 TAP and TUN 34 ● virtio ● TAP and TUN ● I/O virtualization

TAP and TUN(Cont.) ● TAP: ○ Simulates a link layer device ○ Works with Ethernet frames (read/write ethernet frames) ○ Support kernel Ethernet bridging ● TNU: ○ Simulates a network layer device ○ Works with IP frames (read/write IP packets) ○ Used with routing 35 ● virtio ● TAP and TUN ● I/O virtualization

TAP and TUN(Cont.) 36 ● virtio ● TAP and TUN ● I/O virtualization NIC eth0 Network Stack Socket API Network Stack Network Stack tunX tapX /sys/devices/virtual/ net/tapX APP APP Socket API Socket API raw ethernet L3 ethernet raw packets /sys/devices/virtual/ net/tunX User Space Kernel Space character device virtual Ethernet interface ip tuntap add name tap0 mode tap

I/O virtualization ● Enables the acceleration of virtualization at the hardware level ● SR-IOV: Single-root I/O Virtualization 37 ● virtio ● TAP and TUN ● I/O virtualization

I/O virtualization (Cont.) 38 ● virtio ● TAP and TUN ● I/O virtualization ● Hardware acceleration ● SR-IOV

Outline ● Introduction ● Network Namespace ● Network Device Virtualization ● vEth ○ Introduction ○ Hands-on ● Virtual Switching 39

vEth Introduction ● Virtual Ethernet Device ● always created in interconnected pairs ● ip link add P1-NAME type veth peer name P2-NAME ● http://man7.org/linux/man-pages/man4/veth.4.html 40 ● Introduction ● Hands-on NS1 NS2 veth0 veth1 NS1 veth0 Virtual Switch veth1

vEth Hands-on $ sudo ip link add veth2 type veth peer name veth3 $ ip link (or ip a) 68: veth3@veth2: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 0e:bf:5e:85:82:b2 brd ff:ff:ff:ff:ff:ff 69: veth2@veth3: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether d6:d3:4b:42:70:1b brd ff:ff:ff:ff:ff:ff $ ethtool -S veth3 NIC statistics: peer_ifindex: 69 $ sudo ip link delete veth3 41 ● Introduction ● Hands-on

Outline ● Introduction ● Network Namespace ● Network Device Virtualization ● vEth ● Virtual Switching ○ Linux Bridge Introduction ○ brctl Hands-on ○ Open vSwitch Introduction 42

Linux Bridge Introduction ● A kernel module ● A virtual switch ● Connect different networks of ethernets together ● Is administered using brctl command on Linux ● brctl ○ ethernet bridge administration 43 ● Linux Bridge Intro ● brctl Hands-on ● OVS Intro

● brctl: ethernet bridge administration ● brctl addbr ○ creates a new instance of the ethernet bridge ● brctl delbr ○ deletes the instance of the ethernet bridge ● brctl show ○ shows all current instances of the ethernet bridge Linux Bridge Introduction(Cont.) 44 ● Linux Bridge Intro ● brctl Hands-on ● OVS Intro

● brctl: ethernet bridge administration ● brctl addif BRNAME IFNAME ○ make the interface IFNAME a port of the bridge BRNAME ● brctl delif BRNAME IFNAME ○ detach the interface IFNAME from the bridge BRNAME Linux Bridge Introduction(Cont.) 45 ● Linux Bridge Intro ● brctl Hands-on ● OVS Intro

Host bectl Hands-on 46 ● Linux Bridge Intro ● brctl Hands-on ● OVS Intro Network Namespace 0 (net0) Network Namespace 1 (net1) Veth0 Veth1 Bridge br1 10.0.8.1/24 10.0.8.2/24

● Answer sudo ip netns add net0 && sudo ip netns add net1 sudo ip netns sudo ip link add veth0 type veth peer name veth_net0 sudo ip link add veth1 type veth peer name veth_net1 sudo ip link set veth0 netns net0 && sudo ip link set veth1 netns net1 sudo ip netns exec net0 ip link set veth0 up sudo ip netns exec net1 ip link set veth1 up sudo ip netns exec net0 ip addr add 10.0.8.1/24 dev veth0 sudo ip netns exec net1 ip addr add 10.0.8.2/24 dev veth1 sudo brctl addbr br0 sudo brctl addif br0 veth_net0 && sudo brctl addif br0 veth_net1 sudo ip link set veth_net0 up && sudo ip link set veth_net1 up sudo ip link set dev br0 up sudo ip netns exec net0 ping -c 3 10.0.8.2 sudo ip -all netns delete sudo ip link set dev br0 down && sudo brctl delbr br0 bectl Hands-on (Cont.) 47 ● Linux Bridge Intro ● brctl Hands-on ● OVS Intro

OVS Introduction ● A multilayer software switch 48 ● Linux Bridge Intro ● brctl Hands-on ● OVS Intro

References ● https://www.ibm.com/developerworks/linux/library/l-virtu al-networking/ ● https://www.kernel.org/doc/man-pages/ ● http://docs.openvswitch.org/en/latest/intro/what-is-ovs/ 49

Thanks for your attention. Slides: http://bit.ly/vnet1129 GitHub, Telegram: @sufuf3 Twitter: @sufuf3149 50