Slide 1

Open vSwitch 101
Date: 2018/11/29
Place: ITRI
Presenter: Samina (Shan-Jung Fu)
Prepare Hands-On Environment: http://bit.ly/2PXFCST

Slide 2

Outline
First Part
● Overview
● Installation
● Basic commands
● Hands-On
Second Part
● Components & Architecture
● Utilities
● Modes

Slide 3

First Part
● Overview
  ○ What is Open vSwitch
  ○ Why Open vSwitch
● Installation
● Basic commands
● Hands-On

Slide 4

What is Open vSwitch
● Production quality
● Multi-layer virtual switch (L2 - L4)
● Enables massive network automation through programmatic extension
● Supports
  ○ The OpenFlow protocol
  ○ Standard management interfaces & protocols (e.g. NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP, 802.1ag)
● Written in platform-independent C
● Ref: http://docs.openvswitch.org/en/latest/intro/what-is-ovs/

Slide 5

Why Open vSwitch
● Traffic between VMs and the outside world
  ○ On Linux hypervisors it goes through a bridge
● Why Open vSwitch
  ○ Multi-server virtualization deployments
  ○ Dynamic endpoints
  ○ Logical abstractions
  ○ Integration with, or offloading to, special-purpose hardware

Slide 6

First Part: Installation

Slide 7

Installation
● From source
  1. Bootstrapping: build the "configure" script
  2. Configuring: configure the package
  3. Building: compile the executables & manpages (make); "make install" then copies them into the running system
  4. Starting: create the configuration database (ovsdb-tool create), start ovsdb-server, initialize the database, then start ovs-vswitchd
● From packages
  ○ $ apt (or yum) install openvswitch-switch
  ○ $ apt install openvswitch-switch-dpdk
● Ref: http://docs.openvswitch.org/en/latest/intro/install/

Slide 8

First Part: Basic commands

Slide 9

Basic commands
● Print a summary of the OVS database contents (bridges, ports, interfaces, etc.)
  ○ $ ovs-vsctl show
● Add a new bridge
  ○ $ ovs-vsctl add-br BR_NAME
● Delete an existing bridge
  ○ $ ovs-vsctl del-br BR_NAME
● Add a new port to the specified bridge
  ○ $ ovs-vsctl add-port BR_NAME PORT_NAME

Slide 10

First Part: Hands-On

Slide 11

Hands-On
[Topology diagram] On the host, OVS bridge br0 connects two network namespaces: ns1 holds veth1 (10.0.9.1/24) and ns2 holds veth2 (10.0.9.2/24); the peer end of each veth pair is a port on br0.

Slide 12

Hands-On (Cont.)
● Answer:
$ sudo ovs-vsctl add-br br0
$ sudo ovs-vsctl show
$ sudo ip netns add ns1 && sudo ip netns add ns2
$ sudo ip netns
$ sudo ip link add veth1 type veth peer name vpeerns1
$ sudo ip link add veth2 type veth peer name vpeerns2
$ sudo ip link set veth1 netns ns1 && sudo ip link set veth2 netns ns2
$ sudo ip netns exec ns1 ip link

Slide 13

Hands-On (Cont.)
● Answer (Cont.):
$ sudo ip link set vpeerns1 up && sudo ip link set vpeerns2 up
$ sudo ip netns exec ns1 ip addr add 10.0.9.1/24 dev veth1
$ sudo ip netns exec ns2 ip addr add 10.0.9.2/24 dev veth2
$ sudo ip netns exec ns1 ip link set veth1 up
$ sudo ip netns exec ns2 ip link set veth2 up
$ sudo ovs-vsctl add-port br0 vpeerns1 && sudo ovs-vsctl add-port br0 vpeerns2
$ sudo ip netns exec ns1 ping 10.0.9.2 -c 3

Slide 14

Hands-On (Cont.)
● Answer (Cont.): If you want to ping 8.8.8.8 from a namespace
$ sudo ovs-vsctl add-port br0 enp0s10
$ sudo ip addr del 10.0.9.10/24 dev enp0s10
$ sudo ip addr add 10.0.9.10/24 dev br0
$ sudo ip link set br0 up
$ sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
$ sudo ip netns exec ns1 ip route add default via 10.0.9.10
$ sudo ip netns exec ns2 ip route add default via 10.0.9.10
# Set up SNAT (Source NAT) routing
$ sudo iptables --flush
$ sudo iptables --table nat --flush
$ sudo iptables --table nat --delete-chain
$ sudo iptables --table nat --append POSTROUTING --out-interface enp0s3 -j MASQUERADE
$ sudo iptables --append FORWARD --in-interface br0 -j ACCEPT
$ sudo ip netns exec ns1 ping 8.8.8.8 -c 3
● Caveats: the host IP has to move from enp0s10 to br0 because enp0s10 is now a bridge port. "iptables --flush" deletes every rule in the filter table, including any host firewall, and the MASQUERADE rule is not limited to 10.0.9.0/24. The FORWARD rule only admits traffic entering from br0; if the FORWARD chain policy is DROP, replies need a matching rule (--in-interface enp0s3 --out-interface br0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT). The ip_forward setting written to /proc/sys does not survive a reboot.
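A tightened version of the SNAT step, added here as an example and not part of the original slides. It scopes the NAT and forwarding rules to the lab subnet, admits return traffic explicitly, and adds rules idempotently instead of flushing the host's chains. The interface names, subnet and the "apply" argument are assumptions taken from the hands-on (enp0s3, br0, 10.0.9.0/24); generating and reviewing the rule set needs neither root nor OVS, applying it needs both.

```shell
#!/bin/sh
# Added example (not from the slides): SNAT for the lab namespaces, scoped to
# the lab subnet and idempotent. Assumed names, from the hands-on: WAN NIC
# enp0s3, bridge br0, lab subnet 10.0.9.0/24. Adjust to your host.
set -eu

LAB_NET="${LAB_NET:-10.0.9.0/24}"
WAN_IF="${WAN_IF:-enp0s3}"
BR_IF="${BR_IF:-br0}"

# Emit the rule set, one iptables invocation per line, instead of running it,
# so it can be reviewed before it touches the host. Compared with the slides'
# version: MASQUERADE only matches the lab subnet, the forward rule only
# passes lab -> WAN, and replies are admitted through conntrack rather than
# relying on the FORWARD chain's default policy.
nat_rules() {
    net="$1"; wan="$2"; br="$3"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $br -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $br -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules the generator emits (quick sanity check).
rule_count() {
    nat_rules "$@" | wc -l | tr -d ' '
}

# Apply without flushing anything: each "-A" is first tried as "-C" (check),
# so re-running the script does not duplicate rules.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_rules "$LAB_NET" "$WAN_IF" "$BR_IF" | while IFS= read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        if eval "$check" 2>/dev/null; then
            echo "exists: $cmd"
        else
            echo "adding: $cmd"
            eval "$cmd"
        fi
    done
    # Then, as in the hands-on: ip netns exec ns1 ping 8.8.8.8 -c 3
}

# "sh snat.sh apply" (as root) installs the rules; with no argument the
# script only prints the rule set for review.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    nat_rules "$LAB_NET" "$WAN_IF" "$BR_IF"
fi
```

The "-C before -A" pattern is what makes the script safe to re-run; the slides' flush-then-append sequence is only safe on a throwaway VM.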

Slide 15

Second Part
● Components & Architecture
  ○ Overview
  ○ OVSDB
  ○ ovsdb-server
  ○ ovs-vswitchd
● Utilities
● Modes

Slide 16

Components & Architecture: Overview
[Architecture diagram, after https://benpfaff.org/papers/ovs-slides.pdf] Off-box: the controller, which speaks OpenFlow to ovs-vswitchd and OVSDB-mp to ovsdb-server. User space: ovs-vswitchd and ovsdb-server, connected to each other by OVSDB-mp. Kernel space: the OVS kernel module, which ovs-vswitchd drives over netlink.
● OVSDB-mp: OVSDB Management Protocol

Slide 17

OVSDB Management Protocol
● Open vSwitch Database Management Protocol
● RFC 7047
● Connection types:
  ○ Unix domain socket
  ○ TCP (default port)
    ■ 6632: before v2.4.0
    ■ 6640: from v2.4.0 on
  ○ SSL or TLS
● Security note: a plaintext TCP listener (ptcp:) carries no authentication, so every host that can reach the port can read and rewrite the entire switch configuration. Use the Unix socket for local tools and pssl: (with set-ssl) for remote managers.

Slide 18

ovsdb-server
● Open vSwitch database server
● Provides RPC interfaces to OVS databases (OVSDBs)
● Supports JSON-RPC client connections over active or passive TCP/IP or Unix domain sockets
● Default OVSDB file is /etc/openvswitch/conf.db
● Ref: http://www.openvswitch.org/support/dist-docs/ovsdb-server.1.html
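The two slides above describe where ovsdb-server listens for OVSDB-mp connections. The script below is an added example, not from the slides or the Open vSwitch project: it classifies the manager and controller target strings a switch is configured with and flags plaintext TCP listeners. The target syntax (ptcp:, pssl:, punix:, tcp:, ssl:, unix:) is Open vSwitch's own; the verdict strings are this script's. Listeners passed to ovsdb-server on its command line (--remote=) are not in the database, so check the service unit for those separately.

```shell
#!/bin/sh
# Added example (not from the slides): audit the OVSDB manager and OpenFlow
# controller targets configured on this host and flag plaintext listeners.
set -eu

# Classify one target string.
#   punix:/path        local socket; filesystem permissions apply
#   pssl:PORT[:IP]     TLS listener; peers must present a certificate signed
#                      by the configured CA
#   ptcp:PORT[:IP]     plaintext listener, no authentication: anyone who can
#                      reach it can read and rewrite the whole configuration
#   tcp:/ssl:/unix:    active (outbound) connection, not a listener
classify_target() {
    case "$1" in
        punix:*)             echo "listener:unix" ;;
        pssl:*)              echo "listener:tls" ;;
        ptcp:*:127.0.0.1)    echo "listener:plaintext-loopback" ;;
        ptcp:*)              echo "listener:plaintext-exposed" ;;
        tcp:*|ssl:*|unix:*)  echo "active" ;;
        *)                   echo "unknown" ;;
    esac
}

# Print one verdict per target; exit status 1 if any target is an exposed
# plaintext listener.
check_targets() {
    rc=0
    for t in "$@"; do
        verdict=$(classify_target "$t")
        printf '%-40s %s\n' "$t" "$verdict"
        case "$verdict" in
            listener:plaintext-exposed) rc=1 ;;
        esac
    done
    return $rc
}

# Collect targets from a running switch: Manager rows (ovsdb-server) and
# each bridge's controllers (ovs-vswitchd). Needs ovs-vsctl and db.sock.
live_targets() {
    ovs-vsctl get-manager
    for br in $(ovs-vsctl list-br); do
        ovs-vsctl get-controller "$br"
    done
}

# "sh ovsdb-audit.sh live" on the host. Remediation for an exposed listener,
# with ovs-vsctl's own commands (paths are assumptions):
#   ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem \
#       /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
#   ovs-vsctl set-manager pssl:6640
if [ "${1:-}" = "live" ]; then
    # shellcheck disable=SC2046
    check_targets $(live_targets)
fi
```

A loopback-bound ptcp: listener is reported separately because it is still unauthenticated: any local user who can open a TCP socket gets the same write access as root's ovs-vsctl.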

Slide 19

ovs-vswitchd
● Open vSwitch daemon
● Manages & controls any number of Open vSwitch switches on the local machine
● Works together with a companion Linux kernel module for flow-based switching
● By default ovs-vswitchd connects to ovsdb-server at unix:/var/run/openvswitch/db.sock
● Ref: http://www.openvswitch.org/support/dist-docs/ovs-vswitchd.8.html

Slide 20

ovs-vswitchd (Cont.)
● Can be configured with the following features:
  ○ L2 switching with MAC learning
  ○ NIC bonding with automatic failover and source-MAC-based TX load balancing ("SLB")
  ○ 802.1Q VLAN support
  ○ Port mirroring, with optional VLAN tagging
  ○ NetFlow v5 flow logging
  ○ sFlow(R) monitoring
  ○ Connectivity to an external OpenFlow controller
● Ref: http://www.openvswitch.org/support/dist-docs/ovs-vswitchd.8.html

Slide 21

Second Part
● Components & Architecture
● Utilities
  ○ ovsdb-tool
  ○ ovs-vsctl
  ○ ovs-dpctl
  ○ ovs-ofctl
  ○ ovs-appctl
● Modes

Slide 22

Utilities
Reference pages for all of them: http://docs.openvswitch.org/en/latest/ref/

Slide 23

Utility - ovsdb-tool
● Open vSwitch database management utility
● A command-line tool for managing OVS database (OVSDB) files
● Does not interact directly with a running ovsdb-server
  ○ ovsdb-client does that

Slide 24

Utility - ovsdb-tool (Cont.)
● $ ovsdb-tool create DATABASE SCHEMA
  ○ Reads an OVSDB SCHEMA & creates a new OVSDB DATABASE
  ○ $ ovsdb-tool create /path/conf.db vswitch.ovsschema
● $ ovsdb-tool show-log DATABASE
  ○ Prints a summary of the records in the database's log
  ○ $ ovsdb-tool show-log /etc/openvswitch/conf.db
More commands:
● $ ovsdb-tool -h
● $ man ovsdb-tool

Slide 25

Utility - ovs-vsctl
● Utility for querying and configuring ovs-vswitchd
● A high-level interface
● Connects to an ovsdb-server process, which maintains the Open vSwitch configuration database
● Queries & possibly applies changes to the database

Slide 26

Utility - ovs-vsctl (Cont.)
● Open vSwitch commands
  ○ Work with an OVS as a whole
  ○ $ ovs-vsctl show
● Bridge commands
  ○ Examine and manipulate OVS bridges
  ○ $ ovs-vsctl add-br br0
● Port commands
  ○ Examine and manipulate OVS ports
  ○ $ ovs-vsctl add-port br0 eth0
● Commands chained with "--" are performed in a single atomic transaction
  ○ $ ovs-vsctl add-br br0 -- add-port br0 eth0

Slide 27

Utility - ovs-vsctl (Cont.)
● Interface commands
  ○ Examine the interfaces attached to an OVS bridge
  $ sudo ovs-vsctl list-ifaces br0
  enp0s10
  vpeerns1
  vpeerns2
● OpenFlow controller connectivity
  ○ Configure a bridge to communicate with one or more external OpenFlow controllers
  $ sudo ovs-vsctl get-controller br0

Slide 28

Utility - ovs-vsctl (Cont.)
● Manager connectivity
  ○ Manipulates the manager_options column in the Open_vSwitch table & rows in the Manager table
● SSL configuration
  ○ When ovs-vswitchd is configured to connect to a controller or manager over SSL/TLS, the private key, certificate and CA certificate must be set (ovs-vsctl set-ssl PRIVATE-KEY CERTIFICATE CA-CERT)
● Auto-Attach commands
● Database commands
More commands:
● $ ovs-vsctl -h
● $ man ovs-vsctl

Slide 29

Utility - ovs-dpctl
● Administers Open vSwitch datapaths
● Not needed for managing datapaths when ovs-vswitchd is running
  ○ ovs-vswitchd does all the necessary management of OVS datapaths itself
  ○ Changing a datapath with ovs-dpctl while ovs-vswitchd is running can interfere with ovs-vswitchd's operation
● Useful for diagnostics

Slide 30

Utility - ovs-dpctl (Cont.)
● $ ovs-dpctl [-s | --statistics] show [dp...]
  ○ Prints a summary of configured datapaths
$ sudo ovs-dpctl show
system@ovs-system:
  lookups: hit:1350 missed:504 lost:0
  flows: 0
  masks: hit:1454 total:0 hit/pkt:0.78
  port 0: ovs-system (internal)
  port 1: br0 (internal)
  port 2: vpeerns1
  port 3: vpeerns2
  port 4: enp0s10

Slide 31

Utility - ovs-dpctl (Cont.)
● $ ovs-dpctl dump-dps
  ○ Prints the name of each configured datapath on a separate line
● $ ovs-dpctl [-m | --more] dump-flows [dp] [filter=filter]
  ○ Prints all flow entries in datapath dp's flow table
  ○ With -m or --more, the output includes all wildcarded fields
More commands:
● $ ovs-dpctl -h
● $ man ovs-dpctl

Slide 32

Utility - ovs-ofctl
● Administers OpenFlow switches
● A command-line tool for monitoring and administering OpenFlow switches
● Shows the current state of an OpenFlow switch
  ○ Features
  ○ Configuration
  ○ Table entries
● Works with any OpenFlow switch, not just Open vSwitch

Slide 33

Utility - ovs-ofctl (Cont.)
● OpenFlow switch management commands
  ○ Allow ovs-ofctl to monitor and administer an OpenFlow switch
  ○ Show the current state of a switch, including features, configuration, and table entries
  ○ Commands (-O selects the OpenFlow version to speak)
  $ sudo ovs-ofctl show BR_NAME -O OpenFlow13
  $ sudo ovs-ofctl dump-tables BR_NAME -O OpenFlow13
  $ sudo ovs-ofctl dump-flows BR_NAME -O OpenFlow13
  $ sudo ovs-ofctl dump-ports BR_NAME -O OpenFlow13

Slide 34

Utility - ovs-ofctl (Cont.)
● Other command groups:
  ○ OpenFlow 1.1+ group table commands
  ○ OpenFlow 1.3+ switch meter table commands
  ○ OpenFlow switch flow table commands
  ○ OpenFlow switch group table commands
  ○ OpenFlow switch tunnel TLV table commands
  ○ OpenFlow switch monitoring commands
  ○ OpenFlow switch and controller commands
More commands:
● $ ovs-ofctl -h
● $ man ovs-ofctl

Slide 35

Utility - ovs-appctl
● Utility for configuring running Open vSwitch daemons
● Controls OVS daemons' behavior and queries OVS settings
● Sends the command & prints the daemon's response on standard output
● $ ovs-appctl list-commands
  ○ Lists the commands supported by the target
● $ ovs-appctl bridge/dump-flows BR_NAME
  ○ Dumps OpenFlow flows, including hidden flows; useful for troubleshooting in-band issues
● $ ovs-appctl vlog/list
  ○ Lists the known logging modules and their current levels

Slide 36

Utility - ovs-appctl (Cont.)
● $ ovs-appctl ofproto/trace BR_NAME BR_FLOW [OPTIONS] [-generate | packet]
  ○ Looks the described packet up in the OpenFlow flow table and prints the path it would take
  ○ http://docs.openvswitch.org/en/latest/topics/tracing/
● Examples
  ○ Trace an ARP request on ingress port 1
  $ ovs-appctl ofproto/trace br0 in_port=1,arp,arp_op=1
  ○ Trace an ARP reply on ingress port 1
  $ ovs-appctl ofproto/trace br0 in_port=1,arp,arp_op=2

Slide 37

Utility - ovs-appctl (Cont.)
● Examples
  ○ Trace a unicast ICMP echo request on ingress port 1 to destination MAC 00:00:5E:00:53:01
  $ ovs-appctl ofproto/trace br0 \
      in_port=1,icmp,icmp_type=8,dl_dst=00:00:5E:00:53:01
More commands:
● $ ovs-appctl -h
● $ man ovs-appctl
● $ man ovs-vswitchd

Slide 38

Second Part: Modes

Slide 39

Modes
An OVS bridge can be operated in two modes:
● Normal mode
  ○ Acts as a layer 2 learning switch
  ○ This is the default fail-mode, "standalone": with no controller configured, or when the controller connection is lost, the bridge forwards like an ordinary learning switch (ovs-vsctl show omits fail_mode when it is unset)
  ○ Security-relevant consequence: a standalone bridge that loses its controller silently falls back to flood-and-learn forwarding, bypassing whatever policy the controller's flows enforced
  $ sudo ovs-vsctl add-br br0
  Bridge "br0"
      Port "br0"
          Interface "br0"
              type: internal

Slide 40

Modes (Cont.)
● Flow mode
  ○ The switch makes forwarding decisions only from OpenFlow table entries, installed by a controller or with ovs-ofctl
  ○ fail-mode "secure": if the controller is unreachable the bridge keeps the flows it has and does not fall back to learning; with no controller connected, packets that match no flow are dropped, so a freshly created secure bridge passes nothing until flows are installed
  $ sudo ovs-vsctl add-br br1 -- set Bridge br1 fail-mode=secure
  Bridge "br1"
      fail_mode: secure
      Port "br1"
          Interface "br1"
              type: internal
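A worked flow-mode bridge, added as an example and not part of the original slides: fail-mode=secure plus an explicit allowlist of flows instead of MAC learning, then ofproto/trace (from the ovs-appctl slides) to verify the policy without sending packets. The OpenFlow port numbers 1 and 2 and the addresses are assumed to be those of vpeerns1/vpeerns2 from the hands-on; confirm them with "ovs-ofctl show br1" before applying. Generating the flow set needs no OVS; installing and tracing need root and a running ovs-vswitchd.

```shell
#!/bin/sh
# Added example (not from the slides): a "flow mode" bridge with
# fail-mode=secure and an explicit allowlist instead of MAC learning.
# Port numbers 1/2 and the 10.0.9.x addresses are assumptions from the
# hands-on topology.
set -eu

# Emit flows in ovs-ofctl add-flows syntax: ARP and IPv4 between the two
# ports only, IPv4 pinned to each port's own address (so a namespace cannot
# spoof the other's source), and a lowest-priority catch-all drop.
allowlist_flows() {
    a="$1"; b="$2"; a_ip="$3"; b_ip="$4"
    cat <<EOF
priority=100,arp,in_port=$a,actions=output:$b
priority=100,arp,in_port=$b,actions=output:$a
priority=100,ip,in_port=$a,nw_src=$a_ip,nw_dst=$b_ip,actions=output:$b
priority=100,ip,in_port=$b,nw_src=$b_ip,nw_dst=$a_ip,actions=output:$a
priority=0,actions=drop
EOF
}

# Action of the catch-all (priority 0) flow in the generated set.
default_action() {
    allowlist_flows "$@" | sed -n 's/^priority=0,actions=//p'
}

# Install the flows on BR, then trace one allowed and one denied packet so
# the policy is verified before any traffic is sent. Needs root and OVS.
apply_and_trace() {
    br="$1"
    ovs-vsctl --may-exist add-br "$br" -- set Bridge "$br" fail-mode=secure
    ovs-ofctl -O OpenFlow13 del-flows "$br"
    allowlist_flows 1 2 10.0.9.1 10.0.9.2 | ovs-ofctl -O OpenFlow13 add-flows "$br" -
    ovs-ofctl -O OpenFlow13 dump-flows "$br"
    # Expected: the first trace's final action is output:2, the second's is drop.
    ovs-appctl ofproto/trace "$br" in_port=1,ip,nw_src=10.0.9.1,nw_dst=10.0.9.2
    ovs-appctl ofproto/trace "$br" in_port=1,ip,nw_src=10.0.9.1,nw_dst=10.0.9.200
}

# "sh flowmode.sh apply br1" installs and traces; with no argument the
# script only prints the flow set for review.
if [ "${1:-}" = "apply" ]; then
    apply_and_trace "${2:-br1}"
else
    allowlist_flows 1 2 10.0.9.1 10.0.9.2
fi
```

Because the bridge is in secure mode, anything the allowlist does not cover (IPv6, a third port, a spoofed source) hits the priority-0 drop rather than being flooded; in standalone mode the same table would be replaced by learning-switch behaviour the moment the controller went away.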

Slide 41

References
● http://www.openvswitch.org/
● http://abregman.com/2016/10/18/open-vswitch-introduction-part-1/
● http://abregman.com/2016/10/19/open-vswitch-introduction-part-2/
● https://www.slideshare.net/FeiJiSiao/sdnds-twmeetup2
● https://www.usenix.org/system/files/conference/nsdi15/nsdi15-paper-pfaff.pdf
● https://www.slideshare.net/rajdeep/openvswitch-deep-dive

Slide 42

Thanks for your attention.
Slides: http://bit.ly/ovs1129
GitHub, Telegram: @sufuf3
Twitter: @sufuf3149