Open vSwitch 101

Transcript

1. 101 Date: 2018/11/29 Place: ITRI Presenter: Samina (Shan-Jung Fu) Prepare

   Hands-On Environment: http://bit.ly/2PXFCST

2. First Part • Overview • Installation • Basic commands •

   Hands-On Second Part • Components & Architecture • Utilities • Modes Outline 2

3. • Overview ◦ What is Open vSwitch ◦ Why Open

   vSwitch • Installation • Basic commands • Hands-On First Part 3

4. • Production quality • Multi-Layer virtual switch (L2 - L4)

   • Enable massive network automation through programmatic extension • Support ◦ OpenFlow protocol ◦ Standard management interfaces & protocols (e.g. NetFlow, sFlow, IPFIX, RSPAN, CLI, LACP, 802.1ag) • Written in platform-independent C • Ref: http://docs.openvswitch.org/en/latest/intro/what-is-ovs/ What is Open vSwitch 4

5. Why Open vSwitch • Traffic between VMs and outside world

   ◦ In Linux Hypervisors it is through a bridge • Why Open vSwitch ◦ Multi-server virtualization deployments ◦ Dynamic endpoints ◦ Logical abstractions ◦ Integration or offloading with special purpose hardware 5

6. • Overview • Installation • Basic commands • Hands-On First

   Part 6

7. Installation 7 • From Source 1. Bootstrapping: Build the “configure”

   script 2. Configuring: Configure the package 3. Building: Install the executables & manpages into the running system 4. Starting: start ovs-vswitchd, config database & ovsdb-server • From Packages ◦ apt(yum) install openvswitch-switch ◦ apt install openvswitch-switch-dpdk • Ref: http://docs.openvswitch.org/en/latest/intro/install/

8. First Part 8 • Overview • Installation • Basic commands

   • Hands-On

9. • Print summary of the ovs database content (bridges, interfaces,

   ports, etc) ◦ $ ovs-vsctl show • Add a new bridge ◦ $ ovs-vsctl add-br BR_NAME • Delete existing bridge ◦ $ ovs-vsctl del-br BR_NAME • Add a new port in the specified bridge ◦ $ ovs-vsctl add-port BR_NAME PORT_NAME Basic commands 9

10. First Part 10 • Overview • Installation • Basic commands

    • Hands-On

11. Hands-On 11 Host 11 Network Namespace 1 (ns1) Network Namespace

    2 (ns2) Veth1 Veth2 OVS br0 10.0.9.1/24 10.0.9.2/24

12. $ $ $ $ $ $ $ $ • Answer:

    sudo ovs-vsctl add-br br0 sudo ovs-vsctl show sudo ip netns add ns1 && sudo ip netns add ns2 sudo ip netns sudo ip link add veth1 type veth peer name vpeerns1 sudo ip link add veth2 type veth peer name vpeerns2 sudo ip link set veth1 netns ns1 && sudo ip link set veth2 netns ns2 sudo ip netns exec ns1 ip link Hands-On (Cont.) 12

13. $ $ $ $ $ $ $ $ • Answer

    (Cont.): sudo ip link set vpeerns1 up && sudo ip link set vpeerns2 up sudo ip netns exec ns1 ip addr add 10.0.9.1/24 dev veth1 sudo ip netns exec ns2 ip addr add 10.0.9.2/24 dev veth2 sudo ip netns exec ns1 ip link set veth1 up sudo ip netns exec ns2 ip link set veth2 up sudo ovs-vsctl add-port br0 vpeerns1 && sudo ovs-vsctl add-port br0 vpeerns2 sudo ip netns exec ns1 ping 10.0.9.2 -c 3 Hands-On (Cont.) 13

14. sudo ovs-vsctl add-port br0 enp0s10 sudo ip addr del 10.0.9.10/24

    dev enp0s10 sudo ip addr add 10.0.9.10/24 dev br0 sudo ip link set br0 up sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward" sudo ip netns exec ns1 ip route add default via 10.0.9.10 sudo ip netns exec ns2 ip route add default via 10.0.9.10 # Set up SNAT (Source NAT) routing sudo iptables --flush sudo iptables --table nat --flush sudo iptables --table nat --delete-chain sudo iptables --table nat --append POSTROUTING --out-interface enp0s3 -j MASQUERADE sudo iptables --append FORWARD --in-interface br0 -j ACCEPT sudo ip netns exec ns1 ping 8.8.8.8 -c 3 $ $ $ $ $ $ $ $ $ $ $ $ $ Hands-On (Cont.) 14 • Answer (Cont.): If you want to ping 8.8.8.8 from ns

15. • Components & Architecture ◦ Overview ◦ OVSDB ◦ ovsdb-server

    ◦ ovs-vswitchd • Utilities • Modes Second Part 15

16. • Overview • OVSDB • ovsdb-server • ovs-vswitchd Components &

    Architecture Overview 16 Controller Off-box User space Kernel space ovs-vswitchd ovsdb-server OVS kernel module netlink OVSDB-mp OpenFlow OVSDB-mp Ref: https://benpfaff.org/papers/ovs-slides.pdf • OVSDB-mp: OVSDB Management Protocol

17. OVSDB Management Protocol 17 • Open vSwitch Database Management Protocol

    • RFC 7047 • Active connection: ◦ Unix domain socket ◦ TCP (Default port) ▪ 6632: Before v2.4.0 ▪ 6640: After v2.4.0 ◦ SSL or TLS • Overview • OVSDB • ovsdb-server • ovs-vswitchd

18. • Open vSwitch database server • Provides RPC interfaces to

    OVS databases (OVSDBs) • Supports JSON-RPC client connections over active or passive TCP/IP or Unix domain sockets • Default OVSDB file is /etc/open‐vswitch/conf.db • Ref: http://www.openvswitch.org/support/dist-docs/ovsdb-server.1.html ovsdb-server 18 OVSDB-mp OVSDB-mp • Overview • OVSDB • ovsdb-server • ovs-vswitchd

19. ovs-vswitchd 19 • Open vSwitch daemon • Manages & controls

    any number of OVS on local machine • Along with a companion Linux kernel module for flow-based switching • Default ovs-vswitchd connects to ovsdb-server method: unix:/var/run/open‐vswitch/db.sock • Ref: http://www.openvswitch.org/ support/dist-docs/ovs-vswitchd.8.html OVSDB-mp • Overview • OVSDB • ovsdb-server • ovs-vswitchd OVSDB-mp

20. • Can be configured with the following features: ◦ L2

    switching with MAC learning. ◦ NIC bonding with automatic failover and source MAC-based TX load balancing ("SLB"). ◦ 802.1Q VLAN support. ◦ Port mirroring, with optional VLAN tagging. ◦ NetFlow v5 flow logging. ◦ sFlow(R) monitoring. ◦ Connectivity to an external OpenFlow controller • Ref: http://www.openvswitch.org/support/dist-docs/ovs-vswitchd.8.html ovs-vswitchd 20 • Overview • OVSDB • ovsdb-server • ovs-vswitchd

21. Second Part 21 • Components & Architecture • Utilities ◦

    ovsdb-tool ◦ ovs-vsctl ◦ ovs-dpctl ◦ ovs-ofctl ◦ ovs-appctl • Modes

22. Utilities 22 Find from: http://docs.openvswitch.org/en/latest/ref/

23. • Open vSwitch database management utility • A command-line tool

    • Managing OVS database (OVSDB) files • Non-interaction directly w/ running OVS database servers ◦ ovsdb-client do this Utility - ovsdb-tool 23 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

24. • $ ovsdb-tool create DATABASE SCHEMA ◦ Reads an OVSDB

    SCHEMA & creates a new OVSDB DATABASE • $ ovsdb-tool show-log ◦ Prints a summary of the records in db's log More commands: • $ ovsdb-tool -h • $ man ovsdb-tool Utility - ovsdb-tool (Cont.) 24 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl $ ovsdb-tool create /path/conf.db vswitch.ovsschema $ ovsdb-tool show-log /etc/openvswitch/conf.db

25. Utility - ovs-vsctl 25 • Utility for querying and configuring

    ovs-vswitchd • A high-level interface • Connects to an ovsdb-server process ◦ Maintains an Open vSwitch configuration database • Queries & possibly applies changes to the database • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

26. • Open vSwitch Commands ◦ Work with an OVS as

    a whole ◦ $ ovs-vsctl show • Bridge Commands ◦ Examine and manipulate OVS bridges • Port Commands ◦ Examine and manipulate OVS ports Utility - ovs-vsctl (Cont.) 26 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl $ ovs-vsctl show $ ovs-vsctl add-br br0 $ ovs-vsctl add-port br0 eth0 $ ovs-vsctl add-br br0 -- add-port br0 eth0 Perform both operations in a single atomic transaction

27. Utility - ovs-vsctl (Cont.) • Interface Commands ◦ Examine the

    interfaces attached to an OVS bridge • OpenFlow Controller Connectivity ◦ Configured to communicate with one or more external OpenFlow controllers 27 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl $ sudo ovs-vsctl list-ifaces br0 enp0s10 vpeerns1 vpeerns2 $ sudo ovs-vsctl get-controller br0

28. • Manager Connectivity ◦ Manipulate the manager_options column in the

    Open_vSwitch table & rows in the Managers table • SSL Configuration ◦ After ovs-vswitchd was configured to connect over SSL, the parameters are required • Auto-Attach Commands • Database Commands More commands: • $ ovs-vsctl -h • $ man ovs-vsctl Utility - ovs-vsctl (Cont.) 28 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

29. Utility - ovs-dpctl 29 • Administer Open vSwitch datapaths •

    Not needed for managing datapaths in conjunction w/ ovs-vswitchd ◦ ovs-vswitchd does all the necessary management of OVS datapaths itself ◦ When ovs-vswitchd is running can interfere w/ ovs-dpctl operation • Useful for diagnostics ovs-vswitchd ovs-vsctl ovs-dpctl • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

30. • $ovs-dpctl [-s | --statistics] show [dp...] ◦ Prints a

    summary of configured datapaths Utility - ovs-dpctl (Cont.) 30 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl $ sudo ovs-dpctl show system@ovs-system: lookups: hit:1350 missed:504 lost:0 flows: 0 masks: hit:1454 total:0 hit/pkt:0.78 port 0: ovs-system (internal) port 1: br0 (internal) port 2: vpeerns1 port 3: vpeerns2 port 4: enp0s10

31. • $ ovs-dpctl dump-dps ◦ Prints the name of each

    configured datapath on a separate line. • $ ovs-dpctl [-m | --more] dump-flows [dp] [filter=filter] ◦ Prints to the console all flow entries in datapath dp's flow table ◦ With -m or --more, output includes all wildcarded fields More commands: • $ ovs-dpctl -h • $ man ovs-dpctl Utility - ovs-dpctl (Cont.) 31 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

32. Utility - ovs-ofctl 32 • Administer OpenFlow switches • A

    command line tool • Monitoring and administering OpenFlow switches • Show the current state of an OpenFlow switch ◦ Features ◦ Configuration ◦ table entries • Work with any OpenFlow switch, not just Open vSwitch • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

33. • OpenFlow Switch Management Commands ◦ Allow ovs-ofctl to monitor

    and administer an OpenFlow switch ◦ Show the current state of a switch, including features, configuration, and table entries ◦ Commands $ sudo ovs-ofctl show BR_NAME -O OpenFlow13 $ sudo ovs-ofctl dump-tables BR_NAME -O OpenFlow13 $ sudo ovs-ofctl dump-flows BR_NAME -O OpenFlow13 $ sudo ovs-ofctl dump-ports BR_NAME -O OpenFlow13 Utility - ovs-ofctl (Cont.) 33 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

34. More commands: • $ ovs-ofctl -h • $ man ovs-ofctl

    • If you want to use another features: ◦ OpenFlow 1.1+ Group Table Commands ◦ OpenFlow 1.3+ Switch Meter Table Commands ◦ OpenFlow Switch Flow Table Commands ◦ OpenFlow Switch Group Table Commands ◦ OpenFlow Switch Tunnel TLV Table Commands ◦ OpenFlow Switch Monitoring Commands ◦ OpenFlow Switch and Controller Commands Utility - ovs-ofctl (Cont.) 34 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

35. Utility - ovs-appctl 35 • Utility for configuring running Open

    vSwitch daemons • Control OVS daemons’ behavior and query OVS settings • Sends the command & prints the daemon's response on standard output • $ ovs-appctl list-commands ◦ Lists the commands supported by the target. • $ ovs-appctl bridge/dump-flows BR_NAME ◦ Dumps OpenFlow flows, including hidden flows. Useful for troubleshooting in-band issues. • $ ovs-appctl vlog/list ◦ Lists the known logging modules and their current levels. • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl

36. • $ ovs-appctl ofproto/trace BR_NAME BR_FLOW [OPTIONS] [-generate | packet]

    ◦ looks the packet up in the OpenFlow flow table ◦ http://docs.openvswitch.org/en/latest/topics/tracing/ • Examples ◦ Trace an ARP request on ingress port 1 ◦ Trace an ARP reply on ingress port 1 Utility - ovs-appctl (Cont.) 36 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl $ ovs-appctl ofproto/trace br0 in_port=1,arp,arp_op=1 $ ovs-appctl ofproto/trace br0 in_port=1,arp,arp_op=2

37. • Examples ◦ Trace an unicast ICMP echo request on

    ingress port 1 to destination MAC 00:00:5E:00:53:01 More commands: • $ ovs-appctl -h • $ man ovs-appctl • $ man ovs-vswitchd Utility - ovs-appctl (Cont.) 37 • ovsdb-tool • ovs-vsctl • ovs-dpctl • ovs-ofctl • ovs-appctl $ ovs-appctl ofproto/trace ofproto/trace br0 \ in_port=1,icmp,icmp_type=8,dl_dst=00:00:5E:00:53:01

38. Second Part 38 • Components & Architecture • Utilities •

    Modes

39. OVS bridge can be operated in two modes: • Normal

    Mode ◦ Acts as a layer 2 learning switch ◦ $ sudo ovs-vsctl add-br br0 -- set Bridge br0 Bridge "br0" Port "br0" Interface "br0" type: internal Modes 39

40. Modes 40 OVS bridge can be operated in two modes:

    • Flow Mode ◦ Switch makes forwarding decisions based on OpenFlow table entries ◦ $ sudo ovs-vsctl add-br br1 -- set Bridge br1 fail-mode=secure Bridge "br1" fail_mode: secure Port "br1" Interface "br1" type: internal

41. References • http://www.openvswitch.org/ • http://abregman.com/2016/10/18/open-vswitch-introduction-part-1/ • http://abregman.com/2016/10/19/open-vswitch-introduction-part-2/ • https://www.slideshare.net/FeiJiSiao/sdnds-twmeetup2 •

    https://www.usenix.org/system/files/conference/nsdi15/nsdi15-paper-p faff.pdf • https://www.slideshare.net/rajdeep/openvswitch-deep-dive 41

42. Thanks for your attention. Slides: http://bit.ly/ovs1129 GitHub, Telegram: @sufuf3 Twitter:

    @sufuf3149 42