centos ovn 搭建测试(一:逻辑交换机)
参考链接:
https://github.com/openvswitch/ovs/blob/v2.10.0/Documentation/intro/install/general.rst
https://www.jianshu.com/p/1121fcd5ab82
# ovn-trace 参考链接
https://www.man7.org/linux/man-pages/man8/ovn-trace.8.html
centos 版本 CentOS Linux release 7.8.2003 (Core)
安装构建RPM包所需要的依赖包 yum install -y @'Development Tools' rpm-build yum-utils
依赖安装 yum install -y git wget firewalld-filesystem net-tools desktop-file-utils groff graphviz selinux-policy-devel python-sphinx python-twisted-core python-zope-interface python-six libcap-ng-devel unbound unbound-devel openssl-devel gcc make python-devel openssl-devel kernel-devel kernel-debug-devel autoconf automake rpm-build redhat-rpm-config libtool python-openvswitch libpcap-devel numactl-devel dpdk-devel
# 源码下载编译 git clone https://github.com/openvswitch/ovs.git git checkout v2.12.0 ./boot.sh ./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc
rpm 编译安装 make rpm-fedora RPMBUILD_OPT="--without check" make rpm-fedora-ovn RPMBUILD_OPT="--without check"
make rpm-fedora-kmod RPMBUILD_OPT="--without check"
安装 cd rpm/rpmbuild/RPMS/x86_64 yum install ovn-* ../noarch/python-openvswitch-2.12.0-1.el7.noarch.rpm openvswitch-2.12.0-1.el7.x86_64.rpm -y
yum install openvswitch-kmod-2.12.0-1.el7.x86_64.rpm -y
# 启动ovs,ovn服务
# master节点操作 systemctl enable openvswitch systemctl enable ovn-northd systemctl enable ovn-controller systemctl start openvswitch systemctl start ovn-northd systemctl start ovn-controller systemctl status openvswitch systemctl status ovn-northd systemctl status ovn-controller
从节点不需要启动ovn-northd服务
# slaver节点操作
systemctl enable openvswitch
systemctl enable ovn-controller
systemctl start openvswitch
systemctl start ovn-controller
systemctl status openvswitch
systemctl status ovn-controller
#master:192.168.1.200
#slaver:192.168.1.199
# master节点配置 # 让ovsdb-server监听6641,6642端口(其实,就是ovs 链接上 ovn) ovn-nbctl set-connection ptcp:6641:192.168.1.200 ovn-sbctl set-connection ptcp:6642:192.168.1.200
ovs-vsctl set open . external-ids:ovn-remote=tcp:192.168.1.200:6642
ovs-vsctl set open . external-ids:ovn-encap-type=geneve
ovs-vsctl set open . external-ids:ovn-encap-ip=192.168.1.200
6641端口用于监听OVN北向数据库
6642端口用于监听OVN南向数据库
# 从节点配置
ovs-vsctl set open . external-ids:ovn-remote=tcp:192.168.1.200:6642
ovs-vsctl set open . external-ids:ovn-encap-type=geneve
ovs-vsctl set open . external-ids:ovn-encap-ip=192.168.1.199
# 状态查看
[root@master ~]# ovs-vsctl show 2402b6df-301b-4e1b-a2d6-0b2c0ebaa56e Bridge br-int fail_mode: secure Port "ovn-e530c5-0" Interface "ovn-e530c5-0" type: geneve options: {csum="true", key=flow, remote_ip="192.168.1.199"} Port br-int Interface br-int type: internal ovs_version: "2.12.0" [root@slaver ~]# ovs-vsctl show f4461800-e732-40ab-84da-d106ef666041 Bridge br-int fail_mode: secure Port "ovn-32b404-0" Interface "ovn-32b404-0" type: geneve options: {csum="true", key=flow, remote_ip="192.168.1.200"} Port br-int Interface br-int type: internal ovs_version: "2.12.0"
功能测试
# 创建逻辑交换机,测试port连通性
# master 节点操作 # 创建logical switch ovn-nbctl ls-add ls1 # 创建 logical port ls1-veth1 ovn-nbctl lsp-add ls1 ls1-veth1 ovn-nbctl lsp-set-addresses ls1-veth1 "aa:aa:aa:11:11:aa 1.1.1.100" ovn-nbctl lsp-set-port-security ls1-veth1 aa:aa:aa:11:11:aa # 创建 logical port ls1-veth3 ovn-nbctl lsp-add ls1 ls1-veth3 ovn-nbctl lsp-set-addresses ls1-veth3 "aa:aa:aa:11:11:bb 1.1.1.200" ovn-nbctl lsp-set-port-security ls1-veth3 aa:aa:aa:11:11:bb # 查看 ovn-nbctl show [root@master ~]# ovn-nbctl show switch 636b7ee7-08c7-4bb4-814c-e3db26cf194d (ls1) port ls1-veth1 addresses: ["aa:aa:aa:11:11:aa 1.1.1.100"] port ls1-veth3 addresses: ["aa:aa:aa:11:11:bb 1.1.1.200"]
# 配置命名空间 # master: ip netns add ns1 ip link add veth1 type veth peer name veth2 ifconfig veth1 up ifconfig veth2 up ip link set veth2 netns ns1 ip netns exec ns1 ip link set veth2 address aa:aa:aa:11:11:aa ip netns exec ns1 ip addr add 1.1.1.100/24 dev veth2 ip netns exec ns1 ip link set veth2 up ovs-vsctl add-port br-int veth1 ovs-vsctl set Interface veth1 external_ids:iface-id=ls1-veth1 ip netns exec ns1 ip addr show # slaver: ip netns add ns2 ip link add veth3 type veth peer name veth4 ifconfig veth3 up ifconfig veth4 up ip link set veth4 netns ns2 ip netns exec ns2 ip link set veth4 address aa:aa:aa:11:11:bb ip netns exec ns2 ip addr add 1.1.1.200/24 dev veth4 ip netns exec ns2 ip link set veth4 up ovs-vsctl add-port br-int veth3 ovs-vsctl set Interface veth3 external_ids:iface-id=ls1-veth3 ip netns exec ns2 ip addr show
# 测试验证 [root@slover ~]# ip netns exec ns2 ping 1.1.1.100 PING 1.1.1.100 (1.1.1.100) 56(84) bytes of data. 64 bytes from 1.1.1.100: icmp_seq=1 ttl=64 time=0.207 ms 64 bytes from 1.1.1.100: icmp_seq=2 ttl=64 time=0.220 ms 64 bytes from 1.1.1.100: icmp_seq=3 ttl=64 time=0.242 ms
# arp 请求,流标分析 # 使用 ovs-appctl ofproto/trace 工具分析 # ovs-appctl ofproto/trace br-int in_port=veth3,arp,arp_tpa=1.1.1.100,arp_op=1,dl_src=aa:aa:aa:11:11:bb,arp_sha=aa:aa:aa:11:11:bb
arp_op: 1>arp请求 2>arp回应
dl_src: 数据包源地址
arp_sha: arp请求源地址
输出结果如下:
[root@slaver ~]# ovs-appctl ofproto/trace br-int in_port=veth3,arp,arp_tpa=1.1.1.100,arp_op=1,dl_src=aa:aa:aa:11:11:bb,arp_sha=aa:aa:aa:11:11:bb Flow: arp,in_port=2,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:bb,dl_dst=00:00:00:00:00:00,arp_spa=0.0.0.0,arp_tpa=1.1.1.100,arp_op=1,arp_sha=aa:aa:aa:11:11:bb,arp_tha=00:00:00:00:00:00 bridge("br-int") ---------------- 0. in_port=2, priority 100 set_field:0x1->reg13 set_field:0x2->reg11 set_field:0x3->reg12 set_field:0x1->metadata set_field:0x2->reg14 resubmit(,8) 8. reg14=0x2,metadata=0x1,dl_src=aa:aa:aa:11:11:bb, priority 50, cookie 0x4516809e resubmit(,9) 9. metadata=0x1, priority 0, cookie 0x69a434c9 resubmit(,10) 10. arp,reg14=0x2,metadata=0x1,dl_src=aa:aa:aa:11:11:bb,arp_sha=aa:aa:aa:11:11:bb, priority 90, cookie 0x9c758ab1 resubmit(,11) 11. metadata=0x1, priority 0, cookie 0xd11d6a1c resubmit(,12) 12. metadata=0x1, priority 0, cookie 0x5ea99228 resubmit(,13) 13. metadata=0x1, priority 0, cookie 0x31645736 resubmit(,14) 14. metadata=0x1, priority 0, cookie 0x9e43efb6 resubmit(,15) 15. metadata=0x1, priority 0, cookie 0xdf5f1f28 resubmit(,16) 16. metadata=0x1, priority 0, cookie 0x910724b6 resubmit(,17) 17. metadata=0x1, priority 0, cookie 0xf3ea9e05 resubmit(,18) 18. metadata=0x1, priority 0, cookie 0x6a1b10cc resubmit(,19) 19. arp,metadata=0x1,arp_tpa=1.1.1.100,arp_op=1, priority 50, cookie 0x2af6bc00 move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[] -> NXM_OF_ETH_DST[] is now aa:aa:aa:11:11:bb set_field:aa:aa:aa:11:11:aa->eth_src set_field:2->arp_op move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[] -> NXM_NX_ARP_THA[] is now aa:aa:aa:11:11:bb set_field:aa:aa:aa:11:11:aa->arp_sha move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[] -> NXM_OF_ARP_TPA[] is now 0.0.0.0 set_field:1.1.1.100->arp_spa move:NXM_NX_REG14[]->NXM_NX_REG15[] -> NXM_NX_REG15[] is now 0x2 load:0x1->NXM_NX_REG10[0] resubmit(,32) 32. priority 0 resubmit(,33) 33. reg15=0x2,metadata=0x1, priority 100 set_field:0x1->reg13 set_field:0x2->reg11 set_field:0x3->reg12 resubmit(,34) 34. priority 0 set_field:0->reg0 set_field:0->reg1 set_field:0->reg2 set_field:0->reg3 set_field:0->reg4 set_field:0->reg5 set_field:0->reg6 set_field:0->reg7 set_field:0->reg8 set_field:0->reg9 resubmit(,40) 40. metadata=0x1, priority 0, cookie 0x7a33311a resubmit(,41) 41. metadata=0x1, priority 0, cookie 0x9aa791f4 resubmit(,42) 42. metadata=0x1, priority 0, cookie 0x1ebbfc83 resubmit(,43) 43. metadata=0x1, priority 0, cookie 0x5623deb1 resubmit(,44) 44. metadata=0x1, priority 0, cookie 0xfe796bb7 resubmit(,45) 45. metadata=0x1, priority 0, cookie 0x30d4ee1b resubmit(,46) 46. metadata=0x1, priority 0, cookie 0x1f61291 resubmit(,47) 47. metadata=0x1, priority 0, cookie 0x6baadad7 resubmit(,48) 48. metadata=0x1, priority 0, cookie 0x37250958 resubmit(,49) 49. reg15=0x2,metadata=0x1,dl_dst=aa:aa:aa:11:11:bb, priority 50, cookie 0xa5f7f156 resubmit(,64) 64. reg10=0x1/0x1,reg15=0x2,metadata=0x1, priority 100 push:NXM_OF_IN_PORT[] set_field:0->in_port resubmit(,65) 65. reg15=0x2,metadata=0x1, priority 100 output:2 pop:NXM_OF_IN_PORT[] -> NXM_OF_IN_PORT[] is now 2 Final flow: arp,reg10=0x1,reg11=0x2,reg12=0x3,reg13=0x1,reg14=0x2,reg15=0x2,metadata=0x1,in_port=2,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:aa,dl_dst=aa:aa:aa:11:11:bb,arp_spa=1.1.1.100,arp_tpa=0.0.0.0,arp_op=2,arp_sha=aa:aa:aa:11:11:aa,arp_tha=aa:aa:aa:11:11:bb Megaflow: recirc_id=0,eth,arp,in_port=2,vlan_tci=0x0000/0x1000,dl_src=aa:aa:aa:11:11:bb,dl_dst=00:00:00:00:00:00,arp_spa=0.0.0.0,arp_tpa=1.1.1.100,arp_op=1,arp_sha=aa:aa:aa:11:11:bb,arp_tha=00:00:00:00:00:00 Datapath actions: set(eth(src=aa:aa:aa:11:11:aa,dst=aa:aa:aa:11:11:bb)),set(arp(sip=1.1.1.100,tip=0.0.0.0,op=2/0xff,sha=aa:aa:aa:11:11:aa,tha=aa:aa:aa:11:11:bb)),3 This flow is handled by the userspace slow path because it: - Uses action(s) not supported by datapath.
根据流标分析得出,跨节点的ARP请求,数据包并不会封装ARP然后跨节点发送出去,直接在流表里面构造ARP回应,源port直接返回。
在table 64中,由于ovs的设计,veth3出去的流量不能直接返回veth3,不然会直接drop,所以在流标规则中 NXM_OF_IN_PORT 先入栈,然后设置0,再出栈 NXM_OF_IN_PORT,这样数据包就不会被ovs drop了。
# icmp 报文流表分析 [root@slaver ~]# ovs-appctl ofproto/trace br-int in_port=veth3,icmp,dl_dst=aa:aa:aa:11:11:aa,dl_src=aa:aa:aa:11:11:bb,nw_dst=1.1.1.100 Flow: icmp,in_port=2,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:bb,dl_dst=aa:aa:aa:11:11:aa,nw_src=0.0.0.0,nw_dst=1.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0 bridge("br-int") ---------------- 0. in_port=2, priority 100 set_field:0x1->reg13 set_field:0x2->reg11 set_field:0x3->reg12 set_field:0x1->metadata set_field:0x2->reg14 resubmit(,8) 8. reg14=0x2,metadata=0x1,dl_src=aa:aa:aa:11:11:bb, priority 50, cookie 0x4516809e resubmit(,9) 9. metadata=0x1, priority 0, cookie 0x69a434c9 resubmit(,10) 10. metadata=0x1, priority 0, cookie 0xef0328e4 resubmit(,11) 11. metadata=0x1, priority 0, cookie 0xd11d6a1c resubmit(,12) 12. metadata=0x1, priority 0, cookie 0x5ea99228 resubmit(,13) 13. metadata=0x1, priority 0, cookie 0x31645736 resubmit(,14) 14. metadata=0x1, priority 0, cookie 0x9e43efb6 resubmit(,15) 15. metadata=0x1, priority 0, cookie 0xdf5f1f28 resubmit(,16) 16. metadata=0x1, priority 0, cookie 0x910724b6 resubmit(,17) 17. metadata=0x1, priority 0, cookie 0xf3ea9e05 resubmit(,18) 18. metadata=0x1, priority 0, cookie 0x6a1b10cc resubmit(,19) 19. metadata=0x1, priority 0, cookie 0xbade306a resubmit(,20) 20. metadata=0x1, priority 0, cookie 0x635ad2c5 resubmit(,21) 21. metadata=0x1, priority 0, cookie 0x501ccd49 resubmit(,22) 22. metadata=0x1, priority 0, cookie 0x48021e7 resubmit(,23) 23. metadata=0x1, priority 0, cookie 0xd219abd1 resubmit(,24) 24. metadata=0x1, priority 0, cookie 0x18ca6e2a resubmit(,25) 25. metadata=0x1,dl_dst=aa:aa:aa:11:11:aa, priority 50, cookie 0x16a625f2 set_field:0x1->reg15 resubmit(,32) 32. reg15=0x1,metadata=0x1, priority 100 load:0x1->NXM_NX_TUN_ID[0..23] set_field:0x1->tun_metadata0 move:NXM_NX_REG14[0..14]->NXM_NX_TUN_METADATA0[16..30] -> NXM_NX_TUN_METADATA0[16..30] is now 0x2 output:1 -> output to kernel tunnel Final flow: icmp,reg11=0x2,reg12=0x3,reg13=0x1,reg14=0x2,reg15=0x1,tun_id=0x1,metadata=0x1,in_port=2,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:bb,dl_dst=aa:aa:aa:11:11:aa,nw_src=0.0.0.0,nw_dst=1.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0 Megaflow: recirc_id=0,eth,ip,tun_id=0/0xffffff,tun_metadata0=NP,in_port=2,vlan_tci=0x0000/0x1000,dl_src=aa:aa:aa:11:11:bb,dl_dst=aa:aa:aa:11:11:aa,nw_ecn=0,nw_frag=no Datapath actions: set(tunnel(tun_id=0x1,dst=192.168.1.200,ttl=64,tp_dst=6081,geneve({class=0x102,type=0x80,len=4,0x20001}),flags(df|csum|key))),2
