centos ovn 搭建测试(三:负载均衡)
负载均衡功能验证
参考链接:
https://www.sdnlab.com/19245.html
https://www.jianshu.com/p/836f80e4cf4d
ovn 使用流表实现了一套简单的LB:
- 支持 sctp, tcp, or udp;
- 支持 health check
- 支持根据filed(eth_src、eth_dst、ip_dst、ip_src、tp_src、tp_dst ) 的hash,以及默认的dp_hash。
- OVN使用select类型的openflow group实现负载分担调度。
可见是一套L3&L4 Based LB,调度算法简单,没有实现7层 LB和其他调度算法。
这里解释一下 dp_hash和fields_hash:
- dp_hash: datapath hash可以理解为按包hash,这个hash值是由datapath来计算的,根据包hash的结果选择bucket,因为每个包都得计算hash值,所以比较耗费CPU;
- fields_hash: openvswitch根据fields进行hash计算选择一个bucket,然后给datapath安装流表,后续包直接在datapath 匹配安装的流表转发,这种hash算法可以理解了按流hash,hash计算时选择了哪些field,安装流时就匹配哪些field,其它都被mask掉了。如果流很多那么datapath就会被安装很多流,但是hash计算的工作量小,只有首包时计算一下。
LB 配置的位置
- logic sw lb 在使用LB 的client端vm的宿主机上完成调度封装,是分布式的
- logic router lb在网关上,是集中式的
OVN中的负载平衡可以应用于逻辑交换机或逻辑路由器。选择何种方式取决于您的具体要求。每种方法都有注意事项。
当应用于逻辑路由器时,需要牢记以下注意事项:
(1)负载平衡只能应用于“集中式”路由器(即网关路由器)。
(2)第1个注意事项已经决定了路由器上的负载平衡是非分布式服务。
应用于逻辑交换机时,需要牢记以下注意事项:
(1)负载平衡是“分布式”的,因为它被应用于潜在的多个OVS主机。
(2)仅在来自VIF(虚拟接口)的流量入口处评估逻辑交换机上的负载平衡。这意味着它必须应用在“客户端”逻辑交换机上,而不是在“服务器”逻辑交换机上。
(3)由于第2个注意事项,您可能需要根据您的设计规模对多个逻辑交换机应用负载平衡。
在逻辑交换机上配置负载均衡(负载均衡应该设置到用户的logical switch而不是server的logical switch)
# 所有ovn-nbctl全部在master节点上操作
# 配置逻辑交换机及逻辑port
# 创建logical switch
ovn-nbctl ls-add ls1
ovn-nbctl ls-add ls2
# 创建 logical port ls1-veth1
ovn-nbctl lsp-add ls1 ls1-veth1
ovn-nbctl lsp-set-addresses ls1-veth1 "aa:aa:aa:11:11:aa 1.1.1.100"
ovn-nbctl lsp-set-port-security ls1-veth1 aa:aa:aa:11:11:aa
# 创建 logical port ls1-veth3
ovn-nbctl lsp-add ls1 ls1-veth3
ovn-nbctl lsp-set-addresses ls1-veth3 "aa:aa:aa:11:11:bb 1.1.1.200"
ovn-nbctl lsp-set-port-security ls1-veth3 aa:aa:aa:11:11:bb
# 创建 logical port ls2-veth5
ovn-nbctl lsp-add ls2 ls2-veth5
ovn-nbctl lsp-set-addresses ls2-veth5 "aa:aa:aa:11:11:cc 2.1.1.10"
ovn-nbctl lsp-set-port-security ls2-veth5 aa:aa:aa:11:11:cc
# 配置逻辑路由器及逻辑port(全部master节点操作)
# 创建逻辑路由器 ovn-nbctl lr-add r1 # 创建逻辑路由器port ovn-nbctl lrp-add r1 r1-p1 00:00:00:00:10:00 1.1.1.1/24 ovn-nbctl lrp-add r1 r1-p2 00:00:00:00:20:00 2.1.1.1/24 # 创建逻辑交换机port并关联路由器port ovn-nbctl lsp-add ls1 ls1-p1 ovn-nbctl lsp-add ls2 ls2-p2 ovn-nbctl lsp-set-type ls1-p1 router ovn-nbctl lsp-set-type ls2-p2 router ovn-nbctl lsp-set-addresses ls1-p1 "00:00:00:00:10:00 1.1.1.1" ovn-nbctl lsp-set-addresses ls2-p2 "00:00:00:00:20:00 2.1.1.1" ovn-nbctl lsp-set-options ls1-p1 router-port=r1-p1 ovn-nbctl lsp-set-options ls2-p2 router-port=r1-p2
# 查看配置
[root@master ~]# ovn-nbctl show switch d0c5ff9c-e1fa-4a37-a986-eb54b44544d2 (ls1) port ls1-p1 type: router addresses: ["00:00:00:00:10:00 1.1.1.1"] router-port: r1-p1 port ls1-veth3 addresses: ["aa:aa:aa:11:11:bb 1.1.1.200"] port ls1-veth1 addresses: ["aa:aa:aa:11:11:aa 1.1.1.100"] switch b40260fb-befe-4cee-9a00-b803c6ef66ed (ls2) port ls2-veth5 addresses: ["aa:aa:aa:11:11:cc 2.1.1.10"] port ls2-p2 type: router addresses: ["00:00:00:00:20:00 2.1.1.1"] router-port: r1-p2 router cfa5807d-4acd-4428-8ddc-11e774d93dad (r1) port r1-p1 mac: "00:00:00:00:10:00" networks: ["1.1.1.1/24"] port r1-p2 mac: "00:00:00:00:20:00" networks: ["2.1.1.1/24"]
# 配置命名空间
# master:(配置server1) ip netns add ns1 ip link add veth1 type veth peer name veth2 ifconfig veth1 up ifconfig veth2 up ip link set veth2 netns ns1 ip netns exec ns1 ip link set veth2 address aa:aa:aa:11:11:aa ip netns exec ns1 ip addr add 1.1.1.100/24 dev veth2 ip netns exec ns1 ip link set veth2 up
ip netns exec ns1 ip r add default via 1.1.1.1 ovs-vsctl add-port br-int veth1 ovs-vsctl set Interface veth1 external_ids:iface-id=ls1-veth1 ip netns exec ns1 ip addr show # slaver:(配置server2) ip netns add ns2 ip link add veth3 type veth peer name veth4 ifconfig veth3 up ifconfig veth4 up ip link set veth4 netns ns2 ip netns exec ns2 ip link set veth4 address aa:aa:aa:11:11:bb ip netns exec ns2 ip addr add 1.1.1.200/24 dev veth4 ip netns exec ns2 ip link set veth4 up
ip netns exec ns2 ip r add default via 1.1.1.1 ovs-vsctl add-port br-int veth3 ovs-vsctl set Interface veth3 external_ids:iface-id=ls1-veth3 ip netns exec ns2 ip addr show # slaver:(配置client) ip netns add ns3 ip link add veth5 type veth peer name veth6 ifconfig veth5 up ifconfig veth6 up ip link set veth6 netns ns3 ip netns exec ns3 ip link set veth6 address aa:aa:aa:11:11:cc ip netns exec ns3 ip addr add 2.1.1.10/24 dev veth6 ip netns exec ns3 ip link set veth6 up
ip netns exec ns3 ip r add default via 2.1.1.1 ovs-vsctl add-port br-int veth5 ovs-vsctl set Interface veth5 external_ids:iface-id=ls2-veth5 ip netns exec ns3 ip addr show
# 启动web服务器
# master mkdir /tmp/www -p echo "i am master" > /tmp/www/index.html cd /tmp/www ip netns exec ns1 python -m SimpleHTTPServer 8000 # slaver mkdir /tmp/www -p echo "i am slaver" > /tmp/www/index.html cd /tmp/www ip netns exec ns2 python -m SimpleHTTPServer 8000
# 配置负载均衡
# master节点 ovn-nbctl lb-add lb1 1.1.1.50:8000 "1.1.1.100:8000,1.1.1.200:8000" tcp ovn-nbctl ls-lb-add ls2 lb1
# 查看LB配置
[root@master ~]# ovn-nbctl ls-lb-list ls2 UUID LB PROTO VIP IPs efed6f6f-cee7-438a-bc56-5d55a3c1449e lb1 tcp 1.1.1.50:8000 1.1.1.100:8000,1.1.1.200:8000
# 功能测试
[root@slaver ~]# ip netns exec ns3 curl 1.1.1.50:8000 i am master [root@slaver ~]# ip netns exec ns3 curl 1.1.1.50:8000 i am master [root@slaver ~]# ip netns exec ns3 curl 1.1.1.50:8000 i am slaver [root@slaver ~]# ip netns exec ns3 curl 1.1.1.50:8000 i am master [root@slaver ~]# ip netns exec ns3 curl 1.1.1.50:8000 i am slaver
# 可通过修改load balance的selection_fields为ip_src,这样只会根据源ip计算,这样同一个ns发出的报文只会发给同一个endpoint
待验证
[root@ovn-master ~]# ovn-sbctl dump-flows ls2 | grep ct_lb table=10(ls_in_stateful ), priority=120 , match=(ct.new && ip4.dst == 1.1.1.50 && tcp.dst == 8000), action=(ct_lb(1.1.1.100:8000,1.1.1.200:8000);) table=10(ls_in_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;) table=7 (ls_out_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;)
# ovn-trace
[root@ovn-master ~]# ovn-trace --detailed --lb-dst=1.1.1.50:8000 --ct=est ls2 'inport=="ls2-veth5" && eth.src== aa:aa:aa:11:11:cc && eth.dst == 00:00:00:00:20:00 && ip4.src==2.1.1.10 && ip.ttl==64 && ip4.dst==1.1.1.50 && tcp.dst==8000' # tcp,reg14=0x1,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:cc,dl_dst=00:00:00:00:20:00,nw_src=2.1.1.10,nw_dst=1.1.1.50,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=8000,tcp_flags=0 ingress(dp="ls2", inport="ls2-veth5") ------------------------------------- 0. ls_in_port_sec_l2 (ovn-northd.c:4843): inport == "ls2-veth5" && eth.src == {aa:aa:aa:11:11:cc}, priority 50, uuid 6ecbbab8 next; 4. ls_in_pre_lb (ovn-northd.c:3969): ip && ip4.dst == 1.1.1.50, priority 100, uuid 9d2daad0 reg0[0] = 1; next; 5. ls_in_pre_stateful (ovn-northd.c:3992): reg0[0] == 1, priority 100, uuid a2bffb6b ct_next; ct_next(ct_state=est|trk) ------------------------- 9. ls_in_lb (ovn-northd.c:4575): ct.est && !ct.rel && !ct.new && !ct.inv, priority 65535, uuid 086001ea reg0[2] = 1; next; 10. ls_in_stateful (ovn-northd.c:4607): reg0[2] == 1, priority 100, uuid 58fa64dc ct_lb; ct_lb ----- 17. ls_in_l2_lkup (ovn-northd.c:5359): eth.dst == 00:00:00:00:20:00, priority 50, uuid 3183656f outport = "ls2-p2"; output; egress(dp="ls2", inport="ls2-veth5", outport="ls2-p2") ------------------------------------------------------ 0. ls_out_pre_lb (ovn-northd.c:3977): ip, priority 100, uuid 0266402e reg0[0] = 1; next; 2. ls_out_pre_stateful (ovn-northd.c:3994): reg0[0] == 1, priority 100, uuid 7cfa5fe4 ct_next; ct_next(ct_state=est|trk /* default (use --ct to customize) */) --------------------------------------------------------------- 3. ls_out_lb (ovn-northd.c:4578): ct.est && !ct.rel && !ct.new && !ct.inv, priority 65535, uuid a900607d reg0[2] = 1; next; 7. ls_out_stateful (ovn-northd.c:4609): reg0[2] == 1, priority 100, uuid c7744075 ct_lb; ct_lb ----- 9. ls_out_port_sec_l2 (ovn-northd.c:5503): outport == "ls2-p2", priority 50, uuid bc275bd3 output; /* output to "ls2-p2", type "patch" */ ingress(dp="r1", inport="r1-p2") -------------------------------- 0. lr_in_admission (ovn-northd.c:6198): eth.dst == 00:00:00:00:20:00 && inport == "r1-p2", priority 50, uuid 3ea8bf63 next; 7. lr_in_ip_routing (ovn-northd.c:5780): ip4.dst == 1.1.1.0/24, priority 49, uuid b241f017 ip.ttl--; reg0 = ip4.dst; reg1 = 1.1.1.1; eth.src = 00:00:00:00:10:00; outport = "r1-p1"; flags.loopback = 1; next; 9. lr_in_arp_resolve (ovn-northd.c:7810): ip4, priority 0, uuid 87ecd08f get_arp(outport, reg0); /* No MAC binding. */ next; 13. lr_in_arp_request (ovn-northd.c:7994): eth.dst == 00:00:00:00:00:00, priority 100, uuid e23aaaa4 arp { eth.dst = ff:ff:ff:ff:ff:ff; arp.spa = reg1; arp.tpa = reg0; arp.op = 1; output; }; arp --- eth.dst = ff:ff:ff:ff:ff:ff; arp.spa = reg1; arp.tpa = reg0; arp.op = 1; output; egress(dp="r1", inport="r1-p2", outport="r1-p1") ------------------------------------------------ 3. lr_out_delivery (ovn-northd.c:8029): outport == "r1-p1", priority 100, uuid 2c45bb40 output; /* output to "r1-p1", type "patch" */ ingress(dp="ls1", inport="ls1-p1") ---------------------------------- 0. ls_in_port_sec_l2 (ovn-northd.c:4843): inport == "ls1-p1", priority 50, uuid 18f4bc34 next; 17. ls_in_l2_lkup (ovn-northd.c:5308): eth.mcast, priority 70, uuid e9f7ecb8 outport = "_MC_flood"; output; multicast(dp="ls1", mcgroup="_MC_flood") ---------------------------------------- egress(dp="ls1", inport="ls1-p1", outport="ls1-p1") --------------------------------------------------- /* omitting output because inport == outport && !flags.loopback */ egress(dp="ls1", inport="ls1-p1", outport="ls1-veth1") ------------------------------------------------------ 9. ls_out_port_sec_l2 (ovn-northd.c:5480): eth.mcast, priority 100, uuid 2439078a output; /* output to "ls1-veth1", type "" */ egress(dp="ls1", inport="ls1-p1", outport="ls1-veth3") ------------------------------------------------------ 9. ls_out_port_sec_l2 (ovn-northd.c:5480): eth.mcast, priority 100, uuid 2439078a output; /* output to "ls1-veth3", type "" */
# 流量trace,流表分析
[root@slaver ~]# ovs-appctl ofproto/trace br-int in_port=veth5,tcp,ct_state=new,dl_src=aa:aa:aa:11:11:cc,dl_dst=00:00:00:00:20:00,nw_src=2.1.1.10,nw_dst=1.1.1.50,tp_dst=8000 -generate Flow: ct_state=new,tcp,in_port=7,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:cc,dl_dst=00:00:00:00:20:00,nw_src=2.1.1.10,nw_dst=1.1.1.50,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=8000,tcp_flags=0 bridge("br-int") ---------------- 0. in_port=7, priority 100 set_field:0x8->reg13 set_field:0x4->reg11 set_field:0x2->reg12 set_field:0xa->metadata set_field:0x1->reg14 resubmit(,8) 8. reg14=0x1,metadata=0xa,dl_src=aa:aa:aa:11:11:cc, priority 50, cookie 0xdded0345 resubmit(,9) 9. metadata=0xa, priority 0, cookie 0x8b0017f4 resubmit(,10) 10. metadata=0xa, priority 0, cookie 0xe89b0c91 resubmit(,11) 11. metadata=0xa, priority 0, cookie 0x9ecd4c45 resubmit(,12) 12. ip,metadata=0xa,nw_dst=1.1.1.50, priority 100, cookie 0xca4afa66 load:0x1->NXM_NX_XXREG0[96] resubmit(,13) 13. ip,reg0=0x1/0x1,metadata=0xa, priority 100, cookie 0xeb3294df ct(table=14,zone=NXM_NX_REG13[0..15]) drop -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 14. -> Sets the packet to an untracked state, and clears all the conntrack fields. Final flow: tcp,reg0=0x1,reg11=0x4,reg12=0x2,reg13=0x8,reg14=0x1,metadata=0xa,in_port=7,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:cc,dl_dst=00:00:00:00:20:00,nw_src=2.1.1.10,nw_dst=1.1.1.50,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=8000,tcp_flags=0 Megaflow: recirc_id=0,eth,ip,in_port=7,vlan_tci=0x0000/0x1000,dl_src=aa:aa:aa:11:11:cc,nw_dst=1.1.1.50,nw_frag=no Datapath actions: ct(zone=8),recirc(0x72) =============================================================================== recirc(0x72) - resume conntrack with default ct_state=trk|new (use --ct-next to customize) =============================================================================== Flow: recirc_id=0x72,ct_state=new|trk,ct_zone=8,eth,tcp,reg0=0x1,reg11=0x4,reg12=0x2,reg13=0x8,reg14=0x1,metadata=0xa,in_port=7,vlan_tci=0x0000,dl_src=aa:aa:aa:11:11:cc,dl_dst=00:00:00:00:20:00,nw_src=2.1.1.10,nw_dst=1.1.1.50,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=8000,tcp_flags=0 bridge("br-int") ---------------- thaw Resuming from table 14 14. metadata=0xa, priority 0, cookie 0xf5b40090 resubmit(,15) 15. metadata=0xa, priority 0, cookie 0xe0642e4 resubmit(,16) 16. metadata=0xa, priority 0, cookie 0x5a618e6d resubmit(,17) 17. metadata=0xa, priority 0, cookie 0xd6c4e562 resubmit(,18) 18. ct_state=+new+trk,tcp,metadata=0xa,nw_dst=1.1.1.50,tp_dst=8000, priority 120, cookie 0x28e7bdb3 group:1 -> no live bucket Final flow: unchanged Megaflow: recirc_id=0x72,ct_state=+new-est-rel-inv+trk,eth,tcp,in_port=7,nw_dst=1.1.1.50,nw_frag=no,tp_dst=8000 Datapath actions: hash(l4(0)),recirc(0x73)
在网关路由器上配置负载均衡
# 清除逻辑交换机上的LB配置
ovn-nbctl ls-lb-del ls2 lb1
ovn-nbctl lb-del lb1
# 新建LB
# master节点 ovn-nbctl lb-add lb1 2.1.1.50:8000 "1.1.1.100:8000,1.1.1.200:8000" tcp ovn-nbctl lr-lb-add r1 lb1
# LB关联到逻辑路由器上
ovn-nbctl lr-lb-add r1 lb1
# 查看配置
[root@master ~]# ovn-nbctl lr-lb-list r1 UUID LB PROTO VIP IPs efed6f6f-cee7-438a-bc56-5d55a3c1449e lb1 tcp 1.1.1.50:8000 1.1.1.100:8000,1.1.1.200:8000
# 功能验证
Not Work,待研究
