centos ovn 搭建测试(八:SFC)
SFC 功能验证
该功能目前社区并未支持,未来计划是否支持上还不清楚,但是有业界大佬添加了SFC的功能。
仓库是:https://github.com/doonhammer/ovs.git,使用sfc.v30分支,ovs版本是2.9.90,系统 kernel 版本不能太高。
【but version newer than 4.15.x is not supported】
SFC详细配置可以参考:
https://gist.github.com/voyageur/a26943eced3324b302f1ffede45252bd
https://opnfv-ovn4nfv.readthedocs.io/en/latest/development/ovn-sfc-openstack.html
一.环境说明
centos:CentOS Linux release 7.8.2003 (Core)
kernel:4.12.10
openvswitch:2.9.90
二.源码编译
# 源码下载 git clone https://github.com/doonhammer/ovs.git git checkout sfc.v30 # 源码编译 ./boot.sh ./configure make rpm-fedora make rpm-fedora-kmod
三.安装
cd rpm/rpmbuild/RPMS/x86_64/ yum install *.rpm ../noarch/python-openvswitch-2.9.90-1.el7.noarch.rpm
四.网络拓扑
环境说明:
SFC1:ns-a ---> p2 ---> p4 ---> ns-b(ns-a ping ns-b)
SFC2:ns-a ---> p2 ---> p4 ---> p6 ---> p8 ---> ns-c(ns-a ping ns-c)
使用bridge作为模拟NFV转发,需要关闭环境IPv6模块,不然bridge会环路,环路后CPU很高,报文无法处理导致ping不通。
五.逻辑交换机及逻辑port配置
ovn-nbctl ls-add n1 ovn-nbctl lsp-add n1 n1-p1 ovn-nbctl lsp-set-addresses n1-p1 "00:00:00:00:00:11 1.1.1.10" ovn-nbctl lsp-add n1 n1-p2 ovn-nbctl lsp-set-addresses n1-p2 "00:00:00:00:00:22 1.1.1.20" ovn-nbctl lsp-add n1 n1-p3 ovn-nbctl lsp-set-addresses n1-p3 "00:00:00:00:00:33 1.1.1.30" ovn-nbctl lsp-add n1 n1-p4 ovn-nbctl lsp-set-addresses n1-p4 "00:00:00:00:00:44 1.1.1.40" ovn-nbctl lsp-add n1 n1-ap ovn-nbctl lsp-set-addresses n1-ap "00:00:00:00:00:77 1.1.1.70" ovn-nbctl lsp-add n1 n1-bp ovn-nbctl lsp-set-addresses n1-bp "00:00:00:00:00:88 1.1.1.80" ovn-nbctl lsp-add n1 n1-cp ovn-nbctl lsp-set-addresses n1-cp "00:00:00:00:00:99 1.1.1.90"
六.逻辑服务链配置
# lsp-pair-add SWITCH PORT-IN PORT-OUT [LSP-PAIR] ovn-nbctl lsp-pair-add n1 n1-p1 n1-p2 VNF1-PP1 # 创建逻辑链 ovn-nbctl lsp-chain-add n1 PC1 # 链中添加逻辑组 ovn-nbctl lsp-pair-group-add PC1 PG1 # 逻辑组中添加VNF,可以添加多个VNF,进行负载均衡 ovn-nbctl lsp-pair-group-add-port-pair PG1 VNF1-PP1 # 配置classifier # The path of the flow from or to the logical port. The valid values are "entry-lport" or "exit-lport". If the path is "entry-lport" the rules are applied to traffic leaving the entry-lport, if the path is "exit-lport" the port-chain is applied to traffic going to the lport. # The direction of the flows through the port chain, this can be either "uni-directional" or "bi-directional". ovn-nbctl lsp-chain-classifier-add n1 PC1 n1-bp 'entry-lport' 'bi-directional' PCC1 '' ovn-nbctl lsp-pair-add n1 n1-p3 n1-p4 VNF2-PP1 ovn-nbctl lsp-chain-add n1 PC2 ovn-nbctl lsp-pair-group-add PC2 PG2 ovn-nbctl lsp-pair-group-add PC2 PG3 ovn-nbctl lsp-pair-group-add-port-pair PG2 VNF2-PP1 ovn-nbctl lsp-pair-group-add-port-pair PG3 VNF1-PP1 ovn-nbctl lsp-chain-classifier-add n1 PC2 n1-cp 'entry-lport' 'bi-directional' PCC2 ''
七.配置ns-a,ns-b,ns-c
ip netns add ns-a ip link add veth1 type veth peer name veth2 ifconfig veth1 up ifconfig veth2 up ip link set veth2 netns ns-a ip netns exec ns-a ip link set veth2 address 00:00:00:00:00:77 ip netns exec ns-a ip addr add 1.1.1.70/24 dev veth2 ip netns exec ns-a ip link set veth2 up ovs-vsctl add-port br-int veth1 ovs-vsctl set Interface veth1 external_ids:iface-id=n1-ap ip netns add ns-b ip link add veth3 type veth peer name veth4 ifconfig veth3 up ifconfig veth4 up ip link set veth4 netns ns-b ip netns exec ns-b ip link set veth4 address 00:00:00:00:00:88 ip netns exec ns-b ip addr add 1.1.1.80/24 dev veth4 ip netns exec ns-b ip link set veth4 up ovs-vsctl add-port br-int veth3 ovs-vsctl set Interface veth3 external_ids:iface-id=n1-bp ip netns add ns-c ip link add veth5 type veth peer name veth6 ifconfig veth5 up ifconfig veth6 up ip link set veth6 netns ns-c ip netns exec ns-c ip link set veth6 address 00:00:00:00:00:99 ip netns exec ns-c ip addr add 1.1.1.90/24 dev veth6 ip netns exec ns-c ip link set veth6 up ovs-vsctl add-port br-int veth5 ovs-vsctl set Interface veth5 external_ids:iface-id=n1-cp
八.配置VNF
ip link add p1 type veth peer name p2 ip link add p3 type veth peer name p4 ip link add p5 type veth peer name p6 ip link add p7 type veth peer name p8 ifconfig p1 up ifconfig p2 up ifconfig p3 up ifconfig p4 up ifconfig p5 up ifconfig p6 up ifconfig p7 up ifconfig p8 up ovs-vsctl add-port br-int p1 ovs-vsctl set Interface p1 external_ids:iface-id=n1-p1 ovs-vsctl add-port br-int p3 ovs-vsctl set Interface p3 external_ids:iface-id=n1-p2 ovs-vsctl add-port br-int p5 ovs-vsctl set Interface p5 external_ids:iface-id=n1-p3 ovs-vsctl add-port br-int p7 ovs-vsctl set Interface p7 external_ids:iface-id=n1-p4 ip link set p2 address 00:00:00:00:00:11 ip link set p4 address 00:00:00:00:00:22 ip link set p6 address 00:00:00:00:00:33 ip link set p8 address 00:00:00:00:00:44 brctl addbr br1 brctl addbr br2 ifconfig br1 up ifconfig br2 up brctl addif br1 p2 brctl addif br1 p4 brctl addif br2 p6 brctl addif br2 p8
九.OVN配置查看
[root@ovn-master ~]# ovn-nbctl show switch bc2a834e-d162-44b8-aec6-376ffcdf62dc (n1) port n1-ap addresses: ["00:00:00:00:00:77 1.1.1.70"] port n1-p1 addresses: ["00:00:00:00:00:11 1.1.1.10"] port n1-p3 addresses: ["00:00:00:00:00:33 1.1.1.30"] port n1-p5 addresses: ["00:00:00:00:00:55 1.1.1.50"] port n1-p4 addresses: ["00:00:00:00:00:44 1.1.1.40"] port n1-bp addresses: ["00:00:00:00:00:88 1.1.1.80"] port n1-cp addresses: ["00:00:00:00:00:99 1.1.1.90"] port n1-p6 addresses: ["00:00:00:00:00:66 1.1.1.60"] port n1-p2 addresses: ["00:00:00:00:00:22 1.1.1.20"] [root@ovn-master ~]# ovn-sbctl show Chassis "52778a67-8232-4802-9d7c-57e08ce6890e" hostname: "ovn-node1" Encap geneve ip: "192.168.1.199" options: {csum="true"} Chassis "32b40428-bde1-4ba7-b5a7-aab310cd2baf" hostname: ovn-master Encap geneve ip: "192.168.1.200" options: {csum="true"} Port_Binding "n1-p2" Port_Binding "n1-cp" Port_Binding "n1-p1" Port_Binding "n1-ap" Port_Binding "n1-p4" Port_Binding "n1-bp" Port_Binding "n1-p3"
十.功能验证
[root@ovn-master ~]# ip netns exec ns-a ping 1.1.1.80 -c 3 PING 1.1.1.80 (1.1.1.80) 56(84) bytes of data. 64 bytes from 1.1.1.80: icmp_seq=1 ttl=64 time=0.074 ms 64 bytes from 1.1.1.80: icmp_seq=2 ttl=64 time=0.070 ms 64 bytes from 1.1.1.80: icmp_seq=3 ttl=64 time=0.068 ms --- 1.1.1.80 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2082ms rtt min/avg/max/mdev = 0.068/0.070/0.074/0.010 ms [root@ovn-master ~]# ip netns exec ns-a ping 1.1.1.90 -c 3 PING 1.1.1.90 (1.1.1.90) 56(84) bytes of data. 64 bytes from 1.1.1.90: icmp_seq=1 ttl=64 time=0.064 ms 64 bytes from 1.1.1.90: icmp_seq=2 ttl=64 time=0.070 ms 64 bytes from 1.1.1.90: icmp_seq=3 ttl=64 time=0.079 ms --- 1.1.1.90 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2053ms rtt min/avg/max/mdev = 0.064/0.071/0.079/0.006 ms
通过p1-p8、br1和br2上抓包,及br1和br2 up/down 操作可以验证icmp报文的流量路径符合预期。
十一. ovn-trace 验证路径
1)验证ns-a到ns-b路径
①n1-ap ---> n1-p2,如果网桥成功转发后,流量将会到达p1--->n1-p1
[root@ovn-master ~]# ovn-trace n1 'inport == "n1-ap" && eth.src == 00:00:00:00:00:77 && eth.dst == 00:00:00:00:00:88' # reg14=0x7,vlan_tci=0x0000,dl_src=00:00:00:00:00:77,dl_dst=00:00:00:00:00:88,dl_type=0x0000 ingress(dp="n1", inport="n1-ap") -------------------------------- 0. ls_in_port_sec_l2 (ovn-northd.c:4087): inport == "n1-ap", priority 50, uuid 5532c1f8 next; 11. ls_in_chain (ovn-northd.c:3692): eth.dst == 00:00:00:00:00:88, priority 100, uuid b939c5c3 outport = "n1-p2"; output; egress(dp="n1", inport="n1-ap", outport="n1-p2") ------------------------------------------------ 10. ls_out_port_sec_l2 (ovn-northd.c:4549): outport == "n1-p2", priority 50, uuid f2f816cb output; /* output to "n1-p2", type "" */
②n1-p1 ---> n1-bp
[root@ovn-master ~]# ovn-trace n1 'inport == "n1-p1" && eth.src == 00:00:00:00:00:77 && eth.dst == 00:00:00:00:00:88' # reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:77,dl_dst=00:00:00:00:00:88,dl_type=0x0000 ingress(dp="n1", inport="n1-p1") -------------------------------- 0. ls_in_port_sec_l2 (ovn-northd.c:4087): inport == "n1-p1", priority 50, uuid 3f36e0bf next; 11. ls_in_chain (ovn-northd.c:3717): eth.dst == 00:00:00:00:00:88 && inport == "n1-p1", priority 150, uuid f51ba58e next; 17. ls_in_l2_lkup (ovn-northd.c:4422): eth.dst == 00:00:00:00:00:88, priority 50, uuid f16f7723 outport = "n1-bp"; output; egress(dp="n1", inport="n1-p1", outport="n1-bp") ------------------------------------------------ 10. ls_out_port_sec_l2 (ovn-northd.c:4549): outport == "n1-bp", priority 50, uuid af31f9d5 output; /* output to "n1-bp", type "" */
2)验证ns-a到ns-c路径
① n1-ap ---> n1-p2,如果网桥成功转发后,流量将会到达p1--->n1-p1
[root@ovn-master ~]# ovn-trace n1 'inport == "n1-ap" && eth.src == 00:00:00:00:00:77 && eth.dst == 00:00:00:00:00:99' # reg14=0x7,vlan_tci=0x0000,dl_src=00:00:00:00:00:77,dl_dst=00:00:00:00:00:99,dl_type=0x0000 ingress(dp="n1", inport="n1-ap") -------------------------------- 0. ls_in_port_sec_l2 (ovn-northd.c:4087): inport == "n1-ap", priority 50, uuid 5532c1f8 next; 11. ls_in_chain (ovn-northd.c:3692): eth.dst == 00:00:00:00:00:99, priority 100, uuid 420b3640 outport = "n1-p2"; output; egress(dp="n1", inport="n1-ap", outport="n1-p2") ------------------------------------------------ 10. ls_out_port_sec_l2 (ovn-northd.c:4549): outport == "n1-p2", priority 50, uuid f2f816cb output; /* output to "n1-p2", type "" */
②n1-p1 ---> n1-p4,如果网桥成功转发后,流量将会到达p1--->n1-p3
[root@ovn-master ~]# ovn-trace n1 'inport == "n1-p1" && eth.src == 00:00:00:00:00:77 && eth.dst == 00:00:00:00:00:99' # reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:77,dl_dst=00:00:00:00:00:99,dl_type=0x0000 ingress(dp="n1", inport="n1-p1") -------------------------------- 0. ls_in_port_sec_l2 (ovn-northd.c:4087): inport == "n1-p1", priority 50, uuid 3f36e0bf next; 11. ls_in_chain (ovn-northd.c:3746): eth.dst == 00:00:00:00:00:99 && inport == "n1-p1", priority 150, uuid d94804de outport = "n1-p4"; output; egress(dp="n1", inport="n1-p1", outport="n1-p4") ------------------------------------------------ 10. ls_out_port_sec_l2 (ovn-northd.c:4549): outport == "n1-p4", priority 50, uuid c5059dbc output; /* output to "n1-p4", type "" */
③n1-p3 ---> n1-cp
[root@ovn-master ~]# ovn-trace n1 'inport == "n1-p3" && eth.src == 00:00:00:00:00:77 && eth.dst == 00:00:00:00:00:99' # reg14=0x3,vlan_tci=0x0000,dl_src=00:00:00:00:00:77,dl_dst=00:00:00:00:00:99,dl_type=0x0000 ingress(dp="n1", inport="n1-p3") -------------------------------- 0. ls_in_port_sec_l2 (ovn-northd.c:4087): inport == "n1-p3", priority 50, uuid 61232acb next; 11. ls_in_chain (ovn-northd.c:3717): eth.dst == 00:00:00:00:00:99 && inport == "n1-p3", priority 150, uuid 63c1f326 next; 17. ls_in_l2_lkup (ovn-northd.c:4422): eth.dst == 00:00:00:00:00:99, priority 50, uuid 59e78ff3 outport = "n1-cp"; output; egress(dp="n1", inport="n1-p3", outport="n1-cp") ------------------------------------------------ 10. ls_out_port_sec_l2 (ovn-northd.c:4549): outport == "n1-cp", priority 50, uuid 45d1f786 output; /* output to "n1-cp", type "" */
两个SFC流量路径符合预期。
十二.思考
SFC功能在项目上完整实施是一个比较复杂研发过程,如果没有ovn,可以通过插件灵活控制流量下发,不过目前有社区OVN-SFC的源码参考,所以通过定义逻辑服务链控制流表对于研发也不是难事,但是一个完整的SFC需要考虑的因素比较多,例如复杂均衡,链路探测,故障BYPASS,负载故障如何切换等等,都是有一定的开发量。同时两端的ns-a、ns-b、ns-c在项目中不是这么玩的,两端多了虚拟机或者namespace,不是可取的方案,应该被替到,期望的是交换机的流量可以直接引到SFC的头结点或者有个统一的VIP调度节点引到流量到不同的SFC链上。所以目前验证的这些功能是基础的,后续业务上线还是有一定的开发工作量。
