From: Numan Siddique Date: Fri, 19 Feb 2016 14:31:53 +0000 (+0530) Subject: ovn: Add a section on containers in OVN Tutorial X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fovs.git;a=commitdiff_plain;h=a97eef91fb1babebc5bc682d55744f700b6e7ce6 ovn: Add a section on containers in OVN Tutorial Signed-Off-by: Numan Siddique Signed-off-by: Ben Pfaff --- diff --git a/tutorial/OVN-Tutorial.md b/tutorial/OVN-Tutorial.md index 1188faacb..2bcfc599d 100644 --- a/tutorial/OVN-Tutorial.md +++ b/tutorial/OVN-Tutorial.md 
@@ -709,6 +709,78 @@ though. perspective and also provides an example of what the resulting OpenFlow flows look like. +7) Container Ports +------------------ + +OVN supports containers running directly on the hypervisors and running +containers inside VMs. This example shows how OVN supports network +virtualization to containers when run inside VMs. Details about how to use +docker containers in OVS can be found [here][openvswitch-docker]. + +To support container traffic created inside a VM and to distinguish network +traffic coming from different container vifs, for each container a logical +port needs to be created with parent name set to the VM's logical port and +the tag set to the vlan tag of the container vif. + +Start with a simple logical switch with 3 logical ports. + +[View ovn/env7/setup.sh][env7setup]. + + $ ovn/env7/setup.sh + +Lets create a container vif attached to the logical port 'sw0-port1' and +another container vif attached to the logical port 'sw0-port2'. + +[View ovn/env7/add-container-ports.sh][env7contports] + + $ ovn/env7/add-container-ports.sh + +Run the `ovn-nbctl` command to see the logical ports + + $ovn-nbctl show + + +As you can see a logical port 'csw0-cport1' is created on a logical +switch 'csw0' whose parent is 'sw0-port1' and it has tag set to 42. +And a logical port 'csw0-cport2' is created on the logical switch 'csw0' +whose parent is 'sw0-port2' and it has tag set to 43. + +Bridge 'br-vmport1' represents the ovs bridge running inside the VM +connected to the logical port 'sw0-port1'. In this tutorial the ovs port +to 'sw0-port1' is created as a patch port with its peer connected to the +ovs bridge 'br-vmport1'. An ovs port 'cport1' is added to 'br-vmport1' +which represents the container interface connected to the ovs bridge +and vlan tag set to 42. Similarly 'br-vmport2' represents the ovs bridge +for the logical port 'sw0-port2' and 'cport2' connected to 'br-vmport2' +with vlan tag set to 43. 
+ +This first trace shows a packet from 'csw0-port1' with a destination mac +address of 'csw0-port2'. You can see ovs bridge of the vm 'br-vmport1' tags +the traffic with vlan id 42 and the traffic reaches to the br-int because +of the patch port. As you can see below `ovn-controller` has added a flow +to strip the vlan tag and set the reg6 and metadata appropriately. + + $ ovs-ofctl -O OpenFlow13 dump-flows br-int + OFPST_FLOW reply (OF1.3) (xid=0x2): + cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=3,dl_vlan=42 actions=pop_vlan,set_field:0x3->reg5,set_field:0x2->metadata,set_field:0x1->reg6,resubmit(,16) + cookie=0x0, duration=2767.002s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=4,dl_vlan=43 actions=pop_vlan,set_field:0x4->reg5,set_field:0x2->metadata,set_field:0x2->reg6,resubmit(,16) + cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=3 actions=set_field:0x1->reg5,set_field:0x1->metadata,set_field:0x1->reg6,resubmit(,16) + cookie=0x0, duration=2767.001s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=4 actions=set_field:0x2->reg5,set_field:0x1->metadata,set_field:0x2->reg6,resubmit(,16) + +[View ovn/env7/packet1.sh][env7packet1]. + + $ ovn/env5/packet1.sh + + +The second trace shows a packet from 'csw0-port2' to 'csw0-port1'. + +[View ovn/env7/packet2.sh][env7packet2]. + + $ ovn/env5/packet1.sh + +You can extend this setup by adding additional container ports with two +hypervisors. Please see the tutorial 3 above. + [ovn-architecture(7)]:http://openvswitch.org/support/dist-docs/ovn-architecture.7.html [Tutorial.md]:https://github.com/openvswitch/ovs/blob/master/tutorial/Tutorial.md [ovn-nb(5)]:http://openvswitch.org/support/dist-docs/ovn-nb.5.html 
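Review bot: the commands shown under the two trace paragraphs point at the wrong scripts: `$ ovn/env5/packet1.sh` appears both under `[View ovn/env7/packet1.sh][env7packet1]` and under `[View ovn/env7/packet2.sh][env7packet2]`, so a reader following the text runs an env5 script (the same one twice); change them to `$ ovn/env7/packet1.sh` and `$ ovn/env7/packet2.sh`. In the same hunk, `$ovn-nbctl show` is missing the space after the prompt, and the `ovn-nbctl show` output that the next paragraph describes ("As you can see a logical port 'csw0-cport1' is created ...") is blank, so either paste the sandbox output or drop the "as you can see". The trace descriptions call the container ports 'csw0-port1' and 'csw0-port2' while add-container-ports.sh creates 'csw0-cport1' and 'csw0-cport2'; use the real names. One sentence on what the flow dump shows would also help readers: at br-int the only thing that separates container traffic from the parent VM's own traffic is the VLAN tag (the priority=150 `in_port=3,dl_vlan=42` flow pops the tag and sets metadata=0x2/reg6=0x1 for the container switch, while the priority=100 `in_port=3` flow with no tag maps to the parent port with metadata=0x1), so untagged or wrongly tagged frames from the VM are treated as the parent port's traffic, and the `lport-set-port-security` entries on each container port are what restrict the MAC address each container vif may use. Minor: "Lets" should be "Let's", and "Please see the tutorial 3 above" reads better as "see section 3 above".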
@@ -742,4 +814,9 @@ look like. [env5packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env5/packet2.sh [env6setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env6/setup.sh [env6acls]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env6/add-acls.sh +[env7setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/setup.sh +[env7contports]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/add-container-ports.sh +[env7packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/packet1.sh +[env7packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/packet2.sh [openstack-ovn-acl-blog]:http://blog.russellbryant.net/2015/10/22/openstack-security-groups-using-ovn-acls/ +[openvswitch-docker]:http://openvswitch.org/support/dist-docs/INSTALL.Docker.md.txt diff --git a/tutorial/automake.mk b/tutorial/automake.mk index f41c406e4..7e835f23b 100644 --- a/tutorial/automake.mk +++ b/tutorial/automake.mk @@ -30,7 +30,10 @@ EXTRA_DIST += \ tutorial/ovn/env5/packet1.sh \ tutorial/ovn/env5/packet2.sh \ tutorial/ovn/env6/setup.sh \ - tutorial/ovn/env6/add-acls.sh - + tutorial/ovn/env6/add-acls.sh \ + tutorial/ovn/env7/add-container-ports.sh \ + tutorial/ovn/env7/packet1.sh \ + tutorial/ovn/env7/packet2.sh \ + tutorial/ovn/env7/setup.sh sandbox: all cd $(srcdir)/tutorial && MAKE=$(MAKE) ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS) diff --git a/tutorial/ovn/env7/add-container-ports.sh b/tutorial/ovn/env7/add-container-ports.sh new file mode 100755 index 000000000..482c969cb --- /dev/null +++ b/tutorial/ovn/env7/add-container-ports.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o xtrace + +# create a logical switch +ovn-nbctl lswitch-add csw0 + +# create a container port with parent set to sw0-port1 +ovn-nbctl lport-add csw0 csw0-cport1 sw0-port1 42 +ovn-nbctl lport-set-addresses csw0-cport1 00:00:00:00:01:01 +ovn-nbctl lport-set-port-security csw0-cport1 00:00:00:00:01:01 + +# create another container port with parent set to sw0-port1 +ovn-nbctl lport-add csw0 csw0-cport2 sw0-port2 43 +ovn-nbctl lport-set-addresses csw0-cport2 00:00:00:00:01:02 +ovn-nbctl lport-set-port-security csw0-cport2 00:00:00:00:01:02 + + +# Make lport1 as a patch port, other end connected to br-vmport1 +ovs-vsctl set interface lport1 type=patch +ovs-vsctl set interface lport1 options:peer=patch-lport1 + +ovs-vsctl set interface lport2 type=patch +ovs-vsctl set interface lport2 options:peer=patch-lport2 + + +# This represents ovs bridge inside a VM attached to lport1 +ovs-vsctl add-br br-vmport1 + +# create a patch port with peer set to lport1. +ovs-vsctl add-port br-vmport1 patch-lport1 +ovs-vsctl set interface patch-lport1 type=patch +ovs-vsctl set interface patch-lport1 options:peer=lport1 + +# create a container port on br-vmport1. 
Any traffic sent on this +# port will reach to the br-int of the host via the patch port +ovs-vsctl add-port br-vmport1 cport1 +ovs-vsctl set port cport1 tag=42 + +# This represents ovs bridge inside a VM attached to lport2 +ovs-vsctl add-br br-vmport2 +ovs-vsctl add-port br-vmport2 patch-lport2 +ovs-vsctl set interface patch-lport2 type=patch +ovs-vsctl set interface patch-lport2 options:peer=lport2 + +ovs-vsctl add-port br-vmport2 cport2 +ovs-vsctl set port cport2 tag=43 diff --git a/tutorial/ovn/env7/packet1.sh b/tutorial/ovn/env7/packet1.sh new file mode 100755 index 000000000..660566b96 --- /dev/null +++ b/tutorial/ovn/env7/packet1.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o xtrace + +# Trace a packet from csw0-port1 to csw0-port2. +ovs-appctl ofproto/trace br-vmport1 in_port=3,dl_src=00:00:00:0:01:01,dl_dst=00:00:00:00:01:02 -generate diff --git a/tutorial/ovn/env7/packet2.sh b/tutorial/ovn/env7/packet2.sh new file mode 100755 index 000000000..244fbbd47 --- /dev/null +++ b/tutorial/ovn/env7/packet2.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o xtrace + +# Trace a packet from csw0-port2 to csw0-port1. +ovs-appctl ofproto/trace br-vmport2 in_port=3,dl_src=00:00:00:0:01:02,dl_dst=00:00:00:00:01:01 -generate diff --git a/tutorial/ovn/env7/setup.sh b/tutorial/ovn/env7/setup.sh new file mode 100755 index 000000000..2df0f0ea3 --- /dev/null +++ b/tutorial/ovn/env7/setup.sh 
@@ -0,0 +1,36 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o xtrace + +# Create a logical switch named "sw0" +ovn-nbctl lswitch-add sw0 + +# Create two logical ports on "sw0". +ovn-nbctl lport-add sw0 sw0-port1 +ovn-nbctl lport-add sw0 sw0-port2 +ovn-nbctl lport-add sw0 sw0-port3 + +ovn-nbctl lport-set-addresses sw0-port1 00:00:00:00:00:01 +ovn-nbctl lport-set-addresses sw0-port2 00:00:00:00:00:02 +ovn-nbctl lport-set-addresses sw0-port3 00:00:00:00:00:03 + +ovn-nbctl lport-set-port-security sw0-port1 00:00:00:00:00:01 +ovn-nbctl lport-set-port-security sw0-port2 00:00:00:00:00:02 +ovn-nbctl lport-set-port-security sw0-port3 00:00:00:00:00:03 + +ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1 +ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2 +ovs-vsctl add-port br-int lport3 -- set Interface lport3 external_ids:iface-id=sw0-port3
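Review bot: in tutorial/ovn/env7/add-container-ports.sh the comment `# create another container port with parent set to sw0-port1` is wrong; the command under it, `ovn-nbctl lport-add csw0 csw0-cport2 sw0-port2 43`, sets the parent to sw0-port2, so the comment should say sw0-port2. The second patch-port block (`ovs-vsctl set interface lport2 type=patch` / `options:peer=patch-lport2`) and the br-vmport2 block carry no comments while the lport1/br-vmport1 blocks do; mirror the comments, since this script is what the tutorial text points readers at to understand the topology (and the "create a patch port with peer set to lport1" line is the one that makes the VM-bridge-to-br-int path clear). The script runs with `set -o xtrace` only and no `set -e`, so a failed command is followed by the remaining ones; if that matches the other envN scripts it is fine, otherwise consider failing fast.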
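Review bot: in tutorial/ovn/env7/packet1.sh the trace uses `dl_src=00:00:00:0:01:01`, which has a one-digit octet ("0:" instead of "00:") and does not visibly match the address the port was given with `lport-set-addresses csw0-cport1 00:00:00:00:01:01`; write the full address so the match against the port-security entry is obvious to the reader. The comment `# Trace a packet from csw0-port1 to csw0-port2.` uses the VM port names; the packet is sourced from the container port, so it should read csw0-cport1 to csw0-cport2. `in_port=3` is a hard-coded ofport on br-vmport1 (add-container-ports.sh adds patch-lport1 and then cport1 to that bridge), so a comment saying which interface port 3 is expected to be, or a lookup such as `ovs-vsctl get Interface cport1 ofport`, would help readers whose sandbox numbering differs.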
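Review bot: tutorial/ovn/env7/packet2.sh has the same two problems as packet1.sh: `dl_src=00:00:00:0:01:02` is missing a digit relative to the `00:00:00:00:01:02` set on csw0-cport2, and the comment `# Trace a packet from csw0-port2 to csw0-port1.` should name csw0-cport2 and csw0-cport1. Apply the same fix here, including a note on what `in_port=3` on br-vmport2 refers to.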
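Review bot: in tutorial/ovn/env7/setup.sh the comment `# Create two logical ports on "sw0".` is followed by three `lport-add` commands (sw0-port1, sw0-port2, sw0-port3), and the tutorial text says "a simple logical switch with 3 logical ports"; update the comment to three. The rest lines up: the `lport-set-addresses` and `lport-set-port-security` values are the same 00:00:00:00:00:0N per port, and the `external_ids:iface-id` bindings on lport1..lport3 match the logical port names.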