
A quick look at OpenStack Tap as a Service

Author: 惠伟 (Hui Wei), published 2021-02-24 11:20:40
Column: 虚拟化笔记 (Virtualization Notes)

Introduction

OpenStack TaaS (Tap as a Service) can be used for traffic mirroring. An OVS bridge can also mirror traffic, but only between ports on the same bridge; TaaS can mirror the traffic of a set of OpenStack ports to one port no matter which hosts those ports are bound to, and it does this with the all-purpose OVS flow tables.

Installation and configuration

  • controller

```shell
yum install -y python2-tap-as-a-service.noarch

# edit /etc/neutron/neutron.conf (the original had a typo in the path)
vim /etc/neutron/neutron.conf
[DEFAULT]
service_plugins = router, taas

[service_providers]
service_provider = TAAS:TAAS:neutron_taas.services.taas.service_drivers.taas_rpc.TaasRpcDriver:default

neutron-db-manage --subproject tap-as-a-service upgrade head

systemctl restart neutron-server
```

  • compute

```shell
yum install -y python2-tap-as-a-service.noarch

vim /etc/neutron/plugins/ml2/openvswitch_agent.ini
[agent]
extensions = taas

systemctl restart neutron-openvswitch-agent
```

Testing

```shell
# http_client and http_server are on one physical host, monitor_server on another;
# the goal is to mirror the traffic leaving http_client to monitor_server on the other host
openstack server create --availability-zone bj2 --network net0 --image centos7-hw --flavor centos7-flavor http_client
openstack server create --availability-zone bj2 --network net0 --image centos7-hw --flavor centos7-flavor http_server
openstack server create --availability-zone bj3 --network provider --image centos7-hw --flavor centos7-flavor monitor_server

# the port here is monitor_server's port
[root@test25g04 nova]# neutron tap-service-create --name tap_service_test --port 418f3e00-e277-4b52-bd56-e41cdd14c917
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new tap_service:
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description |                                      |
| id          | c6265260-d1c2-4906-b692-89c9a6381d45 |
| name        | tap_service_test                     |
| port_id     | 418f3e00-e277-4b52-bd56-e41cdd14c917 |
| project_id  | 02c0f9589cca400abd623868516c209b     |
| status      | ACTIVE                               |
| tenant_id   | 02c0f9589cca400abd623868516c209b     |
+-------------+--------------------------------------+
# the port here is http_client's port
[root@test25g04 nova]# neutron tap-flow-create  --name tap_flow_test --port 8f19d429-136d-4e36-b0f9-c1091bfaeaf1 --tap-service tap_service_test  --direction both
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
Created a new tap_flow:
+----------------+--------------------------------------+
| Field          | Value                                |
+----------------+--------------------------------------+
| description    |                                      |
| direction      | BOTH                                 |
| id             | 66558dcd-51d4-42df-aeb8-02072382a1fa |
| name           | tap_flow_test                        |
| project_id     | 02c0f9589cca400abd623868516c209b     |
| source_port    | 8f19d429-136d-4e36-b0f9-c1091bfaeaf1 |
| status         | ACTIVE                               |
| tap_service_id | c6265260-d1c2-4906-b692-89c9a6381d45 |
| tenant_id      | 02c0f9589cca400abd623868516c209b     |
| vlan_filter    |                                      |
+----------------+--------------------------------------+
```

Flow tables

TaaS creates a bridge, br-tap, and links it to both br-int and br-tun with patch ports. The original traffic keeps its original path; all mirrored traffic has to pass through br-tap.

```shell
[root@test25g05 /home/huiwei]# ovs-vsctl show
61a16370-b8c7-4e14-a930-167fcf45f89b
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-tun-tap
            Interface patch-tun-tap
                type: patch
                options: {peer=patch-tap-tun}
        Port "vxlan-0a8e6136"
            Interface "vxlan-0a8e6136"
                type: vxlan
                options: {df_default="true", egress_pkt_mark="0", in_key=flow, local_ip="10.162.97.117", out_key=flow, remote_ip="10.142.97.54"}
        Port "vxlan-0aa26174"
            Interface "vxlan-0aa26174"
                type: vxlan
    Bridge br-int
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port patch-int-tap
            Interface patch-int-tap
                type: patch
                options: {peer=patch-tap-int}
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port "qr-055c4591-ec"
            tag: 6
            Interface "qr-055c4591-ec"
                type: internal
        Port "qvo382086e2-3b"
            tag: 16
            Interface "qvo382086e2-3b"
    Bridge br-tap
        Port br-tap
            Interface br-tap
                type: internal
        Port patch-tap-tun
            Interface patch-tap-tun
                type: patch
                options: {peer=patch-tun-tap}
        Port patch-tap-int
            Interface patch-tap-int
                type: patch
                options: {peer=patch-int-tap}
    ovs_version: "2.11.0"
```

The all-purpose flow tables can handle anything, but they also keep getting more complex, until in the end it turns into a mess; try putting TaaS, SFC and OVN together and see what happens.

```shell
# the physical host where http_client and http_server live
[root@test25g05 ~]# ovs-ofctl dump-flows br-int
 cookie=0xea307a079a500fa5, duration=337644.102s, table=0, n_packets=0, n_bytes=0, priority=65535,vlan_tci=0x0fff/0x1fff actions=drop
# traffic in and out of http_client gets tag 3900; the normal copy goes NORMAL, the mirrored copy goes to br-tap
 cookie=0xfbe4ec660f92b996, duration=80.962s, table=0, n_packets=3, n_bytes=238, priority=20,in_port="qvo8f19d429-13" actions=NORMAL,mod_vlan_vid:3900,output:"patch-int-tap"
 cookie=0xfbe4ec660f92b996, duration=80.942s, table=0, n_packets=3, n_bytes=238, priority=20,dl_dst=fa:16:3e:6a:67:ff actions=NORMAL,mod_vlan_vid:3900,output:"patch-int-tap"

# the flows on br-tap are easy to read
[root@test25g05 ~]# ovs-ofctl dump-flows br-tap
 cookie=0xaf2c7909d5bfc696, duration=337661.726s, table=0, n_packets=971253, n_bytes=66210052, priority=1,in_port="patch-tap-int" actions=resubmit(,1)
 cookie=0xaf2c7909d5bfc696, duration=337661.709s, table=0, n_packets=0, n_bytes=0, priority=1,in_port="patch-tap-tun" actions=resubmit(,2)
 cookie=0xaf2c7909d5bfc696, duration=337661.693s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xaf2c7909d5bfc696, duration=337661.677s, table=1, n_packets=963483, n_bytes=65518003, priority=0 actions=output:"patch-tap-tun"
 cookie=0xaf2c7909d5bfc696, duration=337661.661s, table=2, n_packets=0, n_bytes=0, priority=0 actions=drop

[root@test25g05 ~]# ovs-ofctl dump-flows br-tun
# traffic from br-tap goes to table 30, table 30 goes on to table 31 and floods; the vlan tag is turned into the tun id and a new vlan tag 1 is pushed; I don't know why it has to flood
 cookie=0x281e5831e57031b, duration=121990.112s, table=0, n_packets=181150, n_bytes=10519605, idle_age=1, hard_age=65534, priority=1,in_port=5 actions=resubmit(,30)
 cookie=0xa46eb8d898c7157d, duration=337675.445s, table=30, n_packets=963502, n_bytes=65519241, priority=0 actions=resubmit(,31)
 cookie=0xa46eb8d898c7157d, duration=337675.405s, table=31, n_packets=963502, n_bytes=65519241, priority=0 actions=move:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],mod_vlan_vid:1,output:"vxlan-0a8e6136",output:"vxlan-0aa26174",output:"vxlan-0aa26176",output:"vxlan-0aad07ee"

 cookie=0xa46eb8d898c7157d, duration=337675.389s, table=35, n_packets=0, n_bytes=0, priority=2,reg0=0 actions=resubmit(,36)
 cookie=0xa46eb8d898c7157d, duration=337675.372s, table=35, n_packets=0, n_bytes=0, priority=1,reg0=0x1 actions=resubmit(,36)
 cookie=0xa46eb8d898c7157d, duration=337675.355s, table=35, n_packets=2, n_bytes=204, priority=1,reg0=0x2 actions=resubmit(,37)
 cookie=0xa46eb8d898c7157d, duration=337675.338s, table=36, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xa46eb8d898c7157d, duration=114.021s, table=37, n_packets=2, n_bytes=204, priority=1,tun_id=0xf3c actions=resubmit(,39)
 cookie=0xa46eb8d898c7157d, duration=337675.321s, table=37, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xa46eb8d898c7157d, duration=337675.304s, table=38, n_packets=0, n_bytes=0, priority=2,reg0=0 actions=output:"patch-tun-tap"
 cookie=0xa46eb8d898c7157d, duration=337675.287s, table=38, n_packets=0, n_bytes=0, priority=1,reg0=0x1 actions=output:"patch-tun-tap",move:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],mod_vlan_vid:2,IN_PORT
 cookie=0xa46eb8d898c7157d, duration=337675.271s, table=39, n_packets=2, n_bytes=204, priority=1 actions=learn(table=30,hard_timeout=60,priority=1,NXM_OF_VLAN_TCI[0..11],load:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],load:0->NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[])


# the physical host where monitor_server lives
[root@test25g06 huiwei]# ovs-ofctl dump-flows br-tun
 cookie=0x12e8ac5b0907bc12, duration=255266.548s, table=0, n_packets=5297, n_bytes=476843, priority=1,in_port="vxlan-0aa26174" actions=resubmit(,4)
# a vlan tag is carried across the vxlan tunnel, which looks wrong; the vlan tag is moved into reg0
 cookie=0x7f3b66b35ed0fcf9, duration=239.509s, table=4, n_packets=6, n_bytes=500, priority=1,tun_id=0xf3c actions=move:NXM_OF_VLAN_TCI[0..11]->NXM_NX_REG0[0..11],move:NXM_NX_TUN_ID[0..11]->NXM_OF_VLAN_TCI[0..11],resubmit(,35)
# I don't know whether I just haven't understood the idea behind the TaaS flow design, or whether the design really is this messy
 cookie=0x7f3b66b35ed0fcf9, duration=255337.601s, table=35, n_packets=4, n_bytes=296, priority=2,reg0=0 actions=resubmit(,36)
 cookie=0x7f3b66b35ed0fcf9, duration=255337.585s, table=35, n_packets=2, n_bytes=204, priority=1,reg0=0x1 actions=resubmit(,36)
 cookie=0x7f3b66b35ed0fcf9, duration=255337.570s, table=35, n_packets=0, n_bytes=0, priority=1,reg0=0x2 actions=resubmit(,37)
 cookie=0x7f3b66b35ed0fcf9, duration=239.480s, table=36, n_packets=6, n_bytes=500, priority=1,tun_id=0xf3c actions=resubmit(,38)
 cookie=0x7f3b66b35ed0fcf9, duration=255337.556s, table=36, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x7f3b66b35ed0fcf9, duration=255337.542s, table=37, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x7f3b66b35ed0fcf9, duration=255337.527s, table=38, n_packets=4, n_bytes=296, priority=2,reg0=0 actions=output:"patch-tun-tap"
# I don't know why it is also sent back out through IN_PORT
 cookie=0x7f3b66b35ed0fcf9, duration=255337.513s, table=38, n_packets=2, n_bytes=204, priority=1,reg0=0x1 actions=output:"patch-tun-tap",move:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],mod_vlan_vid:2,IN_PORT
# no idea what this one is for
 cookie=0x7f3b66b35ed0fcf9, duration=255337.499s, table=39, n_packets=0, n_bytes=0, priority=1 actions=learn(table=30,hard_timeout=60,priority=1,NXM_OF_VLAN_TCI[0..11],load:NXM_OF_VLAN_TCI[0..11]->NXM_NX_TUN_ID[0..11],load:0->NXM_OF_VLAN_TCI[0..11],output:NXM_OF_IN_PORT[])

[root@test25g06 huiwei]# ovs-ofctl dump-flows br-tap
 cookie=0x1d39eaec29ac1d4d, duration=255323.016s, table=0, n_packets=308101, n_bytes=23353738, priority=1,in_port="patch-tap-int" actions=resubmit(,1)
 cookie=0x1d39eaec29ac1d4d, duration=255323.001s, table=0, n_packets=6, n_bytes=500, priority=1,in_port="patch-tap-tun" actions=resubmit(,2)
 cookie=0x1d39eaec29ac1d4d, duration=255322.986s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x1d39eaec29ac1d4d, duration=224.829s, table=1, n_packets=0, n_bytes=0, priority=1,dl_vlan=3900 actions=IN_PORT
 cookie=0x1d39eaec29ac1d4d, duration=255322.971s, table=1, n_packets=308101, n_bytes=23353738, priority=0 actions=output:"patch-tap-tun"
 cookie=0x1d39eaec29ac1d4d, duration=224.814s, table=2, n_packets=6, n_bytes=500, priority=1,dl_vlan=3900 actions=output:"patch-tap-int"
 cookie=0x1d39eaec29ac1d4d, duration=255322.955s, table=2, n_packets=0, n_bytes=0, priority=0 actions=drop

[root@test25g06 huiwei]# ovs-ofctl dump-flows br-int
 cookie=0x7015afff25d09fed, duration=255304.955s, table=0, n_packets=0, n_bytes=0, priority=65535,vlan_tci=0x0fff/0x1fff actions=drop
 cookie=0x27b3fd60ae6602fa, duration=204.387s, table=0, n_packets=6, n_bytes=500, priority=25,in_port="patch-int-tap",dl_vlan=3900 actions=mod_vlan_vid:19,output:"qvo418f3e00-e2"
```
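As an added example (not part of the original post or of the TaaS project), here is a small Python tracer that parses ovs-ofctl dump-flows text and follows resubmit chains the way OVS does, run over the monitor host's br-tap rules above (re-typed as a constructed sample with shortened cookies and counters). It only looks at the match keys listed in MATCH_KEYS and does not apply mod_vlan_vid to the traced frame, which is enough for br-tap: it shows that a frame tagged 3900 arriving from the tunnel side is handed to br-int, while a frame tagged 3900 coming from br-int is bounced straight back with IN_PORT.

```python
import re

# Constructed sample shaped like the monitor host's br-tap dump above
# (same seven rules, cookies/counters shortened to keep lines readable).
BR_TAP_DUMP = """\
 cookie=0x1d, duration=1.0s, table=0, n_packets=0, n_bytes=0, priority=1,in_port="patch-tap-int" actions=resubmit(,1)
 cookie=0x1d, duration=1.0s, table=0, n_packets=0, n_bytes=0, priority=1,in_port="patch-tap-tun" actions=resubmit(,2)
 cookie=0x1d, duration=1.0s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0x1d, duration=1.0s, table=1, n_packets=0, n_bytes=0, priority=1,dl_vlan=3900 actions=IN_PORT
 cookie=0x1d, duration=1.0s, table=1, n_packets=0, n_bytes=0, priority=0 actions=output:"patch-tap-tun"
 cookie=0x1d, duration=1.0s, table=2, n_packets=0, n_bytes=0, priority=1,dl_vlan=3900 actions=output:"patch-tap-int"
 cookie=0x1d, duration=1.0s, table=2, n_packets=0, n_bytes=0, priority=0 actions=drop
"""

# Match fields the tracer understands; everything else in a rule is ignored.
MATCH_KEYS = {"in_port", "dl_vlan", "dl_dst", "tun_id", "reg0"}

def parse_flows(dump):
    """One (fields, actions) pair per rule; fields = table, priority, match keys."""
    flows = []
    for line in dump.splitlines():
        head, sep, actions = line.partition(" actions=")
        if not sep or "table=" not in head:
            continue
        kv = dict(p.strip().split("=", 1) for p in head.split(",") if "=" in p)
        fields = {k: v.strip('"') for k, v in kv.items() if k in MATCH_KEYS}
        fields["table"], fields["priority"] = int(kv["table"]), int(kv.get("priority", 32768))
        flows.append((fields, actions.strip()))
    return flows

def trace(flows, pkt, table=0, hops=None):
    """Pick the highest-priority rule matching `pkt` in `table`, then follow
    each resubmit(,N). A table miss ends the trace (OVS drops on miss)."""
    hops = [] if hops is None else hops
    cands = [(f, a) for f, a in flows if f["table"] == table and
             all(pkt.get(k) == v for k, v in f.items() if k in MATCH_KEYS)]
    if not cands:
        return hops
    actions = max(cands, key=lambda fa: fa[0]["priority"])[1]
    hops.append((table, actions))
    for m in re.finditer(r"resubmit\(,(\d+)\)", actions):
        trace(flows, pkt, int(m.group(1)), hops)
    return hops

def egress_ports(hops):
    """Ports the frame leaves on: every output:"x" plus IN_PORT (sent back)."""
    ports = []
    for _, actions in hops:
        ports += re.findall(r'output:"([^"]+)"', actions)
        ports += ["IN_PORT"] * len(re.findall(r"\bIN_PORT\b", actions))
    return ports
```

Feed it the real dump (`ovs-ofctl dump-flows br-tap`) and a dict such as `{"in_port": "patch-tap-tun", "dl_vlan": "3900"}` to confirm which patch port a mirrored frame actually leaves on.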