OVN架构和原理
OVN来源
ovn是轻量级的SDN controller,网络的事情交给SDN来完成,openstack neutron-server只提供api和db。
不再需要那么多agent(neutron-openvswitch-agent,neutron-l3-agent,neutron-dhcp-agent)等
ovn组件之间用自己方式通信,不再用RPC通信。
OVN架构
networking-ovn作为neutron-server的plugin,把neutron-server api请求写到ovn-north DB中。
ovn-northd监听ovn-north DB,然后把ovn-north DB翻译成ovn-south DB
ovn-controller监听ovn-south DB,获取信息然后操作ovs
ovn north DB
对应openstack neutron的数据库,都是逻辑的概念,由neutron plugin写数据库
logical switch等价于neutron network,logical router等价于neutron中的router
logical port 等价于openstack中的port,分为如下几类
logical port
其它都能在neutron中找到对应的东西
NB_Global Northbound configuration Logical_Switch L2 logical switch Logical_Switch_Port L2 logical switch port Address_Set Address Sets Load_Balancer load balancer ACL Access Control List (ACL) rule Logical_Router L3 logical router QoS QOS table Logical_Router_Port L3 logical router port Logical_Router_Static_Route Logical router static routes NAT NAT rules DHCP_Options DHCP options Connection OVSDB client connections. DNS Native DNS resolution SSL SSL configuration. Gateway_Chassis Gateway_Chassis configuration
ovn south DB
逻辑网络 物理网络 以及二者的对应关系
逻辑网络由ovn-northd写,物理网络和二者对应关系由ovn-controller写
SB_Global Southbound configuration Chassis Physical Network Hypervisor and Gateway Information Encap Encapsulation Types Address_Set Address Sets Logical_Flow Logical Network Flows Multicast_Group Logical Port Multicast Groups Datapath_Binding Physical-Logical Datapath Bindings Port_Binding Physical-Logical Port Bindings MAC_Bindin IP to MAC bindings DHCP_Options DHCP Options supported by native OVN DHCP DHCPv6_Options DHCPv6 Options supported by native OVN DHCPv6
ovn-northd
主要是把logical switch和logical router翻译成logical flow
logical flow有switch和router datapath,每个datapath又分为ingress和egress
流量依次经过每一个table,并且先ingress后egree
Logical Switch Datapaths Ingress Table 0: Admission Control and Ingress Port Security - L2 Ingress Table 1: Ingress Port Security - IP Ingress Table 2: Ingress Port Security - Neighbor discovery Ingress Table 3: from-lport Pre-ACLs Ingress Table 4: Pre-LB Ingress Table 5: Pre-stateful Ingress table 6: from-lport ACLs Ingress Table 7: from-lport QoS Marking Ingress Table 8: from-lport QoS Meter Ingress Table 9: LB Ingress Table 10: Stateful Ingress Table 11: ARP/ND responder Ingress Table 12: DHCP option processing Ingress Table 13: DHCP responses Ingress Table 14 DNS Lookup Ingress Table 15 DNS Responses Ingress Table 16 Destination Lookup Egress Table 0: Pre-LB Egress Table 1: to-lport Pre-ACLs Egress Table 2: Pre-stateful Egress Table 3: LB Egress Table 4: to-lport ACLs Egress Table 5: to-lport QoS Marking Egress Table 6: to-lport QoS Meter Egress Table 7: Stateful Egress Table 8: Egress Port Security - IP Egress Table 9: Egress Port Security - L2
Logical Router Datapaths Ingress Table 0: L2 Admission Control Ingress Table 1: IP Input Ingress Table 2: DEFRAG Ingress Table 3: UNSNAT Ingress Table 4: DNAT(Gateway Routers or Distributed Routers) Ingress Table 5: IPv6 ND RA option processing Ingress Table 6: IPv6 ND RA responder Ingress Table 7: IP Routing Ingress Table 8: ARP/ND Resolution Ingress Table 9: Gateway Redirect Ingress Table 10: ARP Request Egress Table 0: UNDNAT Egress Table 1: SNAT(Gateway Routers or Distributed Routers) Egress Table 2: Egress Loopback Egress Table 3: Delivery
ovn-controller
每个hypervisor上运行一个,连接到ovn south DB,然后把ovn south DB中获取的信息写到本地ovs DB中
然后作为ovs-vswitchd的controller,把logical flow转换成ovs flow
转发原理
hypervisor之间流量用geneve封装,和物理VTEP之间才用vxlan,geneve相比vxlan头部有TLV扩展,
可以跨hypervisor之间携带更多信息,如(logical datapath field, input port, output port, conntrack zone等)
ovn-controller在每一个hypervisor上创建一个br-int桥,VM直接连接到br-int桥上,ovn-controller还会在br-int
上添加tunnel口,用于和其它hypervisor和gateway互通
如果要和物理网络打通,还需要类似于neutron中的bridge mapping,单独创建一个bridge,bridge中绑定一个host
上的物理口,这个物理口和物理网络通着,最后br-int bridge和这个bridge用patch port互连,neutron中创建网络时
provider physical network指定这个物理口。
腾讯云开发者
