OpenStack Summit Portland April 2013 talk - Quantum and EC2

  • 919 views
Uploaded on

These slides are from the talk I gave at the OpenStack summit in Portland in April2013.

These slides are from the talk I gave at the OpenStack summit in Portland in April2013.

More in: Technology , Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
919
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
86
Comments
2
Likes
5

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Various Entities and RelationshipsAttributes and data types Observation: When you have multiple subnets associated with a network, you can pick the subnet on which the instance will be attached to.Notes:Note Decoupling between the abstraction and the technology that’s used to implement network.Talk about what capabilities are enabled by this model.Attachment postPort is an attachment point to a quantum network The device id identifies the instance-id or router-id or the dhcp-server-id that is connected to this portIt could be between an instance and network or a router and a network or a dhcp server and the network.When you create a port you are creating an “attachment or a connection” and an IP will be
  • What are the various components of quantum?How do these components communicate with one another?Quantum API server:When the quantum API server starts up, it does the following sequence of actions: a) gathers the configuration options from the config files (quantum.conf and the plugin config file) For instance, from the config file it figures out a) the port and host IP on which the API server should listen on. b) the plugin abstraction module that it should load (This is the piece of code that is responsible for creating the logical network model used by the plugin) c) authentication strategy d) policy.json file for authorization b) Then it loads the plugin abstraction module. This module reads the plugin specific configuration file and creates the logical model used by the plugin in the DB. c) Establishes the AMQP connection to RabbitMQ d) Loads the extension modules – quota and Quantum L3 Router module (quantum.api.extensions.l3.py) e) Uses the eventlet python library to start up a wsgi server on the quantum host on port 9696 f) Now the API server is ready to listen to client requestsAPI calls:create_network: - Authentication and authorization is performed using the middleware with the keystone identity service - Creates a logical network using the quantum plugin module and persists it in the DB. Sets its admin state to up. - Allocates a unique ID of 32 Hex characters (using the UUID module) to the network - If the network_type is Vlan , plugin module allocates a Vlan ID to the network from the pool of Vlan ID - The calls returns the network information (ID, vlan) back to the caller. The network state in the database looks like this:+----------------------------------+--------------------------------------+--------+--------+----------------+--------+-------------------------------------| tenant_id | id | name | status | admin_state_up | shared |+----------------------------------+--------------------------------------+--------+--------+----------------+--------+------------------------------------| 244be8af89624b1e94c0136d5d557a9d | e32fbdbd-2757-4dd2-9b61-ebd20606752e | net123 | ACTIVE | 1 | 0 |-------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------+-------------- +------------------+-----------------+-----------------------| network_id | network_type | physical_network | segmentation_id |+--------------------------------------+--------------+------------------+-----------------+------------------------| e32fbdbd-2757-4dd2-9b61-ebd20606752e | vlan | datanet1 | 2000 |+--------------------------------------+--------------+------------------+-----------------+-------------------------2) create_subnet: - plugin module persists the subnet information in the database and allocates a static IP for the dhcp server’s port. - The plugin module sends a notification to the dhcp-agent to create a subnet (dnsmasq dhcp server) on this network. Messages the network ID and subnet information. - The dhcp agent makes an RPC call to the API server to obtain a portID and IP allocation for the port - Then it creates a Linux tap interface and binds the dnsmasq dhcp server to the subnet. The agent makes an RPC call to obtain the subnet information from the DB - Since overlapping ip addresses are permitted, the dhcp agent uses the linux namespace to create a logically isolated dhcp server for that network3) Boot a vm on a network:4) Create a router:Note: A linux name space is created using the ipnetns command. A linux namespace is a logically sepated copy of the linux network stack, which means separate routing tables, firewall rules and network devices. With routing you are creating a namespace named qrouter-XX and enabling ip forwarding on the linux kernel: sysctl -w net.ipv4.ip_forward=1. Some additonal notes:Ordinary update workflow is: 1) REST API request is accepted by Quantum and routed to the corresponding Extension and Plugin. 2) Plugin performs validation of request (schema conformance, values and references check, etc). If validation fails one of 40x codes is returned (depending on reason). 3)DB object is updated and object is moved to PENDING_UPDATE state. 4) Request is transformed into task and pushed into queue. 5) Plugin responses user with HTTP 202 reply. Steps 1-5 are done synchronously. 6) Agent picks message from the queue and forwards it to Driver. Driver changes configuration of load balancing device. 7) Once completed the response message is pushed into Plugin's queue. 8) Plugin retrieves message and updates DB with either "ACTIVE" or "ERROR" status
  • Typically a provider network.Create networkcreate subnet (provide subnet and gateway information)Provide segmentation ID in OpenVswitch (Vlan1)
  • Typically a provider network.Provider admin creates the networkThese networks can be shared or can be mapped to tenantsSmall/medium size networkRequirement:You need to trunk all the tenant vlans to your L3 switch (typically the aggregation switch).Your internal virtual networks (vlans) are exposed to your physical switch here. So you have 4kvlan limitations.
  • Typically a provider network.Provider admin creates the networkThese networks can be shared or can be mapped to tenantsSmall/medium size networkRequirement:You need to trunk all the tenant vlans to your L3 switch (typically the aggregation switch)Drawbacks:Load on the gateway router – filtering, mac-addresses, arp-tables etc. Limit scalabilityHard to provide additional services such as floating IP/ VPN connectivity etc. (cloud admin needs to configure on the physical router or the VPN gateway)Vlan limitations.
  • vRouter and subnets are managed by the providerSecurityDrawbacks – does not support overlapping IP addressesHow the API call works – create routerMapping between provider networks to virtual networks
  • overlapping IP addresses are supported Virtual routers reside on the network nodes
  • traffic pattern between services – Nova compute -> Quantum API Quantum Client -> Quantum API Quantum agents -> Controller (AMQP (rabbit) + MySQL) VMs -> DHCP server VM -> gateway (routing between subnets and to the internet) Overlay networking such as GRE tunnels to connect the broadcast domains together
  • VIP not only represents the IP address but also other parameters such as the IP/protocol/port.
  • Option 1: Embedded /Integrated services nodeOption 2: In-Path insertion mode

Transcript

  • 1. Naveen Joy Cloud Architect© 2012 Cisco and/or its affiliates. All rights reserved.© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
  • 2. Name: Naveen Joy • 17+ years in IT • IT Operations (Networking & Sys Admin) - 15 yrs • Development/ Python hacking - 2+ yrs© 2012 Cisco and/or its affiliates. All rights reserved. 2
  • 3. © 2012 Cisco and/or its affiliates. All rights reserved. 3
  • 4. • How many are new to OpenStack networking (Quantum) ? • How many are experts in Quantum?© 2012 Cisco and/or its affiliates. All rights reserved. 4
  • 5. WAN Edge / DCI Core Aggregation/ Access Services Compute 4x10GE 4x10GE Storage TODAY© 2012 Cisco and/or its affiliates. All rights reserved. 5
  • 6. THE MOST DESIRABLE CLOUD NETWORK FEATURES ELASTIC SCALING APIs FOR PROGRAMMABILITY REDUCED COMPLEXITY CONSISTENT POLICIES HIGH AVAILABILITY© 2012 Cisco and/or its affiliates. All rights reserved. 6
  • 7. What does the conceptual network architecture for a cloud look like? Is it possible to transform my current network while preserving my existing investment? How can I implement Networking as a Service reliably using OpenStack Quantum?© 2012 Cisco and/or its affiliates. All rights reserved. 7
  • 8. WAN Edge / DCI Core Aggregation/ Implementation Access A detail Services P Application I Abstract Compute Network Properties 4x10GE 4x10GE Storage© 2012 Cisco and/or its affiliates. All rights reserved. 8
  • 9. Network abstraction enables programmability It’s about • Simplification – hiding unnecessary details • Defining two roles – client + implementer • Implementers can change without causing any changes in the client code GENERAL Client API Implementer Abstraction MODEL Quantum Quantum Quantum Quantum’s Client APIs Plugins Model© 2012 Cisco and/or its affiliates. All rights reserved. 9
  • 10. tip of the iceberg Subnet Network id:uuid-str id:uuid-str network_id:uuid-str name:string name:string admin_state_up:bool ip_version:int status:string 1 * cidr:string subnets:list(uuid-str) gateway_ip: string shared: bool dns_nameservers:list(str) tenant_id:uuid-str allocation_pools:list(dict) 1 host_routes:list(dict) enable_dhcp: bool Port tenant_id:uuid-str * id:uuid-str network_id:uuid-str 1 name:string admin_state_up:bool status:string mac_address:string * fixed_ips: list(dict) device_id:string device_owner: string tenant_id:uuid-str© 2012 Cisco and/or its affiliates. All rights reserved. 10
  • 11. Client/Business Applications API API API API L2 (Folsom) Firewall (in-progress) Quantum L3 (Folsom) Load Balancer(Grizzly) Network Service VPN (in-progress) Other Services layer Network Abstraction DB Plugin [Network state] plugin – network communication Network Network Device 1 Network Device 3 Infrastructure Layer Network Device 2 Network Device n© 2012 Cisco and/or its affiliates. All rights reserved. 11
  • 12. RabbitMQ Queues amqp Performs Keystone OpenvSwitch Identity vSwitch plugin- configuration service agent on each host Driver Provides dhcp- DHCP services agent to tenant Keystone networks Auth_token middleware amqp Quantum Driver using dnsmasq Exchange Quantumclient Provides API L3- App Quantum Server OpenvSwitch L3 routing agent NAT (SNAT) plugin Floating IP (DNAT) API Driver Extension module modules (l3, LbaaS) Provides LB- Load Balancing agent Services to tenant applications Driver DB© 2012 Cisco and/or its affiliates. All rights reserved. 12
  • 13. Keystone Identity service Keystone plugin to Auth_token middleware controller communication e.g. REST API Controller to Switch communication API Quantum e.g. OpenFlow client API Server APIExternal Quantum Controlle External plugin r Controller API module cluster clusters Extenstion modules (l3, LbaaS) vSwitch vSwitch .. DB DB network infrastructure© 2012 Cisco and/or its affiliates. All rights reserved. 13
  • 14. © 2012 Cisco and/or its affiliates. All rights reserved. 14
  • 15. Compute Nodes Tenant1 Tenant2 Tenant3 DHCP VM VM VM service 5.0.0.3 5.0.0.4 5.0.0.4 5.0.0.2 Shared Quantum Quantum Network (name = hosting) network 5.0.0.0/22 mapped to an existing VLAN on OpenvSwitch 5.0.0.1 (VLAN 10) Existing physical Router/L3 switch gatewaygateway Router Router provides gateway services to VMs (Provider Managed Router) Internet© 2012 Cisco and/or its affiliates. All rights reserved. 15
  • 16. TenantA TenantB TenantC VM VM VM Compute 5.1.1.3 5.2.2.3 5.3.3.3 DHCP DHCP DHCP Nodes Service Service Service 5.1.1.2 5.2.2.2 5.3.3.2 Red Net Blue Net Green Net (Vlan Red) (Vlan Blue) (Vlan Green) 5.1.1.0/24 5.2.2.0/24 5.3.3.0/24 802.1q trunk to a network gateway 5.1.1.1 Quantum networks mapped to existing vlans 5.2.2.1 5.3.3.1 gateway gateway L3 Gateway Router Router (Provider Managed) Internet© 2012 Cisco and/or its affiliates. All rights reserved. 16
  • 17. Tenant TenantA TenantB TenantC Private VM 10.1.1.2 VM VM VM Compute 10.1.1.1 5.2.2.3 5.3.3.3 Nodes 5.1.1.3 DHCP DHCP DHCP Service Service Service TenantA 5.1.1.2 5.2.2.2 5.3.3.2 Network 10.1.1.0/24 Red Net Blue Net Green Net 5.1.1.0/24 5.2.2.0/24 5.3.3.0/24 802.1q trunk to an external gateway private Physical Router/L3 switch gatewa tenant y gateway provides gateway services Router created Router (Provider Managed) network Internet© 2012 Cisco and/or its affiliates. All rights reserved. 17
  • 18. (Has scalability and availability issues in Folsom) Tenant1 Tenant2 Tenant3 Tenant1 Tenant4 network VM VM VM VM VM 10.1.1.5 10.1.2.5 10.1.3.5 10.1.4.5 10.1.5.5 node Tenant1 net Tenant2 net Tenant3 net Tenant1 net Tenant4 net 10.1.1.0/24 10.1.2.0/24 10.1.3.0/24 10.1.4.0/24 10.1.5.0/24 Provider vRouter1 vRouter2 vRouter3 Managed (shared routers and subnets) External Network [L3 uplink] 20.1.1.0/24 gatewaygateway Physical Router/L3 switch Router Router provides gateway services to the virtual network layer (Provider Managed) Internet© 2012 Cisco and/or its affiliates. All rights reserved. 18
  • 19. 200.1.1.0/24 200.1.1.2/24 200.1.1.1/24 Tenant B Tenant A Router Instance1 Instance1 Internet Internet Gateway Default VPC Short Answer: They are similar. Key Idea: Networking is abstracted from tenants© 2012 Cisco and/or its affiliates. All rights reserved. 19
  • 20. Has scalability and availability issues in Folsom Tenant1 Tenant1 Tenant2 Tenant3 Tenant3 VM VM2 VM VM VM network 10.1.1.5 10.1.2.5 10.1.2.1 10.1.4.5 10.1.5.5 node Tenant1 Web Tenant1 DB Net Tenant3 Web Tenant2 net1 Tenant3 DB net Net 10.1.2.0/24 Net Tenant 10.1.2.0/24 10.1.5.0/24 10.1.1.0/24 10.1.4.0/24 created and managed vRouters vRouter vRouter vRouter and Tenant1 Tenant2 Tenant3 subnets External Network [L3 uplink] 20.1.1.0/24 gatewa Physical Router/L3 switch gateway y provides gateway services to Router Router the virtual network layer (Provider Managed) Internet© 2012 Cisco and/or its affiliates. All rights reserved. 20
  • 21. 10.1.1.0/24 (tenant assigned IP network) 10.1.1.2/24 10.1.1.3/24 Instance Instance Tenant Router 1 2 Internet Internet Gateway VPC for tenant A Tenant has control over networking - Network isolation, subnets, elastic IPs and routing© 2012 Cisco and/or its affiliates. All rights reserved. 21
  • 22. • How many networks do we need for deploying Quantum? Traffic generated by OpenStack components AMQP and MySQL traffic, Nova to Quantum API calls etc. Cloud Management traffic ssh, monitoring, logging, puppet/chef etc. Application Traffic between VMs via overlay tunnels or vlans VM communication with the Internet, floating IPs Traffic generated by tenants interacting directly with Quantum API Management network API network Data network External network© 2012 Cisco and/or its affiliates. All rights reserved. 22
  • 23. Tenants Internet Cloud Controller nova-api, nova-scheduler RabbitMQ/ MySQL Provider gateway Quantum Router / Compute Network API Firewall Nodes Nodes server External API Data Mgmt© 2012 Cisco and/or its affiliates. All rights reserved. 23
  • 24. Tenant Front end protocol e.g. SSL Load Balancer VIP Back end protocol e.g. HTTP Health Pool App App App Monitor Pool Members ping/TCP/http/https (e.g. Instances)© 2012 Cisco and/or its affiliates. All rights reserved. 24
  • 25. (available in Grizzly) Compute Nodes web pool App pool Tenant2 Tenant3 Tenant3 VM VM VM Network VM1 VM2 VM3 VM1 VM2 VM3 10.1.2.1 10.1.4.5 10.1.5.5 Nodes Web Tier App Tier Tenant2 net1 Tenant3 Tier1 Tenant3 net 10.1.1.0/24 10.1.2.0/24 10.1.2.0/24 10.1.4.0/24 10.1.5.0/24 LB vRouter vRouter vRouter LB Acme Coke Pepsi External Network [L3 uplink] gatewaygateway Physical Router/L3 switch Router Router provides gateway services to the virtual network layer (Provider Managed) Internet© 2012 Cisco and/or its affiliates. All rights reserved. 25
  • 26. These three features are mandatory! • Design to handle failures • Loosely couple your components • Implement elasticity© 2012 Cisco and/or its affiliates. All rights reserved. 26
  • 27. • Quantum is evolving • Production deployment and operations is hard • Plugins must be architected for the cloud • Be aware of L3 scalability and reliability issues in Folsom • Start slowly and do your research • Environments and requirements differ e.g. Start off with the basic networking model shown in this deck • Document your work • Contribute to the community© 2012 Cisco and/or its affiliates. All rights reserved. 27
  • 28. © 2012 Cisco and/or its affiliates. All rights reserved. 28