Networking in OpenStack for non-networking people: Neutron, Open vSwitch and friends


Published in: Technology

  1. Networking in OpenStack for non-networking people: Neutron, OVS and friends
     Dave Neary, Open Source and Standards, Red Hat
  2. AGENDA
     ● Networking review: the OSI model
     ● Networking in a virtual world
     ● Neutron and OVS
     ● Debugging and fixing networking issues
     REDHAT OPENSTACK |2013DOC144908-20130513r1
  3. Networking: The OSI model
     [Figure: OSI model, Layer 1 to Layer 7]
  4. Networking: The OSI model
     [Figure: OSI model, Layer 1 to Layer 7; labels: Cables, Switching, Routers, Hardware, Software, TCP/IP, SMTP]
  5. Switches and routers
  6. Networking in a virtual world
     CC BY from OpenStack Operations Guide:
  7. Networking in a virtual world: Open vSwitch
  8. Networking in a virtual world: Neutron
     ● Abstracts away internals of switching and SDN provider
     ● Provides high-level abstractions (router, subnet, network, gateway)
     ● “Law of Leaky Abstractions” applies
  9. Neutron: Creating a subnet
     ● neutron router-create router1
     ● neutron net-create net1
     ● neutron subnet-create net1 --name subnet1
     ● neutron router-interface-add router1 subnet1
  10. Neutron: Attaching a public subnet
      ● neutron net-create net2 --router:external=True
      ● neutron subnet-create net2 --name subnet2 --enable_dhcp=False --allocation-pool start=,end= --gateway=
      ● neutron router-gateway-set router1 net2
  11. Neutron: Floating IPs
      ● To connect from an external machine to an instance, you need a routable IP address
      ● Floating IP addresses are public aliases for private IP addresses
      ● They survive changes in private IPs, enable load balancing, etc.
      ● Equivalent to Elastic IPs in AWS
  12. Neutron: Floating IPs
      ● neutron floatingip-create net2
      ● neutron floatingip-list
      ● neutron port-list
      ● neutron floatingip-associate <floating-ip> <port>
  13. Debugging network issues: Devices
      ● ip a shows status of all physical and virtual devices
      ● ovs-vsctl show shows interfaces and bridges in the virtual switch
      ● ovs-dpctl show shows datapaths on the switch
  14. Debugging network issues: Tracking packets
      ● tcpdump is your friend
      ● tcpdump -n -i <interface> -w <filename>
      ● Set interface to vnet device, instance eth0, bridge device, or host ethernet device to see where packets are not getting through
      ● -i any for all interfaces
      ● iptables -L to check iptables rules
  15. Debugging network issues: Network namespaces
      ● Network namespaces allow VLANs to share overlapping address space – important for bigger deployments, and to provide multi-tenant networks
      ● ip netns list – lists all known network namespaces
      ● ip netns exec <namespace id> route -n
      ● Shows routing table inside specific namespace
      ● Execute arbitrary commands (incl. ssh, ping)
  16. Debugging networking issues: DHCP
      ● Scenario: Instance is not getting IP address
      ● Step 1: nova console-log <instance name>
      ● DHCP request sent, no reply received
      ● Step 2: Verify neutron-dhcp-agent is running
      ● Step 3: Check host logs (/var/log/messages and /var/log/neutron/*)
      ● Step 4: If host is not seeing DHCP traffic: tcpdump -i any | grep -i dhcp
  17. Debugging networking issues: Access/routing
      ● Scenario: I can't SSH into an instance
      ● Step 1: Security groups: port 22 TCP & all ICMP allowed?
      ● Step 2: Is floating IP address routable from client?
      ● route -n on client
      ● Verify that public subnet in OpenStack is accessible from client (e.g. for local LAN, that it matches
      ● Step 3: Bridges OK?
  18. Debugging networking issues: Access/routing
      ● Bridge issues:
      ● ovs-vsctl show – is ethernet card attached to same bridge as public network?
      ● neutron router-show router1 – are the private subnet and public subnet connected to the router?
      ● ip netns exec <public namespace id> ping <floating IP> – does the public network match the local LAN exactly?
      ● ip netns exec <private namespace id> route -n – is traffic being correctly routed from the instance out?
  19. Resources
      ● OpenStack Network troubleshooting:
      ● OpenStack Networking: L3 workflow:
      ● RDO Networking:
      ● RDO: Neutron with an external network:
      ● OpenStack Tales from the Crypt:
  20. QUESTIONS?
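
The bridge check from slide 18 ("is ethernet card attached to same bridge as public network?"), as an added example that is not from the original slides: it parses ovs-vsctl show output and tests whether two ports hang off the same bridge. The sample output, the bridge and port names (br-ex, br-int, eth0, eth1, qg-…, qr-…) and the helper function names are constructed for illustration, and it assumes the router's gateway port (qg-…) sits on the external bridge.

```shell
# Constructed sample of `ovs-vsctl show` output; all names and IDs are made up.
sample_ovs_show() {
cat <<'EOF'
2f1c0d9e-0000-4000-8000-000000000001
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port "qr-7d3a91c2-4b"
            tag: 1
            Interface "qr-7d3a91c2-4b"
                type: internal
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port "qg-1a2b3c4d-5e"
            Interface "qg-1a2b3c4d-5e"
                type: internal
        Port "eth1"
            Interface "eth1"
    ovs_version: "1.11.0"
EOF
}

# Print the bridge owning port $1 (reads `ovs-vsctl show` text on stdin).
bridge_of_port() {
    awk -v want="$1" '
        { gsub(/"/, "") }                  # ovs-vsctl quotes some names
        $1 == "Bridge" { bridge = $2 }     # remember the enclosing bridge
        $1 == "Port" && $2 == want { print bridge; exit }
    '
}

# Return 0 only if both ports exist and are attached to the same bridge.
same_bridge() {
    out=$(cat)
    a=$(printf '%s\n' "$out" | bridge_of_port "$1")
    b=$(printf '%s\n' "$out" | bridge_of_port "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# On a live network node: ovs-vsctl show | same_bridge eth0 qg-...
if sample_ovs_show | same_bridge eth0 qg-1a2b3c4d-5e; then
    echo "eth0 and the router gateway port share a bridge"
else
    echo "eth0 is not on the gateway port's bridge"
fi
```

In the constructed sample eth0 was never added to br-ex, so the check fails for eth0 and passes for eth1.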