
Building your own SDN with Debian Linux, Salt Stack and Python


Topics like Infrastructure Automation / Orchestration, Cloud, and Software Defined Networks are on everyone's tongue, and nearly all network vendors who think highly of themselves provide products and maybe even solutions in this sphere of buzzwords.

Within the last years there has been a paradigm shift towards host and segment routing – think »IP Fabric« – as well as a focus on open protocols and standards like OSPF, IS-IS, BGP & MPLS not only in the data center. This even brought us some new standards like VXLAN and a bunch of open source based “open networking” platforms. Now we aren't always locked to the operating systems of a networking vendor but can choose the control plane software from a variety of Linux based solutions which can be managed and orchestrated by lots of different means.

Thanks to the Linux basis and the Open Source spirit of some vendors, some features (VRFs, MPLS forwarding plane, …) today are part of the upstream Linux kernel and available for everyone! Most notable are the contributions of the Debian Linux based platform from Cumulus Networks, which include the VRF support for Linux, some MPLS patches for FRR and ifupdown2 (which is written in Python :-)).

Putting a bunch of these technologies and ideas together opens up a lot of powerful options for building low-budget yet mighty networks. This talk lays out how to build an SDN-based, service-provider-like infrastructure with the help of Salt Stack, some 1000 lines of Python and a bunch of affordable hardware, where overlay networks and anycast aren't things to be scared of. The Freifunk Hochstift network and server infrastructure is used as the example.

The target audience mainly consists of (Linux-) system and network engineers / architects, who already have some experience with the other world. A positive attitude towards automation and magic is a plus.


  1. Building your own SDN with Debian Linux, Salt Stack and Python
     PyCON.de 2017
     Maximilian Wilhelm <max@sdn.clinic> @BarbarossaTM
  2. Who am I?
     ● Maximilian Wilhelm – @BarbarossaTM
     ● Senior Infrastructure Architect, Uni Paderborn
     ● Infrastructure Archmage, Freifunk Hochstift
     ● Fanboy of
       – (Debian) Linux
       – ifupdown2
     ● Networker
     ● OpenSource Hacker
  3. Agenda
     ● Contemporary Linux Networking
       – Batteries included
       – ifupdown2
       – Salt Stack
     ● DIY-SDN
       – Python modules
     ● Putting it all together
  4. Why bother building an SDN?
  5. FFHO WiFi backbone (planned)
  6. root@Stretch:~$ ifconfig
     -bash: ifconfig: command not found
     root@Stretch:~$ route
     -bash: route: command not found
     root@Stretch:~$ arp
     -bash: arp: command not found
     ● vconfig
     ● ifenslave
  7. ● iproute2 – Swiss Army knife for networkers
     ● Functions cleanly separated into subcommands
     ● ip link – L2: MTU, VLANs, LAGs, bridges
     ● ip addr – L3 addresses
     ● ip neigh – ARP/ND
     ● ip route – Routing + MPLS
  8. VXLAN
     ● “Ethernet over UDP”
       – Or: “Poor man's approach to MPLS”
     ● Designed as Layer 2 overlay for DCs
       – Multi-tenant overlay over IP fabric
       – 24-bit VNI => 16M instances
       – Unicast/Multicast communication
     ● Read: VLL / VPLS
       – Endpoints = VTEP (VXLAN Tunnel End Point)
     ● RFC 7348
  9. And even more awesome stuff...
     ● Latest networking additions
       – VRFs
       – MPLS forwarding plane
       – VLAN-aware bridges
     ● Tunneling
       – GRE
       – IPsec
       – OpenVPN
       – Wireguard
     Callouts on the slide: Used for L2-PTP-VPNs; Used for external links; Used on KVM hypervisors; Links to AS201701
  10. Network interface configuration
      ● Classic ifupdown not easily automated
      ● Generating /etc/network/interfaces is simple
      ● How to reload?
        – »service networking restart« is disruptive
        – No tool for “reload” present
        – Isn't trivial to build
      ➔ CumulusNetworks ifupdown2
        – Rewrite of ifupdown in Python
        – https://github.com/CumulusNetworks/ifupdown2
  11. ifupdown2
      ● No full feature parity with ifupdown
      ● Shipped with batteries included
        – dependency resolution
        – ifreload
        – VRFs
        – VXLAN
        – VLAN-aware bridges
      ● Not (yet) supported:
        – ppp
  12. ifupdown2 Patches
      ● Easy to extend, thanks to Python
      ● Upstream open for ideas (Hi Julien & Roopa)
      ● Added support for
        – B.A.T.M.A.N. interfaces
        – Tunnels (GRE, SIT, IPIP, GRETAP)
      ● Open Pull-Requests for
        – Condoning bridge interfaces for configuration
        – Setting phys-dev for VXLAN
        – Setting vEth peer name
  13. VXLAN / VTEPs with ifupdown2

          # vx_v2001_padcty
          auto vx_v2001_padcty
          iface vx_v2001_padcty
              vxlan-id 1310977
              vxlan-physdev vlan2001
              vxlan-svcnodeip 225.20.1.1
              # hwaddress f2:00:c1:01:20:01
              mtu 1560
  14. About that routing thing
      ● Protocols
        – OSPF
        – IS-IS
        – BGP
      ● Implementations:
        – Bird
        – Quagga / FRR
        – GoBGP
        – ExaBGP (written in Python :-))
      Callout on the slide: Used for OSPF / iBGP + eBGP
  15. Automation
  16. Salt Stack
      ● Continuous Management
        – (De)install packages
        – Generate and manage config files
        – Manage system services/units
        – Configure the network
        – Distribute host certificates
        – ...
      ● Written in Python
      ● Extensible by own Python modules
  17. States
      ● Represent the state $something should have
      ● Usually YAML format
      ● Bunch of definitions of...
        – Packages to (de)install
        – Services to (de)activate
        – File contents
        – Users
        – …
      ● Allows definition of dependencies
  18. State example (bird excerpt)
      https://github.com/FreifunkHochstift/ffho-salt-public/blob/master/bird/init.sls
  19. Pillar
      ● Structured key value store
      ● Usually YAML format
        – Eval Jinja2 → Read YAML
      ● Data can be read from templates
        – As data structures. Yay.
      ● Predestined for
        – Keys
        – Host specific configuration
        – Any other configuration data
  20. Pillar Example (TE excerpt)
  21. Templating - Jinja2
      ● Default language: Jinja2
        – Yay, Python again – kind of
      ● Usable within file templates and states
  22. Jinja2 state example
  23. Modules
      ● No regex support in Jinja2 though. D’oh.
      ➔ 1. highly complex extension module:

          # ffho.py
          import re

          # Thin wrappers so templates can call salt['ffho.re_replace'] / salt['ffho.re_search']
          def re_replace (pattern, replacement, string):
              return re.sub (pattern, replacement, string)

          def re_search (pattern, string, flags = 0):
              return re.search (pattern, string, flags)

  24. Hello regular expressions

          # /etc/bird/bird.d/l3-access.conf
          protocol direct l3_access {
          {%- for iface in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':ifaces') %}
          {%- if salt['ffho.re_search']('^vlan3\d\d$', iface) %}
                  interface "{{ iface }}";
          {%- endif %}
          {%- endfor %}
          }
  25. Jinja or real Python?
      ● Templating is cool
      ● Complex code within Jinja2 is not
      ● Why not move this to modules?
        – Use full Python potential
        – Structure code into nice functions
        – Functions callable from Jinja2
        – Profit
  26. The SDN part
      #SDN Disclaimer: Font on special request of AbraXXL
  27. ffho_net.py
      ● Generate / compute
        – Interfaces config (for /etc/network/interfaces)
        – Bird OSPF configuration
        – Bird BGP configuration
          ● iBGP / eBGP peerings / Traffic Engineering routes
        – B.A.T.M.A.N. + VXLAN overlay ifaces
          ● Unique MAC addresses for B.A.T.M.A.N. ifaces
        – DNS entries from interface configuration
      https://github.com/FreifunkHochstift/ffho-salt-public/blob/master/_modules/ffho_net.py
  28. Python networking modules

          from ipaddress import ip_address, ip_network

          # Example input: the first prefix of vlan1002 from the node pillar
          prefix = '10.132.253.58/31'

          # Calculate DNS PTR name
          ip = ip_address (u'%s' % prefix.split ('/')[0])
          ptr = ip.reverse_pointer

          # Calculate network address
          net_h = ip_network (u'%s' % prefix, strict = False)
          network = str (net_h.network_address)
  29.
  30. Pillar Example (node config)

          bbr-vega.in.ffho.net:
            id: 198
            sysLocation: Vega
            roles:
              - router
              - batman
              - bbr
            sites:
              - pad-cty

      Callouts on the slide: Source for Loopback-IP; Bird config (OSPF + iBGP); Generate Batman interfaces; Batman instances
  31. Pillar Example (node config) contd.

            ifaces:
              bond0:
                bond-slaves: "eth0 eth1"
              vlan1002:
                desc: "<-> gw04"
                vlan-raw-device: bond0
                prefixes:
                  - 10.132.253.58/31
                  - 2a03:2260:2342:fe1c::1/126
                batman_connect_sites: pad-cty
            [...]

      Callouts on the slide: Source for /etc/network/interfaces; Generate VXLAN overlay
  32. IPoBATMANoVXLANoIPoVLANoRF
      ● Wait, what?
      Protocol stack, bottom to top:
        – Ethernet (RF / cable)
        – VLAN
        – IP
        – VXLAN
        – B.A.T.M.A.N. Adv.
        – VXLAN
        – IP
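The following is an added illustration, not code from the talk or from ffho_net.py, of what slides 24/25 and 28 propose: doing the pillar-driven generation in a plain Python module rather than in Jinja2. It takes a constructed node pillar shaped like the bbr-vega example (slides 30/31), renders /etc/network/interfaces stanzas with the ifupdown2 keywords from the slides, selects the vlan3xx interfaces for bird's `protocol direct` block with the same regex as the Jinja template, and derives PTR names and network addresses with `ipaddress`. The VXLAN overlay derivation (VNI, service node IP, MAC) is not shown, since the talk does not spell it out.

```python
import re
from ipaddress import ip_interface

# Constructed node pillar, shaped like the slides' bbr-vega example
# (sample data, not FFHO's real pillar)
NODE = {
    "ifaces": {
        "bond0": {"bond-slaves": "eth0 eth1"},
        "vlan1002": {
            "desc": "<-> gw04",
            "vlan-raw-device": "bond0",
            "prefixes": ["10.132.253.58/31", "2a03:2260:2342:fe1c::1/126"],
        },
        "vlan301": {"desc": "L3 access", "vlan-raw-device": "bond0",
                    "prefixes": ["10.132.42.1/24"]},
    }
}

# ifupdown2 keywords copied verbatim from pillar into the stanza
PASSTHROUGH = ("bond-slaves", "vlan-raw-device", "mtu")

def gen_interfaces(node):
    """Render /etc/network/interfaces stanzas from the node's 'ifaces' pillar."""
    lines = []
    for name, cfg in sorted(node["ifaces"].items()):
        lines += ["# %s" % cfg.get("desc", name), "auto %s" % name, "iface %s" % name]
        for key in PASSTHROUGH:
            if key in cfg:
                lines.append("\t%s %s" % (key, cfg[key]))
        for prefix in cfg.get("prefixes", []):
            lines.append("\taddress %s" % prefix)
        lines.append("")
    return "\n".join(lines)

def gen_bird_direct(node, pattern=r"^vlan3\d\d$"):
    """Bird 'protocol direct' block: the Jinja re_search loop, done in Python."""
    ifaces = [i for i in sorted(node["ifaces"]) if re.search(pattern, i)]
    body = "".join('\tinterface "%s";\n' % i for i in ifaces)
    return "protocol direct l3_access {\n%s}\n" % body

def ptr_records(node):
    """(PTR name, network address, iface) for every prefix, as on the ipaddress slide."""
    records = []
    for name, cfg in node["ifaces"].items():
        for prefix in cfg.get("prefixes", []):
            addr = ip_interface(prefix)  # host address plus prefix length in one object
            records.append((addr.ip.reverse_pointer,
                            str(addr.network.network_address), name))
    return sorted(records)
```

Dropped into a Salt `_modules/` directory, each function becomes callable from states and templates as `salt['<module>.gen_interfaces'](pillar_data)`.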
  33. Hardware
      ● Zoo of sponsored hardware
        – Servers, Switches, WiFi, ..
      ➔ Unify hardware pool
        – PCengines APU2
        – Netonix WISP Switches
        – Ubiquiti Networks
          ● PowerBeam
          ● LiteBeam
          ● AC Mesh Pro
  34. Before / After (PaderHalle)
  35. We can do 19” as well
  36. What’s next?
      ● Migrate IPAM from RackTables to NetBox
        – NetBox has a nifty API
        – Query nodes and interfaces live from NetBox
      ● Finish DNS anycast setup
      ● Activate BGP ADD-PATH for iBGP (RFC 7911)
      ● Achieve world domination
  37. Freifunkromantik
  38. More Freifunkromantik
  39. Further Reading
      ● #routingdays – Learn to build the Internet
        – https://blog.sdn.clinic/2017/09/ffrl-routingdays-learn-to-build-the-internet/
      ● Salt-Orchestrated Software Defined (Freifunk) Network (German)
        – https://www.slideshare.net/BarbarossaTM/software-defined-freifunk-backbones-78288014
        – https://blog.sdn.clinic/category/freifunk/ffho/
  40. Questions? Remarks?
      Thank you :-)
      Maximilian Wilhelm <max@elitepeer.de> @BarbarossaTM
  41. SDN ingredients
      ifupdown2
