Building your own SDN
with Debian Linux, Salt Stack and Python
PyCON.de 2017
Maximilian Wilhelm
<max@sdn.clinic>
@BarbarossaTM
Who am I?
● Maximilian Wilhelm
– @BarbarossaTM
● Senior Infrastructure Architect, Uni Paderborn
● Infrastructure Archmage, Freifunk Hochstift
● Fanboy of
– (Debian) Linux
– ifupdown2
● Networker
● OpenSource Hacker
Agenda
● Contemporary Linux Networking
– Batteries included
– ifupdown2
– Salt Stack
● DIY-SDN
– Python modules
● Putting it all together
Why bother building an SDN?
FFHO WiFi backbone (planned)
root@Stretch:~$ ifconfig
-bash: ifconfig: command not found
root@Stretch:~$ route
-bash: route: command not found
root@Stretch:~$ arp
-bash: arp: command not found
● vconfig
● ifenslave
● iproute2 – Swiss Army knife for networkers
● Functions cleanly separated into subcommands
● ip link – L2: MTU, VLANs, LAGs, bridges
● ip addr – L3 addresses
● ip neigh – ARP/ND
● ip route – Routing + MPLS
VXLAN
● “Ethernet over UDP”
– Or: “Poor man's approach to MPLS”
● Designed as Layer2 overlay for DCs
– Multi-tenant Overlay over IP-Fabric
– 24Bit VNI => 16M Instances
– Unicast/Multicast communication
● Read: VLL / VPLS
– Endpoints = VTEP (VXLAN Tunnel End Point)
● RFC7348
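Added example (not from the talk): the 8-byte VXLAN header of RFC 7348 packed and parsed in Python, so the "24Bit VNI" bullet can be seen on the wire. The sample VNI 1310977 is the vxlan-id used on the ifupdown2 VXLAN slide later in the deck; the function names are assumptions. The decoder also makes the defender's point visible: the header carries no authentication of the sender or the VNI, so reachability of UDP port 4789 on a VTEP should be limited to the underlay.

```python
import struct

VXLAN_UDP_PORT = 4789     # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08       # "I" bit: the VNI field is valid (RFC 7348, section 5)
VNI_MAX = (1 << 24) - 1   # 24-bit VNI: 0 .. 16777215, i.e. 16M instances

# Wire layout, network byte order:
#   flags (1 byte) | reserved (3 bytes) | VNI (3 bytes) | reserved (1 byte)
# B = flags, 3x = reserved, I = last four bytes with the VNI in the top 24 bits.
_HDR = struct.Struct("!B3xI")


def encode_vxlan_header(vni):
    """Header for one VNI; reserved fields are zero as the RFC requires on send."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI %d does not fit in 24 bits" % vni)
    return _HDR.pack(VXLAN_FLAG_I, vni << 8)


def decode_vxlan_header(datagram):
    """Return (vni, inner_ethernet_frame) for a UDP payload.

    A VTEP MUST drop packets whose I flag is not set; the reserved bits are
    ignored on receipt, so only the flag and the length are checked here."""
    if len(datagram) < _HDR.size:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = _HDR.unpack_from(datagram)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag not set, packet must be dropped")
    return vni_field >> 8, datagram[_HDR.size:]


def encapsulate(vni, inner_frame):
    """UDP payload a VTEP would send: header followed by the untouched frame."""
    return encode_vxlan_header(vni) + inner_frame


if __name__ == "__main__":
    # constructed inner frame; a real one would be a full Ethernet frame
    payload = encapsulate(1310977, b"constructed-ethernet-frame")
    print(payload[:8].hex(), decode_vxlan_header(payload))
```

The packed header for VNI 1310977 reads 08 00 00 00 14 01 01 00: the flag byte, three zero bytes, the VNI 0x140101 and a trailing zero byte.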
And even more awesome stuff...
● Latest networking additions
– VRFs
– MPLS forwarding plane
– VLAN-aware-bridges
● Tunneling
– GRE
– IPsec
– OpenVPN
– Wireguard
Used for L2-PTP-VPNs
Used for external links
Used on KVM hypervisors
Links to AS201701
Network interface configuration
● Classic ifupdown not easily automated
● Generating /etc/network/interfaces simple
● How to reload?
– »service networking restart« disruptive
– No tool for “reload” present
– Isn't trivial to build
➔ CumulusNetworks Ifupdown2
– Rewrite of ifupdown in Python
– https://github.com/CumulusNetworks/ifupdown2
ifupdown2
● No full feature parity with ifupdown
● Shipped with batteries included
– dependency resolution
– ifreload
– VRFs
– VXLAN
– VLAN-aware bridges
● Not (yet) supported:
– ppp
ifupdown2 Patches
● Easy to extend, thanks to Python
● Upstream open for ideas (Hi Julien & Roopa)
● Added support for
– B.A.T.M.A.N. interfaces
– Tunnel (GRE, SIT, IPIP, GRETAP)
● Open Pull-Requests for
– Condoning bridge interfaces for configuration
– Setting phys-dev for VXLAN
– Setting vEth peer name
VXLAN / VTEPs with ifupdown2
# vx_v2001_padcty
auto vx_v2001_padcty
iface vx_v2001_padcty
vxlan-id 1310977
vxlan-physdev vlan2001
vxlan-svcnodeip 225.20.1.1
#
hwaddress f2:00:c1:01:20:01
mtu 1560
About that routing thing
● Protocols
– OSPF
– IS-IS
– BGP
● Implementations:
– Bird
– Quagga / FRR
– GoBGP
– ExaBGP (Written in Python :-))
Used for OSPF / iBGP + eBGP
Automation
Salt Stack
● Continuous Management
– (De)install packages
– Generate and manage config files
– Manage system services/units
– Configure the network
– Distribute Host Certificates
– ...
● Written in Python
● Extensible by own Python modules
States
● Represent state $something should have
● Usually YAML format
● Bunch of definitions of..
– Packages to (de)install
– Services to (de)activate
– File contents
– Users
– …
● Allows definition of dependencies
State example (bird excerpt)
https://github.com/FreifunkHochstift/ffho-salt-public/blob/master/bird/init.sls
Pillar
● Structured key value store
● Usually YAML format
– Eval Jinja2 → Read YAML
● Data can be read from templates
– As data structures. Yay.
● Predestined for
– Keys
– Host specific configuration
– Any other configuration data
Pillar Example (TE excerpt)
Templating - Jinja2
● Default language: Jinja2
– Yay, Python again – kind of
● Usable within file templates and states
Jinja2 state example
Modules
● No regex support in Jinja2 though. D’oh.
➔ 1. highly complex extension module:
# ffho.py
import re

def re_replace (pattern, replacement, string):
    return re.sub (pattern, replacement, string)

def re_search (pattern, string, flags = 0):
    return re.search (pattern, string, flags)
Hello regular expressions
# /etc/bird/bird.d/l3-access.conf
protocol direct l3_access {
{%- for iface in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':ifaces') %}
{#- vlan300 .. vlan399 #}
{%- if salt['ffho.re_search']('^vlan3\d\d$', iface) %}
	interface "{{ iface }}";
{%- endif %}
{%- endfor %}
}
Jinja or real Python?
● Templating is cool
● Complex code within Jinja2 is not
● Why not move this to modules?
– Use full Python potential
– Structure code into nice functions
– Functions callable from Jinja2
– Profit
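As an added example, not code from the talk or from the ffho-salt-public repository, this is what the l3-access loop from the "Hello regular expressions" slide looks like once it is moved into a Salt execution module, as the slide above suggests. The module name ffho_bird, the function names and the constructed node dictionary are assumptions; the pillar layout follows the "Pillar Example" slides.

```python
# ffho_bird.py: drop into the _modules/ directory of the state tree and run
# saltutil.sync_modules so minions pick it up. Example code, not the project's.
import re

# One compiled pattern instead of a regex string buried in a template.
# Matches vlan300 .. vlan399 only; the anchors keep vlan30 and vlan3000 out.
L3_ACCESS_RE = re.compile(r"^vlan3\d\d$")

# Constructed node entry in the 'nodes:<id>' pillar layout from the slides.
NODE_PILLAR = {
    "ifaces": {
        "bond0": {"bond-slaves": "eth0 eth1"},
        "vlan1002": {"desc": "<-> gw04", "vlan-raw-device": "bond0"},
        "vlan300": {"desc": "l3 access (constructed)"},
        "vlan342": {"desc": "l3 access (constructed)"},
        "vlan3000": {"desc": "looks similar, must not match (constructed)"},
    }
}


def l3_access_ifaces(node):
    """Interface names of a node that belong to the l3-access protocol.

    Sorted, so the rendered file is byte-identical on every highstate run and
    diffs of the generated config stay readable."""
    ifaces = node.get("ifaces") or {}
    return sorted(name for name in ifaces if L3_ACCESS_RE.match(name))


def l3_access_protocol(node):
    """Render the Bird 'protocol direct l3_access { ... }' block as a string."""
    lines = ["protocol direct l3_access {"]
    for name in l3_access_ifaces(node):
        lines.append('\tinterface "%s";' % name)
    lines.append("}")
    return "\n".join(lines) + "\n"


def l3_access_protocol_for_minion():
    """Salt entry point: read this minion's node entry from pillar and render.

    __salt__ and __grains__ are injected by Salt when it loads the module, so
    this function only works inside Salt; call it from a template as
    salt['ffho_bird.l3_access_protocol_for_minion']()."""
    node = __salt__["pillar.get"]("nodes:%s" % __grains__["id"], {})
    return l3_access_protocol(node)


if __name__ == "__main__":
    print(l3_access_protocol(NODE_PILLAR), end="")
```

With the module in place the whole Jinja2 loop in l3-access.conf collapses to a single `{{ salt['ffho_bird.l3_access_protocol_for_minion']() }}`, and the regex can be unit-tested outside Salt.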
The SDN part
#SDN
Disclaimer: Font on special request of AbraXXL
ffho_net.py
● Generate / compute
– Interfaces config (for /etc/network/interfaces)
– Bird OSPF configuration
– Bird BGP configuration
● iBGP / eBGP peerings / Traffic Engineering routes
– B.A.T.M.A.N. + VXLAN overlay ifaces
● Unique MAC addresses for B.A.T.M.A.N. ifaces
– DNS entries from interface configuration
https://github.com/FreifunkHochstift/ffho-salt-public/blob/master/_modules/ffho_net.py
Python networking modules
from ipaddress import ip_address, ip_network

# Calculate DNS PTR name
ip = ip_address (u'%s' % prefix.split ('/')[0])
ptr = ip.reverse_pointer

# Calculate network address
net_h = ip_network (u'%s' % prefix, strict = False)
network = str (net_h.network_address)
Pillar Example (node config)
bbr-vega.in.ffho.net:
  id: 198
  sysLocation: Vega
  roles:
    - router
    - batman
    - bbr
  sites:
    - pad-cty
Slide annotations: Source for Loopback-IP; Bird config (OSPF + iBGP); Generate Batman interfaces; Batman instances
Pillar Example (node config) contd.
  ifaces:
    bond0:
      bond-slaves: "eth0 eth1"
    vlan1002:
      desc: "<-> gw04"
      vlan-raw-device: bond0
      prefixes:
        - 10.132.253.58/31
        - 2a03:2260:2342:fe1c::1/126
      batman_connect_sites: pad-cty
    [...]
Slide annotations: Source for /etc/network/interfaces; Generate VXLAN overlay
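Added example, not the talk's ffho_net.py: a small generator that turns the node pillar from the two slides above into ifupdown2 stanzas and DNS records, using the same ipaddress calls shown on the "Python networking modules" slide. The node dictionary is constructed from the slides; the <iface>.<node> hostname convention, the function names and the interface-name check are assumptions. Going a little beyond the slides, the check refuses interface names that cannot be valid on Linux before anything is rendered into a file that ifupdown2 will process as root.

```python
import re
from ipaddress import ip_interface, ip_network

# Linux limits interface names to 15 characters (IFNAMSIZ - 1); whitespace or
# newlines in a name would corrupt /etc/network/interfaces, so reject anything
# outside this set before rendering (assumed check, not from the talk).
IFACE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")

# Constructed from the "Pillar Example (node config)" slides.
NODE_NAME = "bbr-vega.in.ffho.net"
NODE = {
    "id": 198,
    "sysLocation": "Vega",
    "ifaces": {
        "bond0": {"bond-slaves": "eth0 eth1"},
        "vlan1002": {
            "desc": "<-> gw04",
            "vlan-raw-device": "bond0",
            "prefixes": ["10.132.253.58/31", "2a03:2260:2342:fe1c::1/126"],
            "batman_connect_sites": "pad-cty",
        },
    },
}


def _checked_name(name):
    if not IFACE_NAME_RE.match(name):
        raise ValueError("invalid interface name: %r" % (name,))
    return name


def prefix_network(prefix):
    """Network address of a host prefix (same ip_network call as on the slide)."""
    return str(ip_network(prefix, strict=False).network_address)


def iface_stanza(name, cfg):
    """Render one ifupdown2 stanza from an interface's pillar entry."""
    lines = ["auto %s" % _checked_name(name), "iface %s" % name]
    if "desc" in cfg:
        lines.append("\t# %s" % cfg["desc"].replace("\n", " "))
    if "bond-slaves" in cfg:
        slaves = [_checked_name(s) for s in cfg["bond-slaves"].split()]
        lines.append("\tbond-slaves %s" % " ".join(slaves))
    if "vlan-raw-device" in cfg:
        lines.append("\tvlan-raw-device %s" % _checked_name(cfg["vlan-raw-device"]))
    for prefix in cfg.get("prefixes", []):
        # ip_interface() parses and validates; a malformed prefix raises here
        lines.append("\taddress %s" % ip_interface(prefix).with_prefixlen)
    return "\n".join(lines) + "\n"


def interfaces_file(node):
    """Body of /etc/network/interfaces, interfaces in a stable order."""
    return "\n".join(iface_stanza(n, c) for n, c in sorted(node["ifaces"].items()))


def dns_records(node_name, node):
    """(owner, type, rdata) triples: one A/AAAA per address plus its PTR."""
    records = []
    for name, cfg in sorted(node["ifaces"].items()):
        fqdn = "%s.%s" % (name, node_name)  # assumed naming convention
        for prefix in cfg.get("prefixes", []):
            addr = ip_interface(prefix).ip
            records.append((fqdn, "A" if addr.version == 4 else "AAAA", str(addr)))
            records.append((addr.reverse_pointer, "PTR", fqdn))
    return records


if __name__ == "__main__":
    print(interfaces_file(NODE))
    for rec in dns_records(NODE_NAME, NODE):
        print("%s IN %s %s" % rec)
```

Everything is derived from the one pillar entry, which is the point of the ffho_net.py slide: interfaces, addresses and DNS never drift apart because none of them is hand-edited.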
IPoBATMANoVXLANoIPoVLANoRF
● Wait, what?
Layer stack, bottom to top:
  Ethernet (RF / cable)
  VLAN
  IP
  VXLAN
  B.A.T.M.A.N. Adv.
  VXLAN
  IP
Hardware
● Zoo of sponsored Hardware
– Servers, Switches, WiFi, ..
➔ Unify hardware pool
– PCengines APU2
– Netonix WISP Switches
– Ubiquiti Networks
● PowerBeam
● LiteBeam
● AC Mesh Pro
Before / After (PaderHalle)
We can do 19” as well
What’s next?
● Migrate IPAM from RackTables to NetBox
– NetBox has a nifty API
– Query nodes and interfaces live from NetBox
● Finish DNS anycast setup
● Activate BGP ADD-PATH for iBGP (RFC7911)
● Achieve world domination
Freifunkromantik
More Freifunkromantik
Further Reading
● #routingdays – Learn to build the Internet
– https://blog.sdn.clinic/2017/09/ffrl-routingdays-learn-to-build-the-internet/
● Salt-Orchestrated Software Defined (Freifunk) Network (German)
– https://www.slideshare.net/BarbarossaTM/software-defined-freifunk-backbones-78288014
– https://blog.sdn.clinic/category/freifunk/ffho/
Questions? Remarks?
Thank you :-)
Maximilian Wilhelm
<max@elitepeer.de>
@BarbarossaTM
SDN ingredients
ifupdown2
