Uploaded byLF_OpenvSwitch
PDF, PPTX1,056 views

LF_OVS_17_OvS manipulation with Go at DigitalOcean

The document discusses DigitalOcean's past and present use of Open vSwitch (OvS) for virtual networking. In the past, OvS was manipulated using Perl scripts that built flow strings and called ovs-ofctl. This had issues like lack of testing and non-atomic flow applications. Now, a Go package called ovs is used to programmatically control OvS. It builds flows without string manipulation and applies them atomically. DigitalOcean also uses packages like hvflow and gRPC services hvflowctl and hvflowd to configure OvS flows from network parameters. The future may involve orchestrating OvS directly through OpenFlow to avoid parsing tool outputs and directly applying flows.

Embed presentation

Download as PDF, PPTX
OvS manipulation with Go at DigitalOcean Matt Layher, Software Engineer OvSCon 2017
digitalocean.com ● Software Engineer at DO for ~3.5 years ● Focused on virtual networking primitives ● Huge fan of Go programming language ● GitHub + Twitter: @mdlayher
digitalocean.com Cloud computing designed for developers ● Cloud provider with focus on simplicity ● “Droplet” product is a virtual machine ● Compute, storage, networking, and monitoring primitives ○ Load Balancers as a Service ○ Floating IPs ○ Cloud Firewalls (learn more at Kei Nohguchi’s talk!)
digitalocean.com DO is powered by Open vSwitch! ● 10,000+ of instances of OvS! ● One of the most crucial components in our entire stack.
digitalocean.com Open vSwitch at DigitalOcean: The Past
digitalocean.com Open vSwitch and Perl ● Events (create droplet, power on, etc.) reach a hypervisor ● Perl event handlers pick up events and performs a series of actions to prepare a droplet ● Perl builds flow strings and calls ovs-ofctl
digitalocean.com Building flows with Perl my $ipv4_flow_rules = [ [ # Flow priority. 2020, # Hash of flow matches. { dl_src => $mac, in_port => $ovs_port_id, ip => undef, nw_src => "${ip}/32", }, # Literal string of flow actions. "mod_vlan_vid:${ipv4vlan},resubmit(,1)" ], # … many more flows ]
digitalocean.com Applying flows with Perl # Build comma-separated matches from hash. my $flow = _construct_flow_string($flow_hash); # Build the flow string with usual fields. my $cmd = "priority=${priority},idle_timeout=${timeout},${flow},actions=${actions}"; # Once a flow is added, we need a way to delete it later on! if ($add_delete_hook && defined($delete_hook_handle)) { # Flows written into a libvirt hook to be deleted later. if (_write_flow_to_be_deleted($bridge, $delete_hook_handle, $flow) != PASS) { return FAIL; } } # Shell out to ovs-ofctl and do the work! return _run_ovs_cmd("ovs-ofctl add-flow ${bridge} '${cmd}'");
digitalocean.com Conclusions: Open vSwitch and Perl ● Pros: ○ Straightforward code ○ Perl is well-suited to manipulating strings ● Cons: ○ No sanity checking (other than OvS applying the flow) ○ Lacking test coverage ○ libvirt flow deletion hooks for individual flows proved problematic ○ Shell out once per flow; no atomicity
digitalocean.com Open vSwitch at DigitalOcean: The Present
digitalocean.com Open vSwitch and Go ● Events reach a hypervisor ● Perl/Go (it depends) systems perform a series of actions to prepare a droplet ● Go builds flow strings and calls ovs-ofctl
digitalocean.com package ovs Package ovs is a client library for Open vSwitch which enables programmatic control of the virtual switch.
digitalocean.com package ovs ● Go package for manipulating Open vSwitch ● No DigitalOcean-specific code! ● Open source (soon)! ○ https://github.com/digitalocean/go-openvswitch
digitalocean.com Building flows with Go flow := &ovs.Flow{ // Commonly used flow pieces are struct fields. Priority: 2000, Protocol: ovs.ProtocolIPv4, InPort: droplet.PortID, // Matches and Actions are Go interfaces; functions create a // type that implements the interface. Matches: []ovs.Match{ ovs.DataLinkSource(r.HardwareAddr.String()), ovs.NetworkSource(r.IP.String()), }, Actions: []ovs.Action{ ovs.Resubmit(0, tableL2Rewrite), }, }
digitalocean.com Building flows with Go (cont.) ● Our example flow marshaled to textual format: priority=2000,ip,in_port=1,dl_src=de:ad:be:ef:de:ad, nw_src=192.168.1.1,table=0,idle_timeout=0,actions=resubmit(,10) ● Mostly string manipulation behind the scenes; just like Perl ● Go is statically typed, reducing chance of programmer errors ● Can validate each match and action for correctness without hitting OvS
digitalocean.com The ovs.Match Go interface type Match interface { // MarshalText() (text []byte, err error) encoding.TextMarshaler } ● Because of the way Go interfaces work, any type with a MarshalText method can be used as an ovs.Match ● The error return value can be used to catch any bad input ● ovs.Action’s definition is identical
digitalocean.com The ovs.Client Go type // Configure ovs.Client with our required OpenFlow flow format and protocol. client := ovs.New(ovs.FlowFormat("OXM-OpenFlow14"), ovs.Protocols("OpenFlow14")) // $ ovs-vsctl --may-exist add-br br0 err := client.VSwitch.AddBridge("br0") // $ ovs-ofctl add-flow --flow-format=OXM-OpenFlow14 --protocols=OpenFlow14 br0 ${flow} err = client.OpenFlow.AddFlow("br0", exampleFlow()) ● ovs.Client is a wrapper around ovs-vsctl and ovs-ofctl commands ● ovs.New constructor uses “functional options” pattern for sane defaults ● We can still only apply one flow at a time… right?
digitalocean.com ovs.Client flow bundle transactions // Assume we want to apply a new flow set and remove old one. add, remove := newFlows(), oldFlows() // We can apply all of these flows atomically using a flow bundle! err := client.OpenFlow.AddFlowBundle(bridge, func(tx *ovs.FlowTransaction) error { // $ echo -e “delete priority=10,cookie=1,actions=dropn” >> mem tx.Delete(remove...) // $ echo -e “add priority=10,cookie=1,actions=output:1n” >> mem tx.Add(add...) // $ cat mem | ovs-ofctl --bundle add-flow --flow-format=OXM-OpenFlow14 --protocols=OpenFlow14 br0 - return tx.Commit() }) ● Flow bundle stored in memory, passed directly from buffer to ovs-ofctl ● Modifications are processed by OvS in a single, atomic transaction
digitalocean.com package hvflow Package hvflow provides Open vSwitch flow manipulation at the hypervisor level.
digitalocean.com package hvflow ● DigitalOcean-specific wrapper for package ovs ● Provides higher-level constructs, such as: ○ enable public IPv4 and IPv6 connectivity ○ reset and apply security policies ○ disable all connectivity
digitalocean.com The hvflow.Client Go type // Configure hvflow.Client to modify bridge “br0”. client, err := hvflow.NewClient("br0", ovs.New( ovs.FlowFormat("OXM-OpenFlow14"), ovs.Protocols("OpenFlow14"), )) ● hvflow.Client is a high-level wrapper around ovs.Client ● hvflow.NewClient constructor uses “functional options” pattern for sane defaults
digitalocean.com Network parameters - “netparams” ● Encode all necessary information about how to enable networking for a given VNIC ● Carries IPv4 and IPv6 addresses, firewall configurations, floating IPs… ● netparams used to configure OvS with hvflow.Client.Transaction method { "droplet_id": 1, "vnics": [ { "mac": "de:ad:be:ef:de:ad", "enabled": 1, "name": "tapext1", "interface_type": "public", "addresses": { "ipv4": [ { "ip_address": "10.0.0.10", "masklen": 20, "gateway": "10.0.0.1" } ] } } ] }
digitalocean.com hvflow.Client transactions // Assume a netparams structure similar to the one just shown. params, ifi := networkParams(), "public" err := client.Transaction(ctx, func(ctx context.Context, tx *hvflow.Transaction) error { // Convert netparams into hvflow simplified representation. req, ok, err := hvflow.NewIPv4Request(params, ifi) if err != nil { return err } if ok { // If IPv4 configuration present, apply it! if err := tx.EnableIPv4(ctx, req); err != nil { return wrapError(err, "failed to enable IPv4 networking") } } return tx.Commit() })
digitalocean.com hvflow.Client transactions (cont.) ● Each operation accumulates additional flows to be applied within the context of the transaction. ● Flow set sizes can vary from a couple dozen to several hundred flows. ● Flows are always applied using a flow bundle; non-transactional hvflow.Client API was deleted! // IPv4 configuration. err := tx.EnableIPv4(ctx, req4) // IPv6 configuration. err = tx.EnableIPv6(ctx, req6) // Floating IPv4 configuration. err = tx.EnableFloatingIPv4(ctx, req4F) // Disable networking on an interface. err = tx.Disable(ctx, 10, "public") // Apply flow set to OvS. err = tx.Commit()
digitalocean.com The hvflow.Cookie Go interface type Cookie interface { Marshal() (uint64, error) Unmarshal(i uint64) error } ● Cookie structs packed and unpacked from uint64 form ● Cookies are versioned using a 4-bit identifier ● Used to store identification metadata about a flow ● Easy deletions of flows; much simpler deletion hooks with libvirt
digitalocean.com hvflowctl and hvflowd gRPC client and server that manipulate Open vSwitch
digitalocean.com hvflowctl and hvflowd ● gRPC client and server written in Go ● hvflowctl passes netparams and other data to hvflowd ● hvflowd manipulates OvS flows via hvflow package
digitalocean.com hvflowd’s gRPC interface ● gRPC uses protocol buffers (“protobuf”) for RPC communication ● RPCs accept one message type and return another ● netparamspb package for encoding netparams in protobuf // The set of RPCs that make up the “HVFlow” service. service HVFlow { // Add flows using the parameters specified in request. rpc AddFlows(AddFlowsRequest) returns (AddFlowsResponse); } // RPC parameters encoded within a request message. message AddFlowsRequest { // netparams have a protobuf representation too. netparamspb.NetworkParams network_params = 1; string interface_type = 2; } // No need to return any data on success. message AddFlowsResponse {}
digitalocean.com hvflowd AddFlows RPC // AddFlows requests that hvflowd add flows to enable connectivity for one or more droplets. func (s *server) AddFlows(ctx context.Context, req *hpb.AddFlowsRequest) (*hpb.AddFlowsResponse, error) { // Fetch netparams from gRPC request message. params := req.GetNetworkParams() // Perform the necessary transaction logic to establish connectivity. err := s.hvflowc.Transaction(ctx, func(ctx context.Context, tx *hvflow.Transaction) error { // hvflow.Client transaction logic … return tx.Commit() }) // Inform the caller if the request was successful. return &hvflowpb.AddFlowsResponse{}, err } ● RPCs enable orchestration among multiple hypervisors and hvflowd instances
digitalocean.com Testing hvflowctl and hvflowd ● Unit tests verify a flow looks a certain way ○ go test ./... ● Integration tests verify the behavior of flows applied to OvS ○ mininet, OvS, hvflowctl, hvflowd
digitalocean.com Testing with mininet ● Network topology created with multi-namespace OvS in mininet ● hvflowd spun up in each “hypervisor namespace” # Spin up hvflowd in the background and set per-hypervisor environment # variables needed to enable multiple instances to run together. for key in self.hvflowdEnv: self.cmd('export %s=%s' % (key, self.hvflowdEnv[key])) self.cmd('%s &' % (self.hvflowdPath)) ● hvflowctl issues RPCs using JSON netparams fixtures # Issue RPCs to hvflowd using flags and netparams JSON. self.switch.cmd("echo '%s' | %s %s --rpc %s %s" % (stdinBuf, self.hvflowctlPath, command, rpcAddr, opts))
digitalocean.com Testing with mininet (cont.) ● Docker image built and pulled by Concourse CI ● Virtual droplet and hypervisor topology spun up by mininet ● Tests run on every pull request to hvflow package Beginning testing with /configs/production.json ==> Outside to public droplet d1 should pass out1 (8.8.8.8) ----> d1 (192.0.2.10) *** Results: 0% dropped (1/1 received) ==> Outside to floating on d1 should pass out1 (8.8.8.8) ----> d1 (192.0.2.100) *** Results: 0% dropped (1/1 received) ==> Outside to private d1 should fail out1 (8.8.8.8) ----> X(d1) (10.60.5.5) *** Results: 100% dropped (0/1 received)
digitalocean.com Conclusions: Open vSwitch and Go ● Pros: ○ Go is well-suited to building large, highly concurrent, network systems ○ Go compiles to a single, statically-linked binary for trivial deployment ○ Flows are easier to read for those who aren’t familiar with OvS ○ Data is statically typed and checked before hitting OvS ○ Flows can be bundled and committed atomically ● Cons: ○ Flows structures are verbose if you are familiar with OvS ○ We are still shelling out to OvS tools
digitalocean.com Open vSwitch at DigitalOcean: The Future
digitalocean.com Orchestrated Open vSwitch and Go ● RPC performed to a “regional network service” (RNS) ● RNS determines actions, sends RPCs to hvflowd ● hvflowd builds flows and speaks OpenFlow directly
digitalocean.com Use cases for an OvS orchestration system ● High level networking actions that apply to many hypervisors and their droplets ○ Apply firewall “open TCP/22” to all droplets for customer X ○ Disable connectivity to all droplets for customer Y hvflowd hvflowd hvflowd hvflowd hvflowd RNS DO systems
digitalocean.com Why speak OpenFlow directly? ● Difficulty parsing unstable OvS tool text output ○ ovs-ofctl dump-ports br0 tap0 ● Tedious generation and parsing of flow strings
digitalocean.com Why not use an OpenFlow controller? ● Industry is moving to a distributed control plane approach ○ Need to carefully avoid architectures where it would be difficult to scale a central controller ● We considered OVN, but were concerned about its maturity ○ The “RNS” architecture is similar to OVN ● A distributed OpenFlow controller is not off the table! ○ Maybe hvflowd becomes OvS’s “controller”?
digitalocean.com ovs.Client with OpenFlow // Configure ovs.Client with our required OpenFlow flow format and protocol. client := ovs.New( ovs.FlowFormat("OXM-OpenFlow14"), ovs.Protocols("OpenFlow14"), // Toggle on direct OpenFlow support. ovs.UseOpenFlow("localhost:6633"), ) // Flow marshaled to binary instead of text format, and sent via OpenFlow. err = client.OpenFlow.AddFlow("br0", exampleFlow()) ● ovs.New constructor gains a new option to toggle on OpenFlow ● ovs.Client opens a socket and sends raw OpenFlow commands
digitalocean.com ovs.Match gains a new method type Match interface { // MarshalText() (text []byte, err error) encoding.TextMarshaler // New: MarshalBinary() (bin []byte, err error) encoding.BinaryMarshaler } ● Implement a MarshalBinary method for all Match types ● ovs.Action would be updated in the same way
digitalocean.com Conclusions: orchestrated Open vSwitch and Go ● Pros: ○ Easy to orchestrate changes amongst multiple servers ○ No more parsing OvS tool string output ○ No more generating and parsing the flow text format! ● Cons: ○ Too early to tell!
digitalocean.com Open vSwitch at DigitalOcean: Conclusions
digitalocean.com DO is powered by Open vSwitch! ● We’ve deployed more than 10,000 instances of OvS and have run it in production for three years. ● We’ve moved from Perl to Go, and our OvS tooling has too. ● We’re excited for the future of OvS and OVN!
Thank you! Matt Layher mdlayher@do.co GitHub + Twitter: @mdlayher https://github.com/digitalocean/go-openvswitch

More Related Content

PDF
LF_OVS_17_LXC Linux Containers over Open vSwitch
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIO
byLF_OpenvSwitch
 
PDF
LF_OVS_17_State of the OVN
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Enabling hardware acceleration in OVS-DPDK using DPDK Framework.
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OVN and Containers - An update.
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Red Hat's perspective on OVS HW Offload Status
byLF_OpenvSwitch
 
LF_OVS_17_LXC Linux Containers over Open vSwitch
byLF_OpenvSwitch
 
LF_OVS_17_Enabling Hardware Offload of OVS Control & Data plane using LiquidIO
byLF_OpenvSwitch
 
LF_OVS_17_State of the OVN
byLF_OpenvSwitch
 
LF_OVS_17_OVS Performance on Steroids - Hardware Acceleration Methodologies
byLF_OpenvSwitch
 
LF_OVS_17_Open vSwitch Offload: Conntrack and the Upstream Kernel
byLF_OpenvSwitch
 
LF_OVS_17_Enabling hardware acceleration in OVS-DPDK using DPDK Framework.
byLF_OpenvSwitch
 
LF_OVS_17_OVN and Containers - An update.
byLF_OpenvSwitch
 
LF_OVS_17_Red Hat's perspective on OVS HW Offload Status
byLF_OpenvSwitch
 

What's hot

PPTX
OpenvSwitch Deep Dive
byrajdeep
 
PDF
OVS Hardware Offload with TC Flower
byNetronome
 
PDF
Open vSwitch Introduction
byHungWei Chiu
 
PPTX
Ovs dpdk hwoffload way to full offload
byKevin Traynor
 
PDF
Open vSwitch Implementation Options
byNetronome
 
PPTX
High Performance Networking Leveraging the DPDK and Growing Community
by6WIND
 
PDF
Accelerate Service Function Chaining Vertical Solution with DPDK
byOPNFV
 
PPTX
Accelerating Neutron with Intel DPDK
byAlexander Shalimov
 
PDF
DPDK Support for New HW Offloads
byNetronome
 
PDF
LF_DPDK17_Event Adapters - Connecting Devices to Eventdev
byLF_DPDK
 
PDF
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
PDF
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Ingress Scheduling
byLF_OpenvSwitch
 
PPTX
OVS v OVS-DPDK
byMd Safiyat Reza
 
PDF
Open vSwitch Offload: Conntrack and the Upstream Kernel
byNetronome
 
PPTX
OpenStack 2012 fall summit observation - Quantum/SDN
byTe-Yen Liu
 
PDF
DPDK Summit 2015 - HP - Al Sanders
byJim St. Leger
 
PDF
LF_DPDK17_ OpenVswitch hardware offload over DPDK
byLF_DPDK
 
PDF
LF_OVS_17_OVS-DPDK Installation and Gotchas
byLF_OpenvSwitch
 
PDF
DPACC Acceleration Progress and Demonstration
byOPNFV
 
OpenvSwitch Deep Dive
byrajdeep
 
OVS Hardware Offload with TC Flower
byNetronome
 
Open vSwitch Introduction
byHungWei Chiu
 
Ovs dpdk hwoffload way to full offload
byKevin Traynor
 
Open vSwitch Implementation Options
byNetronome
 
High Performance Networking Leveraging the DPDK and Growing Community
by6WIND
 
Accelerate Service Function Chaining Vertical Solution with DPDK
byOPNFV
 
Accelerating Neutron with Intel DPDK
byAlexander Shalimov
 
DPDK Support for New HW Offloads
byNetronome
 
LF_DPDK17_Event Adapters - Connecting Devices to Eventdev
byLF_DPDK
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
LF_OVS_17_OVS/OVS-DPDK connection tracking for Mobile usecases
byLF_OpenvSwitch
 
LF_OVS_17_Ingress Scheduling
byLF_OpenvSwitch
 
OVS v OVS-DPDK
byMd Safiyat Reza
 
Open vSwitch Offload: Conntrack and the Upstream Kernel
byNetronome
 
OpenStack 2012 fall summit observation - Quantum/SDN
byTe-Yen Liu
 
DPDK Summit 2015 - HP - Al Sanders
byJim St. Leger
 
LF_DPDK17_ OpenVswitch hardware offload over DPDK
byLF_DPDK
 
LF_OVS_17_OVS-DPDK Installation and Gotchas
byLF_OpenvSwitch
 
DPACC Acceleration Progress and Demonstration
byOPNFV
 

Viewers also liked

PDF
LF_OVS_17_IPSEC and OVS DPDK
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OVN at Nutanix
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OVN and Kelda
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Day 2 Closing Remarks
byLF_OpenvSwitch
 
PDF
LF_OVS_17_Day 2 Opening Remarks
byLF_OpenvSwitch
 
PDF
LF_OVS_17_CORD: An open source platform to reinvent the network edge
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OvS Hardware Offload with TC Flower
byLF_OpenvSwitch
 
PDF
LF_OVS_17_OVS-DPDK for NFV: go live feedback!
byLF_OpenvSwitch
 
PDF
LF_OVS_17_The birth of SmartNICs -- offloading dataplane traffic to...software
byLF_OpenvSwitch
 
PDF
LF_OVS_17_DigitalOcean Cloud Firewalls: powered by OvS and conntrack
byLF_OpenvSwitch
 
LF_OVS_17_IPSEC and OVS DPDK
byLF_OpenvSwitch
 
LF_OVS_17_OVN at Nutanix
byLF_OpenvSwitch
 
LF_OVS_17_OVN and Kelda
byLF_OpenvSwitch
 
LF_OVS_17_Day 2 Closing Remarks
byLF_OpenvSwitch
 
LF_OVS_17_Day 2 Opening Remarks
byLF_OpenvSwitch
 
LF_OVS_17_CORD: An open source platform to reinvent the network edge
byLF_OpenvSwitch
 
LF_OVS_17_OvS Hardware Offload with TC Flower
byLF_OpenvSwitch
 
LF_OVS_17_OVS-DPDK for NFV: go live feedback!
byLF_OpenvSwitch
 
LF_OVS_17_The birth of SmartNICs -- offloading dataplane traffic to...software
byLF_OpenvSwitch
 
LF_OVS_17_DigitalOcean Cloud Firewalls: powered by OvS and conntrack
byLF_OpenvSwitch
 

Similar to LF_OVS_17_OvS manipulation with Go at DigitalOcean

PPT
OpenFlow Tutorial
byJa-seop Kwak
 
PDF
H2O 3 REST API Overview
bySri Ambati
 
PDF
Virtualized network with openvswitch
bySim Janghoon
 
PDF
Stacks and Layers: Integrating P4, C, OVS and OpenStack
byOpen-NFP
 
PPT
OpenFlow tutorial
byopenflow
 
PPTX
Openstack openswitch basics
bynshah061
 
PPTX
lect4_SDNbasic_openflow.pptx
byJesicaDcruz1
 
PDF
Cisco Openflow
byVijayaguru Jayaram
 
PDF
Networking and Go: An Engineer's Journey (Strangeloop 2019)
bySneha Inguva
 
PPTX
Harmonia open iris_basic_v0.1
byYongyoon Shin
 
PDF
PLNOG 8: Piotr Gierz - Protokół OpenFlow
byPROIDEA
 
PDF
OVS-LinuxCon 2013.pdf
byDanielHanganu2
 
PDF
software defined network, openflow protocol and its controllers
byIsaku Yamahata
 
PDF
Open vSwitch for networking solution for L2
byHaseebAhmed360060
 
PDF
Networked APIs with swift
byTim Burks
 
PPTX
Thebasicintroductionofopenvswitch
byRamses Ramirez
 
PDF
第2回クラウドネットワーク研究会 「OpenFlowコントローラとその実装」
bySho Shimizu
 
PDF
SDN/OpenFlow #lspe
byChris Westin
 
PDF
Openlab.2014 02-13.major.vi sion
byCcie Light
 
PDF
H2O 3 REST API Overview
byRaymond Peck
 
OpenFlow Tutorial
byJa-seop Kwak
 
H2O 3 REST API Overview
bySri Ambati
 
Virtualized network with openvswitch
bySim Janghoon
 
Stacks and Layers: Integrating P4, C, OVS and OpenStack
byOpen-NFP
 
OpenFlow tutorial
byopenflow
 
Openstack openswitch basics
bynshah061
 
lect4_SDNbasic_openflow.pptx
byJesicaDcruz1
 
Cisco Openflow
byVijayaguru Jayaram
 
Networking and Go: An Engineer's Journey (Strangeloop 2019)
bySneha Inguva
 
Harmonia open iris_basic_v0.1
byYongyoon Shin
 
PLNOG 8: Piotr Gierz - Protokół OpenFlow
byPROIDEA
 
OVS-LinuxCon 2013.pdf
byDanielHanganu2
 
software defined network, openflow protocol and its controllers
byIsaku Yamahata
 
Open vSwitch for networking solution for L2
byHaseebAhmed360060
 
Networked APIs with swift
byTim Burks
 
Thebasicintroductionofopenvswitch
byRamses Ramirez
 
第2回クラウドネットワーク研究会 「OpenFlowコントローラとその実装」
bySho Shimizu
 
SDN/OpenFlow #lspe
byChris Westin
 
Openlab.2014 02-13.major.vi sion
byCcie Light
 
H2O 3 REST API Overview
byRaymond Peck
 

Recently uploaded

PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
PPTX
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
PDF
How Much Does It Cost To Build Software
bycollinmishell2
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
How Much Does It Cost To Build Software
bycollinmishell2
 

LF_OVS_17_OvS manipulation with Go at DigitalOcean

  • 1.
    OvS manipulation withGo at DigitalOcean Matt Layher, Software Engineer OvSCon 2017
  • 2.
    digitalocean.com ● Software Engineerat DO for ~3.5 years ● Focused on virtual networking primitives ● Huge fan of Go programming language ● GitHub + Twitter: @mdlayher
  • 4.
    digitalocean.com Cloud computing designedfor developers ● Cloud provider with focus on simplicity ● “Droplet” product is a virtual machine ● Compute, storage, networking, and monitoring primitives ○ Load Balancers as a Service ○ Floating IPs ○ Cloud Firewalls (learn more at Kei Nohguchi’s talk!)
  • 5.
    digitalocean.com DO is poweredby Open vSwitch! ● 10,000+ of instances of OvS! ● One of the most crucial components in our entire stack.
  • 6.
    digitalocean.com Open vSwitch atDigitalOcean: The Past
  • 7.
    digitalocean.com Open vSwitch andPerl ● Events (create droplet, power on, etc.) reach a hypervisor ● Perl event handlers pick up events and performs a series of actions to prepare a droplet ● Perl builds flow strings and calls ovs-ofctl
  • 8.
    digitalocean.com Building flows withPerl my $ipv4_flow_rules = [ [ # Flow priority. 2020, # Hash of flow matches. { dl_src => $mac, in_port => $ovs_port_id, ip => undef, nw_src => "${ip}/32", }, # Literal string of flow actions. "mod_vlan_vid:${ipv4vlan},resubmit(,1)" ], # … many more flows ]
  • 9.
    digitalocean.com Applying flows withPerl # Build comma-separated matches from hash. my $flow = _construct_flow_string($flow_hash); # Build the flow string with usual fields. my $cmd = "priority=${priority},idle_timeout=${timeout},${flow},actions=${actions}"; # Once a flow is added, we need a way to delete it later on! if ($add_delete_hook && defined($delete_hook_handle)) { # Flows written into a libvirt hook to be deleted later. if (_write_flow_to_be_deleted($bridge, $delete_hook_handle, $flow) != PASS) { return FAIL; } } # Shell out to ovs-ofctl and do the work! return _run_ovs_cmd("ovs-ofctl add-flow ${bridge} '${cmd}'");
  • 10.
    digitalocean.com Conclusions: Open vSwitchand Perl ● Pros: ○ Straightforward code ○ Perl is well-suited to manipulating strings ● Cons: ○ No sanity checking (other than OvS applying the flow) ○ Lacking test coverage ○ libvirt flow deletion hooks for individual flows proved problematic ○ Shell out once per flow; no atomicity
  • 11.
    digitalocean.com Open vSwitch atDigitalOcean: The Present
  • 12.
    digitalocean.com Open vSwitch andGo ● Events reach a hypervisor ● Perl/Go (it depends) systems perform a series of actions to prepare a droplet ● Go builds flow strings and calls ovs-ofctl
  • 13.
    digitalocean.com package ovs Package ovsis a client library for Open vSwitch which enables programmatic control of the virtual switch.
  • 14.
    digitalocean.com package ovs ● Gopackage for manipulating Open vSwitch ● No DigitalOcean-specific code! ● Open source (soon)! ○ https://github.com/digitalocean/go-openvswitch
  • 15.
    digitalocean.com Building flows withGo flow := &ovs.Flow{ // Commonly used flow pieces are struct fields. Priority: 2000, Protocol: ovs.ProtocolIPv4, InPort: droplet.PortID, // Matches and Actions are Go interfaces; functions create a // type that implements the interface. Matches: []ovs.Match{ ovs.DataLinkSource(r.HardwareAddr.String()), ovs.NetworkSource(r.IP.String()), }, Actions: []ovs.Action{ ovs.Resubmit(0, tableL2Rewrite), }, }
  • 16.
    digitalocean.com Building flows withGo (cont.) ● Our example flow marshaled to textual format: priority=2000,ip,in_port=1,dl_src=de:ad:be:ef:de:ad, nw_src=192.168.1.1,table=0,idle_timeout=0,actions=resubmit(,10) ● Mostly string manipulation behind the scenes; just like Perl ● Go is statically typed, reducing chance of programmer errors ● Can validate each match and action for correctness without hitting OvS
  • 17.
    digitalocean.com The ovs.Match Gointerface type Match interface { // MarshalText() (text []byte, err error) encoding.TextMarshaler } ● Because of the way Go interfaces work, any type with a MarshalText method can be used as an ovs.Match ● The error return value can be used to catch any bad input ● ovs.Action’s definition is identical
  • 18.
    digitalocean.com The ovs.Client Gotype // Configure ovs.Client with our required OpenFlow flow format and protocol. client := ovs.New(ovs.FlowFormat("OXM-OpenFlow14"), ovs.Protocols("OpenFlow14")) // $ ovs-vsctl --may-exist add-br br0 err := client.VSwitch.AddBridge("br0") // $ ovs-ofctl add-flow --flow-format=OXM-OpenFlow14 --protocols=OpenFlow14 br0 ${flow} err = client.OpenFlow.AddFlow("br0", exampleFlow()) ● ovs.Client is a wrapper around ovs-vsctl and ovs-ofctl commands ● ovs.New constructor uses “functional options” pattern for sane defaults ● We can still only apply one flow at a time… right?
  • 19.
    digitalocean.com ovs.Client flow bundletransactions // Assume we want to apply a new flow set and remove old one. add, remove := newFlows(), oldFlows() // We can apply all of these flows atomically using a flow bundle! err := client.OpenFlow.AddFlowBundle(bridge, func(tx *ovs.FlowTransaction) error { // $ echo -e “delete priority=10,cookie=1,actions=dropn” >> mem tx.Delete(remove...) // $ echo -e “add priority=10,cookie=1,actions=output:1n” >> mem tx.Add(add...) // $ cat mem | ovs-ofctl --bundle add-flow --flow-format=OXM-OpenFlow14 --protocols=OpenFlow14 br0 - return tx.Commit() }) ● Flow bundle stored in memory, passed directly from buffer to ovs-ofctl ● Modifications are processed by OvS in a single, atomic transaction
  • 20.
    digitalocean.com package hvflow Package hvflowprovides Open vSwitch flow manipulation at the hypervisor level.
  • 21.
    digitalocean.com package hvflow ● DigitalOcean-specificwrapper for package ovs ● Provides higher-level constructs, such as: ○ enable public IPv4 and IPv6 connectivity ○ reset and apply security policies ○ disable all connectivity
  • 22.
    digitalocean.com The hvflow.Client Gotype // Configure hvflow.Client to modify bridge “br0”. client, err := hvflow.NewClient("br0", ovs.New( ovs.FlowFormat("OXM-OpenFlow14"), ovs.Protocols("OpenFlow14"), )) ● hvflow.Client is a high-level wrapper around ovs.Client ● hvflow.NewClient constructor uses “functional options” pattern for sane defaults
  • 23.
    digitalocean.com Network parameters -“netparams” ● Encode all necessary information about how to enable networking for a given VNIC ● Carries IPv4 and IPv6 addresses, firewall configurations, floating IPs… ● netparams used to configure OvS with hvflow.Client.Transaction method { "droplet_id": 1, "vnics": [ { "mac": "de:ad:be:ef:de:ad", "enabled": 1, "name": "tapext1", "interface_type": "public", "addresses": { "ipv4": [ { "ip_address": "10.0.0.10", "masklen": 20, "gateway": "10.0.0.1" } ] } } ] }
  • 24.
    digitalocean.com hvflow.Client transactions // Assumea netparams structure similar to the one just shown. params, ifi := networkParams(), "public" err := client.Transaction(ctx, func(ctx context.Context, tx *hvflow.Transaction) error { // Convert netparams into hvflow simplified representation. req, ok, err := hvflow.NewIPv4Request(params, ifi) if err != nil { return err } if ok { // If IPv4 configuration present, apply it! if err := tx.EnableIPv4(ctx, req); err != nil { return wrapError(err, "failed to enable IPv4 networking") } } return tx.Commit() })
  • 25.
    digitalocean.com hvflow.Client transactions (cont.) ●Each operation accumulates additional flows to be applied within the context of the transaction. ● Flow set sizes can vary from a couple dozen to several hundred flows. ● Flows are always applied using a flow bundle; non-transactional hvflow.Client API was deleted! // IPv4 configuration. err := tx.EnableIPv4(ctx, req4) // IPv6 configuration. err = tx.EnableIPv6(ctx, req6) // Floating IPv4 configuration. err = tx.EnableFloatingIPv4(ctx, req4F) // Disable networking on an interface. err = tx.Disable(ctx, 10, "public") // Apply flow set to OvS. err = tx.Commit()
  • 26.
    digitalocean.com The hvflow.Cookie Gointerface type Cookie interface { Marshal() (uint64, error) Unmarshal(i uint64) error } ● Cookie structs packed and unpacked from uint64 form ● Cookies are versioned using a 4-bit identifier ● Used to store identification metadata about a flow ● Easy deletions of flows; much simpler deletion hooks with libvirt
  • 27.
    digitalocean.com hvflowctl and hvflowd gRPCclient and server that manipulate Open vSwitch
  • 28.
    digitalocean.com hvflowctl and hvflowd ●gRPC client and server written in Go ● hvflowctl passes netparams and other data to hvflowd ● hvflowd manipulates OvS flows via hvflow package
  • 29.
    digitalocean.com hvflowd’s gRPC interface ●gRPC uses protocol buffers (“protobuf”) for RPC communication ● RPCs accept one message type and return another ● netparamspb package for encoding netparams in protobuf // The set of RPCs that make up the “HVFlow” service. service HVFlow { // Add flows using the parameters specified in request. rpc AddFlows(AddFlowsRequest) returns (AddFlowsResponse); } // RPC parameters encoded within a request message. message AddFlowsRequest { // netparams have a protobuf representation too. netparamspb.NetworkParams network_params = 1; string interface_type = 2; } // No need to return any data on success. message AddFlowsResponse {}
  • 30.
    digitalocean.com hvflowd AddFlows RPC //AddFlows requests that hvflowd add flows to enable connectivity for one or more droplets. func (s *server) AddFlows(ctx context.Context, req *hpb.AddFlowsRequest) (*hpb.AddFlowsResponse, error) { // Fetch netparams from gRPC request message. params := req.GetNetworkParams() // Perform the necessary transaction logic to establish connectivity. err := s.hvflowc.Transaction(ctx, func(ctx context.Context, tx *hvflow.Transaction) error { // hvflow.Client transaction logic … return tx.Commit() }) // Inform the caller if the request was successful. return &hvflowpb.AddFlowsResponse{}, err } ● RPCs enable orchestration among multiple hypervisors and hvflowd instances
  • 31.
    digitalocean.com Testing hvflowctl andhvflowd ● Unit tests verify a flow looks a certain way ○ go test ./... ● Integration tests verify the behavior of flows applied to OvS ○ mininet, OvS, hvflowctl, hvflowd
  • 32.
    digitalocean.com Testing with mininet ●Network topology created with multi-namespace OvS in mininet ● hvflowd spun up in each “hypervisor namespace” # Spin up hvflowd in the background and set per-hypervisor environment # variables needed to enable multiple instances to run together. for key in self.hvflowdEnv: self.cmd('export %s=%s' % (key, self.hvflowdEnv[key])) self.cmd('%s &' % (self.hvflowdPath)) ● hvflowctl issues RPCs using JSON netparams fixtures # Issue RPCs to hvflowd using flags and netparams JSON. self.switch.cmd("echo '%s' | %s %s --rpc %s %s" % (stdinBuf, self.hvflowctlPath, command, rpcAddr, opts))
  • 33.
    digitalocean.com Testing with mininet(cont.) ● Docker image built and pulled by Concourse CI ● Virtual droplet and hypervisor topology spun up by mininet ● Tests run on every pull request to hvflow package Beginning testing with /configs/production.json ==> Outside to public droplet d1 should pass out1 (8.8.8.8) ----> d1 (192.0.2.10) *** Results: 0% dropped (1/1 received) ==> Outside to floating on d1 should pass out1 (8.8.8.8) ----> d1 (192.0.2.100) *** Results: 0% dropped (1/1 received) ==> Outside to private d1 should fail out1 (8.8.8.8) ----> X(d1) (10.60.5.5) *** Results: 100% dropped (0/1 received)
  • 34.
    digitalocean.com Conclusions: Open vSwitchand Go ● Pros: ○ Go is well-suited to building large, highly concurrent, network systems ○ Go compiles to a single, statically-linked binary for trivial deployment ○ Flows are easier to read for those who aren’t familiar with OvS ○ Data is statically typed and checked before hitting OvS ○ Flows can be bundled and committed atomically ● Cons: ○ Flows structures are verbose if you are familiar with OvS ○ We are still shelling out to OvS tools
  • 35.
    digitalocean.com Open vSwitch atDigitalOcean: The Future
  • 36.
    digitalocean.com Orchestrated Open vSwitchand Go ● RPC performed to a “regional network service” (RNS) ● RNS determines actions, sends RPCs to hvflowd ● hvflowd builds flows and speaks OpenFlow directly
  • 37.
    digitalocean.com Use cases foran OvS orchestration system ● High level networking actions that apply to many hypervisors and their droplets ○ Apply firewall “open TCP/22” to all droplets for customer X ○ Disable connectivity to all droplets for customer Y hvflowd hvflowd hvflowd hvflowd hvflowd RNS DO systems
  • 38.
    digitalocean.com Why speak OpenFlowdirectly? ● Difficulty parsing unstable OvS tool text output ○ ovs-ofctl dump-ports br0 tap0 ● Tedious generation and parsing of flow strings
  • 39.
    digitalocean.com Why not usean OpenFlow controller? ● Industry is moving to a distributed control plane approach ○ Need to carefully avoid architectures where it would be difficult to scale a central controller ● We considered OVN, but were concerned about its maturity ○ The “RNS” architecture is similar to OVN ● A distributed OpenFlow controller is not off the table! ○ Maybe hvflowd becomes OvS’s “controller”?
  • 40.
    digitalocean.com ovs.Client with OpenFlow //Configure ovs.Client with our required OpenFlow flow format and protocol. client := ovs.New( ovs.FlowFormat("OXM-OpenFlow14"), ovs.Protocols("OpenFlow14"), // Toggle on direct OpenFlow support. ovs.UseOpenFlow("localhost:6633"), ) // Flow marshaled to binary instead of text format, and sent via OpenFlow. err = client.OpenFlow.AddFlow("br0", exampleFlow()) ● ovs.New constructor gains a new option to toggle on OpenFlow ● ovs.Client opens a socket and sends raw OpenFlow commands
  • 41.
    digitalocean.com ovs.Match gains anew method type Match interface { // MarshalText() (text []byte, err error) encoding.TextMarshaler // New: MarshalBinary() (bin []byte, err error) encoding.BinaryMarshaler } ● Implement a MarshalBinary method for all Match types ● ovs.Action would be updated in the same way
  • 42.
    digitalocean.com Conclusions: orchestrated OpenvSwitch and Go ● Pros: ○ Easy to orchestrate changes amongst multiple servers ○ No more parsing OvS tool string output ○ No more generating and parsing the flow text format! ● Cons: ○ Too early to tell!
  • 43.
    digitalocean.com Open vSwitch atDigitalOcean: Conclusions
  • 44.
    digitalocean.com DO is poweredby Open vSwitch! ● We’ve deployed more than 10,000 instances of OvS and have run it in production for three years. ● We’ve moved from Perl to Go, and our OvS tooling has too. ● We’re excited for the future of OvS and OVN!
  • 45.
    Thank you! Matt Layher mdlayher@do.co GitHub+ Twitter: @mdlayher https://github.com/digitalocean/go-openvswitch