技术解析:openstack vlan模式下的隔离和数据流向(转)
一、隔離
計(jì)算機(jī)網(wǎng)絡(luò),是分層實(shí)現(xiàn)的,不同協(xié)議工作在不同層,按著OSI的分層模型,共有七個(gè)層,我們一般所說的隔離,通常指的是第2層,也叫“數(shù)據(jù)鏈路層”;數(shù)據(jù)鏈路層的網(wǎng)絡(luò)包,也叫“幀”,我們常說的網(wǎng)卡的MAC地址,就是幀的地址,MAC,其實(shí)是“媒體訪問控制”(media access control)的簡(jiǎn)稱,這是數(shù)據(jù)鏈路層的一個(gè)子層。
為什么要在這個(gè)二層上做隔離呢?因?yàn)槎拥膸?#xff0c;其中一些幀的地址是廣播地址,在同一個(gè)二層的設(shè)備都可以、也必須接收這些幀,交換機(jī)一般認(rèn)為工作在二層,對(duì)這些廣播包,也都要轉(zhuǎn)發(fā),所以二層通常被稱為一個(gè)“廣播域”。
二、VLAN
Openstack Neutorn的實(shí)現(xiàn)核心是二層物理網(wǎng)絡(luò)的抽象與管理,支持多種不同的網(wǎng)絡(luò)隔離技術(shù),以保障租戶tenant之間的網(wǎng)絡(luò)隔離,而VLAN就是主要使用的隔離方案,它本身就是交換機(jī)廣泛使用的二層隔離技術(shù);但這種方案也有一定的局限性,首先管理相對(duì)麻煩,需要配合設(shè)置物理交換機(jī),另外VLAN的可用數(shù)量也有限制,VLAN的ID號(hào)僅有四千多個(gè),我們假設(shè)每個(gè)租戶分配1個(gè)VLAN,那最多也就能支持四千多個(gè)租戶。
三、虛擬網(wǎng)絡(luò)設(shè)備
圖1:vlan模式下計(jì)算節(jié)點(diǎn)的虛擬網(wǎng)絡(luò)拓?fù)浣Y(jié)構(gòu)圖
3.1 在vlan網(wǎng)絡(luò)模式下,計(jì)算節(jié)點(diǎn)上虛擬網(wǎng)絡(luò)設(shè)備如下:
(1)tapxxx設(shè)備
簡(jiǎn)單的理解為為虛擬機(jī)提供的虛擬網(wǎng)卡,就是VM對(duì)應(yīng)的網(wǎng)口的vNIC。虛擬機(jī)的網(wǎng)絡(luò)功能由vNIC提供,Hypervisor可以為每個(gè)虛擬機(jī)創(chuàng)建一個(gè)或多個(gè)vNIC。
(2) qbrxxx設(shè)備
Linux網(wǎng)橋,簡(jiǎn)單理解就是為安全組服務(wù),負(fù)責(zé)安全;因?yàn)椴荒茉趖ap設(shè)備上配置network ACL rules,增加該linux bridge來實(shí)現(xiàn)iptable的安全組策略。
(3) qvmxxx設(shè)備
qvm主要是給從VM出來的包打上vlan tag。
(4) plyxxx設(shè)備
Ovs bridge,主要功能是實(shí)現(xiàn)過濾非本機(jī)MAC的單播報(bào)文。
(5) pvixxx和pvoxxx設(shè)備
ply是策略網(wǎng)橋,ply與br-int之間由一對(duì)path port連接,連接ply的一端為pvi端口,連接br-int的一端為pvo端口。
(6) br-int設(shè)備
br-int集成網(wǎng)橋,主要是幀的轉(zhuǎn)發(fā)功能。
(7) int-brcps和phy-brcps設(shè)備
主要負(fù)責(zé)將br-int轉(zhuǎn)發(fā)的幀中的vlanid轉(zhuǎn)換。
(8) brcps和trunk0設(shè)備
br-cps是Ovs bridge ,Trunk0由eth0和eth1組成的bond(active-backup模式),packets要想進(jìn)入physical network,還得通過真正的物理網(wǎng)卡trunk0(eth2和eth4),所以將trunk0橋接到br-1上來打通整個(gè)鏈路。
(9) tapuuu設(shè)備
DHCP服務(wù)監(jiān)聽端口。
3.2 計(jì)算節(jié)點(diǎn)上的網(wǎng)絡(luò)設(shè)備信息
3.2.1 Linux bridage信息
Compute153:~ # virsh list Id Name State ----------------------------------------------------1 instance-00000583 running2 instance-000005df running3 instance-00000603 running4 instance-00000654 running5 instance-0000068f running6 instance-000006d7 running7 instance-0000070d running9 instance-00000769 running10 instance-0000090d running11 instance-00000a37 running 計(jì)算節(jié)點(diǎn)Compute153上啟動(dòng)了10個(gè)虛擬機(jī)。Compute153 :~ # brctl show bridge name bridge id STP enabled interfaces qbr7fc1e7d0-0c 8000.bee6e69f9457 no qvm7fc1e7d0-0ctap7fc1e7d0-0c qbr931641ad-4b 8000.eaa1a27fffcb no qvm931641ad-4btap931641ad-4b qbr963c4b38-70 8000.7635674ec1fc no qvm963c4b38-70tap963c4b38-70 qbr9df6f9f9-42 8000.2e1eba67aca5 no qvm9df6f9f9-42tap9df6f9f9-42 qbrb9dd9478-0f 8000.2e954943421c no qvmb9dd9478-0ftapb9dd9478-0f qbrc24f2999-b9 8000.427df7c7a333 no qvmc24f2999-b9tapc24f2999-b9 qbrc3833757-af 8000.7e6eb025950b no qvmc3833757-aftapc3833757-af qbrc78917be-9c 8000.1a67a8814d03 no qvmc78917be-9ctapc78917b0-9c qbrd5cbf3b0-ef 8000.f6de8391f526 no qvmd5cbf3b0-eftapd5cbf3b0-ef qbrfe79631b-85 8000.c2d425903a69 no qvmfe79631b-85tapfe79631b-85可以看到有10個(gè)qbr,每一個(gè)虛擬機(jī)的每一張網(wǎng)卡都有對(duì)應(yīng)的qbr。每一個(gè)qbr都有對(duì)應(yīng)的 tap和qvm,對(duì)應(yīng)圖上的qbr北向與南向接口。
3.2.2 ovs bridage信息
通過ovs-vsctl可以查詢主機(jī)上已有的 OVS bridge及其中的 port。
Bridge "plyc24f2999-b9"Port "qvmc24f2999-b9"Interface"qvmc24f2999-b9"type: internalPort "plyc24f2999-b9"Interface"plyc24f2999-b9"type: internalPort "pvic24f2999-b9"Interface"pvic24f2999-b9"type: patchoptions: {peer="pvoc24f2999-b9"}可以看到ply網(wǎng)橋信息,上面對(duì)接qvm,下面對(duì)接br-int,ply與br-int之間是一對(duì)port接口, pvi與pvo接口。
Bridge br-intfail_mode: securePort "pvoc78917be-9c"tag: 5Interface"pvoc78917be-9c"type: patchoptions:{peer="pvic78917be-9c"}Port "pvob9dd9478-0f"tag: 9Interface"pvob9dd9478-0f"type: patchoptions:{peer="pvib9dd9478-0f"}注意pov端口是有tag的,這是一個(gè)內(nèi)部的tag,主要是為了區(qū)分同一虛擬機(jī)的不同虛擬網(wǎng) 卡 設(shè)備,會(huì)將多張網(wǎng)卡依次編號(hào)。
Bridge br-intfail_mode: securePort "pvoc78917be-9c"tag: 5Interface"pvoc78917be-9c"type: patchoptions:{peer="pvic78917be-9c"}Port "pvob9dd9478-0f"tag: 9Interface"pvob9dd9478-0f"type: patchoptions:{peer="pvib9dd9478-0f"}Port br-inttag: 4095Interface br-inttype: internalPort int-brcpsInterface int-brcpstype: patchoptions: {peer=phy-brcps}Port "pvo9df6f9f9-42"tag: 5Interface"pvo9df6f9f9-42"type: patchoptions:{peer="pvi9df6f9f9-42"}可以看到br-int網(wǎng)橋上的所有端口信息,向上是pvo口,向下是int-brcps口,是用來連接 brcps網(wǎng)橋。
Bridge br-intfail_mode: securePort "pvoc78917be-9c"tag: 5Interface"pvoc78917be-9c"type: patchoptions:{peer="pvic78917be-9c"}Port int-brcpsInterface int-brcpstype: patchoptions: {peer=phy-brcps}int-brcps和phy-brcps接口是br-int與brcps網(wǎng)橋相連的接口,查詢br-int是可以找到與之相連的int-brcps,查詢brcps網(wǎng)橋可以找到與之相連的phy-brcps接口。
Bridge brcpsPort external_omtag:1405Interface external_omtype: internalPort "trunk0"Interface "trunk0"Port phy-brcpsInterface phy-brcpstype: patchoptions: {peer=int-brcps}Port external_apitag:1400Interface external_apitype: internalPort brcpstag:0Interface brcpstype: internalPort "om-physnet1"tag:1089Interface "om-physnet1"type: internal管理面網(wǎng)橋brcps上有多個(gè)端口,用于與外部通信打通的external_om與external_api端口,帶tag;向上的phy-brcps接口;本地接口brcps,以及端口om-physnet1,還有最重要的trunk0,實(shí)際的數(shù)據(jù)物理通信接口。
以上就是vlan模式虛擬機(jī)通信需要經(jīng)過的所有端口,數(shù)據(jù)流向如下:
-
1)數(shù)據(jù)幀從VM出來,經(jīng)過TAP提供的虛擬網(wǎng)口vNIC,再經(jīng)過Linux網(wǎng)橋qrb安全驗(yàn)證,走到qvm,會(huì)打上一個(gè)內(nèi)部的VLANtag,成為主機(jī)節(jié)點(diǎn)內(nèi)部的local id。這個(gè)id的作用是區(qū)分同一個(gè)主機(jī)內(nèi)部的不同VM;
-
2)繼續(xù)南下到ply,資料顯示作用是過濾掉非本機(jī)的MAC,主要作用是為了方便訪問同一個(gè)主機(jī)的其他VM,如果目的源是同一臺(tái)主機(jī)則直接訪問,不用br-int轉(zhuǎn)發(fā);
-
3)繼續(xù)走到br-int會(huì)實(shí)現(xiàn)轉(zhuǎn)發(fā)到目的幀主機(jī),南下到patch port,port會(huì)把幀中間的之前打的內(nèi)部VLAN ID即local id刪除,換成外部的VLAN ID;
-
4)之后幀走到實(shí)際的外部物理交換機(jī)網(wǎng)口,發(fā)送到目的地。
3.2.2 br-int dump-flows信息
br-int完成從brcps上過來流量(從口int-brcps到達(dá))的vlan tag轉(zhuǎn)換,下面例子可以看到從外部VLAN ID:1013轉(zhuǎn)換為內(nèi)部VLAN ID:2。
Compute153 :~ # ovs-ofctl dump-flows br-int NXST_FLOW reply (xid=0x4):cookie=0xaf3ffaad56834ff8,duration=8767986.702s, table=0, n_packets=138635866, n_bytes=49130127982,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1013actions=mod_vlan_vid:2,NORMALcookie=0xaf3ffaad56834ff8,duration=8759690.249s, table=0, n_packets=902894466, n_bytes=111008267998,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1014actions=mod_vlan_vid:3,NORMALcookie=0xaf3ffaad56834ff8,duration=8606291.966s, table=0, n_packets=75523546, n_bytes=7721353259,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=503actions=mod_vlan_vid:4,NORMALcookie=0xaf3ffaad56834ff8,duration=7943259.828s, table=0, n_packets=27312770, n_bytes=4039091682,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1011actions=mod_vlan_vid:5,NORMALcookie=0xaf3ffaad56834ff8,duration=7248098.099s, table=0, n_packets=17132221, n_bytes=1590164809,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=504actions=mod_vlan_vid:6,NORMALcookie=0xaf3ffaad56834ff8,duration=5730798.970s, table=0, n_packets=35859018, n_bytes=4389953008,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1012actions=mod_vlan_vid:7,NORMALcookie=0xaf3ffaad56834ff8,duration=583874.187s, table=0, n_packets=2041814, n_bytes=433205117,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1015actions=mod_vlan_vid:8,NORMALcookie=0xaf3ffaad56834ff8,duration=146306.053s, table=0, n_packets=435169, n_bytes=31391505, idle_age=0,hard_age=65534, priority=3,in_port=1,dl_vlan=1016 actions=mod_vlan_vid:9,NORMALcookie=0xaf3ffaad56834ff8,duration=9233017.369s, table=0, n_packets=8966890076, n_bytes=2799828872226,idle_age=0, hard_age=65534, priority=2,in_port=1 actions=dropcookie=0xaf3ffaad56834ff8, duration=9233016.732s,table=0, n_packets=1106708092, n_bytes=190560627712, idle_age=0,hard_age=65534, priority=0 actions=NORMALcookie=0xaf3ffaad56834ff8,duration=9233019.667s, table=23, n_packets=0, n_bytes=0, idle_age=65534,hard_age=65534, priority=0 actions=dropcookie=0xaf3ffaad56834ff8,duration=9233019.551s, table=24, n_packets=0, n_bytes=0, idle_age=65534,hard_age=65534, priority=0 actions=drop3.2.3 brcps dump-flows信息
brcps上負(fù)責(zé)從br-int上過來的流量(從口phy-brcps到達(dá)),實(shí)現(xiàn)local vlan到外部vlan的轉(zhuǎn)換,下面例子可以看到從內(nèi)部VLAN ID:2轉(zhuǎn)換為外部VLAN ID:1013。
Compute153 :~ # ovs-ofctl dump-flows brcps NXST_FLOW reply (xid=0x4):cookie=0xaaf94399aad7707e,duration=8768079.505s, table=0, n_packets=4610859, n_bytes=723908441,idle_age=6, hard_age=65534, priority=4,in_port=5,dl_vlan=2actions=mod_vlan_vid:1013,NORMALcookie=0xaaf94399aad7707e,duration=8759783.046s, table=0, n_packets=1061625441, n_bytes=180117774176,idle_age=0, hard_age=65534, priority=4,in_port=5,dl_vlan=3actions=mod_vlan_vid:1014,NORMALcookie=0xaaf94399aad7707e,duration=8606384.765s, table=0, n_packets=12135266, n_bytes=3806123480,idle_age=32, hard_age=65534, priority=4,in_port=5,dl_vlan=4actions=mod_vlan_vid:503,NORMALcookie=0xaaf94399aad7707e,duration=7943352.621s, table=0, n_packets=8783552, n_bytes=1513703385,idle_age=0, hard_age=65534, priority=4,in_port=5,dl_vlan=5actions=mod_vlan_vid:1011,NORMALcookie=0xaaf94399aad7707e,duration=7248190.902s, table=0, n_packets=2559355, n_bytes=510785011,idle_age=16, hard_age=65534, priority=4,in_port=5,dl_vlan=6actions=mod_vlan_vid:504,NORMALcookie=0xaaf94399aad7707e,duration=5730891.771s, table=0, n_packets=16831749, n_bytes=3864947698,idle_age=0, hard_age=65534, priority=4,in_port=5,dl_vlan=7actions=mod_vlan_vid:1012,NORMALcookie=0xaaf94399aad7707e,duration=583966.979s, table=0, n_packets=169878, n_bytes=24055409, idle_age=29,hard_age=65534, priority=4,in_port=5,dl_vlan=8 actions=mod_vlan_vid:1015,NORMALcookie=0xaaf94399aad7707e,duration=146398.874s, table=0, n_packets=1541, n_bytes=157171, idle_age=132,hard_age=65534, priority=4,in_port=5,dl_vlan=9 actions=mod_vlan_vid:1016,NORMALcookie=0xaaf94399aad7707e,duration=9233110.012s, table=0, n_packets=78, n_bytes=6780, idle_age=65534,hard_age=65534, priority=2,in_port=5 actions=dropcookie=0xaaf94399aad7707e,duration=9233111.393s, table=0, n_packets=10761364888, n_bytes=3180091314185,idle_age=0, hard_age=65534, priority=0 actions=3.2.4 iptables安全組
每一個(gè)虛擬機(jī)的tap都對(duì)應(yīng)2個(gè)chain表(out和in),dhcp agent到虛擬機(jī)的訪問策略定義在out表;
Compute153 :~ # iptables -Lneutron-openvswi-sg-chain Chainneutron-openvswi-sg-chain ( 20references) target prot opt source destination neutron-openvswi-i7fc1e7d0-0 all -- anywhere anywhere PHYSDEV match --physdev-outtap7fc1e7d0-0c --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-o7fc1e7d0-0 all -- anywhere anywhere PHYSDEV match --physdev-intap7fc1e7d0-0c --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-i931641ad-4 all -- anywhere anywhere PHYSDEV match --physdev-outtap931641ad-4b --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-o931641ad-4 all -- anywhere anywhere PHYSDEV match --physdev-intap931641ad-4b --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-i963c4b38-7 all -- anywhere anywhere PHYSDEV match --physdev-outtap963c4b38-70 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-o963c4b38-7 all -- anywhere anywhere PHYSDEV match --physdev-intap963c4b38-70 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-i9df6f9f9-4 all -- anywhere anywhere PHYSDEV match --physdev-outtap9df6f9f9-42 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-o9df6f9f9-4 all -- anywhere anywhere PHYSDEV match --physdev-intap9df6f9f9-42 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ib9dd9478-0 all -- anywhere anywhere PHYSDEV match --physdev-outtapb9dd9478-0f --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ob9dd9478-0 all -- anywhere anywhere PHYSDEV match --physdev-intapb9dd9478-0f --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ic24f2999-b all -- anywhere anywhere PHYSDEV match --physdev-outtapc24f2999-b9 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-oc24f2999-b all -- anywhere anywhere PHYSDEV match --physdev-intapc24f2999-b9 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ic3833757-a all -- anywhere anywhere PHYSDEV match --physdev-outtapc3833757-af --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-oc3833757-a all -- anywhere anywhere PHYSDEV match --physdev-intapc3833757-af --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ic78917be-9 all -- anywhere anywhere PHYSDEV match --physdev-outtapc78917be-9c --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-oc78917be-9 all -- anywhere anywhere PHYSDEV match --physdev-intapc78917be-9c --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-id5cbf3b0-e all -- anywhere anywhere PHYSDEV match --physdev-outtapd5cbf3b0-ef --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-od5cbf3b0-e all -- anywhere anywhere PHYSDEV match --physdev-intapd5cbf3b0-ef --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ife79631b-8 all -- anywhere anywhere PHYSDEV match --physdev-outtapfe79631b-85 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ofe79631b-8 all -- anywhere anywhere PHYSDEV match --physdev-intapfe79631b-85 --physdev-is-bridged /* Jump to the VM specific chain. */ ACCEPT all -- anywhere anywhere Compute153 :~ # iptables -L neutron-openvswi-oc78917be-9 Chainneutron-openvswi-oc78917be- 9( 2references) target prot opt source destination RETURN udp -- default 255.255.255.255 udpspt:bootpc dpt:bootps /* Allow DHCP client traffic. */ neutron-openvswi-sc78917be-9 all -- anywhere anywhere RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* AllowDHCP client traffic. */ DROP udp -- anywhere anywhere udp spt:bootps udp dpt:bootpc /*Prevent DHCP Spoofing by VM. */ RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /*Direct packets associated with a known session to the RETURN chain. */ RETURN all -- anywhere anywhere DROP all -- anywhere anywhere state INVALID /* Drop packets thatappear related to an existing connection (e.g. TCP ACK/FIN) but do not have anentry in conntrack. */ neutron-openvswi-sg-fallback all -- anywhere anywhere /* Sendunmatched traffic to thefallback chain. */ Compute153 :~ # iptables -Lneutron-openvswi-ic78917be-9 Chainneutron-openvswi-ic78917be- 9( 1references) target prot opt source destination RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /*Direct packets associated with a known session to the RETURN chain. */ RETURN udp -- xxx.xxx.xxx.xxx anywhere udp spt:bootps udp dpt:bootpc ---DHCP RETURN udp -- xxx.xxx.xxx.xxx anywhere udp spt:bootps udp dpt:bootpc ---DHCP RETURN all -- anywhere anywhere DROP all -- anywhere anywhere state INVALID /* Drop packets thatappear related to an existing connection (e.g. TCP ACK/FIN) but do not have anentry in conntrack. */ neutron-openvswi-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to thefallback chain. */3.3 計(jì)算節(jié)點(diǎn)的vlan隔離
在vlan模式下,每個(gè) vlan network 都有自己的 bridge,從而也就實(shí)現(xiàn)了基于 vlan 的隔離,vlan tag的轉(zhuǎn)換需要在br-int和brcps兩個(gè)網(wǎng)橋上進(jìn)行相互配合。br-int負(fù)責(zé)從int-brcps過來的包(帶外部vlan)轉(zhuǎn)換為內(nèi)部vlan,而brcps負(fù)責(zé)從phy-brcps過來的包(帶內(nèi)部vlan)轉(zhuǎn)化為外部的vlan。租戶的流量隔離也是通過vlan來進(jìn)行的,因此包括兩種vlan,虛擬機(jī)在Compute Node內(nèi)流量帶有的local vlan和在Compute Node之外物理網(wǎng)絡(luò)上隔離不同租戶的vlan。物理交換機(jī)與eth網(wǎng)卡相連的 port 設(shè)置成 trunk 模式,實(shí)現(xiàn)同一塊物理網(wǎng)卡上面通過多個(gè)不同vlan 的數(shù)據(jù)。
原文鏈接:技術(shù)解析:openstack vlan模式下的隔離和數(shù)據(jù)流向
總結(jié)
以上是生活随笔為你收集整理的技术解析:openstack vlan模式下的隔离和数据流向(转)的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 网购巨头京东赚钱揭秘,是自寻死路还是生财
- 下一篇: lammps教程:如何从dump文件导出