A peek at OpenStack Neutron
The official OpenStack website describes OpenStack as a cloud operating system that controls large pools of compute, storage, and networking resources throughout a datacenter, all managed through a dashboard that gives administrators control while empowering their users to provision resources through a web interface.
Today we will concentrate on how the OpenStack networking service, known as Neutron, works in detail.
OpenStack compute (nova) also has a legacy networking service, nova-network, which handles networking for it. However, it is not as extensive or flexible as you would want if networking is one of the elements you need control over, and it has since been deprecated in favour of Neutron.
The article will also give you a better understanding of how networking for virtual machines works.
There are certain prerequisites in order to gain a better understanding of the following article.
Linux namespaces are a kernel feature that isolates and virtualizes system resources. The types are PID (process), network, mount, IPC, UTS (hostname), user ID and control group namespaces. For this article, understanding the network namespace will suffice: each one has its own interfaces, routing table and firewall rules.
Tun/tap interfaces are virtual network devices offered by Linux (and other UNIX-like operating systems) that connect a userspace program to the kernel network stack: a tun device carries layer 3 (IP) packets, a tap device carries layer 2 (Ethernet) frames. A hypervisor such as QEMU/KVM uses a tap device as the host side of a virtual machine's NIC, which is how raw guest traffic reaches the host.
VLAN interfaces are 802.1Q sub-interfaces of a parent interface, one per VLAN ID (for example eth0.100 on eth0); frames sent through the sub-interface leave the parent tagged with that ID, and tagged frames arriving on the parent are delivered to the matching sub-interface. Many VLAN sub-interfaces can sit on a single physical interface.
A veth pair is a pair of virtual Ethernet devices joined back to back: a frame sent into one end emerges from the other. It is usually used to connect two network namespaces, or a namespace to a bridge.
A Linux bridge is a virtual layer 2 switch. On its own it receives and transmits nothing; it forwards frames only between the ports (tap, veth, VLAN or physical interfaces) attached to it, learning MAC addresses as it goes.
Open vSwitch (OVS) is a virtual switch that forwards according to flow tables. It consists of a database server (ovsdb-server) that holds the switch configuration and a daemon (ovs-vswitchd) that matches packets against the flow rules and carries out their actions.
Types of Networks:
- Local — instances on a local network can communicate only with instances on the same compute node that are attached to the same network; there is no connectivity outside the host.
- Flat — a flat network has no VLAN tagging; all instances share the physical network segment untagged.
- VLAN — a VLAN network uses 802.1Q VLAN IDs to segregate tenant networks that share the same physical interface.
- VXLAN/GRE — VXLAN and GRE tunnels create overlay networks (a network built on top of the underlying IP network), so tenant segments are not limited by the VLAN configuration of the physical switches.
OpenStack Neutron has 2 main layer 2 implementations.
- Linux Bridge
- OVS
In earlier releases each of these was a monolithic core plugin and only one could be used per deployment. Since the ML2 (Modular Layer 2) plugin arrived in the Havana release, both are mechanism drivers under ML2 and can coexist in one deployment. In this article, we will focus mainly on the Linux Bridge driver and a little on OVS.
We will now discuss how the different types of networks are implemented in Neutron.
Local:
On a local network the instances have no path to the outside world, so the bridge contains no physical interface; it holds only the tap interfaces of the local instances, which can therefore reach only each other.
Flat:
In a flat network there is no VLAN tagging, so the tap interfaces are placed in a Linux bridge together with the physical interface itself (eth0, untagged). Because a physical interface can belong to only one bridge, only a single flat network can exist per physical interface.
VLAN:
In the above diagram, we have a physical interface eth0. Using VLANs, we create two sub-interfaces on it, eth0.100 and eth0.101, one per VLAN ID. We create tap interfaces Tap0, Tap1 and Tap2 for VM1, VM2 and VM3, put Tap0, Tap1 and eth0.100 in one bridge, and Tap2 and eth0.101 in another. Inside a bridge the frames are untagged: when a frame from Tap0 leaves through eth0.100, the sub-interface tags it with VLAN ID 100 before it reaches eth0; when a frame tagged 100 arrives on eth0, the kernel strips the tag and hands it to eth0.100, and that bridge forwards it to the right tap. The tag is therefore applied and removed by the host, not by the guest, and VM3 never sees VLAN 100 traffic because it is delivered only to the other bridge. This per-bridge, per-VLAN membership is what isolates tenant networks that share a physical interface.
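To make the VLAN layout above concrete, and to exercise the primitives from the prerequisites section, here is an added shell script (example code written for this article, not Neutron's own agent code) that builds the same topology on a Linux host: three network namespaces stand in for VM1, VM2 and VM3, the host end of a veth pair stands in for each tap device QEMU would create, and two 802.1Q sub-interfaces and two bridges carry the two segments. The names brq100, brq101, tap0..tap2 and the 192.0.2.x addresses are assumed for the lab; PHYS defaults to eth0. Run without arguments it only prints the ip commands it would issue; run as root with APPLY=1 it builds the topology, checks that vm1 reaches vm2 but not vm3, and tears everything down.

```shell
#!/bin/sh
# Lab reproduction of the Linux Bridge VLAN layout described above (added
# example, not Neutron's code). Namespaces vm1..vm3 stand in for the VMs; the
# host end of each veth pair (tap0..tap2) stands in for the QEMU tap device.
# Assumed names: bridges brq100/brq101, sub-interfaces $PHYS.100/$PHYS.101.
set -eu

PHYS="${PHYS:-eth0}"   # physical uplink; a dummy link works for a lab

# namespace, bridge, host-side port, guest address. All guests share one /24
# so a failed ping between VLANs is due to L2 isolation, not missing routes.
VMS="vm1 brq100 tap0 192.0.2.11
vm2 brq100 tap1 192.0.2.12
vm3 brq101 tap2 192.0.2.13"

# Prints the ip(8) commands that build the topology; runs nothing itself.
plan_vlan_topology() {
    phys="$1"
    # One 802.1Q sub-interface and one bridge per segment. The sub-interface
    # is the bridge's only uplink, so the host applies the tag, never the guest.
    for vid in 100 101; do
        echo "ip link add link $phys name $phys.$vid type vlan id $vid"
        echo "ip link add brq$vid type bridge"
        echo "ip link set $phys.$vid master brq$vid"
        echo "ip link set $phys.$vid up"
        echo "ip link set brq$vid up"
    done
    echo "ip link set $phys up"
    # Each "VM": a namespace, a veth pair, guest end renamed eth0 and addressed,
    # host end (the "tap") attached untagged to that network's bridge.
    echo "$VMS" | while read -r ns br tap addr; do
        echo "ip netns add $ns"
        echo "ip link add $tap type veth peer name $ns-eth0"
        echo "ip link set $ns-eth0 netns $ns"
        echo "ip netns exec $ns ip link set $ns-eth0 name eth0"
        echo "ip netns exec $ns ip addr add $addr/24 dev eth0"
        echo "ip netns exec $ns ip link set eth0 up"
        echo "ip link set $tap master $br"
        echo "ip link set $tap up"
    done
}

# Executes the plan line by line, tracing each command (needs CAP_NET_ADMIN).
apply_vlan_topology() {
    plan_vlan_topology "$1" | sh -ex
}

# Same segment (brq100) must be reachable; the other segment (brq101) must not.
check_isolation() {
    ip netns exec vm1 ping -c 1 -W 1 192.0.2.12 >/dev/null || return 1
    if ip netns exec vm1 ping -c 1 -W 1 192.0.2.13 >/dev/null; then return 1; fi
    return 0
}

# Deleting a namespace removes both ends of its veth pair; bridges and VLAN
# sub-interfaces have to be removed explicitly.
teardown() {
    for ns in vm1 vm2 vm3; do ip netns del "$ns" 2>/dev/null || true; done
    for vid in 100 101; do
        ip link del "brq$vid" 2>/dev/null || true
        ip link del "$PHYS.$vid" 2>/dev/null || true
    done
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    apply_vlan_topology "$PHYS"
    if check_isolation; then echo "VLAN isolation OK"; else echo "VLAN isolation FAILED" >&2; fi
    [ "${KEEP:-0}" = 1 ] || teardown
else
    plan_vlan_topology "$PHYS"   # dry run: print the commands only
fi
```

If the host has no spare NIC, create one with `ip link add eth0 type dummy` (or set PHYS to any dummy link) so the sub-interfaces have a parent; tagged frames sent out of a dummy simply vanish, which is enough to exercise the intra-host isolation. Note that the untagged physical interface is never itself placed in a bridge: doing so would hand every VLAN's traffic to that bridge's taps. Neutron's linuxbridge agent builds this same structure, naming each bridge brq followed by a prefix of the network UUID.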
The OVS driver that Neutron uses works differently. OVS is a virtual switch that maintains flow tables which can be chained together (a flow's action can resubmit the packet to another table). Each flow matches on packet fields such as the ingress port, source and destination MAC addresses, VLAN tag, source and destination IP addresses, protocol and source and destination ports, and applies an action such as dropping the packet, pushing, popping or rewriting the VLAN tag, or outputting it on a port. Neutron combines veth pairs, patch ports, tap interfaces, a provider bridge, the integration bridge (br-int) and the physical interfaces to build the same types of networks described above.
The same primitives underlie networking in desktop hypervisors: bridged mode puts the VM's tap in a bridge with the host's physical interface, exactly like a flat network, while NAT mode keeps the taps in a host-only bridge and masquerades their traffic through the host's address. I hope this article helps you understand how hypervisors implement these different networking strategies.
I hope you liked the article. I will be coming up with something on OVS as well soon. Please let me know if you have any queries regarding the article. Happy reading!