Original poster | Posted 2025-12-18 08:51:30
2. Networking service: Neutron
Neutron applies the idea of software-defined networking to resource management for virtualized networks. Its design goal is Network-as-a-Service (NaaS), and it follows the SDN (Software Defined Network) architecture for management.
Neutron consists mainly of the Neutron server, plugins and agents. The Neutron server exposes the OpenStack networking API, receives requests and hands them to a plugin; the plugin processes the requests from the Neutron server, maintains the state of the OpenStack logical network and calls the agents; the agents carry out the plugin's requests and actually implement the networking functions on the network provider (for example Open vSwitch). There is also a database that stores the OpenStack network state: Network, Subnet, Port, Router and so on.
3. OVS
OVS (Open vSwitch) is a virtual switch; it is managed following the SDN (Software Defined Network) architecture.
Introduction to OVS: https://mp.weixin.qq.com/s?__biz ... 189#wechat_redirect
[image: OVS architecture]
OVS consists of three components: the datapath, vswitchd and ovsdb.
datapath (openvswitch.ko): openvswitch.ko is the OVS kernel module. When it is loaded it registers a hook on the network interface, and that hook is called for every packet that arrives on the interface. The module first tries to match the packet against the policies held in the kernel (the kernel flow table). If a policy matches, the packet is forwarded in kernel space according to that policy; the whole process stays in the kernel and is very fast, hence "fast path". If nothing in the kernel matches, the packet is handed up (an "upcall") to the user-space vswitchd process, which is the "slow path"; once vswitchd has decided what to do with it, it installs a matching entry in the kernel flow table so that later packets of the same flow stay on the fast path. The datapath can be inspected and configured with ovs-dpctl.
vswitchd: vswitchd is the core OVS daemon. It runs in user space and talks to OpenFlow controllers and third-party software. When vswitchd receives a packet it looks it up in the user-space (OpenFlow) flow tables; if a rule matches, the packet is forwarded according to that rule, otherwise it is handled as the OpenFlow specification requires: sent to the controller if one is configured, or dropped.
ovsdb: the OVS database, which stores the whole OVS configuration: interfaces, switching settings, VLANs, virtual switch definitions and so on.
OVS terminology:
1. Bridge: a bridge is a switch (a virtual one, i.e. a vSwitch); one host can have several bridges. When a packet enters on one port of the bridge, the bridge forwards it to another port according to its rules, and may also modify or drop it. "Bridge" in the rest of this post means a virtual switch.
2. Port: a switch port. There are several types:
Normal: when a physical NIC is added to a bridge it becomes a Port of type Normal. Configuring an IP address on the NIC itself is then pointless: it has been "reduced to a patch cable" that only carries frames in and out. A Normal port is typically the one that connects several physical hosts in VLAN mode, with the physical switch side configured as a trunk.
Internal: for this type OVS automatically creates a virtual NIC (Interface); everything the port receives is delivered to that NIC, and everything the NIC sends goes through the port into OVS. When OVS creates a new bridge it automatically creates an Internal port, and an Interface, with the same name as the bridge. An Internal port can be given an IP address and brought up, which gives the OVS bridge layer-3 connectivity.
Patch: works like a veth pair and is normally used to connect two bridges. (A veth pair is a pair of connected virtual network devices.)
Tunnel: implements overlay networks; supported tunnel protocols include GRE, VXLAN, STT and Geneve, optionally protected with IPsec. A tunnel is a layer-3 construct.
3. Interface: a NIC, virtual (TUN/TAP) or physical. TAP: a single virtual network device operating at layer 2; TUN: a single virtual network device operating at layer 3. veth pair: two connected virtual network devices, often used to connect two bridges.
4. Controller: OVS can be managed by one or more OpenFlow controllers, whose main job is to push flow tables that control forwarding.
5. FlowTable: the flow table is the core of OVS forwarding; it defines the rules for forwarding data between ports. Each flow rule has two parts, a match and actions: the match decides which packets the rule applies to, and the actions decide what is done with them.
[image]
ens160 no longer has its own IP address; traffic leaves through the IP address configured on br-ex.
[image]
OVS installation
1. Start a fresh Linux machine.
2. Configure the online yum repositories (the same online yum repo used for OpenStack).

Configure the yum repos (back the existing files up somewhere else first; the rm below deletes them)
# cd /etc/yum.repos.d/
# rm -rf *
# cat cloud.repo

[highavailability]
name=CentOS Stream 8 - HighAvailability
baseurl=https://mirrors.aliyun.com/centos/8-stream/HighAvailability/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[nfv]
name=CentOS Stream 8 - NFV
baseurl=https://mirrors.aliyun.com/centos/8-stream/NFV/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[rt]
name=CentOS Stream 8 - RT
baseurl=https://mirrors.aliyun.com/centos/8-stream/RT/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[resilientstorage]
name=CentOS Stream 8 - ResilientStorage
baseurl=https://mirrors.aliyun.com/centos/8-stream/ResilientStorage/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras-common]
name=CentOS Stream 8 - Extras packages
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/extras-common/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras]
name=CentOS Stream $releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=extras&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$stream/extras/$basearch/os/
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos/8-stream/cloud/x86_64/openstack-victoria/
#baseurl=https://repo.huaweicloud.com/centos/8-stream/cloud/x86_64/openstack-yoga/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
module_hotfixes=1

[powertools]
name=CentOS Stream 8 - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=PowerTools&infra=$infra
baseurl=https://mirrors.aliyun.com/centos/8-stream/PowerTools/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

Note that [centos-ceph-pacific] has gpgcheck=0, so every RPM from that repo is installed without a signature check even though a gpgkey is configured; set it to 1 unless you have a reason not to.
# yum clean all        clear the cache
# yum makecache        rebuild the cache
# yum repolist all     list the yum repositories (13 of them)
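The repo file above is where the supply chain of this whole lab is decided, and it is easy to miss a gpgcheck=0 or a plain-http mirrorlist in a list of thirteen stanzas. The following is an added example for this post (not part of yum, dnf or the original tutorial): a small Python audit that parses a .repo file with the standard configparser and reports, per enabled repository, the settings that let an unsigned or tampered package through. The sample input is constructed from three stanzas of the post's own cloud.repo; the findings it raises (the http mirrorlist in [extras], gpgcheck=0 in [centos-ceph-pacific]) are exactly the two weaknesses present in that file.

```python
"""Audit a yum/dnf .repo file for settings that weaken package verification.

Added example for this post, not part of the original tutorial or of yum/dnf.
For every enabled repository it reports:
  - gpgcheck missing or not 1  (unsigned or tampered RPMs are accepted)
  - gpgkey missing             (gpgcheck=1 has no key to verify against)
  - gpgkey fetched over http   (the key itself could be swapped in transit)
  - baseurl/mirrorlist/metalink over http (repo metadata can be tampered with,
    which matters most when repo_gpgcheck=0, as in the post's file)
SAMPLE_REPO is constructed from three stanzas of the post's cloud.repo.
"""
import configparser
from typing import Dict, List

SAMPLE_REPO = """\
[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
enabled=1

[extras]
name=CentOS Stream - Extras
mirrorlist=http://mirrorlist.centos.org/?release=8-stream&arch=x86_64&repo=extras
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage
"""


def parse_repo(text: str) -> configparser.ConfigParser:
    """Parse .repo text; interpolation is disabled so raw values survive untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)  # lines starting with '#' (e.g. '#baseurl=') are comments
    return cp


def audit_repo(text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [finding, ...]} for every enabled repository with a problem."""
    cp = parse_repo(text)
    findings: Dict[str, List[str]] = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo cannot install anything
        probs: List[str] = []
        if sec.get("gpgcheck", "0").strip() != "1":
            probs.append("gpgcheck is not 1: unsigned or tampered RPMs are accepted")
        if not sec.get("gpgkey"):
            probs.append("no gpgkey: signature check has nothing to verify against")
        elif sec["gpgkey"].startswith("http://"):
            probs.append("gpgkey served over plain http")
        for field in ("baseurl", "mirrorlist", "metalink"):
            if sec.get(field, "").startswith("http://"):
                probs.append(f"{field} over plain http")
        if probs:
            findings[repo] = probs
    return findings


if __name__ == "__main__":
    for repo_id, problems in audit_repo(SAMPLE_REPO).items():
        print(repo_id)
        for problem in problems:
            print("  -", problem)
```

Run it against /etc/yum.repos.d/*.repo after writing the file and before the first yum install; a clean run is a better fix than the gpgcheck=0 workaround mentioned further down.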
3. Install the base packages and OVS (for Tab completion of commands, install the bash-completion package and then run bash)
If installing openvswitch3.1 fails with an error that the gpgkey file cannot be found, the post's workaround is to set gpgcheck=0 and run the install again. The likely cause is that /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV is shipped by the centos-release-nfv-* packages that centos-release-openstack-victoria pulls in, and the command below installs that release package and openvswitch3.1 in the same transaction, so the key is not on disk yet when the package signature is checked. Installing centos-release-openstack-victoria.noarch in its own transaction first and openvswitch3.1 afterwards (as the OVN section later does) keeps signature verification on; gpgcheck=0 makes yum accept whatever RPM the mirror serves, signed or not.
yum install -y vim net-tools bash-completion centos-release-openstack-victoria.noarch tcpdump openvswitch3.1
or install it on its own: yum install -y openvswitch3.1*
Check the installed version: [root@ovs ~]# ovs-vsctl --version
4. Start the OVS service
[root@ovs ~]# systemctl start openvswitch
[root@ovs ~]# systemctl enable openvswitch
[root@ovs ~]# ps -ef | grep openvswitch
[root@ovs ~]# ovs-vsctl show         show the OVS virtual switch configuration
[root@ovs ~]# ovs-vsctl --help       help; or [root@ovs ~]# man ovs-vsctl
5. Create an OVS virtual switch
Creating a virtual switch also creates a Port and an Interface with the same name as the switch, of type internal.

[root@ovs ~]# ovs-vsctl add-br br-int
[root@ovs ~]# ovs-vsctl add-br br-memeda       add a bridge
[root@ovs ~]# ovs-vsctl del-br br-memeda       delete a bridge (re-add it with add-br before continuing)
[root@ovs ~]# ovs-vsctl list-br                list bridges
br-int
br-memeda
[root@ovs ~]# ovs-vsctl show                   show the virtual switch configuration; "Bridge" means a virtual switch
54c67146-9a9f-40be-8cb7-e8792879aafa
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Use lightweight network namespaces to simulate virtual machines
[image]

[root@ovs ~]# ip netns                list network namespaces
[root@ovs ~]# ip netns add ns1        add a network namespace
[root@ovs ~]# ip netns add ns2
[root@ovs ~]# ip netns
ns2
ns1
Create two veth pairs (each veth pair has two virtual network interfaces; think of a veth as a NIC port) and move one end of each pair (veth1 and veth2) into the two network namespaces.
[image]

Create two veth pairs and put one end of each into the two namespaces created above
# ip link help   or   # man ip link   for help
First namespace
[root@ovs ~]# ip link add veth11 type veth peer name veth1
[root@ovs ~]# ip link set veth1 netns ns1
[root@ovs ~]# ip netns exec ns1 ip link set veth1 up
Second namespace
[root@ovs ~]# ip link add veth22 type veth peer name veth2
[root@ovs ~]# ip link set veth2 netns ns2
[root@ovs ~]# ip netns exec ns2 ip link set veth2 up
Attach the other ends (veth11 and veth22) to the OVS virtual switch
[image]

[root@ovs ~]# ip link set veth11 up
[root@ovs ~]# ip link set veth22 up
[root@ovs ~]# ovs-vsctl add-port br-memeda veth11
[root@ovs ~]# ovs-vsctl add-port br-memeda veth22
[root@ovs ~]# ovs-vsctl show        br-memeda now has two more ports (Port veth22 and Port veth11)
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            Interface veth22
        Port veth11
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Assign IP addresses to the two namespaces by hand
[image]
[root@ovs ~]# ip netns exec ns1 ip addr add 1.1.1.1/24 dev veth1
[root@ovs ~]# ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: veth1@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:f9:3b:cb:9b:c5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.1/24 scope global veth1
       valid_lft forever preferred_lft forever
    inet6 fe80::fcf9:3bff:fecb:9bc5/64 scope link
       valid_lft forever preferred_lft forever
[root@ovs ~]# ip netns exec ns2 ip addr add 1.1.1.2/24 dev veth2
[root@ovs ~]# ip netns exec ns2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth2@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:e3:ac:a8:f3:bc brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.2/24 scope global veth2
       valid_lft forever preferred_lft forever
    inet6 fe80::8e3:acff:fea8:f3bc/64 scope link
       valid_lft forever preferred_lft forever
Test connectivity between the two namespaces
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=2.98 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.167 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.081 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2065ms
rtt min/avg/max/mdev = 0.081/1.075/2.979/1.346 ms
[root@ovs ~]# ip netns exec ns2 ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.923 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.084 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.091 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.084/0.366/0.923/0.393 ms
VLAN (virtual LAN): VLAN isolation limits broadcast domains, which reduces congestion, and keeps the traffic of different groups of ports apart.
An OVS virtual switch can define VLANs just like a physical switch. Here we use VLAN 10 (tag 10) and VLAN 20 (tag 20): the two veth ports plugged into the OVS switch are given different tags, i.e. placed in different VLANs, and connectivity is tested again. By default a port has no tag at all, which makes it a trunk port carrying every VLAN; untagged frames on such a port belong to VLAN 0.
[image]
[root@ovs ~]# ovs-vsctl set port veth11 tag=10
[root@ovs ~]# ovs-vsctl set port veth22 tag=20
[root@ovs ~]# ovs-vsctl show      Port veth22 and Port veth11 on br-memeda now carry a tag
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 20
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
With the ports in different VLANs (tags) the ping fails; traffic between VLANs needs a router or a physical layer-3 switch.
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2064ms
[image]

[root@ovs ~]# ovs-vsctl set port veth22 tag=10      changing veth22 to tag=10 puts both ports in the same VLAN, so they are on one layer-2 segment again
[root@ovs ~]# ovs-vsctl show
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 10
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2      same VLAN (tag): the ping succeeds, layer-2 communication works
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.093 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.086 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2051ms
rtt min/avg/max/mdev = 0.086/0.535/1.426/0.630 ms
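Pinging between two namespaces proves isolation for one pair of ports; on a bridge with many tenant ports you want the same answer from the configuration itself. The following is an added example for this post (not OVS tooling and not from the original tutorial): it parses the indented text that `ovs-vsctl show` prints, in the layout shown above, into a bridge/port/VLAN model and decides whether two ports share a layer-2 domain, using the OVS rules for access ports (`tag`), restricted trunks (`trunks: [...]`) and default trunks (neither). The sample listing is constructed from the post's output after the two `set port ... tag=` commands, with one assumed extra port, `uplink` on `ens192` trunking VLANs 10 and 30, added so that the trunk case is visible.

```python
"""Check VLAN (layer-2) isolation between ports from `ovs-vsctl show` output.

Added example for this post, not part of OVS. Semantics follow the OVS
vswitch database model: a port with `tag` is an access port for that VLAN;
a port with `trunks: [...]` carries only those VLANs; a port with neither is
a trunk carrying every VLAN. Ports on different bridges never share a domain.
SAMPLE_SHOW is constructed from the post's listing plus an assumed `uplink` port.
"""
import re
from typing import Dict, Optional, Set

SAMPLE_SHOW = """\
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 20
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
        Port uplink
            trunks: [10, 30]
            Interface ens192
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
"""

ALL_VLANS = frozenset(range(0, 4096))  # an untagged, untrunked port carries everything


class PortVlan:
    def __init__(self, bridge: str, name: str) -> None:
        self.bridge = bridge
        self.name = name
        self.tag: Optional[int] = None
        self.trunks: Optional[Set[int]] = None

    def vlans(self) -> frozenset:
        """Set of VLAN IDs this port can carry."""
        if self.tag is not None:
            return frozenset({self.tag})       # access port: exactly one VLAN
        if self.trunks is not None:
            return frozenset(self.trunks)      # restricted trunk
        return ALL_VLANS                       # default trunk: all VLANs


def parse_show(text: str) -> Dict[str, PortVlan]:
    """Build {port_name: PortVlan} from the indented `ovs-vsctl show` listing."""
    ports: Dict[str, PortVlan] = {}
    bridge: Optional[str] = None
    port: Optional[PortVlan] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Bridge "):
            bridge, port = line.split(None, 1)[1].strip('"'), None
        elif line.startswith("Port ") and bridge is not None:
            port = PortVlan(bridge, line.split(None, 1)[1].strip('"'))
            ports[port.name] = port
        elif port is not None and line.startswith("tag: "):
            port.tag = int(line[len("tag: "):])
        elif port is not None and line.startswith("trunks: "):
            port.trunks = {int(x) for x in re.findall(r"\d+", line)}
    return ports


def same_l2_domain(ports: Dict[str, PortVlan], a: str, b: str) -> bool:
    """True if a frame entering port a can be switched out of port b."""
    pa, pb = ports[a], ports[b]
    if pa.bridge != pb.bridge:
        return False  # separate bridges only connect via an explicit patch/veth port
    return bool(pa.vlans() & pb.vlans())


if __name__ == "__main__":
    model = parse_show(SAMPLE_SHOW)
    for a, b in (("veth11", "veth22"), ("veth11", "uplink"), ("veth22", "uplink")):
        print(f"{a} -> {b}: {'reachable' if same_l2_domain(model, a, b) else 'isolated'}")
```

The result for veth11/veth22 matches the failed ping above, and setting veth22's tag back to 10 in the model, as the post does on the switch, makes them reachable again. Note that an untagged port is the permissive case: it sees every VLAN, so a forgotten tag on a tenant port is an isolation break, not a safe default.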
FlowTable: the flow table is the core of OVS forwarding; it defines the rules for forwarding data between ports. Each flow rule has a match part and an actions part: the match decides which packets the rule applies to, and the actions decide what is done with them.
Traffic direction: add a flow rule keyed on the ingress port.
[image]
[image]

Look at the default OVS flow table
[root@ovs ~]# ovs-ofctl dump-flows br-memeda        show the switch's flow rules
 cookie=0x0, duration=2161.884s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
With only this rule OVS behaves like a traditional MAC-learning switch. Now add a flow entry with priority 2 (a higher number means higher priority, so it beats the default entry at priority 0) that drops everything entering on veth11; ns1 can no longer ping ns2.
[root@ovs ~]# ovs-ofctl add-flow br-memeda "priority=2,in_port=veth11,actions=drop"      add a flow rule
[root@ovs ~]# ovs-ofctl dump-flows br-memeda
 cookie=0x0, duration=2.578s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=veth11 actions=drop
 cookie=0x0, duration=2217.329s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2076ms
Delete the entry just added and ns1 and ns2 can talk again. Note that del-flows without --strict ignores priority and removes every rule whose match contains in_port=veth11; here that is only the drop rule, since the priority=0 NORMAL rule has an empty match, but on a populated table a broad match spec can take out more rules than intended.
[root@ovs ~]# ovs-ofctl del-flows br-memeda "in_port=veth11"      delete the flow rule; traffic flows again
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.766 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.096 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.088 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2043ms
rtt min/avg/max/mdev = 0.088/0.316/0.766/0.318 ms
[root@ovs ~]# ovs-ofctl dump-flows br-memeda
 cookie=0x0, duration=2315.744s, table=0, n_packets=59, n_bytes=4438, priority=0 actions=NORMAL
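The two rules above are easy to reason about by eye; a production br-int has thousands, and the questions that matter ("which rule actually handles this packet?", "what will this del-flows remove?") need the priority and matching semantics applied exactly. The following is an added example for this post (not part of OVS or ovs-ofctl): it parses the `ovs-ofctl dump-flows` lines in the format shown above, evaluates a packet against table 0 in priority order the way the switch does, and models the difference between the default non-strict `del-flows` and `--strict`. The sample flows are constructed from the post's output, with one assumed extra rule (priority=5, IPv4 from veth22 to veth11) added so that the priority ordering and the over-broad delete are both visible.

```python
"""Resolve which OpenFlow rule handles a packet, from `ovs-ofctl dump-flows` text.

Added example for this post, not part of OVS. Parses dump-flows output into
Flow objects, answers lookups in priority order, and models `del-flows`:
non-strict (default) ignores priority and removes every rule whose match
contains all of the spec's fields; --strict removes only an exact match with
the same priority (32768 when the spec omits it). SAMPLE_FLOWS is constructed
from the post's output plus one assumed priority=5 rule.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_FLOWS = """\
 cookie=0x0, duration=2.578s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=veth11 actions=drop
 cookie=0x0, duration=9.100s, table=0, n_packets=4, n_bytes=392, priority=5,in_port=veth22,dl_type=0x0800 actions=output:veth11
 cookie=0x0, duration=2217.329s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
"""

# Bookkeeping fields dump-flows prints next to the match; not part of the match itself.
_STATS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age",
          "hard_age", "idle_timeout", "hard_timeout", "priority"}


@dataclass
class Flow:
    table: int
    priority: int
    match: Dict[str, str]   # e.g. {"in_port": "veth11"}; an empty dict matches everything
    actions: str
    n_packets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse dump-flows output into Flow objects sorted highest priority first."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head, _, actions = line.partition(" actions=")
        fields: Dict[str, str] = {}
        for tok in re.split(r",\s*", head):
            k, _, v = tok.partition("=")
            fields[k] = v
        match = {k: v for k, v in fields.items() if k not in _STATS}
        flows.append(Flow(table=int(fields.get("table", "0")),
                          priority=int(fields.get("priority", "32768")),  # OpenFlow default
                          match=match, actions=actions,
                          n_packets=int(fields.get("n_packets", "0"))))
    flows.sort(key=lambda f: -f.priority)  # the order in which the switch evaluates them
    return flows


def lookup(flows: List[Flow], packet: Dict[str, str], table: int = 0) -> Optional[Flow]:
    """Highest-priority rule in `table` whose every match field equals the packet's."""
    for f in flows:
        if f.table == table and all(packet.get(k) == v for k, v in f.match.items()):
            return f
    return None  # table miss


def del_flows(flows: List[Flow], spec: Dict[str, str], strict: bool = False) -> List[Flow]:
    """Rules that survive `ovs-ofctl del-flows` with `spec` (see module docstring)."""
    spec_match = {k: v for k, v in spec.items() if k != "priority"}
    survivors: List[Flow] = []
    for f in flows:
        if strict:
            hit = f.match == spec_match and f.priority == int(spec.get("priority", "32768"))
        else:
            hit = all(f.match.get(k) == v for k, v in spec_match.items())
        if not hit:
            survivors.append(f)
    return survivors


if __name__ == "__main__":
    table = parse_flows(SAMPLE_FLOWS)
    for pkt in ({"in_port": "veth11", "dl_type": "0x0800"},
                {"in_port": "veth22", "dl_type": "0x0800"},
                {"in_port": "veth22", "dl_type": "0x0806"}):
        rule = lookup(table, pkt)
        print(pkt, "->", rule.actions if rule else "table miss")
    left = del_flows(table, {"in_port": "veth22"})
    print("after non-strict del-flows in_port=veth22:", [f.priority for f in left])
```

The non-strict case is the one to remember when cleaning up after a test: `del-flows br "in_port=veth22"` would also remove a hypothetical priority=5 rule for that port, whereas `del-flows --strict br "priority=5,in_port=veth22,dl_type=0x0800"` removes just that one.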
4. OVN
OVN is built on top of OVS and follows the SDN (Software Defined Network) architecture: the control plane and the forwarding plane are separated in software, with OVN as the control plane and OVS as the forwarding plane.
OVN requires an underlying OVS. As a rough analogy, OVS is a layer-2 switch and OVN is a layer-3 switch.
Reference: https://mp.weixin.qq.com/s?__biz ... 189#wechat_redirect
Plain OVS has some shortcomings for cloud computing, for example:
1. OVS only does layer-2 forwarding; it has no routing abstraction, so routers cannot be configured on OVS itself;
2. OVS has no high-availability configuration;
3. In virtualization a VM migrating from one physical host to another, and in containers a container moving from one node to another, are very common, but plain OVS configuration applies only to the current node. After such a migration the new node's OVS has no matching configuration, so the migrated VM or container does not work.
To address these problems OVN (Open Virtual Network) was created. OVN provides, among other things:
1. Distributed virtual routers
2. Distributed logical switches
3. Access control lists (ACLs)
4. DHCP
5. DNS server
In OpenStack, creating a network amounts to creating a logical virtual switch: the logical switch (the network) is saved in the northbound database as a logical switch record.
[image]
[image]
The OVN project documents its logical architecture as follows:

                                  CMS
                                   |
                                   |
                       +-----------|-----------+
                       |           |           |
                       |     OVN/CMS Plugin    |
                       |           |           |
                       |           |           |
                       |   OVN Northbound DB   |
                       |           |           |
                       |           |           |
                       |       ovn-northd      |
                       |           |           |
                       +-----------|-----------+
                                   |
                                   |
                         +-------------------+
                         | OVN Southbound DB |
                         +-------------------+
                                   |
                                   |
                +------------------+------------------+
                |                  |                  |
  HV 1          |                  |    HV n          |
+---------------|---------------+  .  +---------------|---------------+
|               |               |  .  |               |               |
|        ovn-controller         |  .  |        ovn-controller         |
|         |          |          |  .  |         |          |          |
|         |          |          |     |         |          |          |
|  ovs-vswitchd   ovsdb-server  |     |  ovs-vswitchd   ovsdb-server  |
|                               |     |                               |
+-------------------------------+     +-------------------------------+
OVN nodes fall into two classes by function:
central: the central node; its components are the OVN/CMS plugin, the OVN Northbound DB, ovn-northd and the OVN Southbound DB.
hypervisor (HV): a worker node; its components are ovn-controller, ovs-vswitchd and ovsdb-server.
The central components and the hypervisor components may run on the same physical node (as they do in this lab).
The components:
1. CMS: Cloud Management Software, for example OpenStack (OVN was originally designed for OpenStack).
2. OVN/CMS plugin: the cloud management software's plugin, e.g. OpenStack's Neutron plugin. It translates the logical network configuration into data OVN understands and writes it into the northbound database (OVN Northbound DB).
3. OVN Northbound DB: holds the configuration pushed by the CMS plugin. It has two clients, the CMS plugin and ovn-northd, and can be manipulated directly with ovn-nbctl. The northbound database stores the logical network (logical switches, routers and so on).
4. ovn-northd: translates the data in the OVN Northbound DB and stores the result in the OVN Southbound DB. Everything passes from the northbound database to the southbound database through ovn-northd.
5. OVN Southbound DB: also has two clients, ovn-northd above it and the ovn-controller running on every hypervisor below it. It can be manipulated directly with ovn-sbctl. The southbound database stores the physical network information of each node, together with the logical flows that ovn-northd derives.
6. ovn-controller: OVN's agent on each hypervisor. Northbound it connects to the OVN Southbound DB to learn the latest configuration and translates it into OpenFlow flows; southbound it connects to ovs-vswitchd to push those flows, and to ovsdb-server to read the configuration it needs.
7. ovs-vswitchd and ovsdb-server: the two user-space OVS processes.
Every node runs an ovn-controller that manages the local OVS (ovs-vswitchd and ovsdb-server). ovn-controller connects to the southbound database, which is fed from the northbound database through ovn-northd, which in turn is fed by OpenStack.
The southbound database holds the physical network state; the northbound database holds the logical network state.
[image]
Clone two virtual machines and install OVS and OVN on both

CentOS Stream 8

systemctl stop firewalld.service
systemctl disable firewalld.service
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
(Disabling firewalld and SELinux is a lab shortcut; on a real deployment keep both and open only the ports the OVN and OVS services need.)
mkdir /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/
(EOF is quoted below so that the shell leaves $releasever, $stream, $basearch, $infra and $contentdir in the file for yum to expand; with an unquoted EOF the shell expands them to empty strings and writes a broken mirrorlist.)
cat <<'EOF' > /etc/yum.repos.d/cloudcs.repo
[ceph]
name=ceph
baseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/x86_64/
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc
gpgcheck=1
enabled=1

[ceph-noarch]
name=ceph-noarch
baseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/noarch/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc
enabled=1

[ceph-SRPMS]
name=SRPMS
baseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/SRPMS/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc
enabled=1

[highavailability]
name=CentOS Stream 8 - HighAvailability
baseurl=https://mirrors.aliyun.com/centos/8-stream/HighAvailability/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[nfv]
name=CentOS Stream 8 - NFV
baseurl=https://mirrors.aliyun.com/centos/8-stream/NFV/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[rt]
name=CentOS Stream 8 - RT
baseurl=https://mirrors.aliyun.com/centos/8-stream/RT/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[resilientstorage]
name=CentOS Stream 8 - ResilientStorage
baseurl=https://mirrors.aliyun.com/centos/8-stream/ResilientStorage/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras-common]
name=CentOS Stream 8 - Extras packages
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/extras-common/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras]
name=CentOS Stream $releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=extras&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$stream/extras/$basearch/os/
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos/8-stream/cloud/x86_64/openstack-victoria/
#baseurl=https://repo.huaweicloud.com/centos/8-stream/cloud/x86_64/openstack-yoga/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
module_hotfixes=1

[powertools]
name=CentOS Stream 8 - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=PowerTools&infra=$infra
baseurl=https://mirrors.aliyun.com/centos/8-stream/PowerTools/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
EOF

5 O" w5 W ^* Ryum install -y vim net-tools bash-completion git tcpdump autoconf automake libtool make python3 centos-release-openstack-victoria.noarch( j! M, H. _* t9 R6 M
yum install -y openvswitch3.1*0 _5 y, d( y& y P4 i6 l! M
yum install -y ovn22.12*
Check the installed version to confirm that OVN was installed successfully:
# ovn-appctl --version
echo 'export PATH=$PATH:/usr/share/ovn/scripts:/usr/share/openvswitch/scripts' >> /etc/profile
Re-read the profile so that the new PATH takes effect immediately:
source /etc/profile
Starting the central components: node1 is used as the central node and runs the three required central components: the OVN Northbound DB, ovn-northd and the OVN Southbound DB.
Start central on a control node; it only needs to run on one node (node1 or node2 would both do; here it is node1), because a single central instance is sufficient.

The ovn-ctl start_northd command automatically starts all three services: the northbound database, ovn-northd and the southbound database.
[root@node1 ~]# ovn-ctl start_northd
/etc/ovn/ovnnb_db.db does not exist ... (warning).
Creating empty database /etc/ovn/ovnnb_db.db [ OK ]
Starting ovsdb-nb [ OK ]
/etc/ovn/ovnsb_db.db does not exist ... (warning).
Creating empty database /etc/ovn/ovnsb_db.db [ OK ]
Starting ovsdb-sb [ OK ]
Starting ovn-northd [ OK ]

[root@node1 ~]# ps -ef | grep ovn
root 34102 34101 0 21:02 ? 00:00:00 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-nb.log --remote=punix:/var/run/ovn/ovnnb_db.sock --pidfile=/var/run/ovn/ovnnb_db.pid --unixctl=/var/run/ovn/ovnnb_db.ctl --detach --monitor --remote=db:OVN_Northbound,NB_Global,connections --private-key=db:OVN_Northbound,SSL,private_key --certificate=db:OVN_Northbound,SSL,certificate --ca-cert=db:OVN_Northbound,SSL,ca_cert --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers /etc/ovn/ovnnb_db.db
root 34118 34117 0 21:02 ? 00:00:00 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-sb.log --remote=punix:/var/run/ovn/ovnsb_db.sock --pidfile=/var/run/ovn/ovnsb_db.pid --unixctl=/var/run/ovn/ovnsb_db.ctl --detach --monitor --remote=db:OVN_Southbound,SB_Global,connections --private-key=db:OVN_Southbound,SSL,private_key --certificate=db:OVN_Southbound,SSL,certificate --ca-cert=db:OVN_Southbound,SSL,ca_cert --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers /etc/ovn/ovnsb_db.db
root 34128 1 0 21:02 ? 00:00:00 ovn-northd: monitoring pid 34129 (healthy)
root 34129 34128 0 21:02 ? 00:00:00 ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/var/run/ovn/ovnnb_db.sock --ovnsb-db=unix:/var/run/ovn/ovnsb_db.sock --no-chdir --log-file=/var/log/ovn/ovn-northd.log --pidfile=/var/run/ovn/ovn-northd.pid --detach --monitor
root 34302 34259 0 21:07 pts/0 00:00:00 grep --color=auto ovn
Starting the hypervisor components: a hypervisor node runs three components: ovn-controller, ovs-vswitchd and ovsdb-server.
Start the hypervisor (hv) components on both node1 and node2. First start ovs-vswitchd and ovsdb-server on both nodes:

[root@node1 ~]# ovs-ctl start --system-id=random
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]

[root@node2 ~]# ovs-ctl start --system-id=random
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]
Then start ovn-controller on each of the two nodes:

[root@node1 ~]# ovn-ctl start_controller
Starting ovn-controller [ OK ]
Once ovn-controller is running it automatically creates the br-int bridge:
[root@node1 ~]# ovs-vsctl show
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"

[root@node2 ~]# ovn-ctl start_controller
Starting ovn-controller [ OK ]
Once ovn-controller is running it automatically creates the br-int bridge:
[root@node2 ~]# ovs-vsctl show
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
At this point the hypervisors are not yet associated with central (that is, ovn-controller is not connected to the southbound database). This can be verified on node1:
[root@node1 ~]# ovn-nbctl show
Connecting the hypervisors to central: open the northbound and southbound database ports.
ovn-northd can reach the southbound and northbound databases because they are deployed on the same machine and it connects over a Unix socket.
On the central node, open northbound database port 6641; this port is mainly used by CMS plugins.
On the central node, open southbound database port 6642; this is the port ovn-controller connects to.
[root@node1 ~]# ovn-nbctl set-connection ptcp:6641:10.1.1.41
[root@node1 ~]# ovn-sbctl set-connection ptcp:6642:10.1.1.41
[root@node1 ~]# netstat -tulnp |grep 664
tcp 0 0 10.1.1.41:6641 0.0.0.0:* LISTEN 34102/ovsdb-server
tcp 0 0 10.1.1.41:6642 0.0.0.0:* LISTEN 34118/ovsdb-server
On node1, connect ovn-controller to the southbound database:
ovn-remote: the southbound database connection address
ovn-encap-ip: the local IP of this OVS/ovn-controller node
ovn-encap-type: the tunnel protocol; geneve is used here
system-id: the node identifier
[root@node1 ~]# ovs-vsctl set Open_vSwitch . external-ids:ovn-remote="tcp:10.1.1.41:6642" external-ids:ovn-encap-ip="10.1.1.41" external-ids:ovn-encap-type=geneve external-ids:system-id=node1

On node2, connect ovn-controller to the southbound database:
[root@node2 ~]# ovs-vsctl set Open_vSwitch . external-ids:ovn-remote="tcp:10.1.1.41:6642" external-ids:ovn-encap-ip="10.1.1.42" external-ids:ovn-encap-type=geneve external-ids:system-id=node2

View the southbound database on node1:
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
The architecture above is seen from the point of view of the underlying components and services.
Next, change perspective and look at it from the point of view of the logical network.
Geneve tunnel: when ovn-controller was connected to the southbound database, the external-ids:ovn-encap-type=geneve parameter was set. Looking at the OVS state on the two nodes now, each node has an OVS bridge br-int created by OVN, and the port/interface that OVN added to br-int for the peer node is of type geneve.
View the OVS state on node1:
[root@node1 ~]# ovs-vsctl show
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"

View the OVS state on node2:
[root@node2 ~]# ovs-vsctl show
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port ovn-node1-0
            Interface ovn-node1-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.41"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
) U0 O/ u' f% N. J[root@node1 ~]# ip link | grep gene 查看geneve隧道link0 U+ y' L# @! ~: u& ~
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
. k1 ]" _ Y8 x查看geneve隧道link详情,从dstport 6081可以看出geneve隧道udp端口是60810 i. u1 m; G1 w) \5 |( K/ t
[root@node1 ~]# ip -d link show genev_sys_6081
& q! I5 e4 M6 v. P8 e5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
; y. ?3 w2 v9 B1 i! ] link/ether 6a:e3:ff:a5:cc:d6 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65465
5 ]; A$ `6 E! E. |& F geneve external id 0 ttl auto dstport 6081 udp6zerocsumrx/ J* I- x; K. [$ P
openvswitch_slave addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
* {* c. k# E1 I( m& |查看geneve隧道udp端口,最后一列为“-”表示这个端口是内核态程序监听( Z. i0 q, a- e! f7 {
[root@node1 ~]# netstat -nulp|grep 60816 t: b! W" } v# x$ |
udp 0 0 0.0.0.0:6081 0.0.0.0:* -6 P& Q7 E6 M4 `- p# ^; e
udp6 0 0 :::6081 :::* -5 _: B- L0 i8 t, \
0 u; w. r5 j k& k, j
[root@node2 ~]# ip link | grep gene# _: b0 C) ?6 y! x u" l
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
+ W3 B _; N$ e2 K4 u[root@node2 ~]# ip -d link show genev_sys_60815 Q6 e3 r7 Y, _9 E
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 10006 x) d ] j" ^
link/ether 4e:db:f1:e4:43:94 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 654658 B# w2 w; }. [* R
geneve external id 0 ttl auto dstport 6081 udp6zerocsumrx4 f% H/ ^3 t+ @4 T
openvswitch_slave addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535+ T' Y# `" J9 B% y+ I! Q1 e" g
[root@node2 ~]# netstat -nulp|grep 60810 g: I* D2 x6 R. }% |2 t/ U
udp 0 0 0.0.0.0:6081 0.0.0.0:* -
) f+ q$ ?, W0 s- L4 p7 A' K1 Eudp6 0 0 :::6081 :::* -
( f6 B. T+ u3 @0 J" J在这里插入图片描述
' O9 t; s W7 P8 v; L
When carrying out the following experiments, make sure the MAC addresses you assign are valid; do not misconfigure them. MAC addresses fall into three classes:
Broadcast address (all F):
FF:FF:FF:FF:FF:FF
Multicast addresses (first byte odd):
X1:XX:XX:XX:XX:XX
X3:XX:XX:XX:XX:XX
X5:XX:XX:XX:XX:XX
X7:XX:XX:XX:XX:XX
X9:XX:XX:XX:XX:XX
XB:XX:XX:XX:XX:XX
XD:XX:XX:XX:XX:XX
XF:XX:XX:XX:XX:XX
Usable unicast MAC addresses (first byte even):
X0:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X4:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX
X8:XX:XX:XX:XX:XX
XA:XX:XX:XX:XX:XX
XC:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
Create a network namespace ns1 on each node (the same name ns1 does not conflict because the two namespaces live on different nodes). A network namespace can be thought of as a virtual machine. Create a port and interface on the OVS switch, then move the interface into the namespace. veth pair: two virtual network ports (devices); a veth can be thought of as a NIC port, with one end in the "virtual machine" and the other end on the br-int virtual switch.
Run on node1:
[root@node1 ~]# ip netns add ns1
[root@node1 ~]# ip link add veth11 type veth peer name veth12
[root@node1 ~]# ip link set veth12 netns ns1
[root@node1 ~]# ip link set veth11 up
[root@node1 ~]# ip netns exec ns1 ip link set veth12 address 00:00:00:00:00:01
[root@node1 ~]# ip netns exec ns1 ip link set veth12 up
[root@node1 ~]# ovs-vsctl add-port br-int veth11
[root@node1 ~]# ip netns exec ns1 ip addr add 192.168.1.10/24 dev veth12
Run on node2; note that the IP of veth12 here is in the same subnet as veth12 on node1:
[root@node2 ~]# ip netns add ns1
[root@node2 ~]# ip link add veth11 type veth peer name veth12
[root@node2 ~]# ip link set veth12 netns ns1
[root@node2 ~]# ip link set veth11 up
[root@node2 ~]# ip netns exec ns1 ip link set veth12 address 00:00:00:00:00:02
[root@node2 ~]# ip netns exec ns1 ip link set veth12 up
[root@node2 ~]# ovs-vsctl add-port br-int veth11
[root@node2 ~]# ip netns exec ns1 ip addr add 192.168.1.20/24 dev veth12
View the br-int switch on node1:
[root@node1 ~]# ovs-vsctl show
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port veth11
            Interface veth11
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"
View the br-int switch on node2:
[root@node2 ~]# ovs-vsctl show
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port veth11
            Interface veth11
        Port ovn-node1-0
            Interface ovn-node1-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.41"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"

Pinging ns1 on node2 from ns1 on node1 does not work yet, because they are networks on different hosts and the layer-2/layer-3 broadcast domain is not yet reachable across them.
[root@node1 ~]# ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.

--- 192.168.1.20 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2047ms
Looking at an OpenStack control node, the OVN northbound database contains logical switch entries.
In OpenStack, creating a network is equivalent to creating a logical virtual switch; the logical switch (network) is stored in the northbound database. One network is one logical switch.
On node1, by contrast, the OVN northbound database contains no logical switch.
In OpenStack, VMs on different nodes can reach each other because both are attached to the same network: different IPs in the same subnet on the same logical switch.
The IPs of the ns1 "VMs" on these two nodes were configured by hand and are isolated from each other; they are not attached to any logical switch. Adding a logical switch makes them reachable.
Logical Switch: for the two namespaces attached to the OVS switches on node1 and node2 to communicate, an OVN logical switch is needed. Note that the logical switch is a northbound database concept.
Create the logical switch on node1:
[root@node1 ~]# ovn-nbctl ls-add ls1
[root@node1 ~]# ovn-nbctl show
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
Add ports on the logical switch.
Add and configure the port for node1; the MAC address must match the namespace end of the veth pair:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-node1-ns1
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node1-ns1 00:00:00:00:00:01
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls1-node1-ns1 00:00:00:00:00:01
Add and configure the port for node2; again the MAC address must match:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-node2-ns1
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node2-ns1 00:00:00:00:00:02
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls1-node2-ns1 00:00:00:00:00:02
View the logical switch:
[root@node1 ~]# ovn-nbctl show
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]

Run on node1: bind the veth11 port to its logical switch port:
[root@node1 ~]# ovs-vsctl set interface veth11 external-ids:iface-id=ls1-node1-ns1
Run on node2: bind the veth11 port to its logical switch port:
[root@node2 ~]# ovs-vsctl set interface veth11 external-ids:iface-id=ls1-node2-ns1
Check the southbound database again; the ports are now bound:
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Verify connectivity from node1:
[root@node1 ~]# ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=4.68 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.908 ms
64 bytes from 192.168.1.20: icmp_seq=3 ttl=64 time=0.756 ms

--- 192.168.1.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 0.756/2.115/4.682/1.816 ms
Verify connectivity from node2:
[root@node2 ~]# ip netns exec ns1 ping -c 3 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.34 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.863 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=64 time=0.372 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.372/1.525/3.342/1.300 ms
Now ns1 on node1 and ns1 on node2 can reach each other. This is equivalent to having created two instances whose subnet is attached to the same logical switch: different IPs in the same subnet on the same logical switch, hence reachable.
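As an added example (not the post's own commands), the shell functions below cross-check the ovn-nbctl show and ovn-sbctl show outputs above and list every logical switch port that has no Port_Binding on any chassis, which is what the southbound view looks like when the external-ids:iface-id set on the OVS interface does not match the logical port name. The function names are mine; the sample outputs are copied from the post.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check "ovn-nbctl show"
# against "ovn-sbctl show". Every port under a "switch" in the NB view should
# appear as a Port_Binding under some Chassis in the SB view; a port that does
# not has no OVS interface with a matching external-ids:iface-id (or its
# ovn-controller is not talking to the southbound DB). Function names are mine.

# nb_switch_ports < nb-show-output -> one logical switch port name per line
# (ports under a "router" entry are skipped: router ports are not bound to
# a chassis unless they are gateway ports).
nb_switch_ports() {
    awk '$1 == "switch" { in_switch = 1 }
         $1 == "router" { in_switch = 0 }
         $1 == "port" && in_switch { print $2 }'
}

# sb_bindings < sb-show-output -> "PORT CHASSIS" per line
sb_bindings() {
    awk '$1 == "Chassis" { chassis = $2 }
         $1 == "Port_Binding" { print $2, chassis }'
}

# unbound_ports NB_TEXT SB_TEXT -> prints each NB switch port that has no
# Port_Binding; exit 0 when every port is bound, 1 otherwise
unbound_ports() {
    bound=$(printf '%s\n' "$2" | sb_bindings | awk '{ print $1 }')
    rc=0
    for p in $(printf '%s\n' "$1" | nb_switch_ports); do
        printf '%s\n' "$bound" | grep -qx "$p" || { echo "$p"; rc=1; }
    done
    return $rc
}

# Sample outputs copied from the post: the NB view after the two lsp-add
# steps, and the SB view before and after the iface-id binding.
NB_SHOW='switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]'

SB_BEFORE='Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}'

SB_AFTER='Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1'

# On a live central node the same check is:
#   unbound_ports "$(ovn-nbctl show)" "$(ovn-sbctl show)"
```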
Geneve tunnel verification: using ns1 on node1 pinging ns1 on node2 as the example, capture packets at each relevant component to verify geneve encapsulation and decapsulation. The captures show the key role the geneve tunnel plays in cross-host OVN/OVS communication, and also that an OVN logical switch can join the layer-2 networks of different hosts, or put differently, extend the OVS layer-2 broadcast domain across hosts.
// ns1 on node1 pings ns1 on node2
# ip netns exec ns1 ping -c 1 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=1.00 ms
--- 192.168.1.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.009/1.009/1.009/0.000 ms

// capture on veth12 inside ns1 on node1
# ip netns exec ns1 tcpdump -i veth12 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth12, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:11.364011 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 24275, seq 1, length 64
22:23:11.365000 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 24275, seq 1, length 64
22:23:16.364932 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:23:16.365826 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on veth11, the other end of veth12, on node1
# tcpdump -i veth11 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
22:25:11.225987 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 25166, seq 1, length 64
22:25:11.226914 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 25166, seq 1, length 64
22:25:16.236933 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:25:16.237563 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:25:16.237627 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
22:25:16.237649 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on the genev_sys_6081 interface on node1
# tcpdump -i genev_sys_6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on genev_sys_6081, link-type EN10MB (Ethernet), capture size 262144 bytes
22:28:15.872064 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 26492, seq 1, length 64
22:28:15.872717 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 26492, seq 1, length 64
22:28:20.877100 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:28:20.877640 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:28:20.877654 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:28:20.877737 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on eth0 on node1: after passing through genev_sys_6081 the packets carry geneve encapsulation
# tcpdump -i eth0 port 6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:23.446147 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446659 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:28.461137 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:30:28.461554 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:30:28.461571 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:30:28.461669 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

=================== across hosts ===================

// capture on eth0 on node2
# tcpdump -i eth0 port 6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:11.364189 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 24275, seq 1, length 64
22:23:11.364662 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 24275, seq 1, length 64
22:23:16.365086 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:23:16.365487 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
// capture on genev_sys_6081 on node2: the packets leaving genev_sys_6081 have had the geneve encapsulation removed
# tcpdump -i genev_sys_6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on genev_sys_6081, link-type EN10MB (Ethernet), capture size 262144 bytes
22:25:11.226186 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 25166, seq 1, length 64
22:25:11.226553 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 25166, seq 1, length 64
22:25:16.237070 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:25:16.237162 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:25:16.237203 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:25:16.237523 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
// capture on veth11 on node2
# tcpdump -i veth11 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
22:28:15.872198 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 26492, seq 1, length 64
22:28:15.872235 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 26492, seq 1, length 64
22:28:20.876913 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:28:20.877274 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:28:20.877287 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:28:20.877613 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on veth12 inside ns1 on node2
# ip netns exec ns1 tcpdump -i veth12 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth12, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:23.446212 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446242 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:28.460912 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:30:28.461260 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:30:28.461272 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:30:28.461530 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
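Added example (not from the original post, and not OVN/OVS tooling): a shell parser for the Geneve lines in the eth0 captures above, plus a check that flags tunnel packets whose outer source address is not one of the known chassis encap IPs, which is the kind of audit a defender would run over a capture of the 6081/udp traffic. The function names and the 10.0.12.99 sample endpoint are my own; the other sample lines are copied from the node1 eth0 capture above.

```shell
#!/bin/sh
# Added example, not from the original post: parse the Geneve lines produced
# by "tcpdump -i eth0 port 6081 -n" (as shown above) and flag tunnel packets
# whose outer source address is not one of the known chassis encap IPs.
# Function names and the 10.0.12.99 sample endpoint are my own.

# geneve_fields LINE -> "OUTER_SRC OUTER_DST VNI INNER_FRAME" on stdout;
# exit 1 if LINE is not a Geneve line in tcpdump's one-line format
geneve_fields() {
    printf '%s\n' "$1" | sed -n \
        's/^[0-9:.]* IP \([0-9.]*\)\.[0-9]* > \([0-9.]*\)\.[0-9]*: Geneve,.* vni \(0x[0-9a-f]*\),[^:]*: \(.*\)$/\1 \2 \3 \4/p' \
        | grep .
}

# check_tunnel_sources ALLOWED_IP... < capture
# Reads tcpdump output on stdin, prints "UNEXPECTED <fields>" for each Geneve
# packet whose outer source is not in the allowed list and returns 1 if any
# such packet was seen; non-Geneve lines (banners, other traffic) are ignored.
check_tunnel_sources() {
    allowed=" $* "
    bad=0
    while IFS= read -r line; do
        fields=$(geneve_fields "$line") || continue
        src=${fields%% *}
        case "$allowed" in
            *" $src "*) ;;
            *) echo "UNEXPECTED $fields"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample capture: the two ICMP lines from the node1 eth0 capture
# above, one line from an endpoint (10.0.12.99) that is not a chassis in this
# lab, and a tcpdump banner line that must be ignored.
SAMPLE_CAPTURE='22:30:23.446147 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446659 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:24.000000 IP 10.0.12.99.40000 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 1, seq 1, length 64
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode'

# On a live node the same check runs over a real capture, for example:
#   tcpdump -i eth0 port 6081 -n -l | check_tunnel_sources 10.1.1.41 10.1.1.42
```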
逻辑路由器(Logical Router):
" v1 U( M6 @8 s6 S前面验证了ovn逻辑交换机跨主机同子网的通信,那不同子网间又该如何通信呢?这就要用到ovn的逻辑路由器了。1 W) o A( e3 Z9 K: ~ G5 x
先在node2上再创建个网络命名空间ns2,ip设置为另外一个子网192.168.2.30/24,并且再增加一个逻辑交换机。( @, ]' `6 x- P. |
在这里插入图片描述
0 L$ |' r! _; H) u o# [) c/ W1 g
$ N0 _0 ~4 N) A8 T7 v9 s7 u( inode2上执行. G5 q/ e4 k, l" v3 F, J
[root@node2 ~]# ip netns 查看网络命名空间
; v5 B& s* k; o1 |: Uns1 (id: 0)
( H) V6 f/ P- u8 J; s* f[root@node2 ~]# ip netns add ns2
4 N# p( f5 t+ r& Q9 C& H6 O[root@node2 ~]# ip link add veth21 type veth peer name veth22. G! S2 }9 a( L1 r# B# K3 w
[root@node2 ~]# ip link set veth22 netns ns2
1 K5 {" A( k6 s1 y* x$ l[root@node2 ~]# ip link set veth21 up/ i) P% Y2 C. ^
[root@node2 ~]# ip netns exec ns2 ip link set veth22 address 00:00:00:00:00:03& G" u8 ~7 X( i6 F: R* t R
[root@node2 ~]# ip netns exec ns2 ip link set veth22 up4 N; z$ b+ M7 r& T6 {
[root@node2 ~]# ovs-vsctl add-port br-int veth21
2 G5 R5 w& j5 F6 I0 v8 N[root@node2 ~]# ip netns exec ns2 ip addr add 192.168.2.30/24 dev veth22' e3 ?1 {+ [2 Y% B: o
[root@node2 ~]# ip netns
/ s3 C' |% c9 j6 j' V Yns2 (id: 1)! \8 d, ]7 n' @: R7 \7 q( j( E0 F/ y
ns1 (id: 0)3 |( [5 Z' M: W/ ^9 m! N* Z# J
On node1, create a new logical switch with the ovn tools and configure its port:
[root@node1 ~]# ovn-nbctl ls-add ls2
[root@node1 ~]# ovn-nbctl lsp-add ls2 ls2-node2-ns2
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-node2-ns2 00:00:00:00:00:03
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls2-node2-ns2 00:00:00:00:00:03
On node2, bind the OVS port to the OVN logical switch port:
[root@node2 ~]# ovs-vsctl set interface veth21 external-ids:iface-id=ls2-node2-ns2
Check the northbound and southbound databases:
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Create an OVN logical router connecting the two logical switches

Add the logical router; its routing information is stored in the northbound database:
[root@node1 ~]# ovn-nbctl lr-add lr1
Add a router port facing switch ls1:
[root@node1 ~]# ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:11:00 192.168.1.1/24
Add a router port facing switch ls2:
[root@node1 ~]# ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:12:00 192.168.2.1/24

Connect the logical router to logical switch ls1:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-lr1
[root@node1 ~]# ovn-nbctl lsp-set-type ls1-lr1 router
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-lr1 00:00:00:00:11:00
[root@node1 ~]# ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1

Connect the logical router to logical switch ls2:
[root@node1 ~]# ovn-nbctl lsp-add ls2 ls2-lr1
[root@node1 ~]# ovn-nbctl lsp-set-type ls2-lr1 router
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-lr1 00:00:00:00:12:00
[root@node1 ~]# ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2
Check the northbound and southbound databases again:
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Ping from ns1 on node1 (192.168.1.10/24) to ns2 on node2 (192.168.2.30) to check connectivity across nodes and subnets.
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.2.30
connect: Network is unreachable
Look at the routing table in ns1: there is clearly no route to 192.168.2.0/24 yet.
[root@node1 ~]# ip netns exec ns1 ip route show
192.168.1.0/24 dev veth12 proto kernel scope link src 192.168.1.10
[root@node1 ~]# ip netns exec ns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 veth12
Since a router is a layer-3 concept, the relevant OVS ports first need their addresses configured:
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node1-ns1 00:00:00:00:00:01
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node2-ns1 00:00:00:00:00:02
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-node2-ns2 00:00:00:00:00:03
Then add a default route in each of the three namespaces, using the IP of the corresponding OVN logical router port as the gateway:
ns1 on node1
[root@node1 ~]# ip netns exec ns1 ip route add default via 192.168.1.1 dev veth12
ns1 on node2
[root@node2 ~]# ip netns exec ns1 ip route add default via 192.168.1.1 dev veth12
ns2 on node2
[root@node2 ~]# ip netns exec ns2 ip route add default via 192.168.2.1 dev veth22
Check the northbound and southbound databases once more:
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Verify connectivity

ns1 on node1 reaches its gateway:
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=20.10 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.950/20.950/20.950/0.000 ms

ns2 on node2 reaches its gateway:
[root@node2 ~]# ip netns exec ns2 ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=38.5 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 38.477/38.477/38.477/0.000 ms

ns1 on node1 pings ns2 on node2:
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.2.30
PING 192.168.2.30 (192.168.2.30) 56(84) bytes of data.
64 bytes from 192.168.2.30: icmp_seq=1 ttl=63 time=1.23 ms

--- 192.168.2.30 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms
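As an added example (not part of the original post), the following Python parses the `ovn-nbctl show` dumps above and checks the switch-to-router wiring that was built by hand: every `type: router` switch port must name an existing router port whose MAC matches the `addresses` set with lsp-set-addresses, and every switch must have such a port, otherwise (as in the first dump, before lr1 existed) there is no path off its subnet. It assumes the `ovn-nbctl show` layout seen on this page; the embedded sample is the final dump with ls1 omitted.

```python
import json
# Sample taken from the post's final 'ovn-nbctl show' output (ls1 omitted for brevity)
SAMPLE = """\
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
"""

def parse_nb_show(text):
    """Return ({switch: {port: attrs}}, {router: {port: attrs}}) from a show dump."""
    switches, routers, cur, port = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        kind = line.split(" ", 1)[0]
        if kind in ("switch", "router") and line.endswith(")"):
            # "switch <uuid> (ls2)" / "router <uuid> (lr1)" opens a new entity
            cur = (switches if kind == "switch" else routers).setdefault(line[line.rfind("(") + 1:-1], {})
        elif kind == "port" and cur is not None:
            port = cur.setdefault(line.split(" ", 1)[1], {})
        elif ":" in line and port is not None:
            key, val = (s.strip() for s in line.split(":", 1))
            # addresses/networks are JSON-style lists; type/mac/router-port are scalars
            port[key] = json.loads(val) if val.startswith("[") else val.strip('"')
    return switches, routers

def check_router_wiring(text):
    """Verify the hand-built switch/router wiring; an empty list means consistent."""
    switches, routers = parse_nb_show(text)
    rports = {p: a for r in routers.values() for p, a in r.items()}
    findings = []
    for sw, ports in switches.items():
        attached = False
        for name, attrs in ports.items():
            if attrs.get("type") == "router":
                attached = True  # this switch has an uplink to a logical router
                peer = rports.get(attrs.get("router-port"), {})
                # the lsp must carry the lrp's MAC (or the keyword "router") or ARP fails
                if attrs.get("addresses") not in ([peer.get("mac")], ["router"]):
                    findings.append(f"{sw}/{name}: addresses {attrs.get('addresses')} != router port {attrs.get('router-port')} mac {peer.get('mac')}")
        if not attached:
            findings.append(f"{sw}: no router port, so traffic cannot leave its subnet")
    return findings
```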
Note: OVN logical switches and logical routers are northbound-database concepts. ovn-northd "translates" these two logical objects into the southbound database, and ovn-controller on each hypervisor then syncs them into ovs/ovsdb-server, which finally produces the OVS ports, flow tables and so on.
An OVN logical switch uses Geneve tunnels to extend a layer-2 broadcast domain across the OVS instances on different hosts; an OVN logical router extends the layer-3 domain across those hosts in the same way, which is what makes cross-host communication possible.
Both OVN logical switches and logical routers generate their corresponding flows on every hypervisor, and that is also the principle behind OVN's high availability and its handling of problems such as instance migration.