OP | Posted on 2025-12-18 08:51:30
2. Network service: Neutron
Neutron applies the idea of software-defined networking to manage resources under network virtualization. Its design goal is Network as a Service (NaaS), and it is designed and managed along the SDN (Software Defined Network) architecture.
Neutron mainly consists of the Neutron server, Plugins and Agents. The Neutron server exposes the OpenStack networking API, receives requests and calls a Plugin to handle them; the Plugin handles the requests from the Neutron server, maintains the state of the OpenStack logical network and calls an Agent; the Agent handles the Plugin's requests and actually implements the network functions on the network provider. There is also a database that stores the OpenStack network state, including Network, Subnet, Port and Router objects.
3. OVS
OVS (Open vSwitch) is a virtual switch that is managed along the SDN (Software Defined Network) architecture.
OVS introduction reference: https://mp.weixin.qq.com/s?__biz ... 189#wechat_redirect
OVS consists of three components: the datapath, vswitchd and ovsdb.
datapath (openvswitch.ko): openvswitch.ko is the OVS kernel module. When it is loaded into the kernel it registers a hook on the network interface, and that hook is invoked for every packet the interface receives. The module first checks whether the packet matches a policy in the kernel (the kernel flow table); on a match the packet is forwarded in kernel space according to that entry, entirely inside the kernel and therefore very fast, which is called the fast path. If no kernel entry matches, the packet is handed to the user-space vswitchd process, which is called the slow path. The datapath can be configured with the ovs-dpctl command.
vswitchd: the core OVS module. It runs in user space and is responsible for talking to OpenFlow controllers and third-party software. When vswitchd receives a packet it looks it up in the user-space flow table; on a match it forwards according to the rule, otherwise it follows the OpenFlow specification and sends the packet to the controller (if there is one) or drops it.
ovsdb: the OVS database. It stores the complete OVS configuration: interfaces, switching settings, VLANs, virtual switch definitions and so on.
OVS terminology:
1. Bridge: a bridge, i.e. a switch (a virtual one, the vSwitch). A host can have several bridges. When a packet enters a bridge through one of its ports, the bridge forwards it to another port according to its rules, and may also modify or drop it. "Bridge" here means the virtual switch.
2. Port: a switch port. There are several types:
Normal: when a physical NIC is added to a bridge it becomes a Port of type Normal. Configuring an IP address on that NIC no longer makes sense; it has "degenerated into a cable" that only carries frames in and out. Normal ports are typically used in VLAN mode for the uplink connecting several physical hosts, with the physical switch side in trunk mode.
Internal: for this port type OVS automatically creates a virtual network interface (Interface). Data received on the port is delivered to that interface, and data sent from the interface goes through the port into OVS. When OVS creates a new bridge it automatically creates an Internal port and an Interface with the same name as the bridge. An Internal port can be given an IP address and brought up, which gives OVS layer-3 connectivity.
Patch: works like a veth pair and is commonly used to connect two bridges. (A veth pair is a pair of virtual network devices.)
Tunnel: implements overlay networks; supports GRE, VXLAN, STT, Geneve, IPsec and other tunnel protocols. A tunnel works at layer 3.
3. Interface: a network interface, either virtual (TUN/TAP) or physical. TAP: a single virtual network device working at layer 2; TUN: a single virtual network device working at layer 3. veth pair: two virtual network devices, commonly used to connect two bridges.
4. Controller: OVS can be managed by one or more OpenFlow controllers, whose main job is to push flow entries that control the forwarding rules.
5. FlowTable: the flow table is the core of OVS forwarding; it defines the rules for forwarding data between ports. Each flow entry has two parts, a match and actions: the match decides which packets are handled, and the actions decide what is done with them.
ens160 no longer has an IP address; traffic leaves through the IP address of br-ex.
OVS installation
1. Start a fresh Linux host.
2. Configure the online yum repositories (the OpenStack online yum repo).
Configure the yum repos (back up the existing ones first, then clear the directory):
# cd /etc/yum.repos.d/
# rm -rf *
# cat cloud.repo
[highavailability]
name=CentOS Stream 8 - HighAvailability
baseurl=https://mirrors.aliyun.com/centos/8-stream/HighAvailability/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[nfv]
name=CentOS Stream 8 - NFV
baseurl=https://mirrors.aliyun.com/centos/8-stream/NFV/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[rt]
name=CentOS Stream 8 - RT
baseurl=https://mirrors.aliyun.com/centos/8-stream/RT/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[resilientstorage]
name=CentOS Stream 8 - ResilientStorage
baseurl=https://mirrors.aliyun.com/centos/8-stream/ResilientStorage/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras-common]
name=CentOS Stream 8 - Extras packages
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/extras-common/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras]
name=CentOS Stream - Extras
mirrorlist=http://mirrorlist.centos.org/?release=&arch=&repo=extras&infra=
#baseurl=http://mirror.centos.org///extras//os/
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos/8-stream/cloud/x86_64/openstack-victoria/
#baseurl=https://repo.huaweicloud.com/centos/8-stream/cloud/x86_64/openstack-yoga/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
module_hotfixes=1

[powertools]
name=CentOS Stream 8 - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=&arch=&repo=PowerTools&infra=
baseurl=https://mirrors.aliyun.com/centos/8-stream/PowerTools/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

# yum clean all        # clear the cache
# yum makecache        # rebuild the cache
# yum repolist all     # list the yum repositories (13 of them)
3. Install the base packages and OVS (for Tab completion of commands, install the bash-completion package and then run bash).
If installing openvswitch3.1 fails with an error that the gpgkey file cannot be found, set gpgcheck=0 for that repo and install again.
yum install -y vim net-tools bash-completion centos-release-openstack-victoria.noarch tcpdump openvswitch3.1
Or install it separately: yum install -y openvswitch3.1*
Check the installed version: [root@ovs ~]# ovs-vsctl --version
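Two details of the repo configuration above are worth checking before it is copied to more hosts: the [centos-ceph-pacific] section ships with gpgcheck=0, the [extras] mirrorlist is fetched over plain http, and the tip of setting gpgcheck=0 whenever the gpgkey file cannot be found turns a one-off install problem into permanently unsigned package installs. The Python below is an added example, not part of this post or of any CentOS or OpenStack tool: it parses a constructed, cut-down .repo file in the same style (the [nosig] section is invented to show the missing-key case) and reports every enabled repo whose packages would install without signature verification or whose URLs are plaintext.

```python
"""Audit a yum/dnf .repo file for settings that weaken package authenticity.

Added example, not from this post or any CentOS/OpenStack tool. SAMPLE_REPO is
constructed: a cut-down cloud.repo in the style of the one above plus one
invented section ([nosig]) that has gpgcheck=1 but no gpgkey.
"""
import configparser
from typing import Dict, List

SAMPLE_REPO = """\
[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
enabled=1

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[extras]
name=CentOS Stream $releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=extras&infra=$infra
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[nosig]
name=constructed: signature check on, but no key to check with
baseurl=https://repo.example.invalid/el8/x86_64/
gpgcheck=1
enabled=1
"""


def audit_repos(text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [finding, ...]} for every enabled repo with a weak setting."""
    # interpolation=None: repo values contain '$' and '%' that configparser would otherwise expand
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings: Dict[str, List[str]] = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # dnf never consults a disabled repo
        issues: List[str] = []
        # A missing gpgcheck inherits the [main] default; treat it as off, the conservative reading.
        if sec.get("gpgcheck", "0").strip() != "1":
            issues.append("gpgcheck is off: packages install without RPM signature verification")
        elif not sec.get("gpgkey", "").strip():
            issues.append("gpgcheck=1 but no gpgkey: installs fail, which tempts people to set gpgcheck=0")
        for key in ("baseurl", "mirrorlist", "gpgkey"):
            for url in sec.get(key, "").split():
                if url.lower().startswith("http://"):
                    issues.append(f"{key} fetched over plaintext http: {url}")
        if issues:
            findings[repo] = issues
    return findings


def report(text: str) -> str:
    """Human-readable summary, one line per finding."""
    lines = [f"[{repo}] {issue}" for repo, issues in audit_repos(text).items() for issue in issues]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_REPO))
```

Run it against the real file with `report(open("/etc/yum.repos.d/cloud.repo").read())`; a clean result means every enabled repo verifies RPM signatures with a configured key and fetches metadata over TLS.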
4. Start the OVS service
[root@ovs ~]# systemctl start openvswitch
[root@ovs ~]# systemctl enable openvswitch
[root@ovs ~]# ps -ef | grep openvswitch
[root@ovs ~]# ovs-vsctl show        # show the OVS virtual switch information
[root@ovs ~]# ovs-vsctl --help      # get help; or: man ovs-vsctl
5. Create OVS virtual switches
Creating a virtual switch also creates a Port and an Interface with the same name as the switch, of type internal.

[root@ovs ~]# ovs-vsctl add-br br-int
[root@ovs ~]# ovs-vsctl add-br br-memeda     # add
[root@ovs ~]# ovs-vsctl del-br br-memeda     # delete
[root@ovs ~]# ovs-vsctl list-br              # list
br-int
br-memeda
[root@ovs ~]# ovs-vsctl show     # query the OVS virtual switch information; a Bridge is a virtual switch
54c67146-9a9f-40be-8cb7-e8792879aafa
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Use lightweight network namespaces to simulate virtual machines.

[root@ovs ~]# ip netns            # list network namespaces
[root@ovs ~]# ip netns add ns1    # add a network namespace
[root@ovs ~]# ip netns add ns2
[root@ovs ~]# ip netns
ns2
ns1
Create two veth pairs (each veth pair has two virtual network interfaces; a veth can be thought of as a NIC port) and move one end of each (veth1 and veth2) into the two network namespaces. A veth pair is a pair of virtual network devices.

Create the two veth pairs and place one end of each pair in the two namespaces created above:
# ip link help     # or: man ip link
Configure the first network namespace:
[root@ovs ~]# ip link add veth11 type veth peer name veth1
[root@ovs ~]# ip link set veth1 netns ns1
[root@ovs ~]# ip netns exec ns1 ip link set veth1 up
Configure the second network namespace:
[root@ovs ~]# ip link add veth22 type veth peer name veth2
[root@ovs ~]# ip link set veth2 netns ns2
[root@ovs ~]# ip netns exec ns2 ip link set veth2 up
Connect the other ends (veth11 and veth22) to the OVS virtual switch.

[root@ovs ~]# ip link set veth11 up
[root@ovs ~]# ip link set veth22 up
[root@ovs ~]# ovs-vsctl add-port br-memeda veth11
[root@ovs ~]# ovs-vsctl add-port br-memeda veth22
[root@ovs ~]# ovs-vsctl show     # br-memeda now has two more Ports (Port veth22 and Port veth11)
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            Interface veth22
        Port veth11
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Manually assign IP addresses in the two network namespaces.

[root@ovs ~]# ip netns exec ns1 ip addr add 1.1.1.1/24 dev veth1
[root@ovs ~]# ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: veth1@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:f9:3b:cb:9b:c5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.1/24 scope global veth1
       valid_lft forever preferred_lft forever
    inet6 fe80::fcf9:3bff:fecb:9bc5/64 scope link
       valid_lft forever preferred_lft forever
[root@ovs ~]# ip netns exec ns2 ip addr add 1.1.1.2/24 dev veth2
[root@ovs ~]# ip netns exec ns2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth2@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:e3:ac:a8:f3:bc brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.2/24 scope global veth2
       valid_lft forever preferred_lft forever
    inet6 fe80::8e3:acff:fea8:f3bc/64 scope link
       valid_lft forever preferred_lft forever
Test connectivity between the two network namespaces:
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=2.98 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.167 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.081 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2065ms
rtt min/avg/max/mdev = 0.081/1.075/2.979/1.346 ms
[root@ovs ~]# ip netns exec ns2 ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.923 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.084 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.091 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.084/0.366/0.923/0.393 ms
VLAN (virtual local area network): VLANs isolate traffic to reduce network congestion and for packet security.
An OVS virtual switch can define VLANs just like a physical switch. Create one VLAN 10 (tag 10) and one VLAN 20 (tag 20), give the two veth ports plugged into the OVS switch different tags (the default is 0), i.e. put them in different VLANs, then verify connectivity.

[root@ovs ~]# ovs-vsctl set port veth11 tag=10
[root@ovs ~]# ovs-vsctl set port veth22 tag=20
[root@ovs ~]# ovs-vsctl show     # Port veth22 and Port veth11 on br-memeda now carry a tag
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 20
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Once the ports are in different VLANs (tags) the ping fails; crossing VLANs requires a router or a physical layer-3 switch.

[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2064ms
[root@ovs ~]# ovs-vsctl set port veth22 tag=10     # with veth22 also on tag=10 both ports are in the same VLAN and talk at layer 2 again
[root@ovs ~]# ovs-vsctl show
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 10
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2     # same VLAN (tag): the ping succeeds, layer-2 communication works
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.093 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.086 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2051ms
rtt min/avg/max/mdev = 0.086/0.535/1.426/0.630 ms
FlowTable: the flow table is the core of OVS forwarding; it defines the rules for forwarding data between ports. Each flow entry has two parts, a match and actions: the match decides which packets are handled, and the actions decide what is done with them.
Traffic direction: flow entries are added against the port on which the traffic enters.
View the default OVS flow table:
[root@ovs ~]# ovs-ofctl dump-flows br-memeda     # show the flow rules of the virtual switch
 cookie=0x0, duration=2161.884s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
At this point OVS behaves like a traditional switch. Now add a flow entry with priority 2 (a higher number means a higher priority, so it beats the default entry's priority 0) that drops everything arriving on veth11; ns1 can then no longer ping ns2.
[root@ovs ~]# ovs-ofctl add-flow br-memeda "priority=2,in_port=veth11,actions=drop"     # add a flow rule
[root@ovs ~]# ovs-ofctl dump-flows br-memeda
 cookie=0x0, duration=2.578s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=veth11 actions=drop
 cookie=0x0, duration=2217.329s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2076ms
Delete the entry just added and ns1 and ns2 communicate normally again.
[root@ovs ~]# ovs-ofctl del-flows br-memeda "in_port=veth11"     # deleting the rule just added restores connectivity
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.766 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.096 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.088 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2043ms
rtt min/avg/max/mdev = 0.088/0.316/0.766/0.318 ms
[root@ovs ~]# ovs-ofctl dump-flows br-memeda
 cookie=0x0, duration=2315.744s, table=0, n_packets=59, n_bytes=4438, priority=0 actions=NORMAL
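The three mechanisms this walkthrough exercises can be replayed offline in a small model: the exact-match kernel cache in front of the user-space flow table (the fast path and slow path described under the OVS components), access-port VLAN tags, and the priority-ordered flow table whose default entry is priority=0 actions=NORMAL. The Python below is an added example, not Open vSwitch code and not part of the original post; the Bridge, Flow and Packet classes and the port names are constructed, only in_port is modelled as a match field, and the NORMAL action is reduced to same-VLAN delivery without MAC learning.

```python
"""Toy model of one OVS bridge, mirroring the br-memeda walkthrough above.

Added example, not Open vSwitch code: Bridge, Flow, Packet and the port names are
constructed. Modelled: access-port VLAN tags, a priority-ordered OpenFlow table
whose default entry is "priority=0 actions=NORMAL", and an exact-match cache in
front of it (the kernel fast path; a miss takes the slow path through the table).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    in_port: str  # the only match field modelled: the port the frame arrived on


@dataclass
class Flow:
    priority: int
    in_port: Optional[str]  # None = wildcard, matches every port
    action: str             # "NORMAL" (switch behaviour) or "drop"

    def matches(self, pkt: Packet) -> bool:
        return self.in_port is None or self.in_port == pkt.in_port


class Bridge:
    def __init__(self) -> None:
        self.ports: Dict[str, int] = {}          # port name -> access VLAN tag (0 = untagged)
        self.flows: List[Flow] = [Flow(0, None, "NORMAL")]  # a fresh bridge's only entry
        self.cache: Dict[str, List[str]] = {}    # in_port -> output ports (kernel flow cache)
        self.slow_path_hits = 0

    # Every configuration change invalidates the cache, as OVS revalidation does.
    def add_port(self, name: str, tag: int = 0) -> None:
        self.ports[name] = tag
        self.cache.clear()

    def set_tag(self, name: str, tag: int) -> None:  # ovs-vsctl set port <name> tag=<tag>
        self.ports[name] = tag
        self.cache.clear()

    def add_flow(self, priority: int, in_port: Optional[str], action: str) -> None:
        self.flows.append(Flow(priority, in_port, action))   # ovs-ofctl add-flow
        self.flows.sort(key=lambda f: -f.priority)           # highest priority consulted first
        self.cache.clear()

    def del_flows(self, in_port: str) -> None:  # ovs-ofctl del-flows <br> "in_port=<name>"
        self.flows = [f for f in self.flows if f.in_port != in_port]
        self.cache.clear()

    def _classify(self, pkt: Packet) -> str:
        """Slow path: the first matching entry in priority order wins."""
        for flow in self.flows:
            if flow.matches(pkt):
                return flow.action
        return "drop"  # not reached while the priority-0 wildcard entry exists

    def _normal(self, pkt: Packet) -> List[str]:
        """NORMAL reduced to its VLAN rule: deliver only to ports carrying the same tag.
        Real OVS also learns MAC addresses; flooding within the VLAN stands in for that."""
        tag = self.ports[pkt.in_port]
        return [p for p, t in self.ports.items() if t == tag and p != pkt.in_port]

    def forward(self, pkt: Packet) -> List[str]:
        """Ports a frame arriving on pkt.in_port is delivered to."""
        if pkt.in_port in self.cache:  # fast path: exact-match hit, no classification
            return self.cache[pkt.in_port]
        self.slow_path_hits += 1       # slow path: full table lookup
        action = self._classify(pkt)
        out = [] if action == "drop" else self._normal(pkt)
        self.cache[pkt.in_port] = out  # install so the next identical frame is a hit
        return out


def can_reach(br: Bridge, a: str, b: str) -> bool:
    """ping needs both directions: the request a->b and the reply b->a."""
    return b in br.forward(Packet(a)) and a in br.forward(Packet(b))


def walkthrough() -> Dict[str, bool]:
    """Replay the post's br-memeda steps; record ns1<->ns2 reachability after each."""
    br = Bridge()
    br.add_port("veth11")
    br.add_port("veth22")
    r = {"untagged": can_reach(br, "veth11", "veth22")}
    br.set_tag("veth11", 10)
    br.set_tag("veth22", 20)
    r["vlan10_vs_vlan20"] = can_reach(br, "veth11", "veth22")
    br.set_tag("veth22", 10)
    r["same_vlan"] = can_reach(br, "veth11", "veth22")
    br.add_flow(2, "veth11", "drop")
    r["drop_in_port_veth11"] = can_reach(br, "veth11", "veth22")
    br.del_flows("veth11")
    r["after_del_flows"] = can_reach(br, "veth11", "veth22")
    before = br.slow_path_hits
    for _ in range(2):
        br.forward(Packet("veth11"))  # repeats of a cached frame never reach the classifier
    r["repeat_frames_hit_fast_path"] = br.slow_path_hits == before
    return r
```

Running `walkthrough()` reproduces the sequence of ping results above: reachable while untagged, blocked with tags 10 and 20, reachable again on a shared tag, blocked while the priority-2 drop entry exists, reachable after it is deleted. The last entry shows why a configuration change must invalidate the cache: a drop rule added to the table would otherwise be bypassed by frames that still hit an older cached decision.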
4. OVN
OVN is built on top of OVS and is managed along the SDN (Software Defined Network) architecture: software separates the control plane from the forwarding plane, with OVN as the control plane and OVS as the forwarding plane.
OVN is built on OVS and needs OVS underneath it; OVS can be thought of as a layer-2 switch and OVN as a layer-3 switch.
Plain OVS still has some problems in cloud computing, for example:
1. OVS only does layer-2 forwarding and has no layer-3 capability, so routing cannot be configured on OVS;
2. OVS has no high-availability configuration;
3. In virtualization a VM migrating from one physical host to another, and in the container world a container moving from one node to another, are very common scenarios, but plain OVS configuration only applies to the current node. After such a migration the new node's OVS has no matching configuration, and the migrated VM or container cannot work properly.
To address these problems OVN (Open Virtual Network) appeared. OVN provides:
1. distributed virtual routers
2. distributed logical switches
3. access control lists (ACL)
4. DHCP
5. DNS server
In OpenStack, creating a network is equivalent to creating a logical virtual switch; the logical switch (network) is stored in the northbound database.
The OVN logical architecture, as shown on the OVN website:

                                         CMS
                                          |
                                          |
                              +-----------|-----------+
                              |           |           |
                              |     OVN/CMS Plugin    |
                              |           |           |
                              |           |           |
                              |   OVN Northbound DB   |
                              |           |           |
                              |           |           |
                              |       ovn-northd      |
                              |           |           |
                              +-----------|-----------+
                                          |
                                          |
                                +-------------------+
                                | OVN Southbound DB |
                                +-------------------+
                                          |
                                          |
                       +------------------+------------------+
                       |                  |                  |
         HV 1          |                  |    HV n          |
       +---------------|---------------+  .  +---------------|---------------+
       |               |               |  .  |               |               |
       |        ovn-controller         |  .  |        ovn-controller         |
       |         |          |          |  .  |         |          |          |
       |         |          |          |     |         |          |          |
       |  ovs-vswitchd   ovsdb-server  |     |  ovs-vswitchd   ovsdb-server  |
       |                               |     |                               |
       +-------------------------------+     +-------------------------------+
OVN nodes fall into two classes by function:
central: the central node; its components are the OVN/CMS plugin, the OVN Northbound DB, ovn-northd and the OVN Southbound DB.
hypervisor (hv): a worker node; its components are ovn-controller, ovs-vswitchd and ovsdb-server.
The central-node components and the hypervisor components run on the same physical node.
The components do the following:
1. CMS: Cloud Management Software, for example OpenStack (OVN was originally designed for OpenStack).
2. OVN/CMS plugin: the cloud management software's plugin, for example OpenStack's Neutron plugin. It translates the logical network configuration into data OVN understands and writes it to the northbound database (OVN Northbound DB).
3. OVN Northbound DB: the OVN northbound database stores the configuration pushed by the CMS plugin. It has two clients, the CMS plugin and ovn-northd, and can be operated directly with the ovn-nbctl command. The northbound database holds the logical network (switches, routers and so on).
4. ovn-northd: the northbound daemon translates the data in the OVN Northbound DB and stores the result in the OVN Southbound DB. All information passes from the northbound database through ovn-northd to the southbound database.
5. OVN Southbound DB: the OVN southbound database also has two clients: ovn-northd above it and the ovn-controller running on every hypervisor below it. It can be operated directly with the ovn-sbctl command. The southbound database holds the physical network information of each node.
6. ovn-controller: OVN's agent on each hypervisor. Northbound it connects to the OVN Southbound Database, learns the latest configuration and translates it into OpenFlow flows; southbound it connects to ovs-vswitchd to push those flows, and to ovsdb-server to fetch the configuration it needs.
7. ovs-vswitchd and ovsdb-server: the two user-space OVS processes.
Every node has an ovn-controller that manages OVS (ovs-vswitchd and ovsdb-server). ovn-controller connects to the southbound database, which is linked to the northbound database through ovn-northd, which in turn is linked to OpenStack.
The southbound database holds physical network state; the northbound database holds logical network state.
Clone two VMs and install OVS and OVN.

CentOS Stream 8

systemctl stop firewalld.service
systemctl disable firewalld.service
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
mkdir /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/

# l' d+ O6 V- U% Xcat <<EOF > /etc/yum.repos.d/cloudcs.repo! X0 ]; c/ }' M( q0 k
[ceph]
+ z" g3 h& x- i8 V7 j, gname=ceph
5 k2 s" ? h, \) @4 @) Y$ f! rbaseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/x86_64/1 [+ \7 r, i0 [1 Y
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc. o! N0 E; i& L- U- F. h
gpgcheck=1
x; H! a! t5 Jenabled=1
2 ?2 x) G3 [: g, e+ ?. [
) X1 Q& t% q& T3 f[ceph-noarch]
* b& I0 `4 e; X- m- bname=ceph-noarch3 }- J; X& J3 X- b0 Q/ l" L
baseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/noarch/& F( ]5 X$ a- w6 f
gpgcheck=1
7 I% e) a! r3 D* Qgpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc
% y8 e/ |- L+ ] m7 Uenabled=1& e6 A8 _# Y+ {" x4 K3 R
# f4 f) m' Q; g" X. n) U
[ceph-SRPMS]+ |9 b1 N& h% y: d9 z& m5 {+ Y
name=SRPMS
/ s0 \2 {, F3 g3 P5 c. J* e4 zbaseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/SRPMS/+ f+ @$ ^8 m( _1 ^4 t1 o3 J
gpgcheck=1* n- T1 C" m$ g7 N
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc2 i/ [5 T* ^$ h3 ?' [
enabled=1
% Y( K: U& U- _8 S9 `
3 |- b( |. C: S+ ~[highavailability]# @2 q+ \! ]. Q2 w3 l( V
name=CentOS Stream 8 - HighAvailability
0 C. U1 ]" W: R( z0 e# H7 L3 A1 ^baseurl=https://mirrors.aliyun.com/centos/8-stream/HighAvailability/x86_64/os/7 Q, v2 I5 z3 _) C" r
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial# i4 g: P1 L5 |9 y
gpgcheck=1; v3 p7 Q0 K8 k/ h
repo_gpgcheck=0& h9 `! y! G2 S. l2 ~
metadata_expire=6h
- K2 ^% @# N: v: {; ~countme=1
8 L0 y% |* B6 |9 R$ @8 senabled=10 B! V6 y" r0 ^$ Y4 J
R3 w1 O) V, @: c5 I[nfv]0 I4 S, S6 n; ]$ E7 \6 K
name=CentOS Stream 8 - NFV
: s. G7 r2 }1 k7 @baseurl=https://mirrors.aliyun.com/centos/8-stream/NFV/x86_64/os/
: C1 R7 e7 G+ m9 }6 R* Pgpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
5 q5 h( F7 ]7 J! wgpgcheck=1! ~$ l M- ^& _7 L! N
repo_gpgcheck=0
! h* r: i; a" e& \6 P+ }+ pmetadata_expire=6h, |+ G: `2 F0 X
countme=1
; ~0 x6 c- Y5 L* t" denabled=1
! J+ l: A4 y0 b0 B' e8 Z
% |: X' ]7 E F( w[rt]
9 x# G2 n# ?' b, e- z& { d A' Nname=CentOS Stream 8 - RT
' f! \4 B3 J" t1 o8 C4 X/ ~* m, rbaseurl=https://mirrors.aliyun.com/centos/8-stream/RT/x86_64/os/0 Q1 X @. b, i1 I; w6 g" S
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial* W/ a$ h5 [: G7 s5 ~
gpgcheck=1
. G3 S' v% l9 h1 ^) prepo_gpgcheck=0
% Z+ C3 u3 F7 R- q( {: \metadata_expire=6h8 x. O2 m; H/ G' s
countme=1
9 b6 s- y6 q2 o1 Benabled=1
: x* e/ l4 }1 o. G4 u* u) f, r, h6 S. S& r) Z
[resilientstorage]& o* o4 m, c' u+ q! A# ^
name=CentOS Stream 8 - ResilientStorage
6 I v7 `. z, Q* jbaseurl=https://mirrors.aliyun.com/centos/8-stream/ResilientStorage/x86_64/os/1 I* [) M6 Z7 N1 b! ^: h4 D- a0 F
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial4 c* i% K1 x- r
gpgcheck=12 E7 a1 S* C. y! E0 T" t- t2 k9 s
repo_gpgcheck=02 i+ F+ G1 h8 I; |1 l8 Z* m
metadata_expire=6h
1 [' r: y! p9 j+ scountme=11 m" l& u9 F# ? k9 {" ^
enabled=16 C7 A7 s* ]5 |: Q. K2 o/ J
4 Y. k9 T4 c9 D( t% F+ H
[extras-common]
& P. T2 [1 g3 q8 u8 p, i, l Lname=CentOS Stream 8 - Extras packages/ y$ d! X+ l! y6 X' k6 A3 S! s ^5 r
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/extras-common/
4 ?" ]7 Z9 Z2 |& n1 |& R, pgpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
0 ]8 q8 ~9 o; Y/ ?8 J0 o' |1 agpgcheck=14 f- m. }% R, J; ?+ `
repo_gpgcheck=00 |1 r( y& u$ E- |; V! g0 b
metadata_expire=6h
& A9 ~: Y/ V; F( s% `4 Lcountme=1
! H: h, w$ f5 A% ?enabled=1- K' Q" _' \9 g) b8 c
3 P! D* S% d- e2 n* l
[extras]
4 d' z4 H+ k( o1 d: ^name=CentOS Stream $releasever - Extras
1 l5 K, I0 d( j5 Kmirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=extras&infra=$infra
/ Q; R' j; c0 y7 K1 [$ U#baseurl=http://mirror.centos.org/$contentdir/$stream/extras/$basearch/os/
$ n$ U* v% I& v! gbaseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
; {; t; l6 E$ k0 H9 Ngpgcheck=1
/ U: r! y+ y5 `) ~enabled=16 H, A7 c) M! [5 Z
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos/8-stream/cloud/x86_64/openstack-victoria/
#baseurl=https://repo.huaweicloud.com/centos/8-stream/cloud/x86_64/openstack-yoga/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
module_hotfixes=1

[powertools]
name=CentOS Stream 8 - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=PowerTools&infra=$infra
baseurl=https://mirrors.aliyun.com/centos/8-stream/PowerTools/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
EOF
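A lint pass over these repo definitions, added here as an example (not part of the original post): it parses the heredoc body as INI and reports enabled repos with gpgcheck off, no gpgkey, or a plain-HTTP baseurl, since the ceph-pacific entry above has gpgcheck=0 and packages from it would be installed without signature verification. The example-plain-http entry in the sample is hypothetical.

```python
import configparser

# Constructed sample: the ceph-pacific and nfv entries from the post above, plus a
# hypothetical plain-HTTP entry (not from the post) to exercise the third check.
SAMPLE_REPO = """
[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[example-plain-http]
name=hypothetical mirror over plain HTTP
baseurl=http://mirror.example.invalid/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
"""


def lint_repos(text: str) -> dict:
    """Return {repo_id: [findings]} for every enabled repo with a weak setting.

    Checks, in order: signature verification disabled, no key to verify with,
    and a base URL fetched over plain HTTP (metadata and packages can be swapped in transit).
    """
    parser = configparser.ConfigParser(interpolation=None)  # '$' appears in yum URLs
    parser.read_string(text)
    findings = {}
    for repo in parser.sections():
        sec = parser[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo cannot install anything
        problems = []
        if sec.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck is not 1: package signatures are not verified")
        if not sec.get("gpgkey", "").strip():
            problems.append("no gpgkey: nothing to verify signatures against")
        for url in sec.get("baseurl", "").split():
            if url.startswith("http://"):
                problems.append(f"baseurl {url} is plain HTTP")
        if problems:
            findings[repo] = problems
    return findings


if __name__ == "__main__":
    for repo_id, problems in lint_repos(SAMPLE_REPO).items():
        for problem in problems:
            print(f"{repo_id}: {problem}")
```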

yum install -y vim net-tools bash-completion git tcpdump autoconf automake libtool make python3 centos-release-openstack-victoria.noarch
yum install -y openvswitch3.1*
yum install -y ovn22.12*
Check the installed version to confirm that OVN was installed successfully: # ovn-appctl --version
echo 'export PATH=$PATH:/usr/share/ovn/scripts:/usr/share/openvswitch/scripts' >> /etc/profile
source /etc/profile    # re-read the profile so the new PATH takes effect immediately
Starting the central components: node1 is used as the central node. Install the three components central requires: the OVN Northbound DB, ovn-northd and the OVN Southbound DB.
Start central on a control node. It only needs to run on one control node (node1 or node2 would both do; here it is node1): a single set of central components is enough.

The ovn-ctl start_northd command starts three services automatically: the northbound database, ovn-northd and the southbound database.
[root@node1 ~]# ovn-ctl start_northd
/etc/ovn/ovnnb_db.db does not exist ... (warning).
Creating empty database /etc/ovn/ovnnb_db.db [ OK ]
Starting ovsdb-nb [ OK ]
/etc/ovn/ovnsb_db.db does not exist ... (warning).
Creating empty database /etc/ovn/ovnsb_db.db [ OK ]
Starting ovsdb-sb [ OK ]
Starting ovn-northd [ OK ]

[root@node1 ~]# ps -ef | grep ovn
root 34102 34101 0 21:02 ? 00:00:00 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-nb.log --remote=punix:/var/run/ovn/ovnnb_db.sock --pidfile=/var/run/ovn/ovnnb_db.pid --unixctl=/var/run/ovn/ovnnb_db.ctl --detach --monitor --remote=db:OVN_Northbound,NB_Global,connections --private-key=db:OVN_Northbound,SSL,private_key --certificate=db:OVN_Northbound,SSL,certificate --ca-cert=db:OVN_Northbound,SSL,ca_cert --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers /etc/ovn/ovnnb_db.db
root 34118 34117 0 21:02 ? 00:00:00 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-sb.log --remote=punix:/var/run/ovn/ovnsb_db.sock --pidfile=/var/run/ovn/ovnsb_db.pid --unixctl=/var/run/ovn/ovnsb_db.ctl --detach --monitor --remote=db:OVN_Southbound,SB_Global,connections --private-key=db:OVN_Southbound,SSL,private_key --certificate=db:OVN_Southbound,SSL,certificate --ca-cert=db:OVN_Southbound,SSL,ca_cert --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers /etc/ovn/ovnsb_db.db
root 34128 1 0 21:02 ? 00:00:00 ovn-northd: monitoring pid 34129 (healthy)
root 34129 34128 0 21:02 ? 00:00:00 ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/var/run/ovn/ovnnb_db.sock --ovnsb-db=unix:/var/run/ovn/ovnsb_db.sock --no-chdir --log-file=/var/log/ovn/ovn-northd.log --pidfile=/var/run/ovn/ovn-northd.pid --detach --monitor
root 34302 34259 0 21:07 pts/0 00:00:00 grep --color=auto ovn
Starting the hypervisor components: a hypervisor node runs three components: ovn-controller, ovs-vswitchd and ovsdb-server.
Start the hypervisor (hv) components on both node1 and node2. First start ovs-vswitchd and ovsdb-server on both nodes.

[root@node1 ~]# ovs-ctl start --system-id=random
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]

[root@node2 ~]# ovs-ctl start --system-id=random
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]
Start ovn-controller on each of the two nodes
[root@node1 ~]# ovn-ctl start_controller
Starting ovn-controller [ OK ]
[root@node1 ~]# ovs-vsctl show    # once ovn-controller is running, it creates the br-int bridge automatically
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"

[root@node2 ~]# ovn-ctl start_controller
Starting ovn-controller [ OK ]
[root@node2 ~]# ovs-vsctl show    # once ovn-controller is running, it creates the br-int bridge automatically
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
At this point the hypervisors are not yet associated with central (that is, ovn-controller has not connected to the southbound database). This can be verified on node1: [root@node1 ~]# ovn-nbctl show
Connecting the hypervisors to central: open the northbound and southbound database ports.
ovn-northd can reach the southbound and northbound databases only because they are deployed on the same machine and it connects over a unix socket.
The central node opens northbound database port 6641, which is mainly for CMS plugins to connect to.
The central node opens southbound database port 6642, which ovn-controller connects to.
[root@node1 ~]# ovn-nbctl set-connection ptcp:6641:10.1.1.41
[root@node1 ~]# ovn-sbctl set-connection ptcp:6642:10.1.1.41
[root@node1 ~]# netstat -tulnp |grep 664
tcp        0      0 10.1.1.41:6641          0.0.0.0:*               LISTEN      34102/ovsdb-server
tcp        0      0 10.1.1.41:6642          0.0.0.0:*               LISTEN      34118/ovsdb-server
On node1, point ovn-controller at the southbound database
ovn-remote: the address of the southbound database
ovn-encap-ip: the local IP of this node's OVS/controller
ovn-encap-type: the tunnel protocol; geneve is used here
system-id: the node's identifier
[root@node1 ~]# ovs-vsctl set Open_vSwitch . external-ids:ovn-remote="tcp:10.1.1.41:6642" external-ids:ovn-encap-ip="10.1.1.41" external-ids:ovn-encap-type=geneve external-ids:system-id=node1

On node2, point ovn-controller at the southbound database
[root@node2 ~]# ovs-vsctl set Open_vSwitch . external-ids:ovn-remote="tcp:10.1.1.41:6642" external-ids:ovn-encap-ip="10.1.1.42" external-ids:ovn-encap-type=geneve external-ids:system-id=node2

View the southbound database on node1
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
The logical architecture so far has been viewed from the angle of the underlying components and services.
Next, switch angle and look at it from the logical network's point of view.
Geneve tunnel: when ovn-controller was pointed at the southbound database, external-ids:ovn-encap-type=geneve was set. Looking at the OVS state on the two nodes now, each has an OVS bridge br-int created by OVN, and the port/interface that br-int has gained for the peer node is of type geneve.
[root@node1 ~]# ovs-vsctl show    # OVS state on node1
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"

[root@node2 ~]# ovs-vsctl show    # OVS state on node2
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port ovn-node1-0
            Interface ovn-node1-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.41"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
[root@node1 ~]# ip link | grep gene    # look at the geneve tunnel link
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
Show the geneve tunnel link details; dstport 6081 shows that the geneve tunnel's UDP port is 6081
[root@node1 ~]# ip -d link show genev_sys_6081
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 6a:e3:ff:a5:cc:d6 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65465
    geneve external id 0 ttl auto dstport 6081 udp6zerocsumrx
    openvswitch_slave addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
Check the geneve UDP port; a "-" in the last column means the port is held by a kernel-space listener, not a user-space process
[root@node1 ~]# netstat -nulp|grep 6081
udp        0      0 0.0.0.0:6081            0.0.0.0:*                           -
udp6       0      0 :::6081                 :::*                                -

[root@node2 ~]# ip link | grep gene
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
[root@node2 ~]# ip -d link show genev_sys_6081
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 4e:db:f1:e4:43:94 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65465
    geneve external id 0 ttl auto dstport 6081 udp6zerocsumrx
    openvswitch_slave addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
[root@node2 ~]# netstat -nulp|grep 6081
udp        0      0 0.0.0.0:6081            0.0.0.0:*                           -
udp6       0      0 :::6081                 :::*                                -

When running the experiments below, take care that the MAC addresses you configure are valid; do not mis-configure them. MAC addresses fall into three classes:
Broadcast address (all F):
FF:FF:FF:FF:FF:FF
Multicast addresses (first byte odd):
X1:XX:XX:XX:XX:XX
X3:XX:XX:XX:XX:XX
X5:XX:XX:XX:XX:XX
X7:XX:XX:XX:XX:XX
X9:XX:XX:XX:XX:XX
XB:XX:XX:XX:XX:XX
XD:XX:XX:XX:XX:XX
XF:XX:XX:XX:XX:XX
Usable unicast MAC addresses (first byte even):
X0:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X4:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX
X8:XX:XX:XX:XX:XX
XA:XX:XX:XX:XX:XX
XC:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
On each node create a network namespace ns1 (the two live on different nodes, so the same name does not clash). A network namespace can be thought of as a virtual machine. Then create a port/interface pair on the OVS bridge and move one interface into the namespace. veth pair: two virtual network endpoints (devices); think of a veth as a NIC port, with one end in the virtual machine and the other on the br-int virtual switch.

Run on node1
[root@node1 ~]# ip netns add ns1
[root@node1 ~]# ip link add veth11 type veth peer name veth12
[root@node1 ~]# ip link set veth12 netns ns1
[root@node1 ~]# ip link set veth11 up
[root@node1 ~]# ip netns exec ns1 ip link set veth12 address 00:00:00:00:00:01
[root@node1 ~]# ip netns exec ns1 ip link set veth12 up
[root@node1 ~]# ovs-vsctl add-port br-int veth11
[root@node1 ~]# ip netns exec ns1 ip addr add 192.168.1.10/24 dev veth12

Run on node2; note that veth12's IP here is in the same subnet as veth12's IP on node1
[root@node2 ~]# ip netns add ns1
[root@node2 ~]# ip link add veth11 type veth peer name veth12
[root@node2 ~]# ip link set veth12 netns ns1
[root@node2 ~]# ip link set veth11 up
[root@node2 ~]# ip netns exec ns1 ip link set veth12 address 00:00:00:00:00:02
[root@node2 ~]# ip netns exec ns1 ip link set veth12 up
[root@node2 ~]# ovs-vsctl add-port br-int veth11
[root@node2 ~]# ip netns exec ns1 ip addr add 192.168.1.20/24 dev veth12

View the br-int bridge on node1
[root@node1 ~]# ovs-vsctl show
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port veth11
            Interface veth11
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"
View the br-int bridge on node2
[root@node2 ~]# ovs-vsctl show
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port veth11
            Interface veth11
        Port ovn-node1-0
            Interface ovn-node1-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.41"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"

Right now ns1 on node1 cannot ping ns1 on node2: they are networks on different hosts, and their layer-2/layer-3 broadcast domains are not yet joined.
[root@node1 ~]# ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
--- 192.168.1.20 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2047ms
Looking at the OpenStack control node shows that OVN's northbound database holds logical switch entries.
In OpenStack, creating a network amounts to creating a logical virtual switch; the logical switch (network) information is stored in the northbound database. One network is one logical switch.
Checking on node1 shows that OVN's northbound database has no logical switch entries.
In OpenStack, VMs on different nodes can reach each other because both VM IPs are attached to the same network, i.e. different IPs in the same subnet on the same logical switch.
The ns1 "VMs" on our two nodes have manually configured, isolated IPs and cannot reach each other; they are not attached to any logical switch. Adding a logical switch will connect them.
Logical Switch: for the two namespaces attached to the OVS bridges on node1 and node2 to communicate, an OVN logical switch is needed. Note that the logical switch is a northbound-database concept.

Create the logical switch on node1
[root@node1 ~]# ovn-nbctl ls-add ls1
[root@node1 ~]# ovn-nbctl show
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
Add ports to the logical switch
Add and configure the port for node1; the MAC address must match the namespace end of the veth pair
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-node1-ns1
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node1-ns1 00:00:00:00:00:01
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls1-node1-ns1 00:00:00:00:00:01
Add and configure the port for node2; again the MAC address must match
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-node2-ns1
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node2-ns1 00:00:00:00:00:02
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls1-node2-ns1 00:00:00:00:00:02
View the logical switch
[root@node1 ~]# ovn-nbctl show
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
Run on node1: attach port veth11 to the logical switch port
[root@node1 ~]# ovs-vsctl set interface veth11 external-ids:iface-id=ls1-node1-ns1
Run on node2: attach port veth11 to the logical switch port
[root@node2 ~]# ovs-vsctl set interface veth11 external-ids:iface-id=ls1-node2-ns1
Look at the southbound database again; the ports are now bound
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Verify connectivity from node1
[root@node1 ~]# ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=4.68 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.908 ms
64 bytes from 192.168.1.20: icmp_seq=3 ttl=64 time=0.756 ms

--- 192.168.1.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 0.756/2.115/4.682/1.816 ms
Verify connectivity from node2
[root@node2 ~]# ip netns exec ns1 ping -c 3 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.34 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.863 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=64 time=0.372 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.372/1.525/3.342/1.300 ms
ns1 on node1 and ns1 on node2 can now reach each other. This is equivalent to having created two instances whose subnet is attached to the same logical switch: different IPs in the same subnet on the same logical switch, so they communicate.
Geneve tunnel verification: using the case of ns1 on node1 pinging ns1 on node2, capture packets at each relevant component to verify geneve encapsulation and decapsulation. The captures show the role the geneve tunnel plays in OVN/OVS cross-host communication, and that an OVN logical switch stitches the layer-2 networks on different hosts together, i.e. it extends the OVS layer-2 broadcast domain across hosts.

// ns1 on node1 pings ns1 on node2
# ip netns exec ns1 ping -c 1 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=1.00 ms
--- 192.168.1.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.009/1.009/1.009/0.000 ms

// capture on veth12 inside ns1 on node1
# ip netns exec ns1 tcpdump -i veth12 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth12, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:11.364011 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 24275, seq 1, length 64
22:23:11.365000 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 24275, seq 1, length 64
22:23:16.364932 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:23:16.365826 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on veth11, the other end of veth12, on node1
# tcpdump -i veth11 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
22:25:11.225987 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 25166, seq 1, length 64
22:25:11.226914 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 25166, seq 1, length 64
22:25:16.236933 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:25:16.237563 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:25:16.237627 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
22:25:16.237649 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on the genev_sys_6081 interface on node1
# tcpdump -i genev_sys_6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on genev_sys_6081, link-type EN10MB (Ethernet), capture size 262144 bytes
22:28:15.872064 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 26492, seq 1, length 64
22:28:15.872717 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 26492, seq 1, length 64
22:28:20.877100 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:28:20.877640 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:28:20.877654 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:28:20.877737 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on eth0 on node1: after passing through genev_sys_6081 the packets are geneve-encapsulated
# tcpdump -i eth0 port 6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:23.446147 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446659 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:28.461137 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:30:28.461554 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:30:28.461571 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:30:28.461669 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

=================== across hosts ===================

// capture on eth0 on node2
# tcpdump -i eth0 port 6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:11.364189 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 24275, seq 1, length 64
22:23:11.364662 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 24275, seq 1, length 64
22:23:16.365086 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:23:16.365487 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on genev_sys_6081 on node2: the packets leave genev_sys_6081 geneve-decapsulated
# tcpdump -i genev_sys_6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on genev_sys_6081, link-type EN10MB (Ethernet), capture size 262144 bytes
22:25:11.226186 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 25166, seq 1, length 64
22:25:11.226553 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 25166, seq 1, length 64
22:25:16.237070 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:25:16.237162 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:25:16.237203 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:25:16.237523 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on veth11 on node2
# tcpdump -i veth11 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
22:28:15.872198 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 26492, seq 1, length 64
22:28:15.872235 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 26492, seq 1, length 64
22:28:20.876913 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:28:20.877274 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:28:20.877287 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:28:20.877613 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on veth12 inside ns1 on node2
# ip netns exec ns1 tcpdump -i veth12 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth12, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:23.446212 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446242 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:28.460912 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:30:28.461260 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:30:28.461272 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:30:28.461530 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
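As an added example (not code from the original post or from OVN/OVS), here is a decoder for what the eth0 captures above carry on UDP port 6081, covering both the tunnel interface shown earlier and the encapsulated ICMP/ARP frames just captured: the RFC 8926 Geneve header, its options and the inner Ethernet frame. The OVN option class 0x0102 / type 0x80 and the inport/outport bit layout inside it are taken from OVN's architecture documentation rather than from the post, so treat them as assumptions.

```python
import struct
from dataclasses import dataclass, field

GENEVE_UDP_PORT = 6081
ETH_P_TEB = 0x6558      # Transparent Ethernet Bridging: the inner payload is an Ethernet frame
OVN_OPT_CLASS = 0x0102  # assumption: OVN's Geneve option class (ovn-architecture documentation)
OVN_OPT_TYPE = 0x80     # assumption: OVN's option type, critical bit (0x80) set


@dataclass
class GeneveOption:
    opt_class: int
    opt_type: int       # full type byte, critical bit included
    critical: bool
    data: bytes


@dataclass
class GeneveFrame:
    vni: int
    protocol: int
    oam: bool
    has_critical: bool
    options: list = field(default_factory=list)
    inner_dst: str = ""
    inner_src: str = ""
    inner_ethertype: int = 0
    inner_payload: bytes = b""


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_geneve(payload: bytes) -> GeneveFrame:
    """Parse a Geneve UDP payload: 8-byte base header, options, then the inner frame."""
    if len(payload) < 8:
        raise ValueError("short Geneve header")
    ver_optlen, flags, proto = struct.unpack("!BBH", payload[:4])
    if ver_optlen >> 6 != 0:
        raise ValueError(f"unsupported Geneve version {ver_optlen >> 6}")
    opt_len = (ver_optlen & 0x3F) * 4               # option length is in 4-byte words
    vni = int.from_bytes(payload[4:7], "big")       # 24-bit VNI; byte 7 is reserved
    frame = GeneveFrame(vni=vni, protocol=proto,
                        oam=bool(flags & 0x80), has_critical=bool(flags & 0x40))
    end = 8 + opt_len
    if len(payload) < end:
        raise ValueError("options run past end of packet")
    pos = 8
    while pos < end:
        opt_class, opt_type, length = struct.unpack("!HBB", payload[pos:pos + 4])
        data_len = (length & 0x1F) * 4              # option data length, also in 4-byte words
        if pos + 4 + data_len > end:
            raise ValueError("option length exceeds option block")
        frame.options.append(GeneveOption(opt_class, opt_type, bool(opt_type & 0x80),
                                          payload[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    if frame.has_critical and not any(o.critical for o in frame.options):
        raise ValueError("C flag set but no critical option present")
    if proto == ETH_P_TEB:
        inner = payload[end:]
        if len(inner) < 14:
            raise ValueError("short inner Ethernet frame")
        frame.inner_dst = mac_str(inner[0:6])
        frame.inner_src = mac_str(inner[6:12])
        frame.inner_ethertype = struct.unpack("!H", inner[12:14])[0]
        frame.inner_payload = inner[14:]
    return frame


def ovn_ports(frame: GeneveFrame):
    """Return (logical inport, logical outport) from OVN's option, or None if absent.
    Assumption: inport in the upper 15 bits, outport in the lower 16 bits of the 32-bit value."""
    for opt in frame.options:
        if opt.opt_class == OVN_OPT_CLASS and opt.opt_type == OVN_OPT_TYPE and len(opt.data) == 4:
            value = int.from_bytes(opt.data, "big")
            return (value >> 16) & 0x7FFF, value & 0xFFFF
    return None


def build_sample() -> bytes:
    """Constructed sample: an ARP request from ns1@node1 on VNI 1 with one 8-byte critical
    option, the shape tcpdump printed above as 'Geneve, Flags [C], vni 0x1, options [8 bytes]'."""
    option = struct.pack("!HBB", OVN_OPT_CLASS, OVN_OPT_TYPE, 1) + struct.pack("!I", (1 << 16) | 2)
    header = (struct.pack("!BBH", len(option) // 4, 0x40, ETH_P_TEB)
              + (1).to_bytes(3, "big") + b"\x00")
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)                  # request, Ethernet/IPv4
    arp += bytes.fromhex("000000000001") + bytes([192, 168, 1, 10])  # sender 00:00:00:00:00:01
    arp += bytes(6) + bytes([192, 168, 1, 20])                       # target 192.168.1.20
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("000000000001") + struct.pack("!H", 0x0806)
    return header + option + eth + arp


if __name__ == "__main__":
    f = parse_geneve(build_sample())
    print(f"vni={f.vni} critical={f.has_critical} ovn_ports={ovn_ports(f)} "
          f"inner {f.inner_src} -> {f.inner_dst} ethertype=0x{f.inner_ethertype:04x}")
```

A truncated or inconsistent option block raises ValueError rather than being skipped silently, which is the behaviour you want when feeding captures from port 6081 into a detection pipeline.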
逻辑路由器(Logical Router):9 z" s2 L7 k/ |+ x/ f# ^ m1 Q7 A
前面验证了ovn逻辑交换机跨主机同子网的通信,那不同子网间又该如何通信呢?这就要用到ovn的逻辑路由器了。
% U$ I, Z6 f$ h$ C( R先在node2上再创建个网络命名空间ns2,ip设置为另外一个子网192.168.2.30/24,并且再增加一个逻辑交换机。9 p% e6 r3 m1 j5 R5 A7 j
在这里插入图片描述
3 `) O# C) j! g# E6 v6 O
8 v3 R% n0 Q+ X) ~1 n2 h- K8 C3 F* Ynode2上执行 ~) p9 S. [- Y4 v/ q! u
[root@node2 ~]# ip netns 查看网络命名空间# b% k* N' S2 W
ns1 (id: 0)( N0 C, k% f+ s
[root@node2 ~]# ip netns add ns2
n0 Q* `! _8 B1 R5 O[root@node2 ~]# ip link add veth21 type veth peer name veth22
9 w2 v$ i8 c% j# y[root@node2 ~]# ip link set veth22 netns ns2
" l8 M& H f$ o2 Q9 E) n[root@node2 ~]# ip link set veth21 up
* Y: \3 _& B: N; U3 o/ E. G2 C[root@node2 ~]# ip netns exec ns2 ip link set veth22 address 00:00:00:00:00:03
% J4 o& w: N6 m7 A[root@node2 ~]# ip netns exec ns2 ip link set veth22 up
) S* K# C4 H, Q( U! v. v[root@node2 ~]# ovs-vsctl add-port br-int veth21
. q' \& _$ Y2 t+ W* T[root@node2 ~]# ip netns exec ns2 ip addr add 192.168.2.30/24 dev veth22
2 L1 H3 [0 b- A4 Q. q[root@node2 ~]# ip netns: n k; r9 X8 l$ m
ns2 (id: 1)
( v: t7 s$ h8 p: Mns1 (id: 0): x' r3 {( L2 _' O" j7 h
1 @! q7 M6 M7 a
On node1, add a second logical switch with the OVN commands and configure its port:
[root@node1 ~]# ovn-nbctl ls-add ls2
[root@node1 ~]# ovn-nbctl lsp-add ls2 ls2-node2-ns2
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-node2-ns2 00:00:00:00:00:03
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls2-node2-ns2 00:00:00:00:00:03
On node2, bind the OVS port to the OVN logical switch port:
[root@node2 ~]# ovs-vsctl set interface veth21 external-ids:iface-id=ls2-node2-ns2
Check the northbound and southbound databases:
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Create an OVN logical router that connects the two logical switches.

Add the logical router; its routing information is stored in the northbound database:
[root@node1 ~]# ovn-nbctl lr-add lr1

Add a router port that connects to logical switch ls1:
[root@node1 ~]# ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:11:00 192.168.1.1/24

Add a router port that connects to logical switch ls2:
[root@node1 ~]# ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:12:00 192.168.2.1/24

Connect logical switch ls1 to the logical router:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-lr1
[root@node1 ~]# ovn-nbctl lsp-set-type ls1-lr1 router
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-lr1 00:00:00:00:11:00
[root@node1 ~]# ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1

Connect logical switch ls2 to the logical router:
[root@node1 ~]# ovn-nbctl lsp-add ls2 ls2-lr1
[root@node1 ~]# ovn-nbctl lsp-set-type ls2-lr1 router
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-lr1 00:00:00:00:12:00
[root@node1 ~]# ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2
Check the northbound and southbound databases:
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Ping ns2 on node2 (192.168.2.30) from ns1 on node1 (192.168.1.10/24) to verify connectivity across nodes and subnets.

[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.2.30
connect: Network is unreachable

Look at the routing table in ns1: there is clearly no route to the 192.168.2.0/24 network yet.

[root@node1 ~]# ip netns exec ns1 ip route show
192.168.1.0/24 dev veth12 proto kernel scope link src 192.168.1.10
[root@node1 ~]# ip netns exec ns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 veth12
Because a router is a layer-3 concept, the relevant OVS ports first need their addresses configured:

[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node1-ns1 00:00:00:00:00:01
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node2-ns1 00:00:00:00:00:02
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-node2-ns2 00:00:00:00:00:03

Then add a default route in each of the three network namespaces, using the IP of the matching OVN logical router port as the gateway:

ns1 on node1:
[root@node1 ~]# ip netns exec ns1 ip route add default via 192.168.1.1 dev veth12
ns1 on node2:
[root@node2 ~]# ip netns exec ns1 ip route add default via 192.168.1.1 dev veth12
ns2 on node2:
[root@node2 ~]# ip netns exec ns2 ip route add default via 192.168.2.1 dev veth22
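Why the first ping failed with "Network is unreachable" while the one after the default route succeeds is a plain routing-table question. The Python snippet below is an added example, not part of the original post: it reproduces the kernel's longest-prefix-match lookup over the `ip route show` lines shown above and also checks the one thing `ip route add ... via` requires, namely that the gateway lies on a connected subnet, which is why each namespace points at the router port IP in its own subnet. The function names are my own and the route text is constructed from the listing above.

```python
"""Longest-prefix-match route lookup over `ip route show` output.

Added example for this tutorial; the route text below is constructed from the
ns1 routing table on node1, before and after `ip route add default via 192.168.1.1`.
"""
import ipaddress

ROUTES_BEFORE = """\
192.168.1.0/24 dev veth12 proto kernel scope link src 192.168.1.10
"""
ROUTES_AFTER = ROUTES_BEFORE + "default via 192.168.1.1 dev veth12\n"


def parse_routes(text):
    """Return a list of {'dst': IPv4Network, 'via': IPv4Address or None, 'dev': str}."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = '0.0.0.0/0' if tokens[0] == 'default' else tokens[0]
        route = {'dst': ipaddress.ip_network(dst, strict=False), 'via': None, 'dev': None}
        # Walk the "key value" pairs; only via/dev matter for forwarding decisions here.
        for key, value in zip(tokens[1:], tokens[2:]):
            if key == 'via':
                route['via'] = ipaddress.ip_address(value)
            elif key == 'dev':
                route['dev'] = value
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Pick the most specific matching route; None means 'Network is unreachable'."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r['dst']]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r['dst'].prefixlen)


def gateway_is_onlink(routes, gw):
    """A `via` gateway must be reachable through a connected (no-via) route, otherwise
    the kernel rejects the route. This is why ns1 uses 192.168.1.1 and ns2 uses 192.168.2.1."""
    gw = ipaddress.ip_address(gw)
    return any(r['via'] is None and gw in r['dst'] for r in routes)


if __name__ == '__main__':
    for label, text in (('before', ROUTES_BEFORE), ('after', ROUTES_AFTER)):
        hit = lookup(parse_routes(text), '192.168.2.30')
        print(label, '->', 'Network is unreachable' if hit is None else f"via {hit['via']} dev {hit['dev']}")
```

Running the block prints the "before" lookup as unreachable and the "after" lookup as going via 192.168.1.1 on veth12, while a same-subnet destination such as 192.168.1.20 still matches the connected /24 and never touches the router.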
Check the northbound and southbound databases again:

[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
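The `ovn-nbctl show` listings above are the only place where the switch-to-router wiring is visible, and a mismatch between a router-type switch port and its `router-port` peer (wrong name, wrong MAC) breaks routing without any command failing. The following Python script is an added example, not code from the post or from the OVN project: it parses `ovn-nbctl show` text and checks that every `router-port` reference names an existing logical router port with the same MAC, that no MAC is used twice, and that one router has no overlapping subnets. The embedded sample is the listing from above; the helper names (parse_nb_show, validate) are my own.

```python
"""Consistency checks for an OVN northbound topology, read from `ovn-nbctl show` text.

Added example for this tutorial; not code from the post or from the OVN project.
"""
import ipaddress
import re
from itertools import combinations

# Sample input: the `ovn-nbctl show` listing from the tutorial (ls1 and ls2 joined by lr1).
NB_SHOW_SAMPLE = """\
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
"""

HEAD_RE = re.compile(r'^(switch|router) \S+ \((\S+)\)$')
PORT_RE = re.compile(r'^port (\S+)$')
KV_RE = re.compile(r'^([\w-]+): (.*)$')
MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$', re.I)


def parse_nb_show(text):
    """Return {'switch': {name: {port: {key: value}}}, 'router': {...}}."""
    nb = {'switch': {}, 'router': {}}
    kind = name = port = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEAD_RE.match(line)
        if m:
            kind, name = m.groups()
            nb[kind][name] = {}
            port = None
            continue
        m = PORT_RE.match(line)
        if m and kind is not None:
            port = m.group(1)
            nb[kind][name][port] = {}
            continue
        m = KV_RE.match(line)
        if m and port is not None:
            key, value = m.groups()
            # Quoted lists such as ["00:00:00:00:00:03"] become lists; scalars stay strings.
            parsed = re.findall(r'"([^"]*)"', value) if value.startswith('[') else value.strip('"')
            nb[kind][name][port][key] = parsed
    return nb


def _claim_mac(owners, mac, owner, issues):
    """Record who uses a MAC; a second owner is a duplicate that confuses forwarding."""
    if not MAC_RE.match(mac):
        return  # 'unknown', 'dynamic' or empty: nothing to compare
    if mac in owners:
        issues.append(f'{owner}: MAC {mac} duplicates {owners[mac]}')
    else:
        owners[mac] = owner


def validate(nb):
    """Return a list of problems; an empty list means the wiring is consistent."""
    issues = []
    lrps = {}  # logical router port name -> (router name, fields)
    for router, ports in nb['router'].items():
        nets = []
        for pname, fields in ports.items():
            lrps[pname] = (router, fields)
            for cidr in fields.get('networks', []):
                nets.append((pname, ipaddress.ip_interface(cidr).network))
        # Two ports of one router on overlapping prefixes make next-hop selection ambiguous.
        for (p1, n1), (p2, n2) in combinations(nets, 2):
            if n1.overlaps(n2):
                issues.append(f'router {router}: {p1} {n1} overlaps {p2} {n2}')

    owners = {}
    for switch, ports in nb['switch'].items():
        for pname, fields in ports.items():
            macs = [a.split()[0] for a in fields.get('addresses', []) if a]
            if fields.get('type') == 'router':
                # The switch-side port must name a real LRP and carry that LRP's MAC.
                peer = fields.get('router-port')
                if peer not in lrps:
                    issues.append(f'{switch}/{pname}: router-port {peer!r} is not a port of any router')
                elif macs != [lrps[peer][1].get('mac')]:
                    issues.append(f'{switch}/{pname}: addresses {macs} differ from mac of {peer}')
                continue
            for mac in macs:
                _claim_mac(owners, mac, f'{switch}/{pname}', issues)
    for lrp, (router, fields) in lrps.items():
        _claim_mac(owners, fields.get('mac', ''), f'{router}/{lrp}', issues)
    return issues


if __name__ == '__main__':
    problems = validate(parse_nb_show(NB_SHOW_SAMPLE))
    print('\n'.join(problems) or 'topology consistent')
```

Feed it `ovn-nbctl show` output from a real deployment and it reports an empty list when every router-type switch port has a matching LRP; a typo in `lsp-set-options ... router-port=` or a copy-pasted MAC shows up as a named issue instead of a silent routing failure.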
Verify connectivity:

ns1 on node1 reaches its gateway:
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=20.10 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.950/20.950/20.950/0.000 ms

ns2 on node2 reaches its gateway:
[root@node2 ~]# ip netns exec ns2 ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=38.5 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 38.477/38.477/38.477/0.000 ms

ns1 on node1 pings ns2 on node2:
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.2.30
PING 192.168.2.30 (192.168.2.30) 56(84) bytes of data.
64 bytes from 192.168.2.30: icmp_seq=1 ttl=63 time=1.23 ms

--- 192.168.2.30 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms
Note: the OVN logical switch and logical router are northbound-database concepts. ovn-northd "translates" these two logical objects into the southbound database, and ovn-controller on each hypervisor then syncs them to ovs/ovsdb-server, where they finally become OVS ports, flow tables and so on.
An OVN logical switch extends a layer-2 broadcast domain to the OVS instances on different hosts through Geneve tunnels; an OVN logical router extends the layer-3 domain to the OVS instances on different hosts in the same way, which is how cross-host communication is achieved.
Both the OVN logical switch and the logical router generate matching flow-table entries on every hypervisor; this is also the basis of OVN's high availability and of how it handles problems such as instance migration.