
Networking in OpenStack for non-networking people: Neutron, OVS and friends

Dave Neary
dneary@redhat.com
Open Source and Standards
Red Hat

DAVE NEARY

AGENDA

Networking review: the OSI model


Networking in a virtual world
Neutron and OVS
Debugging and fixing networking issues

DOC144908-20130513r1

RED HAT OPENSTACK | 2013

Networking: The OSI model

[Diagram: the OSI stack from Layer 7 at the top to Layer 1 at the bottom. Labels: SMTP, Software, TCP/IP, Routers, Switching, Cables, Hardware.]

Switches and routers


Networking in a virtual world

CC BY from OpenStack Operations Guide: http://bit.ly/OpenStackNetworking

Networking in a virtual world: Open vSwitch


Networking in a virtual world: Neutron

Abstracts away internals of switching and SDN provider

Provides high-level abstractions (router, subnet, network, gateway)

Law of Leaky Abstractions applies

Neutron: Creating a subnet

neutron router-create router1

neutron net-create net1

neutron subnet-create net1 172.17.0.0/24 --name subnet1

neutron router-interface-add router1 subnet1

Neutron: Attaching a public subnet

neutron net-create net2 --router:external=True

neutron subnet-create net2 192.168.0.0/24 \
    --name subnet2 --enable_dhcp=False \
    --allocation-pool start=192.168.0.32,end=192.168.0.63 \
    --gateway=192.168.0.1

neutron router-gateway-set router1 net2

Neutron: Floating IPs

To connect from an external machine to an instance, you need a routable IP address

Floating IP addresses are public aliases for private IP addresses

They survive changes in private IPs, enable load balancing, etc.

Equivalent to Elastic IPs in AWS

Neutron: Floating IPs

neutron floatingip-create net2

neutron floatingip-list

neutron port-list

neutron floatingip-associate <floating-ip> <port>

Debugging network issues: Devices

ip a: shows status of all physical and virtual devices

ovs-vsctl show: shows interfaces and bridges in the virtual switch

ovs-dpctl show: shows datapaths on the switch

Debugging network issues: Tracking packets

tcpdump is your friend

tcpdump -n -i <interface> -w <filename>

Set interface to vnet device, instance eth0, bridge device, or host ethernet device to see where packets are not getting through

Use -i any for all interfaces

iptables -L: check iptables rules

Debugging network issues: Network namespaces

Network namespaces allow VLANs to share overlapping address space, which is important for bigger deployments, and to provide multi-tenant networks

ip netns list: lists all known network namespaces

ip netns exec <namespace id> route -n
Shows routing table inside specific namespace
Execute arbitrary commands (incl. ssh, ping)

Debugging networking issues: DHCP

Scenario: Instance is not getting IP address

Step 1: nova console-log <instance name>
DHCP request sent, no reply received

Step 2: Verify neutron-dhcp-agent is running

Step 3: Check host logs (/var/log/messages and /var/log/neutron/*)

Step 4: If host is not seeing DHCP traffic: tcpdump -i any | grep -i dhcp

Debugging networking issues: Access/routing

Scenario: I can't SSH into an instance

Step 1: Security groups: port 22 TCP & all ICMP allowed?

Step 2: Is floating IP address routable from client?
route -n on client
Verify that public subnet in OpenStack is accessible from client (e.g. for local LAN, that it matches 192.168.0.0/24)

Step 3: Bridges OK?

Debugging networking issues: Access/routing

Bridge issues:

ovs-vsctl show: is the ethernet card attached to the same bridge as the public network?

neutron router-show router1: are the private subnet and public subnet connected to the router?

ip netns exec <public namespace id> ping <floating IP>: does the public network match the local LAN exactly?

ip netns exec <private namespace id> route -n: is traffic being correctly routed from the instance out?
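For Step 2 of the SSH scenario, the sketch below (an added example, not part of the original slides) reads route -n output and reports which route the client would pick for an address, using longest-prefix matching. The route table is constructed sample data for a client on the 192.168.0.0/24 LAN, and the function names sample_routes, ip2int and route_for are illustrative.

```shell
#!/bin/sh
# Added example, not from the slides. The route table is constructed sample data.

# Constructed `route -n` output for a client on the 192.168.0.0/24 LAN.
sample_routes() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
EOF
}

# ip2int A.B.C.D: print the dotted quad as a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_for IP: read `route -n` output on stdin and print "<iface> <gateway>"
# for the most specific matching route (longest prefix wins).
# A gateway of 0.0.0.0 means the address is on-link, reachable without a router.
route_for() {
    target=$(ip2int "$1")
    best_mask=-1; best=""
    while read -r dest gw mask flags metric ref use iface; do
        # Skip the header lines; only rows starting with an IPv4 address count.
        case $dest in
            [0-9]*.*.*.*) ;;
            *) continue ;;
        esac
        d=$(ip2int "$dest")
        m=$(ip2int "$mask")
        if [ $(( target & m )) -eq $(( d & m )) ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            best="$iface $gw"
        fi
    done
    [ -n "$best" ] || return 1
    echo "$best"
}

# Floating IP from the allocation pool: matched by the on-link LAN route.
echo "192.168.0.40 -> $(sample_routes | route_for 192.168.0.40)"
# Private instance address: only the default route matches, so the client
# hands the packet to the LAN gateway instead of reaching the instance directly.
echo "172.17.0.5   -> $(sample_routes | route_for 172.17.0.5)"
```

On a real client, pipe the live table in instead: route -n | route_for <floating IP>.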

Resources

OpenStack Network troubleshooting: http://bit.ly/OpenStackNetworking

OpenStack Networking: L3 workflow: http://bit.ly/L3Workflow

RDO Networking: http://bit.ly/RDONetworking

RDO: Neutron with an external network: http://bit.ly/RDONeutronExtNet

OpenStack Tales from the Crypt: http://bit.ly/OpenStackCrypt

QUESTIONS?
