Linux Network Namespaces in Open vSwitch
Jiri Benc, Red Hat, November 2015
Source: openvswitch.org/support/ovscon2015/17/1555-benc.pdf
Network Namespaces
● Partitioning of the Linux network stack
● Resource isolation
● Used heavily by containers, OpenStack, ...
Current State of Open vSwitch Support
● Interfaces in an OVS bridge may be moved to a different netns
  ovs-vsctl add-port br0 eth0
  ip link set eth0 netns otherns
● But cannot be added from a different netns
● Weird behavior of some OVS tools
  ovs-vsctl show
  ovs-ofctl show br0
Kernel Datapath
● Isolation: skb_scrub_packet
● Recently added to ovs_vport_receive:
  if (unlikely(dev_net(skb->dev) != ovs_dp_get_net(vport->dp)))
          skb_scrub_packet(skb, true);
● What is the netns of the datapath?
[Diagram: Kernel Datapath; labels: root netns, netns0, kernel datapath, eth0, eth1, eth2, ovs-vswitchd, ovsdb-server]
[Diagram: Kernel Datapath – the Easy Case; labels: root netns, netns0, kernel datapath, eth0, eth1, eth2, ovs-vswitchd, ovsdb-server]
[Diagram: Kernel Datapath – the Easy Case Reversed; labels: root netns, netns0, kernel datapath, eth0, eth1, eth2, ovs-vswitchd, ovsdb-server]
[Diagram: Kernel Datapath – Switching Inside Netns; labels: root netns, netns0, kernel datapath, eth0, eth1, eth2, ovs-vswitchd, ovsdb-server]
Kernel Datapath – skb scrubbing
● Call skb_scrub_packet on send (ovs_vport_send)
  ● compare netns of the ingress and egress interface
  ● ignore netns of the datapath
● What about tunnels?
  ● nothing special since lwtunnels
● What about conntrack?
  ● conntrack is done in datapath netns
  ● egress scrubbing is too late
[Diagram: Kernel Datapath – Conntrack; labels: root netns, netns0, kernel datapath, eth0, eth1, eth2, ovs-vswitchd, ovsdb-server]
[Diagram: Kernel Datapath – Conntrack; labels: root netns, netns0, netns1, netns2, kernel datapath, eth0, eth1, eth2, ovs-vswitchd, ovsdb-server]
Matching in User Space
● ovsdb contains only the interface name
● Kernel datapath may have a different view
  ● interface renames
  ● moving interfaces between net namespaces
● Example:
  ovs-vsctl add-port br0 eth0
  ip link set eth0 name shadow0
  ip link set eth1 name eth0
  ovs-ofctl show br0
  ovs-dpctl show
Detecting Interface Changes
● Listening to netlink events, updating the db
● What to do on interface deletion?
  ● netns move is reported as delete + create
  ● create is reported in the target netns
  ● missing kernel API
● Listening in other namespaces
  ● NETLINK_LISTEN_ALL_NSID
  ● no way to detect newly created namespaces
  ● missing kernel API
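Offline replay of the rename example from "Matching in User Space" and the delete-on-netns-move case from this slide, as an added example that is not from the talk or from the Open vSwitch code base: it builds and parses constructed RTM_NEWLINK/RTM_DELLINK messages and keeps a port table keyed by ifindex, so a rename is detected instead of silently changing which device a name refers to, while a netns move still surfaces only as a delete. The message layouts are the kernel's rtnetlink ones; `build_link_msg` and `apply_link_event` are hypothetical helpers written for this illustration.

```python
import struct

# Constants from <linux/rtnetlink.h> and <linux/if_link.h>
RTM_NEWLINK, RTM_DELLINK, IFLA_IFNAME = 16, 17, 3
NLMSG_HDR = struct.Struct("=IHHII")   # nlmsg_len, nlmsg_type, flags, seq, pid
IFINFOMSG = struct.Struct("=BBHiII")  # family, pad, ifi_type, ifi_index, flags, change
RTATTR = struct.Struct("=HH")         # rta_len, rta_type

def _align(n):
    return (n + 3) & ~3               # NLMSG_ALIGN / RTA_ALIGN

def build_link_msg(msg_type, ifindex, name):
    """Constructed RTM_NEWLINK/RTM_DELLINK carrying IFLA_IFNAME, for offline replay."""
    payload = name.encode() + b"\0"
    attr = RTATTR.pack(RTATTR.size + len(payload), IFLA_IFNAME) + payload
    attr += b"\0" * (_align(len(attr)) - len(attr))
    body = IFINFOMSG.pack(0, 0, 1, ifindex, 0, 0) + attr
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), msg_type, 0, 0, 0) + body

def parse_link_msgs(buf):
    """Return [(msg_type, ifindex, ifname)] for each link message in a netlink buffer."""
    out, off = [], 0
    while off + NLMSG_HDR.size <= len(buf):
        nlen, ntype = NLMSG_HDR.unpack_from(buf, off)[:2]
        if nlen < NLMSG_HDR.size:
            break                      # malformed length: stop instead of spinning
        if ntype in (RTM_NEWLINK, RTM_DELLINK):
            ifindex = IFINFOMSG.unpack_from(buf, off + NLMSG_HDR.size)[3]
            name, a = None, off + NLMSG_HDR.size + IFINFOMSG.size
            while a + RTATTR.size <= off + nlen:
                alen, atype = RTATTR.unpack_from(buf, a)
                if alen < RTATTR.size:
                    break
                if atype == IFLA_IFNAME:
                    name = buf[a + RTATTR.size:a + alen].rstrip(b"\0").decode()
                a += _align(alen)
            out.append((ntype, ifindex, name))
        off += _align(nlen)
    return out

def apply_link_event(table, msg_type, ifindex, name):
    """Update a port table keyed by ifindex (the kernel's key, not ovsdb's name key)."""
    if msg_type == RTM_DELLINK:
        # A netns move arrives as exactly this; the create is only seen in the target netns.
        return "deleted-or-moved", table.pop(ifindex, None)
    old = table.get(ifindex)
    table[ifindex] = name
    if old is None:
        return "created", name
    return ("renamed", f"{old}->{name}") if old != name else ("unchanged", name)
```

Replaying the slide's two `ip link set ... name` commands yields two "renamed" events, after which the name eth0 points at a different ifindex than the one the bridge was given.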
Namespaces in ovsdb
● Conflicting interface names
● Need to store netns in ovsdb
  ● netnsid (from the ovsdb-server namespace)
● Cannot switch to netns using netnsid
  ● missing kernel API
[Diagram: Netnsid Problem; labels: root netns, netns0, netns1, kernel datapath, eth1, ovs-vswitchd, ovsdb-server, ovs-ofctl, ovs-vsctl]
[Diagram: Netnsid Problem; labels: root netns, netns0, netns1, kernel datapath, eth1, ovs-vswitchd, ovsdb-server, ovs-ofctl, ovs-vsctl, netnsid]
Questions? Ideas?