Multi-tenant IaaS using OpenStack + OpenContrail
Takashi Sogabe(@rev4t)
Internet Initiative Japan., Inc.
Who am I?
• Takashi Sogabe (@rev4t)
• I develop services and devices at IIJ
  – Lately, I also verify software and build networks in order to create new services
  – I call myself a “full stack engineer”
What do I want to do?
• Contrail is now open source!
  – The quickest way for an engineer to understand it is to actually try it
  – I want to read the source code with a smirk on my face
  – First, create a demo environment and play with it
What is OpenContrail?
• Software that makes it easy to build a scalable IaaS
  – It's an SDN product
• It works with OpenStack and CloudStack
• Control plane: BGP or XMPP
• Data plane: MPLS over GRE
  – It appears to support MPLS over UDP and VXLAN as well
Source of Information
• http://opencontrail.org/
  – Documents and packages are provided here
• https://github.com/Juniper/contrail-controller
  – The source code is published on GitHub
• http://juni.pr/17tlcQh
  – Valuable information in Japanese about OpenContrail, posted by Juniper's Arimura-san on J-NET
Why MPLS/BGP?
• They are mature technologies, so you can use them with peace of mind
  – ISPs already use MPLS for IP-VPN services
  – Performance holds up with a large number of VPNs in place
  – It's easy to build inter-DC connections or hybrid clouds
    • Using an L3VPN router as the external router makes interconnection easy
What else can you do?
• Service Chaining
  – NFV, in other words
  – You can insert a firewall or many other functions between VMs
• Network Monitoring
  – You can monitor the sessions in progress from the web UI
  – If necessary, you can run tcpdump from the web UI
    • Think of it as an overlay-network version of Remote SPAN (RSPAN)
Minimum configuration needed for testing?
• PC server × 1
  – Juniper recommends 5 or more
  – For testing purposes, 1 is enough
• Router × 1
  – One that can speak MPLS VPN
  – Juniper MX and SRX are examples
  – Not necessary if you don't need an external router
Server configuration of demo environment
[Diagram] A single PC server (192.168.192.64) runs the Contrail System, OpenStack (controller, etc.), OpenStack nova-compute and the vRouter. The External Router (Gateway Router) sits at 192.168.192.79 on the 192.168.192.0/24 segment, with 10.0.0.1/24 on its far side. A router for internet connection is also on 192.168.192.0/24.
OpenContrail Architecture
Install (1)
• Building from source
  – http://juni.pr/1alNn7h
  – git + repo: setting up is cumbersome, so this is only suitable for building
  – devstack: https://github.com/dsetia/devstack
• Using binary packages
  – OS image provided by Juniper
  – RPM packages (CentOS or Fedora)
  – A Juniper.net account is needed
  – Juniper says that if you apply through the online form, an account is created for you in a day or two
• The OS image is used for this demo
  – Contrail Install Media for CentOS 90-day EVAL (Release 1.02)
  – OpenStack Grizzly
Install (2)
1. Download the OS image and install it on the PC
2. Run setup.sh
   – cd /opt/contrail/contrail_packages; ./setup.sh
3. Create the testbed file
4. Install the system
   – cd /opt/contrail/utils; fab install_contrail
   – (rebooted automatically)
   – cd /opt/contrail/utils; fab setup_all
   – (rebooted automatically)
Testbed file
• cd /opt/contrail/utils/fabfile/testbeds
• cp testbed_singlebox_example.py testbed.py
• Edit: vi testbed.py

    ext_routers = [('srx1', '192.168.192.79')]   # comment this out if there is no external router

    host1 = '<user>@<host ip address>'
    host_build = '<user>@<host ip address>'
    env.passwords = {
        host1: '<host password>',
        host_build: '<host password>',
    }
Install (3)
• If the installation is successful, you can log in to Horizon and the Contrail web UI
  – Horizon
    • http://(host ip address)/
    • username: admin
    • password: contrail123
  – Contrail
    • http://(host ip address):8080/
    • username, password: same as Horizon
External Router configuration (1)
• Interface configuration

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.192.79/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }
External Router configuration (2)
• L3VPN configuration

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.192.5;
        }
        route-distinguisher-id 192.168.192.79;
        autonomous-system 64512;
        dynamic-tunnels {
            setup1 {
                source-address 192.168.192.79;
                gre;
                destination-networks {
                    192.168.192.0/24;
                }
            }
        }
    }
    protocols {
        bgp {
            group contrail-controller {
                type internal;
                local-address 192.168.192.79;
                family inet-vpn {
                    unicast;
                }
                neighbor 192.168.192.64;
            }
        }
        stp;
    }
External Router configuration (3)
• VRF configuration

    routing-instances {
        cusotomer-public {
            instance-type vrf;
            interface ge-0/0/1.0;
            vrf-target target:64512:10000;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.0.0.2;
                }
            }
        }
    }
External Router configuration (4)
• If you use an SRX, set the forwarding mode to packet based

    security {
        forwarding-options {
            family {
                inet6 {
                    mode packet-based;
                }
                mpls {
                    mode packet-based;
                }
                iso {
                    mode packet-based;
                }
            }
        }
    }

    root> show security flow status
      Flow forwarding mode:
        Inet forwarding mode: packet based
        Inet6 forwarding mode: packet based
        MPLS forwarding mode: packet based
        ISO forwarding mode: packet based
      Flow trace status
        Flow tracing status: off

• If you use flow-based forwarding, it appears there is no way to add the dynamic tunnel to a security zone
CREATING TENANT NETWORK USING OPENCONTRAIL
Network Configuration (1)
• 3 ways to configure
  – From the OpenContrail web UI
  – From OpenStack
    • However, some parameters cannot be configured using neutron (quantum)
  – OpenContrail REST API
    • API server: http://(controller_host):8082/
    • There is no documentation at all at this time; however, you can probably work most of it out by going through the top-level URL
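Since the API server on port 8082 holds every tenant's network definitions and the slides note there is no documentation for it, the practical way in is to let the server describe itself. The script below is an added example (not from the slides or from the Contrail project): it walks the top-level URL, which the example assumes returns a JSON catalogue of links, one per resource type, and then lists the virtual networks from the collection it finds there. The response shapes, the 192.168.192.64 controller address taken from the demo, and the SAMPLE_TOP/SAMPLE_VNS payloads are all constructed so the parsing part runs offline; the live walk in explore() is only used when a base URL is given.

```python
"""Walk the OpenContrail REST API server starting from its top-level URL."""
import json
import sys
import urllib.request

# Demo controller from the slides; the API server listens on port 8082.
API_BASE = "http://192.168.192.64:8082"


def fetch_json(url, timeout=5):
    """GET a URL from the API server and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def collection_links(catalogue):
    """Map each resource type to its collection URL (e.g. 'virtual-network' -> .../virtual-networks).

    The catalogue is assumed to look like {"links": [{"link": {"href", "name", "rel"}}, ...]};
    entries with rel == "collection" are list endpoints, the others are per-object bases.
    """
    links = {}
    for entry in catalogue.get("links", []):
        link = entry.get("link", {})
        if link.get("rel") == "collection" and "name" in link and "href" in link:
            links[link["name"]] = link["href"]
    return links


def summarize_networks(vn_collection):
    """Return (fq_name, uuid) pairs for every network in a /virtual-networks response.

    fq_name is assumed to be a list such as ["default-domain", "admin", "public"].
    """
    return [(":".join(vn["fq_name"]), vn["uuid"])
            for vn in vn_collection.get("virtual-networks", [])]


def networks_in_project(vn_collection, domain, project):
    """Filter the collection down to the networks owned by one tenant (domain:project)."""
    prefix = f"{domain}:{project}:"
    return [name for name, _ in summarize_networks(vn_collection) if name.startswith(prefix)]


def explore(base=API_BASE):
    """Live walk: fetch the catalogue, then the virtual-network collection it points to."""
    links = collection_links(fetch_json(base + "/"))
    return links, summarize_networks(fetch_json(links["virtual-network"]))


# Constructed sample of GET http://192.168.192.64:8082/ (shape assumed, values made up).
SAMPLE_TOP = {
    "href": "http://192.168.192.64:8082",
    "links": [
        {"link": {"href": "http://192.168.192.64:8082/domains", "name": "domain", "rel": "collection"}},
        {"link": {"href": "http://192.168.192.64:8082/domain", "name": "domain", "rel": "resource-base"}},
        {"link": {"href": "http://192.168.192.64:8082/virtual-networks", "name": "virtual-network", "rel": "collection"}},
        {"link": {"href": "http://192.168.192.64:8082/virtual-network", "name": "virtual-network", "rel": "resource-base"}},
        {"link": {"href": "http://192.168.192.64:8082/network-policys", "name": "network-policy", "rel": "collection"}},
    ],
}

# Constructed sample of GET .../virtual-networks; the "public"/"private" names follow the demo.
SAMPLE_VNS = {
    "virtual-networks": [
        {"fq_name": ["default-domain", "admin", "public"], "uuid": "00000000-0000-4000-8000-000000000001"},
        {"fq_name": ["default-domain", "admin", "private"], "uuid": "00000000-0000-4000-8000-000000000002"},
        {"fq_name": ["default-domain", "default-project", "ip-fabric"], "uuid": "00000000-0000-4000-8000-000000000003"},
    ]
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # python explore_api.py http://<controller_host>:8082
        links, nets = explore(sys.argv[1])
    else:
        links, nets = collection_links(SAMPLE_TOP), summarize_networks(SAMPLE_VNS)
    for name, href in sorted(links.items()):
        print(f"{name:25s} {href}")
    for fq_name, uuid in nets:
        print(f"{fq_name:45s} {uuid}")
```

Everything reachable through this port is tenant configuration, so on anything beyond a single-box demo it belongs behind the same access control as the controller itself; the catalogue walk is useful precisely because it shows how much the server will hand out to whoever can reach it.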
Tenant network
[Diagram] Tenant networks used in the demo:
  – private 10.254.0.0/24: test-private-1 (.253), test-private-2 (.252), vRouter gateway .254
  – public 10.255.0.0/24: test-public-1 (.253), test-public-2 (.252), vRouter gateway .254
  – global 10.1.0.0/24: Floating-ip 10.1.0.253 (assigned to test-public-1)
  – external network 10.0.0.0/24: External router .1
Create network (public)
Create IP address block (public)
Configure Global network
Activate test-public-1, test-public-2
Ping from test-public-1 to 10.0.0.1
Create Private network
Activate test-private-1, test-private-2
Ping from test-private-1 to test-public-1
Create Policy
Apply Policy
Again, Ping from test-private-1 to test-public-1
Create and assign Floating-ip
Ping from ext-router to test-public-1
    root> ping 10.1.0.253 routing-instance cusotomer-public
    PING 10.1.0.253 (10.1.0.253): 56 data bytes
    64 bytes from 10.1.0.253: icmp_seq=0 ttl=62 time=31.423 ms
    64 bytes from 10.1.0.253: icmp_seq=1 ttl=62 time=2.510 ms
    ^C
    --- 10.1.0.253 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
External router show route (1)
    root> show route

    inet.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 1d 20:49:14
                        > to 192.168.192.5 via ge-0/0/0.0
    10.1.0.1/32        *[Local/0] 1d 20:49:29
                          Reject
    192.168.192.0/24   *[Direct/0] 1d 20:49:14
                        > via ge-0/0/0.0
    192.168.192.79/32  *[Local/0] 1d 20:49:20
                          Local via ge-0/0/0.0
External router show route (2)
    inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.192.0/24   *[Tunnel/300] 1d 20:49:46
                          Tunnel
    192.168.192.64/32  *[Tunnel/300] 00:56:35
                        > via gr-0/0/0.32769
External router show route (3)
    cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 1d 20:49:14
                        > to 10.0.0.2 via ge-0/0/1.0
    10.0.0.0/24        *[Direct/0] 1d 20:49:14
                        > via ge-0/0/1.0
    10.0.0.1/32        *[Local/0] 1d 20:49:19
                          Local via ge-0/0/1.0
    10.1.0.253/32      *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                          AS path: ?
                        > via gr-0/0/0.32769, Push 16
External router show route (4)
    mpls.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    299792             *[VPN/170] 02:02:08
                        > to 10.0.0.2 via ge-0/0/1.0, Pop

    bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.192.64:2:10.1.0.253/32
                       *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                          AS path: ?
                        > via gr-0/0/0.32769, Push 16
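The four show route slides are what a practitioner checks after the floating IP is assigned: the /32 must appear in the VRF as a BGP route learned from the controller, its next hop must be the dynamic GRE tunnel, and an MPLS label must be pushed, with the same prefix present in bgp.l3vpn.0 under the controller's route distinguisher. The script below is an added example (not from the slides) that turns that into a repeatable check: it parses Junos show route text into records and verifies those conditions. SAMPLE_OUTPUT is the output from the slides, re-keyed here so the script runs offline; the route-line and next-hop regular expressions are this example's own reading of the Junos format.

```python
"""Parse Junos 'show route' output and verify the L3VPN route for a floating IP."""
import re
from dataclasses import dataclass
from typing import List, Optional

TABLE_RE = re.compile(r"^(\S+): (\d+) destinations, (\d+) routes")
# e.g. "10.1.0.253/32  *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64"
ROUTE_RE = re.compile(r"^(\S+)\s+[*+-]?\[(\w+)/(\d+)\]\s*(.*)$")
# e.g. "  > to 10.0.0.2 via ge-0/0/1.0, Pop"  or  "  > via gr-0/0/0.32769, Push 16"
NEXTHOP_RE = re.compile(r"^\s*>\s*(?:to (\S+) )?via (\S+?)(?:, (Push|Pop|Swap)\s*(\d*))?\s*$")
FROM_RE = re.compile(r"\bfrom (\S+)")


@dataclass
class Route:
    table: str
    prefix: str
    protocol: str
    preference: int
    learned_from: Optional[str] = None  # BGP peer the route came from
    to: Optional[str] = None            # next-hop address, if any
    via: Optional[str] = None           # outgoing interface
    label_op: Optional[str] = None      # Push / Pop / Swap
    label: Optional[int] = None


def parse_show_route(text: str) -> List[Route]:
    """Walk the output table by table; a route line opens a record, an indented '>' line fills its next hop."""
    routes: List[Route] = []
    table: Optional[str] = None
    current: Optional[Route] = None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            table, current = m.group(1), None
            continue
        if table is None:
            continue
        m = ROUTE_RE.match(line)
        if m:
            peer = FROM_RE.search(m.group(4))
            current = Route(table, m.group(1), m.group(2), int(m.group(3)), peer.group(1) if peer else None)
            routes.append(current)
            continue
        m = NEXTHOP_RE.match(line)
        if m and current is not None:
            current.to, current.via, current.label_op = m.group(1), m.group(2), m.group(3)
            current.label = int(m.group(4)) if m.group(4) else None
    return routes


def find_route(routes: List[Route], table: str, prefix: str) -> Optional[Route]:
    return next((r for r in routes if r.table == table and r.prefix == prefix), None)


def split_rd(l3vpn_prefix: str):
    """'192.168.192.64:2:10.1.0.253/32' -> ('192.168.192.64:2', '10.1.0.253/32')."""
    rd, _, prefix = l3vpn_prefix.rpartition(":")
    return rd, prefix


def check_floating_ip(routes: List[Route], vrf: str, floating_ip: str, controller: str) -> List[str]:
    """Return the list of problems; empty means the VRF sees the floating IP the way the demo expects."""
    host = f"{floating_ip}/32"
    r = find_route(routes, f"{vrf}.inet.0", host)
    if r is None:
        return [f"{host} missing from {vrf}.inet.0"]
    problems = []
    if r.protocol != "BGP":
        problems.append(f"expected a BGP route, got {r.protocol}")
    if r.learned_from != controller:
        problems.append(f"expected route from {controller}, got {r.learned_from}")
    if not (r.via or "").startswith("gr-"):
        problems.append(f"expected a GRE tunnel next hop, got {r.via}")
    if r.label_op != "Push" or r.label is None:
        problems.append("expected an MPLS label push")
    if not any(x.table == "bgp.l3vpn.0" and split_rd(x.prefix)[1] == host for x in routes):
        problems.append(f"{host} not present in bgp.l3vpn.0")
    return problems


# Output shown on the slides, re-keyed so this runs without a router.
SAMPLE_OUTPUT = """
inet.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 192.168.192.5 via ge-0/0/0.0
10.1.0.1/32        *[Local/0] 1d 20:49:29
                      Reject
192.168.192.0/24   *[Direct/0] 1d 20:49:14
                    > via ge-0/0/0.0
192.168.192.79/32  *[Local/0] 1d 20:49:20
                      Local via ge-0/0/0.0

inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.192.0/24   *[Tunnel/300] 1d 20:49:46
                      Tunnel
192.168.192.64/32  *[Tunnel/300] 00:56:35
                    > via gr-0/0/0.32769

cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 10.0.0.2 via ge-0/0/1.0
10.0.0.0/24        *[Direct/0] 1d 20:49:14
                    > via ge-0/0/1.0
10.0.0.1/32        *[Local/0] 1d 20:49:19
                      Local via ge-0/0/1.0
10.1.0.253/32      *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16

mpls.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299792             *[VPN/170] 02:02:08
                    > to 10.0.0.2 via ge-0/0/1.0, Pop

bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.192.64:2:10.1.0.253/32 *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16
"""

if __name__ == "__main__":
    parsed = parse_show_route(SAMPLE_OUTPUT)
    for r in parsed:
        print(f"{r.table:25s} {r.prefix:32s} {r.protocol:7s} via={r.via} {r.label_op or ''} {r.label or ''}")
    print("problems:", check_floating_ip(parsed, "cusotomer-public", "10.1.0.253", "192.168.192.64") or "none")
```

Feeding it the live output (for example the text of "show route" captured over SSH) makes the same five-table reading the slides walk through by hand into a pass/fail step, and the returned problem list says which of the expected pieces (BGP origin, GRE next hop, label, VPN table entry) is missing when the ping from the external router fails.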
Network Management (1)
Network Management (2)
Network Management (3)
You can monitor flow information in real time
Network Management (4)
Verify the routing table
Using Analyzer (1)
• Think of the L3 switch Remote SPAN (RSPAN) feature, made more useful
  – Specify the network to capture packets on and the type of packets
  – An Analyzer instance is activated automatically
• The administrator can inspect the packet dump from the OpenStack admin screen using Wireshark
  – You can also log in to the compute node and tcpdump the tap interface directly, but the Analyzer is much easier to use
Using Analyzer (2)
Using Analyzer (3)
Summary
• Very easy-to-use admin screen
  – You can monitor communications on the overlay
• Architecture that enables scalability
  – Controller workload is small, because the communication of each node is handled by the node itself on the overlay
  – Cassandra is used as the backend database, which allows it to scale
  – L3VPN routers are used as external routers, which lets the uplinks scale
• I heard VXLAN can be used as well, but it appears it cannot be configured from the admin screen yet
Things I would like to investigate further
• Service Chaining
• Measure scalability by increasing the number of nodes
• Terminate the external router using VXLAN
• I would like to try the version that supports Havana