technical introduction to midonet
TRANSCRIPT
Introduction to midonet
Taku Fukushima
Agenda
1. What is MidoNet?
2. Architecture
3. Feature details
4. Community
5. Summary
1. What is MidoNet?
Why do we need MidoNet?
• Demands for virtualised networking
• Faster and more flexible provisioning
• Cloud IaaS requires virtualised networking
• Multi-tenancy
• Complete software-based solution
MidoNet Features
• L2 - L3 Logical Switching
• Logical Routing
• State-less and Stateful NAT
• Logical and distributed Firewall
• L4 Load Balancing
• BGP and its ECMP multiplexing
• GRE and VXLAN tunneling
• OpenStack Neutron integration and MidoStack
• REST API
• VTEP support with OVSDB protocol
• Partial Docker integration
History of MidoNet (a dev’s perspective)
• Started with Midolman written in Python, OpenStack Austin, Open vSwitch (including userland)
• MidoNet 1.x
• Re-written with Java
• Scala was partially introduced
• Open-sourced in Nov 2014
• MidoNet 2.0 (WIP)
2. Architecture
Architecture Overview
[Diagram: on each compute host, VMs attach through host interfaces to the Open vSwitch datapath; Midolman (the MidoNet agent) controls the datapath via Netlink, adding and removing flows in its flow table, and keeps a cache of the virtual topology stored in the NSDB (three NSDB nodes shown), which it watches and modifies. Clients and users reach the system through the MidoNet API, the MidoNet CLI, Horizon, the Nova API and the Neutron API with the MidoNet plugin; Nova compute runs on the host.]
GRE/VXLAN Tunneling
[Diagram: two compute hosts on the private network (each with Midolman, cache, datapath, flow table, VMs and Nova compute) and two BGP gateway hosts (Midolman, datapath, flow table) facing the Internet; the hosts are joined by GRE/VXLAN tunnels, with the NSDB cluster and the MidoNet, Nova and Neutron APIs (MidoNet plugin, Horizon, MidoNet CLI) above them.]
NSDB and Cluster API
[Same architecture overview diagram as above, highlighting the NSDB and the cluster API.]
OpenStack integration and APIs
[Same architecture overview diagram as above, highlighting the OpenStack integration (Neutron API with the MidoNet plugin, Nova API, Horizon) and the MidoNet API.]
BGP with ECMP
[Same diagram as GRE/VXLAN Tunneling above, highlighting the two BGP gateway hosts toward the Internet.]
3. Feature details
MidoNet 101! Face-to-Face with the Distributed SDN・FOSDEM 2015
Distributed L2 Switching
[Diagram: virtual topology with VM 1 and VM 2 on Virtual Switch B1 under Virtual Tenant Router B; physical topology with VM 1 on Host 0 and VM 2 on Host 1, an ARP request from VM 1, and the State Cluster holding the two tables below.]

Virtual Switch B1 MAC table
MAC                 Port     Host
AC:CA:BA:00:00:01   vPort 0  Host 0
AC:CA:BA:00:00:02   vPort 1  Host 1

Tunnel Zone (GRE / VXLAN)
Host    IPv4
Host 0  192.168.0.1
Host 1  10.0.0.1

• State cluster based on ZooKeeper
• Stores the virtual topology
• Topology is cached by the MidoNet Agent
• Agents access data using publish-subscribe
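The lookup the ingress agent performs on this slide, as an added Python example that is not MidoNet code: a small model of the MAC/Port/Host table and the tunnel zone in which the agent simulates a packet once, installs the resulting actions in its flow table, and serves later packets of the same flow from that table. The action tuples, the flow key (in vPort, src MAC, dst MAC), the use of the destination vPort name as tunnel key, the constructed VM 3 on Host 0 (added so that flooding shows both a local output and a tunnel), and sharing one topology object between the two agents as a stand-in for the publish-subscribe cache are all assumptions of this example.

```python
"""Distributed L2 switching model (added example, not MidoNet code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class VirtualSwitch:
    name: str
    port_host: Dict[str, str]               # vPort -> host it is bound to
    mac_table: Dict[str, Tuple[str, str]]   # MAC -> (vPort, host), as on the slide


@dataclass
class TunnelZone:
    endpoints: Dict[str, str]               # host -> GRE/VXLAN IPv4 address


@dataclass
class Agent:
    """Midolman on one host: cached topology plus the local flow table."""
    host: str
    switch: VirtualSwitch                   # shared object stands in for the NSDB cache
    zone: TunnelZone
    flow_table: Dict[tuple, List[tuple]] = field(default_factory=dict)
    simulations: int = 0

    def simulate(self, in_vport, src_mac, dst_mac):
        """Compute the datapath actions for one packet on the virtual switch."""
        self.simulations += 1
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        self.switch.mac_table[src_mac] = (in_vport, self.host)   # MAC learning
        hit = None if dst_mac == BROADCAST else self.switch.mac_table.get(dst_mac)
        if hit is None:
            # Broadcast (the slide's ARP request) or unknown unicast:
            # flood to every other vPort of this switch.
            targets = [p for p in self.switch.port_host if p != in_vport]
        else:
            targets = [hit[0]]
        actions = []
        for vport in targets:
            host = self.switch.port_host[vport]
            if host == self.host:
                actions.append(("output", vport))                # local interface
            else:
                # Encapsulate toward the peer's tunnel-zone IP; the tunnel key
                # (here simply the vPort name) identifies the destination port.
                actions.append(("tunnel", self.zone.endpoints[host], vport))
        return actions

    def handle_packet(self, in_vport, src_mac, dst_mac):
        """Datapath miss -> simulate and install; later packets hit the flow."""
        key = (in_vport, src_mac.lower(), dst_mac.lower())
        if key not in self.flow_table:
            self.flow_table[key] = self.simulate(in_vport, src_mac, dst_mac)
        return self.flow_table[key]


MAC1, MAC2, MAC3 = "AC:CA:BA:00:00:01", "AC:CA:BA:00:00:02", "AC:CA:BA:00:00:03"


def build_slide_topology():
    """Tables from the slide, plus a constructed VM 3 (vPort 2) on Host 0."""
    switch = VirtualSwitch(
        "Virtual Switch B1",
        port_host={"vPort 0": "Host 0", "vPort 1": "Host 1", "vPort 2": "Host 0"},
        mac_table={MAC1.lower(): ("vPort 0", "Host 0"),
                   MAC2.lower(): ("vPort 1", "Host 1"),
                   MAC3.lower(): ("vPort 2", "Host 0")},
    )
    zone = TunnelZone({"Host 0": "192.168.0.1", "Host 1": "10.0.0.1"})
    return {h: Agent(h, switch, zone) for h in ("Host 0", "Host 1")}


def demo():
    agents = build_slide_topology()
    h0, h1 = agents["Host 0"], agents["Host 1"]
    arp = h0.handle_packet("vPort 0", MAC1, BROADCAST)   # ARP request: flood
    unicast = h0.handle_packet("vPort 0", MAC1, MAC2)    # VM 1 -> VM 2: tunnel
    h0.handle_packet("vPort 0", MAC1, MAC2)              # flow-table hit, no simulation
    reply = h1.handle_packet("vPort 1", MAC2, MAC1)      # VM 2 -> VM 1 from Host 1
    return {"arp": arp, "unicast": unicast, "reply": reply,
            "simulations_host0": h0.simulations}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the ARP request from VM 1 flooding to the local vPort 2 and over a tunnel to Host 1's 10.0.0.1, the unicast VM 1 -> VM 2 flow needing only the tunnel action, and the third packet being served from the flow table without another simulation; Host 1 tunnels the reply back to 192.168.0.1.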
Layer 2 Gateways
[Diagram "L2 VXLAN Gateway": virtual topology with VM 1 and VM 2 on Virtual Switch B1 (vPort 0, vPort 1) under Virtual Tenant Router B, which reaches the Virtual Provider Router through vPort L3GW; a vPort L2GW on the switch links it over VXLAN to a Layer 2 Network behind a Hardware VTEP. Physical topology: VM 1 on Host 0, the Hardware VTEP, the Layer 2 Network and the State Cluster.]

L2 gateway for VXLAN
• The state cluster adds L2 gateway functions
• Exchanges state data with hardware VXLAN tunnel end-points (VTEPs)
• Leverages virtualization at the edge to optimize the traffic flow
Distributed Layer 2 Networks
[Diagram "Scalability and High": physical topology with VM 1 and VM 2 as virtual servers in a Private IP Network, an L2 Network behind three Hardware VTEPs, and the State Cluster; virtual topology with Virtual Switch B1 (vPort 0, vPort 1) attached to the L2 Network through vPort L2GW 0, vPort L2GW 1 and vPort L2GW 2.]
Distributed Layer 3 Routing
[Diagram "Scalability and High": physical topology with VM 1 and VM 2 as virtual servers in a Private IP Network, three Border Nodes toward the Provider Network (each with a BGP Peer), and the State Cluster; virtual topology with Virtual Switch B1 (vPort 0, vPort 1) under Virtual Tenant Router B, which connects to the Virtual Provider Router through two vPort L3GW.]
Firewall
• MidoNet supports OpenStack/Neutron Security Groups
• Applied to each network port bound to a VM, inbound or outbound
• Any forward traffic not explicitly allowed by a rule is dropped
• Return traffic is allowed

[Diagram: VM 1 and VM 2 on Virtual Switch A1 (vPort 0, vPort 1) and Virtual Switch A2 under Virtual Tenant Router A and the Virtual Provider Router, with a port-level firewall on each vPort; the ingress chain of vPort 0 is labelled "CHAIN vPort0 ingress".]

SG-1: allowing SSH inbound traffic
$ neutron security-group-rule-create --protocol tcp \
    --port-range-min 22 --port-range-max 22 \
    --direction ingress security-group-1

SG-2: allowing ICMP inbound traffic
$ neutron security-group-rule-create --protocol icmp \
    --direction ingress security-group-2

MidoNet models: Chains and Rules
• Anti-spoofing
• L2 - L4 header fields
• Wildcards
• Ranges
Firewall
[Diagram: same topology; VM 1 (MAC1 AC:CA:BA:00:00:01) on vPort 0 is in SG-1 and VM 2 (MAC2 AC:CA:BA:00:00:02) on vPort 1 is in SG-2. The chains attached to vPort 0 are listed below.]

CHAIN vPort0 ingress
  DROP if not MAC1
  DROP if not IP1
  ACCEPT return
  JUMP SG-1
  DROP everything
CHAIN SG-1 ingress
  ACCEPT TCP port range

• Different agents must exchange flow information
• Drop disallowed packets at the ingress host
• Protects the private underlay
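The chain walk the two Firewall slides describe, as an added Python example that is not MidoNet's rule engine: a vPort gets a chain for packets the VM sends and one for packets delivered to it, each holding the slide's rules (anti-spoofing on the VM-sent side, ACCEPT for return traffic via a connection-tracking set, JUMP into the security-group chains, DROP everything), and the two `neutron security-group-rule-create` commands are translated into ACCEPT rules in those group chains. The chain names from_vm/to_vm are this example's, not MidoNet's inbound/outbound naming; the VM addresses 10.0.0.11 and 10.0.0.12 and the external client 203.0.113.5 are constructed; and because only the slide's two ingress rules exist, VM 1's own new outbound connection is dropped, which is what "any forward traffic not explicitly allowed is dropped" implies without the egress-allow-all rules a Neutron default group carries.

```python
"""Port-level firewall chains model (added example, not MidoNet code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

ACCEPT, DROP, JUMP = "accept", "drop", "jump"


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None  # None for icmp
    dst_port: Optional[int] = None

    def key(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self):
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Rule:
    action: str
    match: Callable[[Packet], bool] = lambda p: True
    target: Optional[str] = None    # chain to JUMP to
    note: str = ""


class Firewall:
    def __init__(self):
        self.chains = {}            # chain name -> [Rule]
        self.conntrack = set()      # 5-tuples of accepted forward flows

    def add_sg_rule(self, group, protocol, direction="ingress",
                    port_min=None, port_max=None, remote_ip_prefix="0.0.0.0/0"):
        """One Neutron security-group rule -> one ACCEPT rule in the group's
        chain. ingress = traffic to the VM, so the remote is the source."""
        net = ip_network(remote_ip_prefix)

        def match(p):
            remote = p.src_ip if direction == "ingress" else p.dst_ip
            if p.proto != protocol or ip_address(remote) not in net:
                return False
            return port_min is None or (p.dst_port is not None
                                        and port_min <= p.dst_port <= port_max)
        self.chains.setdefault(f"{group}:{direction}", []).append(
            Rule(ACCEPT, match, note=f"{group} {direction} {protocol}"))

    def add_port(self, name, mac, ip, groups):
        """Build the per-port chains the slide shows for vPort0."""
        is_return = lambda p: p.reverse_key() in self.conntrack
        self.chains[f"{name}:from_vm"] = [
            Rule(DROP, lambda p: p.src_mac.lower() != mac.lower(), note="anti-spoof MAC"),
            Rule(DROP, lambda p: p.src_ip != ip, note="anti-spoof IP"),
            Rule(ACCEPT, is_return, note="return traffic"),
            *[Rule(JUMP, target=f"{g}:egress") for g in groups],
            Rule(DROP, note="drop everything"),
        ]
        self.chains[f"{name}:to_vm"] = [
            Rule(ACCEPT, is_return, note="return traffic"),
            *[Rule(JUMP, target=f"{g}:ingress") for g in groups],
            Rule(DROP, note="drop everything"),
        ]

    def _walk(self, chain, pkt):
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.action == JUMP:
                verdict = self._walk(rule.target, pkt)
                if verdict is not None:
                    return verdict
                continue            # jumped chain fell through: keep walking
            return rule.action, rule.note
        return None

    def process(self, port, direction, pkt):
        """Return (verdict, note of the matching rule). Accepted new flows
        are recorded so their replies match the 'return traffic' rule."""
        verdict, note = self._walk(f"{port}:{direction}", pkt) or (DROP, "no chain")
        if verdict == ACCEPT and note != "return traffic":
            self.conntrack.add(pkt.key())
        return verdict, note


def demo():
    fw = Firewall()
    fw.add_sg_rule("security-group-1", "tcp", "ingress", 22, 22)   # SG-1: SSH inbound
    fw.add_sg_rule("security-group-2", "icmp", "ingress")          # SG-2: ICMP inbound
    fw.add_port("vPort0", "AC:CA:BA:00:00:01", "10.0.0.11", ["security-group-1"])
    fw.add_port("vPort1", "AC:CA:BA:00:00:02", "10.0.0.12", ["security-group-2"])
    ext, ext_mac = "203.0.113.5", "00:00:5e:00:53:01"             # constructed client
    cases = {  # processed in order, so the SSH reply sees the conntrack entry
        "ssh_in": ("vPort0", "to_vm", Packet(ext_mac, ext, "10.0.0.11", "tcp", 40000, 22)),
        "ssh_reply": ("vPort0", "from_vm", Packet("AC:CA:BA:00:00:01", "10.0.0.11", ext, "tcp", 22, 40000)),
        "icmp_to_vm1": ("vPort0", "to_vm", Packet(ext_mac, ext, "10.0.0.11", "icmp")),
        "icmp_to_vm2": ("vPort1", "to_vm", Packet(ext_mac, ext, "10.0.0.12", "icmp")),
        "spoofed_mac": ("vPort0", "from_vm", Packet("AC:CA:BA:00:00:02", "10.0.0.11", ext, "tcp", 5555, 80)),
        "vm1_new_out": ("vPort0", "from_vm", Packet("AC:CA:BA:00:00:01", "10.0.0.11", ext, "tcp", 5555, 443)),
    }
    return {name: fw.process(port, d, pkt)[0] for name, (port, d, pkt) in cases.items()}
```

The verdicts demo() returns follow the slide: SSH to VM 1 is accepted by SG-1, its reply is accepted as return traffic without consulting any group rule, ICMP reaches VM 2 (SG-2) but not VM 1, and a packet from vPort 0 carrying VM 2's MAC is dropped by the anti-spoofing rule before any security-group rule is considered. Dropping at the ingress host, as the slide notes, is what keeps the spoofed or disallowed packet off the private underlay.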
Network Address Translation
[Diagram "L4 NAT for a TCP connection": virtual topology with VM 1 and VM 2 on Virtual Switch B1 under Virtual Tenant Router B (Private Network) and the Virtual Provider Router (Provider Network / Public Network); physical topology with VM 1 in the Private IP Network behind a Border Router. The forward flow's private endpoint 10.0.0.100:1234 maps to the public endpoint 151.16.16.1:370, and the return flow is mapped back.]
Distributed Flow State
[Diagram: VM 1 and VM 2 on Virtual Switch B1 under Virtual Tenant Router B (Private Network / Public Network), virtual and physical topology side by side. Numbered steps 1 to 3 show the forward flow (Fwd in at its ingress host, Fwd out at the egress host), the flow state sent to the possible return-flow ingress hosts and possible forward-flow ingress hosts, and the return flow (Ret in, Ret out), with the State Cluster as backup.]

• Flow state is forwarded to the possibly interested hosts
• No delay for simulating the flow's ingress packets at other hosts
• State backup in the cluster
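The NAT and Distributed Flow State slides together, as an added Python example that is not MidoNet code: the agent at a flow's ingress host simulates the first packet of a VM-to-Internet TCP connection, allocates the SNAT binding on the provider router, pushes the resulting flow state to every host that could receive the return packet (the BGP gateways) and backs it up in the state cluster, so the return packet is handled at a gateway without any cluster round-trip. Assumptions of this example: 151.16.16.1:370 is treated as the translated source of the forward flow, the port pool starts at 370 only to match the slide, the Internet peer 198.51.100.7 and the host names are constructed, all gateway hosts are treated as the "possible return-flow ingress" set, and a gateway that joins after the push is modelled to show the cluster backup being used.

```python
"""Distributed flow state for L4 NAT (added example, not MidoNet code)."""
from dataclasses import dataclass
from itertools import count
from typing import Dict


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class NatState:
    """One SNAT binding: private source <-> public source."""
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int


class StateCluster:
    """Backup copy of flow state (the slide's 'State backup in cluster')."""
    def __init__(self):
        self.entries: Dict[Flow, NatState] = {}
        self.lookups = 0

    def store(self, keys, state):
        for k in keys:
            self.entries[k] = state

    def fetch(self, key):
        self.lookups += 1
        return self.entries.get(key)


class Agent:
    """Midolman on one host: local flow-state table plus a push counter."""
    def __init__(self, name):
        self.name = name
        self.flow_state: Dict[Flow, NatState] = {}
        self.pushes_received = 0

    def receive_state(self, keys, state):
        self.pushes_received += 1
        for k in keys:
            self.flow_state[k] = state


class Deployment:
    def __init__(self, public_ip, gateways, computes, first_port=370):
        self.cluster = StateCluster()
        self.agents = {n: Agent(n) for n in gateways + computes}
        self.gateways = list(gateways)  # possible return-flow ingress hosts
        self.public_ip = public_ip
        self.ports = count(first_port)  # constructed SNAT port pool

    def forward(self, ingress_host, flow):
        """Simulate a VM->Internet packet at its ingress host; returns the
        flow as it leaves the provider router after SNAT."""
        agent = self.agents[ingress_host]
        state = agent.flow_state.get(flow)
        if state is None:                          # first packet: new binding
            state = NatState(flow.src_ip, flow.src_port, self.public_ip, next(self.ports))
            translated = Flow(flow.proto, state.public_ip, state.public_port,
                              flow.dst_ip, flow.dst_port)
            keys = [flow, translated.reverse()]    # forward match + return match
            for k in keys:
                agent.flow_state[k] = state
            for gw in self.gateways:               # push before a reply can arrive
                if gw != ingress_host:
                    self.agents[gw].receive_state(keys, state)
            self.cluster.store(keys, state)
        return Flow(flow.proto, state.public_ip, state.public_port, flow.dst_ip, flow.dst_port)

    def inbound(self, ingress_host, flow):
        """Simulate an Internet->public packet arriving at a gateway. Returns
        the de-NATed flow, or None when no binding exists (unsolicited)."""
        agent = self.agents[ingress_host]
        state = agent.flow_state.get(flow)
        if state is None:                          # not pushed here: use the backup
            state = self.cluster.fetch(flow)
            if state is None:
                return None
            agent.flow_state[flow] = state
        return Flow(flow.proto, flow.src_ip, flow.src_port, state.private_ip, state.private_port)


def demo():
    d = Deployment("151.16.16.1", ["BGP Gateway 0", "BGP Gateway 1"], ["Host 0"])
    fwd = Flow("tcp", "10.0.0.100", 1234, "198.51.100.7", 80)   # peer address constructed
    out = d.forward("Host 0", fwd)
    again = d.forward("Host 0", fwd)                           # same binding reused
    ret = d.inbound("BGP Gateway 1", out.reverse())            # state already pushed
    pushed_lookups = d.cluster.lookups
    d.agents["BGP Gateway 2"] = Agent("BGP Gateway 2")         # joined after the push
    late = d.inbound("BGP Gateway 2", out.reverse())           # falls back to backup
    fallback_lookups = d.cluster.lookups
    stray = d.inbound("BGP Gateway 0", Flow("tcp", "198.51.100.7", 80, "151.16.16.1", 9999))
    return {"translated": (out.src_ip, out.src_port), "reused": again == out,
            "return_dst": (ret.dst_ip, ret.dst_port), "late_dst": (late.dst_ip, late.dst_port),
            "lookups_pushed": pushed_lookups, "lookups_fallback": fallback_lookups,
            "stray": stray, "gw1_pushes": d.agents["BGP Gateway 1"].pushes_received}
```

demo() shows the forward flow leaving as 151.16.16.1:370, the return packet at BGP Gateway 1 being mapped back to 10.0.0.100:1234 with the cluster lookup counter still at zero, a gateway that never received the push reading the binding from the cluster backup instead, and an inbound flow with no binding being rejected rather than forwarded into the private network.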
4. Community
Entering MidoNet community
• Slack (midonet.slack.com)
• Mailing list
  • http://lists.midonet.org/pipermail/midonet-dev/
• Midolman code walkthrough
  • Code walk-through videos
• GerritHub
  • Code review + CI with several tests

Documentation and help
• Wiki
  • wiki.midonet.org
• Documentation
  • docs.midonet.org
• JIRA (Issue Tracker)
  • https://midonet.atlassian.net/
5. Summary
MidoNet rocks
• True distributed architecture
• Intelligence at the edge
• Open-sourced under Apache License v2
• Growing community and ecosystem
The end of slides. Any questions?
Distributed architecture of MidoNet
• Each compute node has a MidoNet agent
• MidoNet handles L2 - L4, NAT, LB, … at the edge
• MidoNet agent has cached virtual networking topology information and synchronises with Network State Database (NSDB)
• MidoNet agent adds/removes flows to/from the local Open vSwitch datapath based on simulations of packets
The rise of OpenFlow
It brought a simple and flexible idea: decouple control planes from data planes. However, OpenFlow controllers can be a SPoF.