Posted on 2025-12-18 08:51:30
2. Network service: Neutron
Neutron applies the idea of software-defined networking to manage resources under network virtualization. Its design goal is Network as a Service (NaaS), and it is structured and managed according to the SDN (Software Defined Network) architecture.
Neutron mainly consists of the Neutron server, Plugins and Agents. The Neutron server exposes the OpenStack networking API, receives requests and hands them to a Plugin; the Plugin processes the requests from the Neutron server, maintains the state of the OpenStack logical network and calls an Agent to carry them out; the Agent handles the Plugin's requests and actually implements the network functions on the network provider. There is also a database that stores the OpenStack network state, including Network, Subnet, Port and Router objects.

3. OVS
OVS (Open vSwitch) is a virtual switch that is managed according to the SDN (Software Defined Network) architecture.
OVS introduction for reference: https://mp.weixin.qq.com/s?__biz ... 189#wechat_redirect
OVS consists of three components: the datapath, vswitchd and ovsdb.
datapath (openvswitch.ko): openvswitch.ko is the OVS kernel module. When it is loaded into the kernel it registers a hook on the network interface, and that hook is called every time a packet arrives. While handling a packet the module first tries to match it against the policies held in the kernel (the kernel flow table). If a policy matches, the packet is forwarded in kernel space according to that policy; the whole process stays inside the kernel and is very fast, hence the name fast path. If no kernel policy matches, the packet is handed to the user-space vswitchd process; this is the slow path. The datapath can be configured with the ovs-dpctl command.
vswitchd: vswitchd is the core OVS module. It runs in user space and communicates with OpenFlow controllers and third-party software. When vswitchd receives a packet it matches it against the user-space flow table; on a match the packet is forwarded according to the rule, otherwise it is handled as the OpenFlow specification prescribes: reported to the controller (if there is one) or dropped.
ovsdb: the OVS database, which stores the entire OVS configuration, including interfaces, switching contents, VLANs and virtual switch information.
OVS terminology:
1. Bridge: a network bridge, in other words a switch (a virtual one, i.e. a vSwitch). One host can hold several bridges. When a packet enters a bridge through one of its ports, the bridge forwards it to another port according to its rules, and it may also modify or drop the frame. "Bridge" here means the virtual switch.
2. Port: a switch port. Ports come in the following types:
Normal: when a physical NIC is added to a bridge it becomes a Port of type Normal. Configuring an IP address on that NIC is then meaningless: it has "degenerated into a network cable" that only carries frames in and out. Normal ports are typically used, in VLAN mode, for the link that connects several physical hosts; the physical switch side of that link is in trunk mode.
Internal: for this type of port OVS automatically creates a virtual NIC (Interface). Everything the port receives is delivered to that NIC, and whatever the NIC sends goes through the port into OVS. When OVS creates a new bridge it automatically creates an Internal port and an Interface with the same name as the bridge. An Internal port can be given an IP address and brought up, which gives OVS layer-3 connectivity.
Patch: similar in function to a veth pair, commonly used to connect two bridges. (A veth pair is two virtual network ports, i.e. devices.)
Tunnel: implements overlay networks and supports tunnel protocols such as GRE, VXLAN, STT, Geneve and IPsec. A tunnel operates at layer 3.
3. Interface: a NIC, either virtual (TUN/TAP) or physical. TAP: a single virtual network port (device) at layer 2; TUN: a single virtual network port (device) at layer 3. veth pair: two virtual network ports (devices), commonly used to connect two bridges.
4. Controller: OVS can be managed by one or more OpenFlow controllers, whose main job is to push flow tables that control the forwarding rules.
5. FlowTable: the flow table is the core of OVS forwarding; it defines the rules for forwarding data between ports. Each flow rule has a match part and an action part: the "match" decides which packets are handled, the "action" decides how they are handled.
ens160 no longer holds an IP address; traffic leaves through the IP address configured on br-ex.
OVS installation
1. Bring up a fresh Linux machine.
2. Configure an online yum repository (the OpenStack online yum repo).

Configure the yum repo (back up the existing files first, then clear the directory):
# cd /etc/yum.repos.d/
# rm -rf *
# cat cloud.repo
[highavailability]
name=CentOS Stream 8 - HighAvailability
baseurl=https://mirrors.aliyun.com/centos/8-stream/HighAvailability/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[nfv]
name=CentOS Stream 8 - NFV
baseurl=https://mirrors.aliyun.com/centos/8-stream/NFV/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[rt]
name=CentOS Stream 8 - RT
baseurl=https://mirrors.aliyun.com/centos/8-stream/RT/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[resilientstorage]
name=CentOS Stream 8 - ResilientStorage
baseurl=https://mirrors.aliyun.com/centos/8-stream/ResilientStorage/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras-common]
name=CentOS Stream 8 - Extras packages
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/extras-common/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras]
name=CentOS Stream - Extras
mirrorlist=http://mirrorlist.centos.org/?release=&arch=&repo=extras&infra=
#baseurl=http://mirror.centos.org///extras//os/
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos/8-stream/cloud/x86_64/openstack-victoria/
#baseurl=https://repo.huaweicloud.com/centos/8-stream/cloud/x86_64/openstack-yoga/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
module_hotfixes=1

[powertools]
name=CentOS Stream 8 - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=&arch=&repo=PowerTools&infra=
baseurl=https://mirrors.aliyun.com/centos/8-stream/PowerTools/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

# yum clean all    # clear the cache
# yum makecache    # rebuild the cache
# yum repolist all    # list the yum repositories (13 of them)
3. Install the base packages and OVS (for Tab completion of commands, install the bash-completion package and then run bash).
If installing openvswitch3.1 fails with an error that the gpgkey file cannot be found, set gpgcheck=0 and run the install again.
yum install -y vim net-tools bash-completion centos-release-openstack-victoria.noarch tcpdump openvswitch3.1
Or install it separately: yum install -y openvswitch3.1*
Check the installed version: [root@ovs ~]# ovs-vsctl --version
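The workaround above (gpgcheck=0 when the GPG key file is missing) switches off package signature verification for that repository. The following Python script is an added example, not part of the original post: it parses a .repo file in the format written above and lists every enabled repository whose packages would be installed without signature verification. The embedded repo text is a constructed excerpt of the post's file, and the [ovs-workaround] section is hypothetical.

```python
"""Audit a yum/dnf .repo file for repositories that skip signature checks.

Added example (not from the original post). The post's workaround for a
missing GPG key file is gpgcheck=0, which disables package signature
verification for that repository; this script makes such repos visible.
"""
import configparser
import io
import sys

REASON_NO_GPGCHECK = "gpgcheck is not 1: packages from this repo are installed unverified"
REASON_NO_KEY = "gpgcheck=1 but no gpgkey: installs will fail on the key lookup"

# Constructed excerpt in the same format as the post's cloud.repo.
# The [ovs-workaround] section is hypothetical and mirrors the gpgcheck=0
# advice the post gives for openvswitch3.1.
SAMPLE_REPO = """\
[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[ovs-workaround]
name=hypothetical copy of the NFV repo with the check turned off
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=0
enabled=1

[disabled-example]
name=disabled repos install nothing, so they are not reported
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=0
enabled=0
"""


def parse_repo(text):
    """Parse .repo text into {section: {option: value}}.

    interpolation=None keeps $releasever/$basearch literal, '=' is the only
    delimiter (values contain ':' in URLs), and '#baseurl=' lines are
    comments, as they are for dnf.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_file(io.StringIO(text))
    return {s: dict(cp.items(s)) for s in cp.sections()}


def audit_repos(repos):
    """Return [(section, reason)] for enabled repos that cannot verify
    package signatures. A missing gpgcheck is treated as 0 (only an
    explicit gpgcheck=1 counts); a missing enabled means 1, as in dnf."""
    findings = []
    for name, opts in repos.items():
        if opts.get("enabled", "1").strip() != "1":
            continue  # disabled repositories install nothing
        if opts.get("gpgcheck", "0").strip() != "1":
            findings.append((name, REASON_NO_GPGCHECK))
        elif not opts.get("gpgkey", "").strip():
            findings.append((name, REASON_NO_KEY))
    return findings


def unverified_repo_names(text):
    """Names of enabled repositories whose packages are installed unverified."""
    return [n for n, r in audit_repos(parse_repo(text)) if r == REASON_NO_GPGCHECK]


if __name__ == "__main__":
    # Usage: python3 repo_audit.py /etc/yum.repos.d/cloud.repo (sample if no path)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPO
    for section, reason in audit_repos(parse_repo(text)):
        print(f"[{section}] {reason}")
```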
4. Start the OVS service
[root@ovs ~]# systemctl start openvswitch
[root@ovs ~]# systemctl enable openvswitch
[root@ovs ~]# ps -ef | grep openvswitch
[root@ovs ~]# ovs-vsctl show    # show the OVS virtual switch information
[root@ovs ~]# ovs-vsctl --help    # help; or [root@ovs ~]# man ovs-vsctl
5. Create an OVS virtual switch
Creating a virtual switch also generates a Port and an Interface with the same name as the switch, with type internal.

[root@ovs ~]# ovs-vsctl add-br br-int
[root@ovs ~]# ovs-vsctl add-br br-memeda    # add
[root@ovs ~]# ovs-vsctl del-br br-memeda    # delete
[root@ovs ~]# ovs-vsctl list-br    # list
br-int
br-memeda
[root@ovs ~]# ovs-vsctl show    # query the OVS virtual switch information; "Bridge" means the virtual switch
54c67146-9a9f-40be-8cb7-e8792879aafa
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Use lightweight network namespaces to simulate virtual machines

[root@ovs ~]# ip netns    # list network namespaces
[root@ovs ~]# ip netns add ns1    # add a network namespace
[root@ovs ~]# ip netns add ns2
[root@ovs ~]# ip netns
ns2
ns1
Create two veth pairs (a veth pair has two virtual network interfaces; think of a veth as a NIC port) and attach one end of each (veth1 and veth2) to the two network namespaces. A veth pair is two virtual network ports (devices).

Create two veth pairs and place one end of each into the two namespaces created above.
# ip link help    # or: # man ip link
Configuration for the first namespace:
[root@ovs ~]# ip link add veth11 type veth peer name veth1
[root@ovs ~]# ip link set veth1 netns ns1
[root@ovs ~]# ip netns exec ns1 ip link set veth1 up
Configuration for the second namespace:
[root@ovs ~]# ip link add veth22 type veth peer name veth2
[root@ovs ~]# ip link set veth2 netns ns2
[root@ovs ~]# ip netns exec ns2 ip link set veth2 up
Connect the other ends (veth11 and veth22) to the OVS virtual switch.

[root@ovs ~]# ip link set veth11 up
[root@ovs ~]# ip link set veth22 up
[root@ovs ~]# ovs-vsctl add-port br-memeda veth11
[root@ovs ~]# ovs-vsctl add-port br-memeda veth22
[root@ovs ~]# ovs-vsctl show    # br-memeda now has two more Ports (Port veth22, Port veth11)
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            Interface veth22
        Port veth11
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Manually assign IP addresses in the two network namespaces

[root@ovs ~]# ip netns exec ns1 ip addr add 1.1.1.1/24 dev veth1
[root@ovs ~]# ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: veth1@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:f9:3b:cb:9b:c5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.1/24 scope global veth1
       valid_lft forever preferred_lft forever
    inet6 fe80::fcf9:3bff:fecb:9bc5/64 scope link
       valid_lft forever preferred_lft forever
[root@ovs ~]# ip netns exec ns2 ip addr add 1.1.1.2/24 dev veth2
[root@ovs ~]# ip netns exec ns2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth2@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:e3:ac:a8:f3:bc brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.2/24 scope global veth2
       valid_lft forever preferred_lft forever
    inet6 fe80::8e3:acff:fea8:f3bc/64 scope link
       valid_lft forever preferred_lft forever
Test connectivity between the two network namespaces
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=2.98 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.167 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.081 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2065ms
rtt min/avg/max/mdev = 0.081/1.075/2.979/1.346 ms
[root@ovs ~]# ip netns exec ns2 ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.923 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.084 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.091 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.084/0.366/0.923/0.393 ms
VLAN: a virtual local area network. VLAN isolation reduces network congestion and improves packet security.
An OVS virtual switch can define VLANs just like a physical switch: one vlan10 (tag 10) and one vlan20 (tag 20). Give the two virtual network device ports plugged into the OVS switch different tags (the default is 0), which places them in different VLANs, then verify connectivity again.

[root@ovs ~]# ovs-vsctl set port veth11 tag=10
[root@ovs ~]# ovs-vsctl set port veth22 tag=20
[root@ovs ~]# ovs-vsctl show    # Port veth22 and Port veth11 on br-memeda now carry a tag
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 20
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
After assigning different VLANs (tags) the ping fails; crossing VLANs requires a router or a physical layer-3 switch.

[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2064ms

[root@ovs ~]# ovs-vsctl set port veth22 tag=10    # changing veth22 to tag=10 as well puts both ports in the same VLAN, so they can talk at layer 2 again
[root@ovs ~]# ovs-vsctl show
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 10
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2    # in the same VLAN (tag) the ping succeeds: layer-2 communication
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.093 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.086 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2051ms
rtt min/avg/max/mdev = 0.086/0.535/1.426/0.630 ms
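The following Python script is an added example, not part of the original post. It parses the `ovs-vsctl show` text format printed above (it serves both the port-attachment step and the VLAN-tag step) and reports which ports on a bridge can still exchange frames at layer 2, so the tag change can be checked from the switch configuration rather than only with ping. The sample output is a constructed copy of the post's br-memeda state with veth11 at tag 10 and veth22 at tag 20.

```python
"""Check OVS VLAN isolation from `ovs-vsctl show` output.

Added example (not from the original post). It parses the text format of
`ovs-vsctl show` as printed above, builds a bridge -> port -> tag map and
reports which port pairs on a bridge share a layer-2 broadcast domain.
"""
import subprocess
from itertools import combinations

# Constructed copy of the post's br-memeda state after
# `ovs-vsctl set port veth11 tag=10` and `ovs-vsctl set port veth22 tag=20`.
SAMPLE_SHOW = """\
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 20
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
"""


def parse_show(text):
    """Return {bridge: {port: {"tag": int or None, "interfaces": [names]}}}.

    The output is a tree: Bridge lines own Port lines, which own an
    optional 'tag:' line and one or more Interface lines. Only the line
    keywords are used, not the indentation, so pasted output still parses.
    """
    bridges, bridge, port = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Bridge "):
            bridge = line.split(None, 1)[1].strip('"')
            bridges[bridge] = {}
            port = None
        elif line.startswith("Port ") and bridge is not None:
            port = line.split(None, 1)[1].strip('"')
            bridges[bridge][port] = {"tag": None, "interfaces": []}
        elif line.startswith("tag:") and port is not None:
            bridges[bridge][port]["tag"] = int(line.split(":", 1)[1])
        elif line.startswith("Interface ") and port is not None:
            bridges[bridge][port]["interfaces"].append(line.split(None, 1)[1].strip('"'))
    return bridges


def same_segment(ports, a, b):
    """True if ports a and b of one bridge are in the same broadcast domain.

    An access port (tag set) only sees its own VLAN. A port with no tag and
    no trunks list is a trunk that carries every VLAN, so it reaches every
    access port; that is why the bridge's own internal port is never
    isolated from veth11 or veth22 here.
    """
    ta, tb = ports[a]["tag"], ports[b]["tag"]
    return ta is None or tb is None or ta == tb


def reachable_pairs(bridges, bridge):
    """Sorted (port, port) pairs on `bridge` that can exchange frames."""
    ports = bridges[bridge]
    return [(a, b) for a, b in combinations(sorted(ports), 2) if same_segment(ports, a, b)]


def isolated_pairs(bridges, bridge):
    """Sorted (port, port) pairs on `bridge` that the VLAN tags keep apart."""
    ports = bridges[bridge]
    return [(a, b) for a, b in combinations(sorted(ports), 2) if not same_segment(ports, a, b)]


def set_tag(bridges, bridge, port, tag):
    """Model `ovs-vsctl set port <port> tag=<tag>` on the parsed map."""
    bridges[bridge][port]["tag"] = tag
    return bridges


if __name__ == "__main__":
    try:  # use the live switch when ovs-vsctl is available, else the sample
        text = subprocess.run(["ovs-vsctl", "show"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SHOW
    topo = parse_show(text)
    for br in topo:
        print(br, "isolated:", isolated_pairs(topo, br), "reachable:", reachable_pairs(topo, br))
```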
FlowTable: the flow table is the core of OVS forwarding; it defines the rules for forwarding data between ports. Each flow rule has a match part and an action part: the "match" decides which packets are handled, the "action" decides how they are handled.
Traffic direction: add flow entries; here the rule is added for the ingress port.

View the default OVS flow table
[root@ovs ~]# ovs-ofctl dump-flows br-memeda    # show the virtual switch's flow rules
 cookie=0x0, duration=2161.884s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
At this point OVS behaves like a traditional switch. Now add a flow entry with priority 2 (a larger number means a higher priority, so it ranks above the default entry's priority 0) that drops every packet arriving from veth11; ns1 can then no longer ping ns2.
[root@ovs ~]# ovs-ofctl add-flow br-memeda "priority=2,in_port=veth11,actions=drop"    # add a flow rule
[root@ovs ~]# ovs-ofctl dump-flows br-memeda
 cookie=0x0, duration=2.578s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=veth11 actions=drop
 cookie=0x0, duration=2217.329s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2076ms
Delete the entry just added and ns1 and ns2 can communicate normally again.
[root@ovs ~]# ovs-ofctl del-flows br-memeda "in_port=veth11"    # deleting the flow rule just added restores connectivity
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.766 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.096 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.088 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2043ms
rtt min/avg/max/mdev = 0.088/0.316/0.766/0.318 ms
[root@ovs ~]# ovs-ofctl dump-flows br-memeda
 cookie=0x0, duration=2315.744s, table=0, n_packets=59, n_bytes=4438, priority=0 actions=NORMAL
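To make the priority rule concrete, the following Python script, an added example that is not part of the original post, parses lines in the `ovs-ofctl dump-flows` format shown above and selects the flow that applies to a packet the way table 0 does: the highest priority among all entries whose match fields equal the packet's. It also models the non-strict matching of the `ovs-ofctl del-flows` command used above. The flow lines are a constructed copy of the post's output.

```python
"""Pick the flow that applies to a packet, the way OVS table 0 does.

Added example (not from the original post). It parses lines in the
format of `ovs-ofctl dump-flows br-memeda` shown above and applies the
OpenFlow rule the post relies on: of all entries whose match fields equal
the packet's, the highest priority wins. It also models the non-strict
matching of `ovs-ofctl del-flows br "in_port=veth11"` used above.
"""
import re

# Statistics, timing and priority fields that are not part of the match.
META_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes", "priority",
             "idle_age", "hard_age", "idle_timeout", "hard_timeout"}

# Constructed copy of the post's dump-flows output after the drop rule
# for veth11 was added (priority 2 above the default priority 0 NORMAL rule).
SAMPLE_DUMP = """\
 cookie=0x0, duration=2.578s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=veth11 actions=drop
 cookie=0x0, duration=2217.329s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
"""


def parse_flows(text):
    """Return [{"table", "priority", "match": {field: value}, "actions"}]."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if " actions=" not in line:
            continue  # blank lines and the NXST_FLOW header of older ovs-ofctl
        head, actions = line.split(" actions=", 1)
        fields = dict(tok.split("=", 1) for tok in re.split(r"[,\s]+", head) if "=" in tok)
        flows.append({
            "table": int(fields.get("table", 0)),
            "priority": int(fields.get("priority", 32768)),  # OpenFlow default
            "match": {k: v for k, v in fields.items() if k not in META_KEYS},
            "actions": actions.strip(),
        })
    return flows


def lookup(flows, packet, table=0):
    """Return the actions for `packet` (a dict such as {"in_port": "veth11"}).

    A flow matches when every field it names equals the packet's value; a
    flow with an empty match (the priority=0 NORMAL rule) matches everything.
    Among matching flows the highest priority wins; None means a table miss.
    """
    best = None
    for flow in flows:
        if flow["table"] != table:
            continue
        if all(packet.get(k) == v for k, v in flow["match"].items()):
            if best is None or flow["priority"] > best["priority"]:
                best = flow
    return None if best is None else best["actions"]


def del_flows(flows, spec):
    """Model non-strict `ovs-ofctl del-flows <bridge> "<spec>"`.

    A flow is removed when its match contains every field of `spec` with
    the same value, regardless of priority; an empty spec removes all flows.
    """
    wanted = dict(tok.split("=", 1) for tok in spec.split(",") if "=" in tok)
    return [f for f in flows
            if not all(f["match"].get(k) == v for k, v in wanted.items())]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_DUMP)
    for port in ("veth11", "veth22"):
        print(port, "->", lookup(flows, {"in_port": port}))
    remaining = del_flows(flows, "in_port=veth11")
    print("after del-flows in_port=veth11:", lookup(remaining, {"in_port": "veth11"}))
```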
4. OVN
OVN is built on top of OVS and is managed according to the SDN (Software Defined Network) architecture: software separates the control plane from the forwarding plane, with OVN acting as the control plane and OVS as the forwarding plane.
OVN is built on OVS and requires an underlying OVS; OVS can be thought of as a layer-2 switch and OVN as a layer-3 switch.
OVS introduction for reference: https://mp.weixin.qq.com/s?__biz ... 189#wechat_redirect
Plain OVS still has some problems in the cloud computing field, for example:
1. OVS only does layer-2 forwarding and has no layer-3 capability; routing cannot be configured on OVS.
2. OVS has no high-availability configuration.
3. In virtualization, migrating a VM from one physical machine to another, and in the container world migrating a container from one node to another, are very common scenarios, but a plain OVS configuration applies only to the current node. When such a migration happens, the new node's OVS lacks the corresponding configuration, so the migrated VM or container cannot work properly.
To address these problems OVN (Open Virtual Network) appeared. OVN provides:
1. Distributed virtual routers
2. Distributed logical switches
3. Access control lists (ACL)
4. DHCP
5. DNS server
In OpenStack, creating a network amounts to creating a logical virtual switch, and the information about this logical switch (network) is saved in the northbound database. In other words, a network created in OpenStack is stored in the northbound database as a logical switch.
The OVN website shows OVN's logical architecture as follows:
                                    CMS
                                     |
                                     |
                         +-----------|-----------+
                         |           |           |
                         |     OVN/CMS Plugin    |
                         |           |           |
                         |           |           |
                         |   OVN Northbound DB   |
                         |           |           |
                         |           |           |
                         |       ovn-northd      |
                         |           |           |
                         +-----------|-----------+
                                     |
                                     |
                           +-------------------+
                           | OVN Southbound DB |
                           +-------------------+
                                     |
                                     |
                  +------------------+------------------+
                  |                  |                  |
    HV 1          |                  |    HV n          |
  +---------------|---------------+  .  +---------------|---------------+
  |               |               |  .  |               |               |
  |        ovn-controller         |  .  |        ovn-controller         |
  |         |             |       |  .  |         |             |       |
  |         |             |       |     |         |             |       |
  |  ovs-vswitchd   ovsdb-server  |     |  ovs-vswitchd   ovsdb-server  |
  |                               |     |                               |
  +-------------------------------+     +-------------------------------+
OVN nodes fall into two classes by function:
central: the central node; its components are the OVN/CMS plugin, OVN Northbound DB, ovn-northd and OVN Southbound DB.
hypervisor (hv): a worker node; its components are ovn-controller, ovs-vswitchd and ovsdb-server.
The central components and the hypervisor components run on the same physical node.
The components work as follows:
1. CMS: Cloud Management Software, for example OpenStack (OVN was originally designed for OpenStack).
2. OVN/CMS plugin: the CMS plugin, for example OpenStack's Neutron plugin. It translates the logical network configuration into data that OVN understands and writes it into the northbound database (OVN Northbound DB).
3. OVN Northbound DB: the OVN northbound database. It stores the configuration pushed by the CMS plugin and has two clients, the CMS plugin and ovn-northd. It can be operated directly with the ovn-nbctl command. The northbound database holds logical network information (switches, routers and so on).
4. ovn-northd: the northbound daemon translates the data in the OVN Northbound DB and stores the result in the OVN Southbound DB. All information passes from the northbound database through ovn-northd to the southbound database.
5. OVN Southbound DB: the OVN southbound database. It also has two clients: ovn-northd above it and the ovn-controller running on every hypervisor below it. It can be operated directly with the ovn-sbctl command. The southbound database holds the physical network information of each node.
6. ovn-controller: OVN's agent on every hypervisor. Northbound it connects to the OVN Southbound Database to learn the latest configuration and translate it into OpenFlow flows; southbound it connects to ovs-vswitchd to push the translated flows, and to ovsdb-server to fetch the configuration it needs.
7. ovs-vswitchd and ovsdb-server: the two OVS user-space processes.
Every node has an ovn-controller, which manages that node's OVS (ovs-vswitchd, ovsdb-server). ovn-controller talks to the southbound database, which communicates with the northbound database through the ovn-northd daemon, which in turn communicates with OpenStack.
The southbound database holds the physical network state; the northbound database holds the logical network state.
Clone two virtual machines and install OVS and OVN

CentOS Stream 8

systemctl stop firewalld.service
systemctl disable firewalld.service
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
mkdir /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/

# quote the delimiter so the shell keeps $releasever, $stream, $basearch, $infra and $contentdir literal inside the file
cat <<'EOF' > /etc/yum.repos.d/cloudcs.repo
[ceph]
name=ceph
baseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/x86_64/
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc
gpgcheck=1
enabled=1

[ceph-noarch]
name=ceph-noarch
baseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/noarch/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc
enabled=1

[ceph-SRPMS]
name=SRPMS
baseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/SRPMS/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc
enabled=1

[highavailability]
name=CentOS Stream 8 - HighAvailability
baseurl=https://mirrors.aliyun.com/centos/8-stream/HighAvailability/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[nfv]
name=CentOS Stream 8 - NFV
baseurl=https://mirrors.aliyun.com/centos/8-stream/NFV/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[rt]
name=CentOS Stream 8 - RT
baseurl=https://mirrors.aliyun.com/centos/8-stream/RT/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[resilientstorage]
name=CentOS Stream 8 - ResilientStorage
baseurl=https://mirrors.aliyun.com/centos/8-stream/ResilientStorage/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras-common]
name=CentOS Stream 8 - Extras packages
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/extras-common/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras]
name=CentOS Stream $releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=extras&infra=$infra
#baseurl=http://mirror.centos.org/$contentdir/$stream/extras/$basearch/os/
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos/8-stream/cloud/x86_64/openstack-victoria/
#baseurl=https://repo.huaweicloud.com/centos/8-stream/cloud/x86_64/openstack-yoga/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
module_hotfixes=1

[powertools]
name=CentOS Stream 8 - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=PowerTools&infra=$infra
baseurl=https://mirrors.aliyun.com/centos/8-stream/PowerTools/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
EOF

yum install -y vim net-tools bash-completion git tcpdump autoconf automake libtool make python3 centos-release-openstack-victoria.noarch
yum install -y openvswitch3.1*
yum install -y ovn22.12*
Check the installed version to confirm that OVN was installed: # ovn-appctl --version
echo 'export PATH=$PATH:/usr/share/ovn/scripts:/usr/share/openvswitch/scripts' >> /etc/profile
source /etc/profile    # re-read the profile so the change takes effect immediately
在这里插入图片描述. y$ c, H3 M$ t
Starting the central components: node1 acts as the central node and runs the three components central requires: the OVN Northbound DB, ovn-northd and the OVN Southbound DB.
Start central on a control node. It only needs to run on one control node (node1 or node2 would both work; here it is node1): a single set of central services is enough.

ovn-ctl start_northd starts all three services automatically: the northbound database, ovn-northd and the southbound database.
[root@node1 ~]# ovn-ctl start_northd
/etc/ovn/ovnnb_db.db does not exist ... (warning).
Creating empty database /etc/ovn/ovnnb_db.db [ OK ]
Starting ovsdb-nb [ OK ]
/etc/ovn/ovnsb_db.db does not exist ... (warning).
Creating empty database /etc/ovn/ovnsb_db.db [ OK ]
Starting ovsdb-sb [ OK ]
Starting ovn-northd [ OK ]

[root@node1 ~]# ps -ef | grep ovn
root 34102 34101 0 21:02 ? 00:00:00 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-nb.log --remote=punix:/var/run/ovn/ovnnb_db.sock --pidfile=/var/run/ovn/ovnnb_db.pid --unixctl=/var/run/ovn/ovnnb_db.ctl --detach --monitor --remote=db:OVN_Northbound,NB_Global,connections --private-key=db:OVN_Northbound,SSL,private_key --certificate=db:OVN_Northbound,SSL,certificate --ca-cert=db:OVN_Northbound,SSL,ca_cert --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers /etc/ovn/ovnnb_db.db
root 34118 34117 0 21:02 ? 00:00:00 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-sb.log --remote=punix:/var/run/ovn/ovnsb_db.sock --pidfile=/var/run/ovn/ovnsb_db.pid --unixctl=/var/run/ovn/ovnsb_db.ctl --detach --monitor --remote=db:OVN_Southbound,SB_Global,connections --private-key=db:OVN_Southbound,SSL,private_key --certificate=db:OVN_Southbound,SSL,certificate --ca-cert=db:OVN_Southbound,SSL,ca_cert --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers /etc/ovn/ovnsb_db.db
root 34128 1 0 21:02 ? 00:00:00 ovn-northd: monitoring pid 34129 (healthy)
root 34129 34128 0 21:02 ? 00:00:00 ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/var/run/ovn/ovnnb_db.sock --ovnsb-db=unix:/var/run/ovn/ovnsb_db.sock --no-chdir --log-file=/var/log/ovn/ovn-northd.log --pidfile=/var/run/ovn/ovn-northd.pid --detach --monitor
root 34302 34259 0 21:07 pts/0 00:00:00 grep --color=auto ovn
Starting the hypervisor components: a hypervisor node runs three components: ovn-controller, ovs-vswitchd and ovsdb-server.
The hypervisor (hv) components must be started on both node1 and node2. First start ovs-vswitchd and ovsdb-server on both nodes:

[root@node1 ~]# ovs-ctl start --system-id=random
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]
[root@node2 ~]# ovs-ctl start --system-id=random
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]
Start ovn-controller on each of the two nodes:

[root@node1 ~]# ovn-ctl start_controller
Starting ovn-controller [ OK ]
[root@node1 ~]# ovs-vsctl show   # ovn-controller creates the br-int bridge automatically once it starts
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"

[root@node2 ~]# ovn-ctl start_controller
Starting ovn-controller [ OK ]
[root@node2 ~]# ovs-vsctl show   # ovn-controller creates the br-int bridge automatically once it starts
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
At this point the hypervisors are not yet associated with central (that is, ovn-controller is not connected to the southbound database). This can be checked on node1: [root@node1 ~]# ovn-nbctl show
Connecting the hypervisors to central: open the northbound and southbound database ports.

ovn-northd can reach the southbound and northbound databases only because they are deployed on the same machine and it connects over a unix socket.
The central node opens northbound database port 6641, which is mainly used by CMS plugins.
The central node opens southbound database port 6642, which ovn-controller connects to.
[root@node1 ~]# ovn-nbctl set-connection ptcp:6641:10.1.1.41
[root@node1 ~]# ovn-sbctl set-connection ptcp:6642:10.1.1.41
[root@node1 ~]# netstat -tulnp | grep 664
tcp 0 0 10.1.1.41:6641 0.0.0.0:* LISTEN 34102/ovsdb-server
tcp 0 0 10.1.1.41:6642 0.0.0.0:* LISTEN 34118/ovsdb-server
ovn-controller on node1 connects to the southbound database:
ovn-remote: address of the southbound database
ovn-encap-ip: the local IP of this ovs/controller node (the tunnel endpoint)
ovn-encap-type: tunnel encapsulation; geneve is used here
system-id: the chassis (node) identifier
[root@node1 ~]# ovs-vsctl set Open_vSwitch . external-ids:ovn-remote="tcp:10.1.1.41:6642" external-ids:ovn-encap-ip="10.1.1.41" external-ids:ovn-encap-type=geneve external-ids:system-id=node1

ovn-controller on node2 connects to the southbound database:
[root@node2 ~]# ovs-vsctl set Open_vSwitch . external-ids:ovn-remote="tcp:10.1.1.41:6642" external-ids:ovn-encap-ip="10.1.1.42" external-ids:ovn-encap-type=geneve external-ids:system-id=node2

View the southbound database on node1:
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
The architecture above was described from the perspective of the underlying components and services.
Now change perspective and look at it from the logical network side.
Geneve tunnel: when ovn-controller was connected to the southbound database, the parameter external-ids:ovn-encap-type=geneve was given. Looking at the OVS state on the two nodes now, both have an OVS bridge br-int created by OVN, and the port/interface that OVN added to br-int for the peer node is of type geneve.

[root@node1 ~]# ovs-vsctl show   # OVS state on node1
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"

[root@node2 ~]# ovs-vsctl show   # OVS state on node2
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port ovn-node1-0
            Interface ovn-node1-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.41"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
[root@node1 ~]# ip link | grep gene   # show the geneve tunnel link
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
Show the geneve link details; dstport 6081 shows that the geneve tunnel uses UDP port 6081:
[root@node1 ~]# ip -d link show genev_sys_6081
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 6a:e3:ff:a5:cc:d6 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65465
    geneve external id 0 ttl auto dstport 6081 udp6zerocsumrx
    openvswitch_slave addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
Check the geneve UDP port; a "-" in the last column means the socket is owned by the kernel rather than by a user-space process:
[root@node1 ~]# netstat -nulp | grep 6081
udp 0 0 0.0.0.0:6081 0.0.0.0:* -
udp6 0 0 :::6081 :::* -

[root@node2 ~]# ip link | grep gene
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
[root@node2 ~]# ip -d link show genev_sys_6081
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 4e:db:f1:e4:43:94 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65465
    geneve external id 0 ttl auto dstport 6081 udp6zerocsumrx
    openvswitch_slave addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
[root@node2 ~]# netstat -nulp | grep 6081
udp 0 0 0.0.0.0:6081 0.0.0.0:* -
udp6 0 0 :::6081 :::* -
When running the experiments below, make sure the MAC addresses you assign are valid; do not misconfigure them. MAC addresses fall into three classes:
Broadcast address (all F)
FF:FF:FF:FF:FF:FF
Multicast addresses (first byte odd)
X1:XX:XX:XX:XX:XX
X3:XX:XX:XX:XX:XX
X5:XX:XX:XX:XX:XX
X7:XX:XX:XX:XX:XX
X9:XX:XX:XX:XX:XX
XB:XX:XX:XX:XX:XX
XD:XX:XX:XX:XX:XX
XF:XX:XX:XX:XX:XX
Usable (unicast) MAC addresses (first byte even)
X0:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X4:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX
X8:XX:XX:XX:XX:XX
XA:XX:XX:XX:XX:XX
XC:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
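The three classes above all come from the lowest bit of the first octet (the I/G bit): set means a group (multicast) address, clear means an individual (unicast) address, and all-ones is the broadcast address. The next bit up (the U/L bit) marks a locally administered address; the hand-picked MACs used in the experiments (00:00:00:00:00:01 and so on) have it clear, while 02:xx:xx:xx:xx:xx-style addresses are the conventional choice for made-up MACs. The following Python is an added example, not code from the original post: it classifies a MAC address by those bits and flags which candidates are safe to assign to a port with `ip link set ... address`.

```python
HEX = set("0123456789abcdefABCDEF")


def parse_mac(mac: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff (or aa-bb-cc-dd-ee-ff) into 6 bytes; reject anything else."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 or set(p) - HEX for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def classify_mac(mac: str) -> str:
    """broadcast / multicast / unicast, decided by the I/G bit (bit 0 of the first octet)."""
    b = parse_mac(mac)
    if b == b"\xff" * 6:
        return "broadcast"      # all-ones: its first octet is odd too, but it is its own class
    if b[0] & 0x01:
        return "multicast"      # group address: first octet odd
    return "unicast"            # individual address: first octet even


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet): set means assigned locally, not by an OUI owner."""
    return bool(parse_mac(mac)[0] & 0x02)


def usable_as_port_mac(mac: str) -> bool:
    """True if the address can be assigned to a port: well-formed, unicast and not all-zero."""
    try:
        b = parse_mac(mac)
    except ValueError:
        return False
    return classify_mac(mac) == "unicast" and any(b)


def check_port_macs(macs) -> dict:
    """Map each candidate MAC to its class, for reviewing a batch before configuring it."""
    return {m: classify_mac(m) for m in macs}


if __name__ == "__main__":
    # The addresses used in the experiments on this page, plus one of each other class.
    for m in ("00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03",
              "FF:FF:FF:FF:FF:FF", "01:00:5e:00:00:01", "02:00:00:00:00:01"):
        print(m, classify_mac(m),
              "local" if is_locally_administered(m) else "global",
              "usable" if usable_as_port_mac(m) else "not usable")
```

Running the block prints one line per address; the three addresses used on this page come out as unicast, globally administered and usable, the broadcast and multicast samples as not usable.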
Create a network namespace ns1 on each node (the two are on different nodes, so the same name ns1 does not clash); a network namespace can be thought of as a VM. Then create a port and interface pair on the OVS switch and move one interface into the namespace. veth pair: two virtual network ports (devices); a veth end can be thought of as a NIC port, one end in the VM and the other on the br-int virtual switch.

Run on node1:
[root@node1 ~]# ip netns add ns1
[root@node1 ~]# ip link add veth11 type veth peer name veth12
[root@node1 ~]# ip link set veth12 netns ns1
[root@node1 ~]# ip link set veth11 up
[root@node1 ~]# ip netns exec ns1 ip link set veth12 address 00:00:00:00:00:01
[root@node1 ~]# ip netns exec ns1 ip link set veth12 up
[root@node1 ~]# ovs-vsctl add-port br-int veth11
[root@node1 ~]# ip netns exec ns1 ip addr add 192.168.1.10/24 dev veth12

Run on node2; note that veth12's IP is in the same subnet as veth12 on node1:
[root@node2 ~]# ip netns add ns1
[root@node2 ~]# ip link add veth11 type veth peer name veth12
[root@node2 ~]# ip link set veth12 netns ns1
[root@node2 ~]# ip link set veth11 up
[root@node2 ~]# ip netns exec ns1 ip link set veth12 address 00:00:00:00:00:02
[root@node2 ~]# ip netns exec ns1 ip link set veth12 up
[root@node2 ~]# ovs-vsctl add-port br-int veth11
[root@node2 ~]# ip netns exec ns1 ip addr add 192.168.1.20/24 dev veth12

View the br-int switch on node1:
[root@node1 ~]# ovs-vsctl show
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port veth11
            Interface veth11
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"
View the br-int switch on node2:
[root@node2 ~]# ovs-vsctl show
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port veth11
            Interface veth11
        Port ovn-node1-0
            Interface ovn-node1-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.41"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"

At this point pinging ns1 on node2 from ns1 on node1 fails: the two namespaces sit on different hosts, and their L2/L3 broadcast domains have not been joined yet.
[root@node1 ~]# ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.

--- 192.168.1.20 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2047ms
On the OpenStack control node, the OVN northbound database contains logical switch entries.
In OpenStack, creating a network is equivalent to creating a logical virtual switch; the logical switch (network) is stored in the northbound database. One network is one logical switch.
On node1, by contrast, the OVN northbound database contains no logical switch.
In OpenStack, VMs on different nodes can reach each other because both are attached to the same network: different IPs of one subnet on one logical switch.
The ns1 "VMs" on our two nodes have manually configured, isolated IPs and cannot reach each other, because they are not attached to any logical switch. Adding a logical switch connects them.
Logical Switch: for the two namespaces attached to the OVS switches on node1 and node2 to communicate, an OVN logical switch is needed. Note that the logical switch is a northbound database concept.

Create the logical switch on node1:
[root@node1 ~]# ovn-nbctl ls-add ls1
[root@node1 ~]# ovn-nbctl show
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
Add ports to the logical switch.
Add and configure the port for node1; the MAC address must match the end of the veth pair that sits inside the network namespace:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-node1-ns1
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node1-ns1 00:00:00:00:00:01
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls1-node1-ns1 00:00:00:00:00:01
Add and configure the port for node2; again the MAC address must match:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-node2-ns1
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node2-ns1 00:00:00:00:00:02
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls1-node2-ns1 00:00:00:00:00:02
View the logical switch:
[root@node1 ~]# ovn-nbctl show
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]

Run on node1: bind the veth11 port to the logical switch port
[root@node1 ~]# ovs-vsctl set interface veth11 external-ids:iface-id=ls1-node1-ns1
Run on node2: bind the veth11 port to the logical switch port
[root@node2 ~]# ovs-vsctl set interface veth11 external-ids:iface-id=ls1-node2-ns1
Check the southbound database again; the ports are now bound:
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
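The two `ovn-sbctl show` outputs on this page (the first after the chassis registered, the second after `external-ids:iface-id` was set) and the `ovs-vsctl show` output with the geneve tunnel port can be checked mechanically rather than by eye: which chassis registered and with which encap IP, which logical switch ports from the northbound database still have no Port_Binding, and whether the local br-int has a tunnel port for every other chassis. The following Python is an added example, not code from the original post or from OVN; the sample texts are copied from the outputs shown on this page, and the parser relies only on the name-and-indentation layout visible there.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Chassis:
    name: str
    hostname: str = ""
    encap_type: str = ""
    encap_ip: str = ""
    port_bindings: list = field(default_factory=list)


def parse_sb_show(text: str) -> dict:
    """Parse `ovn-sbctl show` output into {chassis name: Chassis}."""
    chassis, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^Chassis\s+"?([^"\s]+)"?$', line)
        if m:
            current = Chassis(name=m.group(1))
            chassis[current.name] = current
        elif current is None or not line:
            continue
        elif line.startswith("hostname:"):
            current.hostname = line.split(":", 1)[1].strip()
        elif line.startswith("Encap "):
            current.encap_type = line.split(None, 1)[1].strip()
        elif line.startswith("ip:"):
            current.encap_ip = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("Port_Binding "):
            current.port_bindings.append(line.split(None, 1)[1].strip().strip('"'))
    return chassis


def unbound_ports(nb_ports, chassis: dict) -> list:
    """Logical switch ports (from the NB database) with no Port_Binding on any chassis."""
    bound = {p for c in chassis.values() for p in c.port_bindings}
    return sorted(set(nb_ports) - bound)


def geneve_remote_ips(ovs_show: str) -> set:
    """remote_ip of every geneve interface in `ovs-vsctl show` output."""
    ips, in_geneve = set(), False
    for raw in ovs_show.splitlines():
        line = raw.strip()
        if line.startswith("Interface "):
            in_geneve = False
        elif line == "type: geneve":
            in_geneve = True
        elif in_geneve and line.startswith("options:"):
            m = re.search(r'remote_ip="?([0-9.]+)"?', line)
            if m:
                ips.add(m.group(1))
    return ips


def missing_tunnels(local: str, chassis: dict, ovs_show: str) -> list:
    """Encap IPs of peer chassis for which br-int on `local` has no geneve tunnel port."""
    remotes = geneve_remote_ips(ovs_show)
    return sorted(c.encap_ip for n, c in chassis.items()
                  if n != local and c.encap_ip not in remotes)


# Sample texts copied from the outputs shown on this page.
SB_BEFORE_BINDING = """\
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
"""
SB_AFTER_BINDING = SB_BEFORE_BINDING.replace(
    'options: {csum="true"}\nChassis node1', 'options: {csum="true"}\n    Port_Binding ls1-node2-ns1\nChassis node1'
) + "    Port_Binding ls1-node1-ns1\n"
NB_PORTS = ["ls1-node1-ns1", "ls1-node2-ns1"]   # from `ovn-nbctl show` on this page
OVS_NODE1 = """\
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"
"""

if __name__ == "__main__":
    print("unbound before:", unbound_ports(NB_PORTS, parse_sb_show(SB_BEFORE_BINDING)))
    print("unbound after: ", unbound_ports(NB_PORTS, parse_sb_show(SB_AFTER_BINDING)))
    print("missing tunnels on node1:", missing_tunnels("node1", parse_sb_show(SB_AFTER_BINDING), OVS_NODE1))
```

With the sample data both NB ports are unbound before `iface-id` is set and bound afterwards, and node1's br-int has a tunnel port for its only peer. A chassis that appears here has merely connected: the `ptcp:` listeners opened above accept any client that can reach the port, so this check says nothing about whether the chassis should be there; `ovn-sbctl set-ssl` with a `pssl:` connection (and `ssl:` in `ovn-remote`) is the authenticated alternative.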
Verify connectivity on node1:
[root@node1 ~]# ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=4.68 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.908 ms
64 bytes from 192.168.1.20: icmp_seq=3 ttl=64 time=0.756 ms

--- 192.168.1.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 0.756/2.115/4.682/1.816 ms
Verify connectivity on node2:
[root@node2 ~]# ip netns exec ns1 ping -c 3 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.34 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.863 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=64 time=0.372 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.372/1.525/3.342/1.300 ms
ns1 on node1 and ns1 on node2 can now reach each other. This is equivalent to creating two instances whose IPs come from a subnet attached to the same logical switch: different IPs of one subnet on one logical switch, so they communicate.
Geneve tunnel verification: take the example of ns1 on node1 pinging ns1 on node2 and capture packets at each component on the path to verify geneve encapsulation and decapsulation. The captures show the role the geneve tunnel plays in OVN/OVS cross-host communication, and that an OVN logical switch joins the L2 networks of different hosts, or in other words extends the OVS L2 broadcast domain across hosts.

// ns1 on node1 pings ns1 on node2
# ip netns exec ns1 ping -c 1 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=1.00 ms
--- 192.168.1.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.009/1.009/1.009/0.000 ms

// capture on veth12 inside ns1 on node1
# ip netns exec ns1 tcpdump -i veth12 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth12, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:11.364011 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 24275, seq 1, length 64
22:23:11.365000 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 24275, seq 1, length 64
22:23:16.364932 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:23:16.365826 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
// capture on veth11, the other end of veth12, on node1
# tcpdump -i veth11 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
22:25:11.225987 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 25166, seq 1, length 64
22:25:11.226914 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 25166, seq 1, length 64
22:25:16.236933 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:25:16.237563 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:25:16.237627 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
22:25:16.237649 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on the genev_sys_6081 interface on node1
# tcpdump -i genev_sys_6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on genev_sys_6081, link-type EN10MB (Ethernet), capture size 262144 bytes
22:28:15.872064 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 26492, seq 1, length 64
22:28:15.872717 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 26492, seq 1, length 64
22:28:20.877100 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:28:20.877640 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:28:20.877654 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:28:20.877737 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
// capture on eth0 on node1: after passing through genev_sys_6081 the packets carry geneve encapsulation
# tcpdump -i eth0 port 6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:23.446147 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446659 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:28.461137 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:30:28.461554 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:30:28.461571 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:30:28.461669 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
=================== cross-host ===================

// capture on eth0 on node2
# tcpdump -i eth0 port 6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:11.364189 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 24275, seq 1, length 64
22:23:11.364662 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 24275, seq 1, length 64
22:23:16.365086 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:23:16.365487 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
// capture on genev_sys_6081 on node2: packets leaving genev_sys_6081 have been geneve-decapsulated
# tcpdump -i genev_sys_6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on genev_sys_6081, link-type EN10MB (Ethernet), capture size 262144 bytes
22:25:11.226186 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 25166, seq 1, length 64
22:25:11.226553 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 25166, seq 1, length 64
22:25:16.237070 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:25:16.237162 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:25:16.237203 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:25:16.237523 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on veth11 on node2
# tcpdump -i veth11 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
22:28:15.872198 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 26492, seq 1, length 64
22:28:15.872235 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 26492, seq 1, length 64
22:28:20.876913 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:28:20.877274 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:28:20.877287 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:28:20.877613 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on veth12 inside ns1 on node2
# ip netns exec ns1 tcpdump -i veth12 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth12, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:23.446212 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446242 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:28.460912 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:30:28.461260 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:30:28.461272 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:30:28.461530 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
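What tcpdump printed on eth0 as `Geneve, Flags [C], vni 0x1, options [8 bytes]` can be checked field by field. The following Python is an added example, not code from the original post or from OVS/OVN: it builds a constructed Geneve payload shaped like the captured ARP request (VNI 1, one critical 8-byte option, an inner Ethernet frame from 00:00:00:00:00:01 to the broadcast address) and then parses it back, rebuilding tcpdump's one-line summary. The option class 0x0102 / type 0x80 and the 15-bit ingress / 16-bit egress logical port layout inside it follow the OVN architecture documentation; the port numbers 1 and 2 placed in the sample are made up.

```python
import struct

ETH_P_TEB = 0x6558   # Geneve protocol type for an inner Ethernet frame (Transparent Ethernet Bridging)
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
OVN_OPT_CLASS = 0x0102  # option class OVN uses for logical port metadata
OVN_OPT_TYPE = 0x80     # high bit set: the option is critical, hence tcpdump's Flags [C]


def parse_geneve(payload: bytes) -> dict:
    """Parse the Geneve header (RFC 8926) carried in a UDP/6081 payload."""
    if len(payload) < 8:
        raise ValueError("truncated Geneve header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", payload[:8])
    version = b0 >> 6
    if version != 0:
        raise ValueError(f"unsupported Geneve version {version}")
    opt_len = (b0 & 0x3F) * 4          # option length is given in 4-byte words
    flags = {"oam": bool(b1 & 0x80), "critical": bool(b1 & 0x40)}
    vni = vni_rsvd >> 8                # 24-bit VNI, low byte reserved
    end = 8 + opt_len
    if len(payload) < end:
        raise ValueError("truncated Geneve options")
    options, off = [], 8
    while off < end:
        if off + 4 > end:
            raise ValueError("malformed Geneve option")
        cls, typ, ln = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (ln & 0x1F) * 4     # option data length, also in 4-byte words
        if off + 4 + data_len > end:
            raise ValueError("malformed Geneve option")
        options.append({"class": cls, "type": typ & 0x7F, "critical": bool(typ & 0x80),
                        "data": payload[off + 4:off + 4 + data_len]})
        off += 4 + data_len
    return {"version": version, "flags": flags, "protocol": proto, "vni": vni,
            "option_bytes": opt_len, "options": options, "inner": payload[end:]}


def ovn_port_metadata(option: dict) -> dict:
    """Decode OVN's option: 1 unused bit, 15-bit logical ingress port, 16-bit logical egress port."""
    if (option["class"], option["type"]) != (OVN_OPT_CLASS, OVN_OPT_TYPE & 0x7F) or len(option["data"]) != 4:
        raise ValueError("not an OVN logical-port option")
    value, = struct.unpack("!I", option["data"])
    return {"ingress_port": (value >> 16) & 0x7FFF, "egress_port": value & 0xFFFF}


def summarize_inner(frame: bytes) -> str:
    """One-line description of the inner Ethernet frame, in tcpdump's wording."""
    ethertype, = struct.unpack("!H", frame[12:14])
    ip = lambda b: ".".join(str(x) for x in b)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    if ethertype == ETH_P_ARP:
        op, = struct.unpack("!H", frame[20:22])
        sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
        if op == 1:
            return f"ARP, Request who-has {ip(tpa)} tell {ip(spa)}"
        if op == 2:
            return f"ARP, Reply {ip(spa)} is-at {mac(sha)}"
        return f"ARP, opcode {op}"
    if ethertype == ETH_P_IP:
        return f"IP {ip(frame[26:30])} > {ip(frame[30:34])}"
    return f"ethertype 0x{ethertype:04x}"


def tcpdump_summary(payload: bytes) -> str:
    g = parse_geneve(payload)
    flags = ("O" if g["flags"]["oam"] else "") + ("C" if g["flags"]["critical"] else "")
    return (f"Geneve, Flags [{flags}], vni 0x{g['vni']:x}, "
            f"options [{g['option_bytes']} bytes]: " + summarize_inner(g["inner"]))


def build_sample_packet() -> bytes:
    """Constructed Geneve payload (not a real capture) modelled on the ARP request seen on eth0."""
    option = struct.pack("!HBB", OVN_OPT_CLASS, OVN_OPT_TYPE, 1) + struct.pack("!I", (1 << 16) | 2)
    header = struct.pack("!BBHI", len(option) // 4, 0x40, ETH_P_TEB, 1 << 8)  # ver 0, C flag, VNI 1
    mac1 = bytes.fromhex("000000000001")   # veth12 in ns1 on node1
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1,
                      mac1, bytes([192, 168, 1, 10]), bytes(6), bytes([192, 168, 1, 20]))
    frame = b"\xff" * 6 + mac1 + struct.pack("!H", ETH_P_ARP) + arp
    return header + option + frame


if __name__ == "__main__":
    print(tcpdump_summary(build_sample_packet()))
```

The VNI is the tunnel key OVN assigns to the logical datapath (here the single logical switch), and the option carries which logical ports the frame entered and will leave by; both are what an ovn-controller on the receiving chassis trusts to pick the right flows, which is why the tunnel endpoints themselves should only be reachable from the other chassis.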
Logical Router:
The previous section verified cross-host communication within a single subnet through an OVN logical switch. How do different subnets talk to each other? That is what the OVN logical router is for.
First create another network namespace, ns2, on node2, give it an address in a different subnet (192.168.2.30/24), and add a second logical switch.

Run on node2 (first list the existing network namespaces):
[root@node2 ~]# ip netns
ns1 (id: 0)
[root@node2 ~]# ip netns add ns2
[root@node2 ~]# ip link add veth21 type veth peer name veth22
[root@node2 ~]# ip link set veth22 netns ns2
[root@node2 ~]# ip link set veth21 up
[root@node2 ~]# ip netns exec ns2 ip link set veth22 address 00:00:00:00:00:03
[root@node2 ~]# ip netns exec ns2 ip link set veth22 up
[root@node2 ~]# ovs-vsctl add-port br-int veth21
[root@node2 ~]# ip netns exec ns2 ip addr add 192.168.2.30/24 dev veth22
[root@node2 ~]# ip netns
ns2 (id: 1)
ns1 (id: 0)

On node1, create the new logical switch with the ovn commands and configure its port:
[root@node1 ~]# ovn-nbctl ls-add ls2
[root@node1 ~]# ovn-nbctl lsp-add ls2 ls2-node2-ns2
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-node2-ns2 00:00:00:00:00:03
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls2-node2-ns2 00:00:00:00:00:03

On node2, bind the OVS switch port to the OVN logical switch port:
[root@node2 ~]# ovs-vsctl set interface veth21 external-ids:iface-id=ls2-node2-ns2

Check the northbound and southbound database contents:
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
1 t! t& `* C+ F$ I. h# D* _创建ovn逻辑路由器连接两个逻辑交换机
# o, ~7 B+ F: x/ V" r0 O, v4 s2 B8 e3 T2 b3 J7 m' l6 f
添加逻辑路由器,路由信息保存在北向数据库
* U; _) }$ z: i9 j* C/ C/ R[root@node1 ~]# ovn-nbctl lr-add lr1
# H8 V! z2 c8 u2 c. G. D, b! Z2 t逻辑路由器添加连接交换机ls1的端口
$ o8 k7 z0 P& ?; P[root@node1 ~]# ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:11:00 192.168.1.1/24/ p0 |0 O7 q- T: L& u5 O; b
逻辑路由器添加连接交换机ls2的端口9 x3 o3 T& u+ c
[root@node1 ~]# ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:12:00 192.168.2.1/24+ W( p5 j' y4 U: R1 a
- r. s7 k7 z# n* S! C! P7 W+ Z1 q
逻辑路由器连接逻辑交换机ls10 z5 p- p0 N1 L1 C; ~$ I
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-lr10 V$ j9 c* T" d3 r/ \; `. z: y9 ]
[root@node1 ~]# ovn-nbctl lsp-set-type ls1-lr1 router( S" ?) B2 i$ @7 ]- a. W' C
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-lr1 00:00:00:00:11:00
- U1 l+ S2 V* J[root@node1 ~]# ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1
( K* ]; Y) l# N5 m
) i4 y9 z- l5 F9 ?逻辑路由器连接逻辑交换机ls2
( s. b n# r4 f[root@node1 ~]# ovn-nbctl lsp-add ls2 ls2-lr1- ~% X! A! ~ w, P; z( d+ S4 g5 y
[root@node1 ~]# ovn-nbctl lsp-set-type ls2-lr1 router
0 z5 {; t- I! N9 U$ h[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-lr1 00:00:00:00:12:00
1 p2 n0 k( T, r; J[root@node1 ~]# ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2+ l* a" U l) B
9 ~' _+ X6 g8 Z) K; y2 U" D/ N
查看北向数据库和南向数据库信息/ x7 D- f) t' x3 t- ]$ _
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
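The pairing above only works when the switch-side port of type `router` carries the same MAC as the router port it names in `router-port`; a typo in either MAC leaves the gateway unreachable even though both databases look fully populated. The script below is an added example, not code from the original post, that parses `ovn-nbctl show` text and checks every such pair. `NB_GOOD` is constructed from the output above, `NB_BAD` is the same text with one MAC deliberately altered, and `check_router_peering` is my own function name. It also accepts the `router` keyword that OVN allows in `addresses` for ports of type router, in which case the MAC is taken from the router port and there is nothing to compare.

```shell
#!/bin/sh
# Added example: check that each switch port of type "router" is paired with an
# existing router port carrying the same MAC, from `ovn-nbctl show` text.
# NB_GOOD is constructed from the output shown above; NB_BAD alters one MAC.
NB_GOOD='switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]'
NB_BAD=$(printf '%s\n' "$NB_GOOD" | sed 's/mac: "00:00:00:00:12:00"/mac: "00:00:00:00:12:ff"/')

# check_router_peering NB_TEXT: print "ok", or one line per broken pair.
check_router_peering() {
    printf '%s\n' "$1" | awk '
        # keep only the MAC (or the "router" keyword): drop [ ] and quotes
        function strip(v) { gsub(/[^0-9a-zA-Z:]/, "", v); return v }
        $1 == "switch" { mode = "switch"; next }
        $1 == "router" { mode = "router"; next }
        $1 == "port"   { port = $2; next }
        mode == "switch" && $1 == "addresses:"   { sp_addr[port] = strip($2) }  # first token is the MAC
        mode == "switch" && $1 == "router-port:" { sp_peer[port] = $2 }
        mode == "router" && $1 == "mac:"         { rp_mac[port] = strip($2) }
        END {
            bad = 0
            for (sp in sp_peer) {
                rp = sp_peer[sp]
                if (!(rp in rp_mac)) {
                    printf "missing: %s names router port %s, which does not exist\n", sp, rp
                    bad++; continue
                }
                # "router" makes OVN copy the MAC from the router port, so only an explicit MAC is compared
                if (sp_addr[sp] != "router" && sp_addr[sp] != rp_mac[rp]) {
                    printf "mismatch: %s has %s but %s has %s\n", sp, sp_addr[sp], rp, rp_mac[rp]
                    bad++
                }
            }
            if (bad == 0) print "ok"
        }'
}

echo "good: $(check_router_peering "$NB_GOOD")"   # ok
echo "bad:  $(check_router_peering "$NB_BAD")"    # mismatch on ls2-lr1 / lr1-ls2
```

On a live controller run `check_router_peering "$(ovn-nbctl show)"`; anything other than `ok` is worth fixing before looking at flows on the hypervisors, because ovn-northd will translate the inconsistent pair into the southbound database without complaint.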
Ping node2's ns2 (192.168.2.30) from node1's ns1 (192.168.1.10/24) to verify connectivity between different subnets across nodes.

[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.2.30
connect: Network is unreachable

Check the routing table in ns1; clearly there is no route to the 192.168.2.0/24 network yet:
[root@node1 ~]# ip netns exec ns1 ip route show
192.168.1.0/24 dev veth12 proto kernel scope link src 192.168.1.10
[root@node1 ~]# ip netns exec ns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 veth12

Because a router is a layer-3 concept, the relevant logical switch ports must first be given addresses with lsp-set-addresses:
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node1-ns1 00:00:00:00:00:01
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node2-ns1 00:00:00:00:00:02
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-node2-ns2 00:00:00:00:00:03

Then add a default route in each of the three network namespaces, using the IP of the corresponding OVN logical router port as the gateway.

ns1 on node1:
[root@node1 ~]# ip netns exec ns1 ip route add default via 192.168.1.1 dev veth12
ns1 on node2:
[root@node2 ~]# ip netns exec ns1 ip route add default via 192.168.1.1 dev veth12
ns2 on node2:
[root@node2 ~]# ip netns exec ns2 ip route add default via 192.168.2.1 dev veth22
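The `connect: Network is unreachable` error above comes from the kernel in ns1 finding no route at all for 192.168.2.30; nothing in OVN is consulted yet. The default route fixes it because a /0 matches every destination, while the directly connected /24 still wins for hosts in the same subnet. The following is an added example, not code from the original post, that reproduces the kernel's longest-prefix lookup over `ip route show` text so the before/after state of this section can be reasoned about offline. `NS1_ROUTES_BEFORE` and `NS1_ROUTES_AFTER` are constructed from the output above; `route_for` and `gateway_for` are my own names.

```shell
#!/bin/sh
# Added example: offline model of the kernel's route selection, using the
# route tables shown for ns1 in this section (constructed samples, not live output).
NS1_ROUTES_BEFORE='192.168.1.0/24 dev veth12 proto kernel scope link src 192.168.1.10'
NS1_ROUTES_AFTER='default via 192.168.1.1 dev veth12
192.168.1.0/24 dev veth12 proto kernel scope link src 192.168.1.10'

# route_for DEST ROUTES: print the `ip route show` line the kernel would pick
# for DEST (longest matching prefix wins), or "unreachable" when no route
# matches, which is the condition behind "connect: Network is unreachable".
route_for() {
    printf '%s\n' "$2" | awk -v dest="$1" '
        # dotted quad -> 32-bit integer
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        # network part of n under a /len mask (2^32 is exact in a double)
        function prefix(n, len) { return int(n / 2^(32 - len)) }
        BEGIN { d = ip2n(dest); best = -1 }
        {
            if ($1 == "default")                 { net = 0; len = 0 }          # 0.0.0.0/0
            else if ($1 ~ /^[0-9.]+\/[0-9]+$/)   { split($1, p, "/"); net = ip2n(p[1]); len = p[2] + 0 }
            else if ($1 ~ /^[0-9.]+$/)           { net = ip2n($1); len = 32 }  # host route
            else next
            if (len > best && prefix(d, len) == prefix(net, len)) { best = len; line = $0 }
        }
        END { if (best < 0) print "unreachable"; else print line }'
}

# gateway_for DEST ROUTES: "unreachable", the next-hop IP after "via", or
# "direct" for an on-link destination (ARP then goes straight to the host).
gateway_for() {
    r=$(route_for "$1" "$2")
    case "$r" in
        unreachable) echo unreachable ;;
        *" via "*)   printf '%s\n' "$r" | awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }' ;;
        *)           echo direct ;;
    esac
}

# Demo: before the default route ns1 cannot reach the other subnet at all;
# afterwards the other subnet goes via the router port 192.168.1.1, while a
# host in the same subnet is still reached directly over veth12.
echo "other subnet, before: $(gateway_for 192.168.2.30 "$NS1_ROUTES_BEFORE")"   # unreachable
echo "other subnet, after:  $(gateway_for 192.168.2.30 "$NS1_ROUTES_AFTER")"    # 192.168.1.1
echo "same subnet, after:   $(gateway_for 192.168.1.20 "$NS1_ROUTES_AFTER")"    # direct
```

On a live node, feed it `"$(ip netns exec ns1 ip route show)"` instead of the sample text; a result of `unreachable` for the peer namespace means the problem is the namespace's own routing table, not the OVN configuration.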
Check the northbound and southbound database contents again:

[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Verify network connectivity.

ns1 on node1 reaches its gateway:
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=20.10 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.950/20.950/20.950/0.000 ms

ns2 on node2 reaches its gateway:
[root@node2 ~]# ip netns exec ns2 ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=38.5 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 38.477/38.477/38.477/0.000 ms

ns1 on node1 pings ns2 on node2:
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.2.30
PING 192.168.2.30 (192.168.2.30) 56(84) bytes of data.
64 bytes from 192.168.2.30: icmp_seq=1 ttl=63 time=1.23 ms

--- 192.168.2.30 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms

Note: OVN logical switches and logical routers are northbound database concepts. ovn-northd "translates" these two logical objects into the southbound database, and ovn-controller on each hypervisor then syncs them to ovs/ovsdb-server, which finally yields the OVS ports, flow tables and related data.
An OVN logical switch uses geneve tunnels to extend a layer-2 broadcast domain across the OVS instances on different hosts, while an OVN logical router extends layer-3 forwarding across those same OVS instances; together they provide cross-host network communication.
Both OVN logical switches and logical routers produce their flow entries on every hypervisor; this is also the principle behind OVN's network high availability and its handling of problems such as instance migration.