Posted on 2025-12-18 08:51:30
2. Network service: Neutron
Neutron applies the idea of software-defined networking to resource management under network virtualization. Its design goal is Network as a Service (NaaS), and it follows the SDN (Software Defined Network) architecture.
Neutron consists mainly of the Neutron server, plugins and agents. The Neutron server exposes the OpenStack networking API, receives requests and hands them to a plugin; the plugin processes the requests from the Neutron server, maintains the state of the OpenStack logical network and calls an agent; the agent carries out the plugin's requests and actually implements the networking functions on the network provider. There is also a database that stores the OpenStack network state, including Network, Subnet, Port and Router objects.
3. OVS
OVS (Open vSwitch) is a virtual switch; it too is managed following the SDN (Software Defined Network) architecture.
OVS introduction: https://mp.weixin.qq.com/s?__biz ... 189#wechat_redirect
OVS consists of three components: the datapath, vswitchd and ovsdb.
datapath (openvswitch.ko): openvswitch.ko is the OVS kernel module. When it is loaded, it registers a hook on the network interface that is invoked whenever a packet arrives. The module first tries to match the packet against the policies held in the kernel (the kernel flow table); on a hit, the packet is forwarded in kernel space according to that entry. The whole process stays in the kernel and is very fast, so it is called the fast path. If no kernel entry matches, the packet is handed to the user-space vswitchd process; this is the slow path. The datapath is configured with the ovs-dpctl command.
vswitchd: the core OVS module. It runs in user space and communicates with OpenFlow controllers and third-party software. When vswitchd receives a packet it looks it up in the user-space flow table; on a match the packet is forwarded by the matching rule, otherwise it is handled as the OpenFlow specification requires: sent to the controller (if there is one) or dropped.
ovsdb: the OVS database, which stores the whole OVS configuration: interfaces, switching settings, VLANs, virtual switch information and so on.
OVS terminology:
1. Bridge: a bridge is a switch (a virtual one, i.e. a vSwitch); one host can have several bridges. When a packet enters the bridge on one port, the bridge forwards it to another port according to its rules, and it may also modify or drop the packet. "Bridge" always means a virtual switch here.
2. Port: a switch port, of one of the following types:
Normal: when a physical NIC is added to a bridge it becomes a Port of type Normal. Configuring an IP address on that physical NIC is then meaningless; it has "degraded to a cable" and only carries packets in and out. Normal ports are typically used in VLAN mode for the link that connects several physical hosts, with the physical switch side in trunk mode.
Internal: for this type OVS automatically creates a virtual network interface (Interface); everything received on the port is delivered to that interface, and everything the interface sends goes through the port to OVS. When OVS creates a new bridge it automatically creates an Internal port and an Interface with the same name as the bridge. An Internal port can be given an IP address and brought up, which gives OVS layer-3 connectivity.
Patch: similar in function to a veth pair; usually used to connect two bridges. (veth pair: a pair of virtual network ports/devices.)
Tunnel: implements overlay networks; supports GRE, VXLAN, STT, Geneve, IPsec and other tunnel protocols. A tunnel works at layer 3.
3. Interface: a network interface, either virtual (TUN/TAP) or physical. TAP: a single virtual network port (device) at layer 2; TUN: a single virtual network port (device) at layer 3. veth pair: two virtual network ports (devices), commonly used to connect two bridges.
4. Controller: OVS can be managed by one or more OpenFlow controllers, whose main job is to push flow tables that control the forwarding rules.
5. FlowTable: the flow table is the core of OVS forwarding; it defines the forwarding rules between ports. Each flow entry has a match part and an action part: the match decides which packets are handled, the action decides what is done with them.
ens160 no longer has an IP address; traffic leaves through br-ex's IP address.
OVS installation
1. Bring up a new Linux machine.
2. Configure an online yum repository (the same online repo used for OpenStack).

Configure the yum repos (back up the existing ones first, then clear the directory):
# cd /etc/yum.repos.d/
# rm -rf *
# cat cloud.repo
[highavailability]
name=CentOS Stream 8 - HighAvailability
baseurl=https://mirrors.aliyun.com/centos/8-stream/HighAvailability/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[nfv]
name=CentOS Stream 8 - NFV
baseurl=https://mirrors.aliyun.com/centos/8-stream/NFV/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[rt]
name=CentOS Stream 8 - RT
baseurl=https://mirrors.aliyun.com/centos/8-stream/RT/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[resilientstorage]
name=CentOS Stream 8 - ResilientStorage
baseurl=https://mirrors.aliyun.com/centos/8-stream/ResilientStorage/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras-common]
name=CentOS Stream 8 - Extras packages
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/extras-common/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[extras]
name=CentOS Stream - Extras
mirrorlist=http://mirrorlist.centos.org/?release=&arch=&repo=extras&infra=
#baseurl=http://mirror.centos.org///extras//os/
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos/8-stream/cloud/x86_64/openstack-victoria/
#baseurl=https://repo.huaweicloud.com/centos/8-stream/cloud/x86_64/openstack-yoga/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
module_hotfixes=1

[powertools]
name=CentOS Stream 8 - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=&arch=&repo=PowerTools&infra=
baseurl=https://mirrors.aliyun.com/centos/8-stream/PowerTools/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
# yum clean all        # clear the cache
# yum makecache        # rebuild the cache
# yum repolist all     # list the yum repositories (13 of them)
3. Install the base packages and OVS (for Tab completion of commands, install the bash-completion package and then run bash).
If installing openvswitch3.1 fails with an error that the gpgkey file cannot be found, set gpgcheck=0 and run the install again.
yum install -y vim net-tools bash-completion centos-release-openstack-victoria.noarch tcpdump openvswitch3.1
Or install it separately: yum install -y openvswitch3.1*
Check the installed version: [root@ovs ~]# ovs-vsctl --version
4. Start the OVS service
[root@ovs ~]# systemctl start openvswitch
[root@ovs ~]# systemctl enable openvswitch
[root@ovs ~]# ps -ef | grep openvswitch
[root@ovs ~]# ovs-vsctl show      # show the OVS virtual switch information
[root@ovs ~]# ovs-vsctl --help    # help; or: [root@ovs ~]# man ovs-vsctl
5. Create OVS virtual switches
Creating a virtual switch also generates a Port and an Interface with the same name as the switch, of type internal.

[root@ovs ~]# ovs-vsctl add-br br-int
[root@ovs ~]# ovs-vsctl add-br br-memeda    # add
[root@ovs ~]# ovs-vsctl del-br br-memeda    # delete
[root@ovs ~]# ovs-vsctl list-br             # list
br-int
br-memeda
[root@ovs ~]# ovs-vsctl show    # query the OVS virtual switch information; a Bridge is a virtual switch
54c67146-9a9f-40be-8cb7-e8792879aafa
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Use lightweight network namespaces to simulate virtual machines.
[root@ovs ~]# ip netns            # list the network namespaces
[root@ovs ~]# ip netns add ns1    # add a network namespace
[root@ovs ~]# ip netns add ns2
[root@ovs ~]# ip netns
ns2
ns1
Create two veth pairs (each veth pair has two virtual network interfaces; think of a veth as a NIC port) and move one end of each (veth1 and veth2) into the two network namespaces. veth pair: two virtual network ports (devices).
Create the two veth pairs and put one end of each into the two namespaces created above.
# ip link help    # or: # man ip link
Configuration of the first network namespace:
[root@ovs ~]# ip link add veth11 type veth peer name veth1
[root@ovs ~]# ip link set veth1 netns ns1
[root@ovs ~]# ip netns exec ns1 ip link set veth1 up
Configuration of the second network namespace:
[root@ovs ~]# ip link add veth22 type veth peer name veth2
[root@ovs ~]# ip link set veth2 netns ns2
[root@ovs ~]# ip netns exec ns2 ip link set veth2 up
Connect the other ends (veth11 and veth22) to the OVS virtual switch:

[root@ovs ~]# ip link set veth11 up
[root@ovs ~]# ip link set veth22 up
[root@ovs ~]# ovs-vsctl add-port br-memeda veth11
[root@ovs ~]# ovs-vsctl add-port br-memeda veth22
[root@ovs ~]# ovs-vsctl show    # br-memeda now has two more ports (Port veth22, Port veth11)
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            Interface veth22
        Port veth11
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Manually assign IP addresses in the two network namespaces:
[root@ovs ~]# ip netns exec ns1 ip addr add 1.1.1.1/24 dev veth1
[root@ovs ~]# ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: veth1@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:f9:3b:cb:9b:c5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.1/24 scope global veth1
       valid_lft forever preferred_lft forever
    inet6 fe80::fcf9:3bff:fecb:9bc5/64 scope link
       valid_lft forever preferred_lft forever
[root@ovs ~]# ip netns exec ns2 ip addr add 1.1.1.2/24 dev veth2
[root@ovs ~]# ip netns exec ns2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth2@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:e3:ac:a8:f3:bc brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.2/24 scope global veth2
       valid_lft forever preferred_lft forever
    inet6 fe80::8e3:acff:fea8:f3bc/64 scope link
       valid_lft forever preferred_lft forever
Test connectivity between the two network namespaces:
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=2.98 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.167 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.081 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2065ms
rtt min/avg/max/mdev = 0.081/1.075/2.979/1.346 ms
[root@ovs ~]# ip netns exec ns2 ping -c 3 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.923 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.084 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.091 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.084/0.366/0.923/0.393 ms
VLAN (virtual local area network): VLAN isolation reduces network congestion and improves packet security.
An OVS virtual switch can define VLANs just like a physical switch. Create VLAN 10 (tag 10) and VLAN 20 (tag 20), give the two veth ports plugged into the OVS switch different tags (the default is 0), i.e. put them into different VLANs, and then verify connectivity again.

[root@ovs ~]# ovs-vsctl set port veth11 tag=10
[root@ovs ~]# ovs-vsctl set port veth22 tag=20
[root@ovs ~]# ovs-vsctl show    # Port veth22 and Port veth11 on br-memeda now carry a tag
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 20
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
After assigning different VLANs (tags) the ping fails; a router or a physical layer-3 switch would be needed.

[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2064ms

[root@ovs ~]# ovs-vsctl set port veth22 tag=10    # setting veth22 to tag=10 as well puts both in the same VLAN, so they talk at layer 2 again
[root@ovs ~]# ovs-vsctl show
3b79f2e1-f433-4015-905e-8945dcada530
    Bridge br-memeda
        Port br-memeda
            Interface br-memeda
                type: internal
        Port veth22
            tag: 10
            Interface veth22
        Port veth11
            tag: 10
            Interface veth11
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2    # same VLAN (tag): the ping succeeds, layer-2 communication works
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.093 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.086 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2051ms
rtt min/avg/max/mdev = 0.086/0.535/1.426/0.630 ms
FlowTable: the flow table is the core of OVS forwarding; it defines the forwarding rules between ports. Each flow entry has a match part and an action part: the match decides which packets are handled, the action decides what is done with them.
Traffic direction: flow entries are added, and the rules are keyed on the port the traffic enters on.

View the default OVS flow table:
[root@ovs ~]# ovs-ofctl dump-flows br-memeda    # show the virtual switch's flow rules
 cookie=0x0, duration=2161.884s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
At this point OVS behaves like a traditional switch. Now add a flow entry with priority 2 (a larger number means a higher priority, so it ranks above the default entry's priority 0) that drops everything arriving on veth11; ns1 can then no longer ping ns2.
[root@ovs ~]# ovs-ofctl add-flow br-memeda "priority=2,in_port=veth11,actions=drop"    # add a flow rule
[root@ovs ~]# ovs-ofctl dump-flows br-memeda
 cookie=0x0, duration=2.578s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=veth11 actions=drop
 cookie=0x0, duration=2217.329s, table=0, n_packets=49, n_bytes=3682, priority=0 actions=NORMAL
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2076ms
Delete the entry just added and ns1 and ns2 can communicate normally again:
[root@ovs ~]# ovs-ofctl del-flows br-memeda "in_port=veth11"    # deleting the rule just added restores connectivity
[root@ovs ~]# ip netns exec ns1 ping -c 3 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.766 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.096 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.088 ms

--- 1.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2043ms
rtt min/avg/max/mdev = 0.088/0.316/0.766/0.318 ms
[root@ovs ~]# ovs-ofctl dump-flows br-memeda
 cookie=0x0, duration=2315.744s, table=0, n_packets=59, n_bytes=4438, priority=0 actions=NORMAL
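As an added model (not code from this post or from OVS), the Python below replays the three mechanisms described above in one place: the kernel fast path / slow path split from the OVS component description, the VLAN tag isolation experiment, and the priority-2 drop flow experiment. The MAC addresses, the `Key`/`Bridge`/`Datapath` names and the tag-0-means-untagged simplification are assumptions of the model.

```python
# Constructed model of one OVS bridge (not OVS code): the kernel datapath's exact-match
# cache in front of vswitchd's OpenFlow table, access-port VLAN tags, and NORMAL's
# per-VLAN MAC learning.  Ports without a tag are treated as tag 0, as the post says.
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MACS = {"veth11": "02:00:00:00:00:11", "veth22": "02:00:00:00:00:22"}  # constructed
Flow = namedtuple("Flow", "priority in_port actions")  # in_port None = wildcard

@dataclass(frozen=True)
class Key:
    """Simplified exact-match key that the kernel module caches on."""
    in_port: str
    src_mac: str
    dst_mac: str

class Datapath:
    """openvswitch.ko side: exact-match cache; a miss is an upcall to vswitchd."""
    def __init__(self, bridge: "Bridge") -> None:
        self.bridge = bridge
        self.cache: Dict[Key, List[str]] = {}
        self.fast_hits = self.upcalls = 0

    def flush(self) -> None:
        self.cache.clear()

    def receive(self, key: Key) -> List[str]:
        if key in self.cache:              # fast path: handled entirely in the kernel
            self.fast_hits += 1
            return self.cache[key]
        self.upcalls += 1                  # slow path: ask vswitchd, then cache its answer
        self.cache[key] = self.bridge.lookup(key)
        return self.cache[key]

class Bridge:
    """vswitchd side: port tags, the OpenFlow table and the learned MAC table."""
    def __init__(self) -> None:
        self.tags: Dict[str, int] = {}                       # port -> tag (0 = none)
        self.flows: List[Flow] = [Flow(0, None, "NORMAL")]   # what dump-flows shows by default
        self.mac_table: Dict[Tuple[int, str], str] = {}      # (vlan, mac) -> port
        self.datapath = Datapath(self)

    # Every configuration change invalidates the kernel cache (OVS revalidates it).
    def set_tag(self, port: str, tag: int = 0) -> None:      # add-port / set port NAME tag=N
        self.tags[port] = tag
        self.datapath.flush()

    def add_flow(self, priority: int, in_port: Optional[str], actions: str) -> None:
        self.flows.append(Flow(priority, in_port, actions))  # ovs-ofctl add-flow
        self.datapath.flush()

    def del_flows(self, in_port: str) -> None:               # ovs-ofctl del-flows "in_port=NAME"
        self.flows = [f for f in self.flows if f.in_port != in_port]
        self.datapath.flush()

    def lookup(self, key: Key) -> List[str]:
        """Slow path: the highest-priority matching flow decides; returns output ports."""
        for flow in sorted(self.flows, key=lambda f: -f.priority):
            if flow.in_port in (None, key.in_port):
                return [] if flow.actions == "drop" else self._normal(key)
        return []                                            # empty table: nothing forwarded

    def _normal(self, key: Key) -> List[str]:
        """NORMAL: learning switch confined to the ingress port's VLAN."""
        vlan = self.tags[key.in_port]
        if self.mac_table.get((vlan, key.src_mac)) != key.in_port:
            self.mac_table[(vlan, key.src_mac)] = key.in_port
            self.datapath.flush()          # a newly learned MAC changes earlier flood decisions
        out = self.mac_table.get((vlan, key.dst_mac))
        if out is not None and out != key.in_port:
            return [out]
        # unknown or broadcast destination: flood, but only to ports in the same VLAN
        return sorted(p for p, t in self.tags.items() if t == vlan and p != key.in_port)

def reachable(br: Bridge, a: str, b: str, macs: Dict[str, str] = MACS) -> bool:
    """Models 'ip netns exec ns1 ping': a's broadcast (ARP) must reach b, and b's
    unicast reply must come back to a."""
    if b not in br.datapath.receive(Key(a, macs[a], BROADCAST)):
        return False
    return br.datapath.receive(Key(b, macs[b], macs[a])) == [a]

def lab() -> List[bool]:
    """Replays the sequence from the post above and returns each ping's outcome."""
    br = Bridge()
    br.set_tag("veth11")
    br.set_tag("veth22")
    out = [reachable(br, "veth11", "veth22")]        # no tags: reachable
    br.set_tag("veth11", 10)
    br.set_tag("veth22", 20)
    out.append(reachable(br, "veth11", "veth22"))    # tag 10 vs tag 20: isolated
    br.set_tag("veth22", 10)
    out.append(reachable(br, "veth11", "veth22"))    # same tag: reachable again
    br.add_flow(2, "veth11", "drop")
    out.append(reachable(br, "veth11", "veth22"))    # priority 2 drop beats priority 0 NORMAL
    br.del_flows("veth11")
    out.append(reachable(br, "veth11", "veth22"))    # default table only: reachable
    return out                                       # [True, False, True, False, True]
```

The `fast_hits` and `upcalls` counters show why the post calls the kernel cache the fast path: only the first packet of a new exact-match key reaches vswitchd, and any tag or flow change empties the cache so stale decisions cannot keep forwarding.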
4. OVN
OVN is built on top of OVS and follows the SDN (Software Defined Network) architecture: software separates the control plane from the forwarding plane, with OVN as the control plane and OVS as the forwarding plane.
OVN is built on OVS and requires an underlying OVS. OVS can be thought of as a layer-2 switch and OVN as a layer-3 switch.
OVS introduction: https://mp.weixin.qq.com/s?__biz ... 189#wechat_redirect
Plain OVS still has some shortcomings in cloud computing, for example:
1. OVS only forwards at layer 2; it has no layer-3 capability, so routing and similar configuration cannot be done on OVS;
2. OVS has no high-availability configuration;
3. In virtualization a VM is often migrated from one physical host to another, and in containers a container is often migrated from one node to another, but plain OVS configuration applies only to the current node. After such a migration the new node's OVS lacks the corresponding configuration, so the migrated VM or container cannot work properly.
To address these problems OVN (Open Virtual Network) was created. OVN provides:
1. Distributed virtual routers
2. Distributed logical switches
3. Access control lists (ACLs)
4. DHCP
5. DNS server
In OpenStack, creating a network is equivalent to creating a logical virtual switch; the information about this logical switch (network) is saved in the northbound database as a logical switch.
The OVN website describes the OVN logical architecture as follows:

                                  CMS
                                   |
                                   |
                       +-----------|-----------+
                       |           |           |
                       |     OVN/CMS Plugin    |
                       |           |           |
                       |           |           |
                       |   OVN Northbound DB   |
                       |           |           |
                       |           |           |
                       |       ovn-northd      |
                       |           |           |
                       +-----------|-----------+
                                   |
                                   |
                         +-------------------+
                         | OVN Southbound DB |
                         +-------------------+
                                   |
                                   |
                +------------------+------------------+
                |                  |                  |
 HV 1           |                  |    HV n          |
+---------------|---------------+  .  +---------------|---------------+
|               |               |  .  |               |               |
|        ovn-controller         |  .  |        ovn-controller         |
|         |             |       |  .  |         |             |       |
|         |             |       |     |         |             |       |
|  ovs-vswitchd   ovsdb-server  |     |  ovs-vswitchd   ovsdb-server  |
|                               |     |                               |
+-------------------------------+     +-------------------------------+
OVN nodes can be divided into two kinds by function:
central: the central node; its components are the OVN/CMS plugin, OVN Northbound DB, ovn-northd and OVN Southbound DB.
hypervisor (hv): a worker node; its components are ovn-controller, ovs-vswitchd and ovsdb-server.
The central components and the hypervisor components run on the same physical node.
The components work as follows:
1. CMS: Cloud Management Software, e.g. OpenStack (OVN was originally designed for OpenStack).
2. OVN/CMS plugin: the cloud management software's plugin, e.g. OpenStack's Neutron plugin. It translates the logical network configuration into data that OVN understands and writes it into the northbound database (OVN Northbound DB).
3. OVN Northbound DB: stores the configuration pushed by the CMS plugin; it has two clients, the CMS plugin and ovn-northd. It can be operated directly with the ovn-nbctl command. The northbound database holds the logical network (switches, routers and so on).
4. ovn-northd: the northbound daemon translates the data in the OVN Northbound DB and saves it into the OVN Southbound DB. All information passes from the northbound database through ovn-northd to the southbound database.
5. OVN Southbound DB: also has two clients: ovn-northd above it and the ovn-controller that runs on every hypervisor below it. It can be operated directly with the ovn-sbctl command. The southbound database holds the physical network information of each node.
6. ovn-controller: OVN's agent on each hypervisor. Northbound it connects to the OVN Southbound Database to learn the latest configuration, which it translates into OpenFlow flows; southbound it connects to ovs-vswitchd to install the translated flows, and to ovsdb-server to obtain the configuration it needs.
7. ovs-vswitchd and ovsdb-server: the two user-space OVS processes.
Each node has an ovn-controller that manages that node's OVS (ovs-vswitchd and ovsdb-server). ovn-controller connects to the southbound database, which communicates with the northbound database through ovn-northd, which in turn communicates with OpenStack.
The southbound database holds the physical network state; the northbound database holds the logical network state.
Clone two virtual machines and install OVS and OVN on them.

CentOS Stream 8:
systemctl stop firewalld.service
systemctl disable firewalld.service
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
mkdir /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/

cat <<EOF > /etc/yum.repos.d/cloudcs.repo8 ^+ t3 s9 M0 u' i N
[ceph]
# U9 j! k7 R4 Kname=ceph
" ^7 H. C; u5 _' ybaseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/x86_64/
9 e8 |% c! I7 } ~) d& Bgpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc( F3 ~+ G7 K$ t6 b- T, a
gpgcheck=1
, z. T! ~1 q1 I& B( ^8 Zenabled=1
" }6 `5 j) p, R+ v4 s" T+ d f
[ceph-noarch]# B: R5 d; x& z
name=ceph-noarch
. i: {! P) g9 q' V% sbaseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/noarch/6 B# M; Q U! r
gpgcheck=13 E+ i" \1 L1 U! X
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc% r7 s! W& h( U# F0 }8 B1 b! s' h2 ^) b
enabled=1
# _# {: ~0 N" r4 a! M9 _0 F1 f! n5 N5 A- J8 x$ l
[ceph-SRPMS]: g |7 x$ }# w. D" F
name=SRPMS
9 D8 ^' R+ h$ W& obaseurl=https://mirrors.aliyun.com/ceph/rpm-18.1.1/el8/SRPMS/. i! e) l5 m3 `# [* }" |
gpgcheck=18 R6 R, A' z3 B2 Y" g4 z8 a
gpgkey=https://mirrors.aliyun.com/ceph/keys/release.asc+ I# n# T8 V# b# p
enabled=1
, C) F) Q8 ]6 `- Z6 k& ^+ W d( f0 n$ S; K, I$ d$ U
[highavailability]4 X% V1 i) M7 c5 P
name=CentOS Stream 8 - HighAvailability; k, z: I* g% w" ?
baseurl=https://mirrors.aliyun.com/centos/8-stream/HighAvailability/x86_64/os/2 I: @; Z( O2 E( f* N0 j
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
( I0 f" w4 K; R+ Qgpgcheck=1% v$ j3 j9 ]1 x; ?& t, V
repo_gpgcheck=0! a6 i: j/ ~) p9 s5 p$ v
metadata_expire=6h
6 I6 w6 O# C% _7 G9 V" m$ c' ycountme=1
/ R& v# X6 f7 o! A) R0 Q% D7 A# Zenabled=1- z+ L, d; Q& _
+ e7 P0 X& f" [% |* y) x* c
[nfv]6 {0 B, S8 V1 n6 o
name=CentOS Stream 8 - NFV: V, z% G$ u) \0 x
baseurl=https://mirrors.aliyun.com/centos/8-stream/NFV/x86_64/os/
( M6 a6 Q5 T- u0 M# n2 lgpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial- u2 m( q3 d2 C, d% T5 c; K; W) d
gpgcheck=1% M$ ]" A( J* a
repo_gpgcheck=0
: a$ J; g i7 }5 v8 E: R' x; ?metadata_expire=6h+ f. v: |( n* ?
countme=1
' L; M H) ]( V ~enabled=1! G+ {' \ @. F, k
9 i9 N+ q& m; i4 c! w: Q6 T S
[rt]
+ ^7 m$ z# C! Z& {! `% pname=CentOS Stream 8 - RT
* @( m7 j# o: m6 O; ubaseurl=https://mirrors.aliyun.com/centos/8-stream/RT/x86_64/os/
7 X9 M+ B3 M S( F! b) H) Ygpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
( b( d o2 S2 Ogpgcheck=1
" F* L3 Y+ ~( \% I; {2 `4 }) Y& irepo_gpgcheck=0
! A* ~: s0 I9 w' x4 E/ jmetadata_expire=6h
' \; I8 `) {% k, G$ v* Lcountme=13 r" n; j& e8 y0 L1 X
enabled=1
# L/ Z$ S! P6 G6 s3 I/ ?/ n1 p- O- U% O9 {% N
[resilientstorage]9 M& q( g) k T" F5 g' x
name=CentOS Stream 8 - ResilientStorage: l( T# z5 x2 G7 c0 f' C
baseurl=https://mirrors.aliyun.com/centos/8-stream/ResilientStorage/x86_64/os/. B/ O9 ?$ C6 _: w2 t* [
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial) _. S5 d; E' x) u7 [3 D
gpgcheck=1" _- j, p2 S6 J9 e( R. N+ i% \ I
repo_gpgcheck=08 ?9 n @4 d# b" l- v
metadata_expire=6h6 I. `. i- i- {
countme=11 {( W! a% j. j1 \( ]9 `' u
enabled=1
: q# N7 L$ e. C! J: z5 G2 Z3 _, i3 N
% w i8 {( O& J% L, h2 a2 a( O7 J[extras-common]
# a- t) }( q8 ^$ {) m9 H+ \name=CentOS Stream 8 - Extras packages) Y# S* Q9 _; Q: z& q1 ^; s
baseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/extras-common/* s" A" ]9 ] P% @
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512% N; s* ?0 b6 o6 J7 f
gpgcheck=1
" S* d0 v! d( _7 o) ^1 i6 q2 ]4 }' xrepo_gpgcheck=01 d6 r% C5 F! o8 T5 u
metadata_expire=6h
# q5 m/ n( k* {7 `7 F5 m8 Scountme=1
G' S( K9 F1 u/ Qenabled=1) Q% ]6 c5 [, V: d+ s
; Y" Y* X" @6 s[extras]
& I& j) W/ z& _9 ~5 b! D0 aname=CentOS Stream $releasever - Extras
" _3 u* M( ]2 m& V4 Y9 x) cmirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=extras&infra=$infra$ i& ^% n; y1 X/ E" w
#baseurl=http://mirror.centos.org/$contentdir/$stream/extras/$basearch/os/
4 a& H7 D$ c+ \2 cbaseurl=https://mirrors.aliyun.com/centos/8-stream/extras/x86_64/os/
' k- W( U5 g% ^3 x- igpgcheck=1: S2 r$ y0 a8 b- N# G" `
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[centos-nfv-openvswitch]
name=CentOS Stream 8 - NFV OpenvSwitch
baseurl=https://mirrors.aliyun.com/centos/8-stream/nfv/x86_64/openvswitch-2/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-NFV
module_hotfixes=1

[baseos]
name=CentOS Stream 8 - BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[appstream]
name=CentOS Stream 8 - AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
gpgcheck=1
repo_gpgcheck=0
metadata_expire=6h
countme=1
enabled=1

[centos-openstack-victoria]
name=CentOS 8 - OpenStack victoria
baseurl=https://mirrors.aliyun.com/centos/8-stream/cloud/x86_64/openstack-victoria/
#baseurl=https://repo.huaweicloud.com/centos/8-stream/cloud/x86_64/openstack-yoga/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
module_hotfixes=1

[powertools]
name=CentOS Stream 8 - PowerTools
#mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=PowerTools&infra=$infra
baseurl=https://mirrors.aliyun.com/centos/8-stream/PowerTools/x86_64/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
EOF
Two settings in this file deserve a second look. The centos-ceph-pacific section sets gpgcheck=0 while still naming a gpgkey: with gpgcheck=0 dnf installs packages from that repository without verifying their signatures at all, so set it to 1 there unless there is a specific reason not to. module_hotfixes=1 tells dnf to make every RPM in that repository available even when it would otherwise be filtered out by an enabled module stream, which is why the NFV and Cloud SIG repositories need it on CentOS Stream 8.
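The following script is an added example, not code from the original post: it parses a .repo file in the format shown above and reports the weaknesses just described (gpgcheck off or unset on an enabled repository, gpgcheck=1 without a gpgkey, and plain-http URLs). SAMPLE_REPO is a constructed excerpt; the legacy-mirror section and its host name are made up for the example.

```python
"""Audit a yum/dnf .repo file for settings that weaken package verification.

Added example, not part of the original post. It parses the same INI format
as /etc/yum.repos.d/*.repo and reports enabled repositories that skip GPG
signature checks, enabled repositories with gpgcheck=1 but no gpgkey, and any
repository fetched over plain http. SAMPLE_REPO is a constructed excerpt in the
shape of the file above; point audit_repo_file() at a real file to use it.
"""
import configparser
import sys

# Constructed sample: two sections copied in shape from the repo file above plus
# one hypothetical plain-http mirror (the host name is made up).
SAMPLE_REPO = """\
[centos-ceph-pacific]
name=CentOS - Ceph Pacific
baseurl=https://mirrors.aliyun.com/centos/8-stream/storage/x86_64/ceph-pacific/
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Storage

[centos-rabbitmq-38]
name=CentOS-8 - RabbitMQ 38
baseurl=https://mirrors.aliyun.com/centos/8-stream/messaging/x86_64/rabbitmq-38/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Messaging

[legacy-mirror]
name=hypothetical plain-http mirror
baseurl=http://mirror.example.invalid/centos/8-stream/extras/x86_64/os/
gpgcheck=1
enabled=0
"""


def audit_repo_text(text):
    """Return a list of (repo_id, finding) tuples for the given .repo content."""
    # interpolation=None: URLs may contain '%' escapes that ConfigParser would otherwise expand
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for repo_id in cp.sections():
        sec = cp[repo_id]
        enabled = sec.get("enabled", "1").strip() == "1"   # dnf enables a repo unless told otherwise
        # dnf's built-in default for gpgcheck is off; distributions usually turn it on
        # in the [main] section of dnf.conf, so treat "unset" the same as "0".
        gpgcheck = sec.get("gpgcheck", "0").strip() == "1"
        if enabled and not gpgcheck:
            findings.append((repo_id, "gpgcheck is 0 or unset: packages install without signature verification"))
        if enabled and gpgcheck and not sec.get("gpgkey", "").strip():
            findings.append((repo_id, "gpgcheck=1 but no gpgkey: dnf cannot import the signing key itself"))
        for key in ("baseurl", "mirrorlist", "metalink"):
            for url in sec.get(key, "").split():          # baseurl may list several URLs
                if url.startswith("http://"):
                    state = "enabled" if enabled else "disabled"
                    findings.append((repo_id, f"{key} uses plain http ({state} repo): metadata and packages can be altered in transit"))
    return findings


def audit_repo_file(path):
    """Audit a .repo file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_repo_text(fh.read())


if __name__ == "__main__":
    results = audit_repo_file(sys.argv[1]) if len(sys.argv) > 1 else audit_repo_text(SAMPLE_REPO)
    for repo_id, finding in results:
        print(f"{repo_id}: {finding}")
```

Run it as `python3 audit_repo.py /etc/yum.repos.d/CentOS-Stream.repo` on a node after writing the file above; with no argument it audits the embedded sample and reports the ceph section and the plain-http mirror.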

yum install -y vim net-tools bash-completion git tcpdump autoconf automake libtool make python3 centos-release-openstack-victoria.noarch
yum install -y openvswitch3.1*
yum install -y ovn22.12*
Check the installed version to confirm that OVN installed correctly: # ovn-appctl --version
echo 'export PATH=$PATH:/usr/share/ovn/scripts:/usr/share/openvswitch/scripts' >> /etc/profile
source /etc/profile   # re-read the profile so the new PATH takes effect in the current shell
Starting the central components: node1 is the central node, so the three components central needs are installed there: the OVN Northbound DB, ovn-northd and the OVN Southbound DB.
Central is started on one control node only (node1 or node2 would both do; here it is node1): a single set of central services serves the whole deployment.
ovn-ctl start_northd starts all three services, the northbound database, ovn-northd and the southbound database:
[root@node1 ~]# ovn-ctl start_northd
/etc/ovn/ovnnb_db.db does not exist ... (warning).
Creating empty database /etc/ovn/ovnnb_db.db [ OK ]
Starting ovsdb-nb [ OK ]
/etc/ovn/ovnsb_db.db does not exist ... (warning).
Creating empty database /etc/ovn/ovnsb_db.db [ OK ]
Starting ovsdb-sb [ OK ]
Starting ovn-northd [ OK ]

[root@node1 ~]# ps -ef | grep ovn
root 34102 34101 0 21:02 ? 00:00:00 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-nb.log --remote=punix:/var/run/ovn/ovnnb_db.sock --pidfile=/var/run/ovn/ovnnb_db.pid --unixctl=/var/run/ovn/ovnnb_db.ctl --detach --monitor --remote=db:OVN_Northbound,NB_Global,connections --private-key=db:OVN_Northbound,SSL,private_key --certificate=db:OVN_Northbound,SSL,certificate --ca-cert=db:OVN_Northbound,SSL,ca_cert --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers /etc/ovn/ovnnb_db.db
root 34118 34117 0 21:02 ? 00:00:00 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-sb.log --remote=punix:/var/run/ovn/ovnsb_db.sock --pidfile=/var/run/ovn/ovnsb_db.pid --unixctl=/var/run/ovn/ovnsb_db.ctl --detach --monitor --remote=db:OVN_Southbound,SB_Global,connections --private-key=db:OVN_Southbound,SSL,private_key --certificate=db:OVN_Southbound,SSL,certificate --ca-cert=db:OVN_Southbound,SSL,ca_cert --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers /etc/ovn/ovnsb_db.db
root 34128 1 0 21:02 ? 00:00:00 ovn-northd: monitoring pid 34129 (healthy)
root 34129 34128 0 21:02 ? 00:00:00 ovn-northd -vconsole:emer -vsyslog:err -vfile:info --ovnnb-db=unix:/var/run/ovn/ovnnb_db.sock --ovnsb-db=unix:/var/run/ovn/ovnsb_db.sock --no-chdir --log-file=/var/log/ovn/ovn-northd.log --pidfile=/var/run/ovn/ovn-northd.pid --detach --monitor
root 34302 34259 0 21:07 pts/0 00:00:00 grep --color=auto ovn
The command lines are worth reading: at this point both databases listen only on a unix socket (--remote=punix:...). Any further listener, TCP or SSL, comes from the connections column of NB_Global / SB_Global (--remote=db:...), which is what set-connection writes later, and the certificates for an SSL listener are read from the database's SSL table (--private-key=db:...).
Starting the hypervisor components: a hypervisor node runs three components, ovn-controller, ovs-vswitchd and ovsdb-server.
The hypervisor (hv) components are started on both node1 and node2. First start ovs-vswitchd and ovsdb-server on both nodes:

[root@node1 ~]# ovs-ctl start --system-id=random
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]

[root@node2 ~]# ovs-ctl start --system-id=random
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]

Then start ovn-controller on each of the two nodes:
[root@node1 ~]# ovn-ctl start_controller
Starting ovn-controller [ OK ]
[root@node1 ~]# ovs-vsctl show   # ovn-controller creates the br-int bridge automatically once it starts
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"

[root@node2 ~]# ovn-ctl start_controller
Starting ovn-controller [ OK ]
[root@node2 ~]# ovs-vsctl show   # same on node2
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
Note fail_mode: secure on br-int: if ovn-controller stops programming the bridge, OVS does not fall back to learning-switch behaviour, so ports on br-int stay isolated instead of silently becoming one flat L2 segment.
At this point the hypervisors are not yet associated with central, that is, ovn-controller is not connected to the southbound database. This can be checked on node1: ovn-sbctl show lists no Chassis yet (ovn-nbctl show is also empty, but the northbound database never lists chassis, so the southbound database is the one to ask).
Connecting the hypervisors to central means opening the northbound and southbound database ports:

ovn-northd can reach both the southbound and the northbound database because it runs on the same machine as them and connects over unix sockets.
The central node opens northbound database port 6641, which is mainly used by CMS plugins (the OpenStack Neutron OVN driver, for example).
The central node opens southbound database port 6642, which ovn-controller on each hypervisor connects to.
[root@node1 ~]# ovn-nbctl set-connection ptcp:6641:10.1.1.41
[root@node1 ~]# ovn-sbctl set-connection ptcp:6642:10.1.1.41
[root@node1 ~]# netstat -tulnp |grep 664
tcp 0 0 10.1.1.41:6641 0.0.0.0:* LISTEN 34102/ovsdb-server
tcp 0 0 10.1.1.41:6642 0.0.0.0:* LISTEN 34118/ovsdb-server
A ptcp: listener is plain TCP with no authentication: anything that can reach 10.1.1.41:6642 can read and rewrite the southbound database, and with it the flows ovn-controller programs on every chassis; 6641 gives the same power over the logical network definition. Binding to 10.1.1.41 rather than 0.0.0.0 keeps the listener off other interfaces, but outside a lab the listeners should be pssl: with certificates configured through ovn-nbctl set-ssl / ovn-sbctl set-ssl, the chassis should use ovn-remote="ssl:10.1.1.41:6642" together with ovs-vsctl set-ssl, and 6641/6642 should be reachable only from the management network.
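To make the exposure concrete, the following script is an added example, not code from the original post: it speaks OVSDB JSON-RPC (RFC 7047), the same protocol ovn-sbctl uses, and selects the Chassis table from the southbound listener just opened. Nothing in the exchange authenticates the client. The pure functions are exercised on SAMPLE_REPLY, a constructed reply whose UUIDs are made up; query_chassis() talks to a real server and is only used when the script is run by hand.

```python
"""Query the OVN southbound database over OVSDB JSON-RPC (RFC 7047).

Added example, not part of the original post. The ptcp:6642 listener opened
above accepts any TCP client with no authentication, so the same "select"
transaction that ovn-sbctl issues can be sent by any host that can reach the
port. build_select() and chassis_from_reply() are pure and are exercised here
on SAMPLE_REPLY, a constructed reply in OVSDB's JSON row format (the UUIDs in
it are invented); query_chassis() opens a real socket and is only used when
the script is run by hand against a live server.
"""
import json
import socket
import sys

SB_DB = "OVN_Southbound"

# Constructed reply: what a transact/select on the Chassis table returns for
# the two chassis registered above (UUIDs invented for the example).
SAMPLE_REPLY = {
    "id": 1,
    "error": None,
    "result": [{"rows": [
        {"_uuid": ["uuid", "1f0c1c3e-0000-4000-8000-000000000001"],
         "name": "node1", "hostname": "node1",
         "encaps": ["uuid", "1f0c1c3e-0000-4000-8000-0000000000a1"],
         "external_ids": ["map", []]},
        {"_uuid": ["uuid", "1f0c1c3e-0000-4000-8000-000000000002"],
         "name": "node2", "hostname": "node2",
         "encaps": ["uuid", "1f0c1c3e-0000-4000-8000-0000000000a2"],
         "external_ids": ["map", []]},
    ]}],
}


def build_select(table, db=SB_DB, req_id=1):
    """Build a 'transact' request selecting every row of `table` in `db`."""
    return {
        "method": "transact",
        "params": [db, {"op": "select", "table": table, "where": []}],
        "id": req_id,
    }


def chassis_from_reply(reply):
    """Map chassis name -> hostname from a decoded transact reply."""
    if reply.get("error") is not None:
        raise RuntimeError(f"ovsdb-server returned an error: {reply['error']}")
    first = reply["result"][0]
    if "error" in first:                        # per-operation errors live inside result
        raise RuntimeError(f"select failed: {first['error']}")
    return {row["name"]: row["hostname"] for row in first["rows"]}


def read_json_object(sock):
    """OVSDB streams bare JSON objects over TCP with no length framing;
    accumulate bytes until one complete object decodes."""
    decoder = json.JSONDecoder()
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("connection closed before a full reply arrived")
        buf += chunk
        try:
            obj, _ = decoder.raw_decode(buf.decode("utf-8").lstrip())
            return obj
        except (UnicodeDecodeError, ValueError):
            continue                            # partial object, keep reading


def query_chassis(host, port=6642, timeout=5.0):
    """Run the select against a live ovsdb-server (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(json.dumps(build_select("Chassis")).encode())
        return chassis_from_reply(read_json_object(sock))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.1.1.41"
    for name, hostname in query_chassis(host).items():
        print(f"{name}: {hostname}")
```

Run from any host on 10.1.1.0/24 as `python3 sb_query.py 10.1.1.41` it prints the same two chassis that ovn-sbctl show lists on node1; replacing "select" with "update" or "delete" in the transaction needs no further privilege, which is the reason for the pssl: recommendation above.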
On node1, point ovn-controller at the southbound database:
ovn-remote: the southbound database address
ovn-encap-ip: the local IP this node terminates tunnels on
ovn-encap-type: the tunnel protocol, geneve here
system-id: the chassis name
[root@node1 ~]# ovs-vsctl set Open_vSwitch . external-ids:ovn-remote="tcp:10.1.1.41:6642" external-ids:ovn-encap-ip="10.1.1.41" external-ids:ovn-encap-type=geneve external-ids:system-id=node1

On node2, point ovn-controller at the southbound database in the same way:
[root@node2 ~]# ovs-vsctl set Open_vSwitch . external-ids:ovn-remote="tcp:10.1.1.41:6642" external-ids:ovn-encap-ip="10.1.1.42" external-ids:ovn-encap-type=geneve external-ids:system-id=node2
Check the southbound database on node1; both chassis have registered:
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
The architecture described so far is seen from the perspective of the underlying components and services.
Now switch to the perspective of the logical network.

Geneve tunnels: when ovn-controller was pointed at the southbound database, external-ids:ovn-encap-type=geneve was set. Looking at the OVS state on both nodes now, each has the br-int bridge created by OVN, and on each node the port/interface that br-int gained for the other node is of type geneve:

[root@node1 ~]# ovs-vsctl show   # OVS state on node1
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"

[root@node2 ~]# ovs-vsctl show   # OVS state on node2
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port ovn-node1-0
            Interface ovn-node1-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.41"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"
key=flow means the tunnel key (the Geneve VNI) is set per packet by the flow table rather than fixed per tunnel port; OVN uses it to carry the logical datapath identifier. Geneve itself has no authentication, so the tunnel is only as trustworthy as the underlay: a packet carrying the peer chassis's source address and a guessed key is accepted like any other. OVN can wrap the tunnels in IPsec (the ipsec column of NB_Global) when the underlay is not trusted.
[root@node1 ~]# ip link | grep gene   # the Geneve tunnel link
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
Details of the Geneve link; dstport 6081 shows that the tunnel uses UDP port 6081:
[root@node1 ~]# ip -d link show genev_sys_6081
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 6a:e3:ff:a5:cc:d6 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65465
    geneve external id 0 ttl auto dstport 6081 udp6zerocsumrx
    openvswitch_slave addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
The Geneve UDP port; the "-" in the last column means the socket is owned by the kernel rather than by a user-space process:
[root@node1 ~]# netstat -nulp|grep 6081
udp 0 0 0.0.0.0:6081 0.0.0.0:* -
udp6 0 0 :::6081 :::* -

[root@node2 ~]# ip link | grep gene
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
[root@node2 ~]# ip -d link show genev_sys_6081
5: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 4e:db:f1:e4:43:94 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65465
    geneve external id 0 ttl auto dstport 6081 udp6zerocsumrx
    openvswitch_slave addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
[root@node2 ~]# netstat -nulp|grep 6081
udp 0 0 0.0.0.0:6081 0.0.0.0:* -
udp6 0 0 :::6081 :::* -

When doing the experiments below, make sure the MAC addresses you configure are valid unicast addresses. MAC addresses fall into three classes:
Broadcast address (all F):
FF:FF:FF:FF:FF:FF
Multicast addresses (first byte odd, i.e. the I/G bit, the lowest bit of the first byte, is set):
X1:XX:XX:XX:XX:XX
X3:XX:XX:XX:XX:XX
X5:XX:XX:XX:XX:XX
X7:XX:XX:XX:XX:XX
X9:XX:XX:XX:XX:XX
XB:XX:XX:XX:XX:XX
XD:XX:XX:XX:XX:XX
XF:XX:XX:XX:XX:XX
Usable unicast addresses (first byte even):
X0:XX:XX:XX:XX:XX
X2:XX:XX:XX:XX:XX
X4:XX:XX:XX:XX:XX
X6:XX:XX:XX:XX:XX
X8:XX:XX:XX:XX:XX
XA:XX:XX:XX:XX:XX
XC:XX:XX:XX:XX:XX
XE:XX:XX:XX:XX:XX
Create a network namespace named ns1 on each node (the two nodes can use the same name without conflict); a network namespace stands in for a virtual machine here. Then create a port and interface on the OVS bridge and move the interface into the namespace. This uses a veth pair: two connected virtual network devices, best thought of as a cable with a NIC at each end, one end inside the "VM" and the other plugged into the br-int virtual switch.

On node1:
[root@node1 ~]# ip netns add ns1
[root@node1 ~]# ip link add veth11 type veth peer name veth12
[root@node1 ~]# ip link set veth12 netns ns1
[root@node1 ~]# ip link set veth11 up
[root@node1 ~]# ip netns exec ns1 ip link set veth12 address 00:00:00:00:00:01
[root@node1 ~]# ip netns exec ns1 ip link set veth12 up
[root@node1 ~]# ovs-vsctl add-port br-int veth11
[root@node1 ~]# ip netns exec ns1 ip addr add 192.168.1.10/24 dev veth12

On node2 (note that veth12 here gets an IP in the same subnet as veth12 on node1):
[root@node2 ~]# ip netns add ns1
[root@node2 ~]# ip link add veth11 type veth peer name veth12
[root@node2 ~]# ip link set veth12 netns ns1
[root@node2 ~]# ip link set veth11 up
[root@node2 ~]# ip netns exec ns1 ip link set veth12 address 00:00:00:00:00:02
[root@node2 ~]# ip netns exec ns1 ip link set veth12 up
[root@node2 ~]# ovs-vsctl add-port br-int veth11
[root@node2 ~]# ip netns exec ns1 ip addr add 192.168.1.20/24 dev veth12

Check the br-int bridge on node1:
[root@node1 ~]# ovs-vsctl show
ed157e0c-cac3-46b9-830c-f2d710b475d5
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port br-int
            Interface br-int
                type: internal
        Port veth11
            Interface veth11
        Port ovn-node2-0
            Interface ovn-node2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.42"}
    ovs_version: "3.1.3"
Check the br-int bridge on node2:
[root@node2 ~]# ovs-vsctl show
f6669675-b42d-47de-be95-b26bf6d1e069
    Bridge br-int
        fail_mode: secure
        datapath_type: system
        Port veth11
            Interface veth11
        Port ovn-node1-0
            Interface ovn-node1-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.1.1.41"}
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "3.1.3"

At this point a ping from ns1 on node1 to ns1 on node2 fails: the two namespaces sit on different hosts and are not yet in one layer-2 broadcast domain, and nothing routes between them.
[root@node1 ~]# ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.

--- 192.168.1.20 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2047ms
On an OpenStack control node, by contrast, the OVN northbound database already contains logical switch entries.
In OpenStack, creating a network amounts to creating a logical virtual switch; the network's definition is stored in the northbound database. One network is one logical switch.
On node1 here, the northbound database contains no logical switches yet.
In OpenStack, VMs on different nodes can reach each other when they attach to the same network: they hold different IPs in the same subnet on the same logical switch.
The two ns1 namespaces here have manually configured IPs and are not attached to any logical switch, so they cannot reach each other; attaching them to a logical switch is what makes them reachable.
Logical Switch: for the two namespaces attached to the OVS bridges on node1 and node2 to communicate, an OVN logical switch is needed. Note that the logical switch is a northbound database concept.

Create the logical switch on node1:
[root@node1 ~]# ovn-nbctl ls-add ls1
[root@node1 ~]# ovn-nbctl show
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
Add ports to the logical switch.
Add and configure the port for node1; its MAC address must match the namespace end of the veth pair:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-node1-ns1
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node1-ns1 00:00:00:00:00:01
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls1-node1-ns1 00:00:00:00:00:01
Add and configure the port for node2, again with the matching MAC:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-node2-ns1
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node2-ns1 00:00:00:00:00:02
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls1-node2-ns1 00:00:00:00:00:02
lsp-set-port-security makes OVN drop frames entering the port whose source MAC is not listed, and frames leaving it towards the port whose destination MAC is not listed. Each entry may also carry IP addresses after the MAC, for example "00:00:00:00:00:01 192.168.1.10", which additionally pins the source IPs and ARP sender addresses the port may use; with a MAC alone, the namespace could still spoof any other IP on the subnet.

Check the logical switch:
[root@node1 ~]# ovn-nbctl show
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]

On node1, bind OVS port veth11 to its logical switch port:
[root@node1 ~]# ovs-vsctl set interface veth11 external-ids:iface-id=ls1-node1-ns1
On node2, bind veth11 to its logical switch port:
[root@node2 ~]# ovs-vsctl set interface veth11 external-ids:iface-id=ls1-node2-ns1
Look at the southbound database again; the ports are now bound to their chassis:
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Verify connectivity from node1:
[root@node1 ~]# ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=4.68 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.908 ms
64 bytes from 192.168.1.20: icmp_seq=3 ttl=64 time=0.756 ms

--- 192.168.1.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 0.756/2.115/4.682/1.816 ms
Verify connectivity from node2:
[root@node2 ~]# ip netns exec ns1 ping -c 3 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=3.34 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.863 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=64 time=0.372 ms

--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.372/1.525/3.342/1.300 ms
The ns1 namespaces on node1 and node2 can now reach each other. This is the equivalent of two instances whose IPs come from a subnet attached to the same logical switch: different IPs in the same subnet on the same logical switch, so they communicate.
Geneve tunnel verification: using the ping from ns1 on node1 to ns1 on node2, capture on each component along the path to watch Geneve encapsulation and decapsulation. The captures show the role the Geneve tunnel plays in cross-host OVN/OVS traffic, and that an OVN logical switch stitches the layer-2 networks of different hosts together, or put differently, that it extends the OVS layer-2 broadcast domain across hosts. The captures come from four separate ping runs (ICMP ids 24275, 25166, 26492 and 27458), one per pair of interfaces, and the underlay addresses in them are 10.0.12.7 (node1) and 10.0.12.11 (node2) rather than the 10.1.1.41/42 used above, so read them accordingly.

// ping from ns1 on node1 to ns1 on node2
# ip netns exec ns1 ping -c 1 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=1.00 ms
--- 192.168.1.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.009/1.009/1.009/0.000 ms

// capture on veth12 inside ns1 on node1
# ip netns exec ns1 tcpdump -i veth12 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth12, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:11.364011 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 24275, seq 1, length 64
22:23:11.365000 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 24275, seq 1, length 64
22:23:16.364932 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:23:16.365826 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on veth11, the host end of the pair, on node1
# tcpdump -i veth11 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
22:25:11.225987 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 25166, seq 1, length 64
22:25:11.226914 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 25166, seq 1, length 64
22:25:16.236933 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:25:16.237563 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:25:16.237627 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
22:25:16.237649 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on genev_sys_6081 on node1
# tcpdump -i genev_sys_6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on genev_sys_6081, link-type EN10MB (Ethernet), capture size 262144 bytes
22:28:15.872064 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 26492, seq 1, length 64
22:28:15.872717 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 26492, seq 1, length 64
22:28:20.877100 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:28:20.877640 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:28:20.877654 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:28:20.877737 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on eth0 on node1: after passing through genev_sys_6081 the packets carry Geneve encapsulation
# tcpdump -i eth0 port 6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:23.446147 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446659 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:28.461137 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:30:28.461554 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:30:28.461571 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:30:28.461669 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
=================== across hosts ===================

// capture on eth0 on node2
# tcpdump -i eth0 port 6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:11.364189 IP 10.0.12.7.51123 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 24275, seq 1, length 64
22:23:11.364662 IP 10.0.12.11.50319 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 24275, seq 1, length 64
22:23:16.365086 IP 10.0.12.7.49958 > 10.0.12.11.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:23:16.365487 IP 10.0.12.11.61016 > 10.0.12.7.6081: Geneve, Flags [C], vni 0x1, options [8 bytes]: ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28

// capture on genev_sys_6081 on node2: the packets coming out of genev_sys_6081 have been decapsulated
# tcpdump -i genev_sys_6081 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on genev_sys_6081, link-type EN10MB (Ethernet), capture size 262144 bytes
22:25:11.226186 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 25166, seq 1, length 64
22:25:11.226553 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 25166, seq 1, length 64
22:25:16.237070 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:25:16.237162 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:25:16.237203 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:25:16.237523 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on veth11 on node2
# tcpdump -i veth11 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth11, link-type EN10MB (Ethernet), capture size 262144 bytes
22:28:15.872198 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 26492, seq 1, length 64
22:28:15.872235 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 26492, seq 1, length 64
22:28:20.876913 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:28:20.877274 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:28:20.877287 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:28:20.877613 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28

// capture on veth12 inside ns1 on node2
# ip netns exec ns1 tcpdump -i veth12 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth12, link-type EN10MB (Ethernet), capture size 262144 bytes
22:30:23.446212 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 27458, seq 1, length 64
22:30:23.446242 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 27458, seq 1, length 64
22:30:28.460912 ARP, Request who-has 192.168.1.10 tell 192.168.1.20, length 28
22:30:28.461260 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
22:30:28.461272 ARP, Reply 192.168.1.20 is-at 00:00:00:00:00:02, length 28
22:30:28.461530 ARP, Reply 192.168.1.10 is-at 00:00:00:00:00:01, length 28
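tcpdump summarises each tunnelled frame above as "Geneve, Flags [C], vni 0x1, options [8 bytes]". The following parser is an added example, not code from the original post; it decodes those fields and shows what OVN puts in them: per ovn-architecture(7) the VNI carries the logical datapath's tunnel_key and the single 8-byte option (class 0x0102, type 0x80) carries the logical ingress and egress port tunnel_keys. The packet it parses is constructed with build_geneve(), not taken from the capture, and the key values 1/1/2 in it are assumed rather than read from this deployment.

```python
"""Decode a Geneve header and OVN's port-metadata option from a tunnel packet.

Added example, not part of the original post. tcpdump above summarises each
tunnelled frame as "Geneve, Flags [C], vni 0x1, options [8 bytes]"; this parser
shows what those fields carry in an OVN deployment. Per ovn-architecture(7) the
VNI is the logical datapath's tunnel_key (Datapath_Binding in the southbound
database) and the single 8-byte option (class 0x0102, type 0x80) packs the
logical ingress and egress port tunnel_keys (Port_Binding). SAMPLE_PACKET is
constructed with build_geneve(), not taken from the capture, and the key
values 1/1/2 in it are assumed, not read from this deployment.
"""
import struct

GENEVE_UDP_PORT = 6081
ETH_P_TEB = 0x6558        # Transparent Ethernet Bridging: the inner payload is an Ethernet frame
OVN_OPT_CLASS = 0x0102
OVN_OPT_TYPE = 0x80       # high bit set marks the option critical, hence "Flags [C]"


def parse_geneve(payload):
    """Parse a Geneve header (RFC 8926) at the start of a UDP payload.

    Returns a dict with the fixed-header fields, a list of
    (option class, option type, option data) tuples and the inner frame.
    """
    if len(payload) < 8:
        raise ValueError("truncated Geneve header")
    b0, b1, proto, vni_word = struct.unpack("!BBHI", payload[:8])
    version = b0 >> 6
    opt_len = (b0 & 0x3F) * 4             # option length is counted in 4-byte words
    if version != 0:
        raise ValueError(f"unsupported Geneve version {version}")
    end = 8 + opt_len
    if len(payload) < end:
        raise ValueError("options run past the end of the packet")
    options, off = [], 8
    while off < end:
        opt_class, opt_type, length_byte = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (length_byte & 0x1F) * 4
        if off + 4 + data_len > end:
            raise ValueError("option extends past the option area")
        options.append((opt_class, opt_type, payload[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return {
        "vni": vni_word >> 8,             # VNI is the top 24 bits; the low byte is reserved
        "proto": proto,
        "oam": bool(b1 & 0x80),
        "critical": bool(b1 & 0x40),
        "options": options,
        "inner": payload[end:],
    }


def ovn_metadata(geneve):
    """Extract the logical datapath, ingress port and egress port keys.

    The OVN option data is 32 bits: 1 reserved bit, 15 bits of logical
    ingress port key, 16 bits of logical egress port key.
    """
    for opt_class, opt_type, data in geneve["options"]:
        if opt_class == OVN_OPT_CLASS and opt_type == OVN_OPT_TYPE and len(data) == 4:
            (word,) = struct.unpack("!I", data)
            return {"datapath": geneve["vni"],
                    "ingress_port": (word >> 16) & 0x7FFF,
                    "egress_port": word & 0xFFFF}
    raise ValueError("no OVN metadata option in this packet")


def build_geneve(vni, ingress_port, egress_port, inner):
    """Encapsulate `inner` the way OVN does, so the parser can be exercised offline."""
    word = ((ingress_port & 0x7FFF) << 16) | (egress_port & 0xFFFF)
    option = struct.pack("!HBB", OVN_OPT_CLASS, OVN_OPT_TYPE, 1) + struct.pack("!I", word)
    b0 = len(option) // 4                  # version 0, option length in 4-byte words
    b1 = 0x40                              # C bit: a critical option is present
    return struct.pack("!BBHI", b0, b1, ETH_P_TEB, vni << 8) + option + inner


def inner_macs(frame):
    """Return (destination, source) MAC strings of the encapsulated Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    as_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return as_mac(frame[0:6]), as_mac(frame[6:12])


# Constructed sample: an Ethernet frame from ns1 on node1 (00:00:00:00:00:01)
# to ns1 on node2 (00:00:00:00:00:02) with a dummy IPv4 payload, tunnelled on
# datapath key 1 from port key 1 to port key 2 (assumed values).
SAMPLE_INNER = bytes.fromhex("000000000002" "000000000001" "0800") + b"\x45" + bytes(19)
SAMPLE_PACKET = build_geneve(vni=1, ingress_port=1, egress_port=2, inner=SAMPLE_INNER)

if __name__ == "__main__":
    hdr = parse_geneve(SAMPLE_PACKET)
    print("vni=%#x critical=%s options=%d bytes" % (hdr["vni"], hdr["critical"], len(SAMPLE_PACKET) - len(hdr["inner"]) - 8))
    print(ovn_metadata(hdr), inner_macs(hdr["inner"]))
```

To relate a real capture to this, compare the VNI with the tunnel_key column of ovn-sbctl list Datapath_Binding and the two port values with the tunnel_key column of ovn-sbctl list Port_Binding; the 8 bytes tcpdump reports as "options" are exactly the 4-byte option header plus the 4-byte OVN word decoded here.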
Logical Router:
The previous test verified that an OVN logical switch carries same-subnet traffic across hosts. How do hosts in different subnets talk to each other? That is the job of an OVN logical router.
First create another network namespace, ns2, on node2 with an address in a second subnet, 192.168.2.30/24, and add a second logical switch for it.

Run on node2:
[root@node2 ~]# ip netns        # list the existing network namespaces
ns1 (id: 0)
[root@node2 ~]# ip netns add ns2
[root@node2 ~]# ip link add veth21 type veth peer name veth22
[root@node2 ~]# ip link set veth22 netns ns2
[root@node2 ~]# ip link set veth21 up
[root@node2 ~]# ip netns exec ns2 ip link set veth22 address 00:00:00:00:00:03
[root@node2 ~]# ip netns exec ns2 ip link set veth22 up
[root@node2 ~]# ovs-vsctl add-port br-int veth21
[root@node2 ~]# ip netns exec ns2 ip addr add 192.168.2.30/24 dev veth22
[root@node2 ~]# ip netns
ns2 (id: 1)
ns1 (id: 0)

On node1, create a second logical switch with ovn-nbctl and configure its port. The MAC registered with lsp-set-addresses must be the one assigned to veth22 above, and lsp-set-port-security restricts the port to that source MAC, so whatever sits behind the port cannot spoof another port's L2 address:
[root@node1 ~]# ovn-nbctl ls-add ls2
[root@node1 ~]# ovn-nbctl lsp-add ls2 ls2-node2-ns2
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-node2-ns2 00:00:00:00:00:03
[root@node1 ~]# ovn-nbctl lsp-set-port-security ls2-node2-ns2 00:00:00:00:00:03

On node2, bind the OVS interface to the OVN logical switch port. ovn-controller on node2 reads the interface's external-ids:iface-id, matches it against the logical port name and claims the corresponding Port_Binding for its chassis:
[root@node2 ~]# ovs-vsctl set interface veth21 external-ids:iface-id=ls2-node2-ns2

Inspect the northbound and southbound databases:
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Create an OVN logical router connecting the two logical switches

Add the logical router; like the switches, it is stored in the northbound database:
[root@node1 ~]# ovn-nbctl lr-add lr1
Add a router port that will face switch ls1, giving it a MAC and the gateway address for that subnet:
[root@node1 ~]# ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:11:00 192.168.1.1/24
Add a router port that will face switch ls2:
[root@node1 ~]# ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:12:00 192.168.2.1/24

Attach logical switch ls1 to the router. The switch side is a logical switch port of type "router" whose address is the router port's MAC and whose router-port option names the router port; ovn-northd uses this pairing to stitch the two pipelines together:
[root@node1 ~]# ovn-nbctl lsp-add ls1 ls1-lr1
[root@node1 ~]# ovn-nbctl lsp-set-type ls1-lr1 router
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-lr1 00:00:00:00:11:00
[root@node1 ~]# ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1

Attach logical switch ls2 to the router the same way:
[root@node1 ~]# ovn-nbctl lsp-add ls2 ls2-lr1
[root@node1 ~]# ovn-nbctl lsp-set-type ls2-lr1 router
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-lr1 00:00:00:00:12:00
[root@node1 ~]# ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2

Inspect the northbound and southbound databases again. Note that ovn-sbctl show only lists ports bound to a chassis; the router ports do not appear under any Chassis because a logical router is distributed and is not bound to a single host:
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
From ns1 on node1 (192.168.1.10/24), ping ns2 on node2 (192.168.2.30) to test cross-node, cross-subnet connectivity:

[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.2.30
connect: Network is unreachable
Look at the routing table inside ns1: there is no route to 192.168.2.0/24 and no default route, so the kernel in the namespace never hands the packet to the logical router at all:
[root@node1 ~]# ip netns exec ns1 ip route show
192.168.1.0/24 dev veth12 proto kernel scope link src 192.168.1.10
[root@node1 ~]# ip netns exec ns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 veth12
A router is a layer-3 concept, so each namespace needs a route that points at it. Re-running lsp-set-addresses with the same MACs, as below, changes nothing in OVN (the IP could be recorded as well by passing a "MAC IP" string, which OVN then uses for its ARP responder; lsp-set-port-security accepts the same form if the source IP should be pinned too). What actually makes cross-subnet traffic work is the default route added in each namespace afterwards:
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node1-ns1 00:00:00:00:00:01
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls1-node2-ns1 00:00:00:00:00:02
[root@node1 ~]# ovn-nbctl lsp-set-addresses ls2-node2-ns2 00:00:00:00:00:03
Now add a default route in each of the three namespaces, with the gateway set to the IP of the logical router port on that namespace's subnet:

ns1 on node1:
[root@node1 ~]# ip netns exec ns1 ip route add default via 192.168.1.1 dev veth12
ns1 on node2:
[root@node2 ~]# ip netns exec ns1 ip route add default via 192.168.1.1 dev veth12
ns2 on node2:
[root@node2 ~]# ip netns exec ns2 ip route add default via 192.168.2.1 dev veth22
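The whole procedure above, wrapped into one idempotent script, as an added example that is not part of the original post. It uses the switch, router, port, MAC and subnet names from the steps above; the DRY_RUN variable, the run/nb/vs helpers and the add_vif, connect_router, bind_vif, ns_default_route and build_topology function names are this example's own. It also goes one step beyond the post: every VIF port is registered with a "MAC IP" pair and its port security is set to the same pair, so the namespace behind it can spoof neither its MAC nor its source IP.

```shell
#!/bin/sh
# Added example: idempotent OVN setup for the two-switch / one-router lab
# above. Not the original post's script. ls1/ls2/lr1, the port names, MACs
# and subnets come from the post; DRY_RUN, run/nb/vs and the function names
# are assumptions of this example.
set -eu

# run CMD ARGS...: execute CMD, or print it (quoting args that contain spaces)
# when DRY_RUN=1, so the plan can be reviewed on a host without OVN.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        line=
        for a in "$@"; do
            case $a in
                *' '*) line="$line '$a'" ;;
                *)     line="$line $a" ;;
            esac
        done
        printf '%s\n' "${line# }"
    else
        "$@"
    fi
}
nb() { run ovn-nbctl "$@"; }   # northbound DB: runs on the OVN central node
vs() { run ovs-vsctl "$@"; }   # local OVS: runs on the chassis hosting the VIF

# add_vif SWITCH PORT MAC IP
# VIF port with both MAC and IP registered. Setting port security to the same
# "MAC IP" pair makes OVN drop frames from this port whose source MAC or
# source IP differ from the registered ones (L2 and L3 anti-spoofing).
add_vif() {
    nb --may-exist lsp-add "$1" "$2"
    nb lsp-set-addresses "$2" "$3 $4"
    nb lsp-set-port-security "$2" "$3 $4"
}

# connect_router ROUTER SWITCH MAC CIDR
# Create the router port and the matching switch port of type "router".
# The MAC is the same on both sides and options:router-port on the switch
# port names the router port; ovn-northd needs this pairing to build the
# L3 pipeline between the two switches.
connect_router() {
    lrp="$1-$2"; lsp="$2-$1"
    nb --may-exist lrp-add "$1" "$lrp" "$3" "$4"
    nb --may-exist lsp-add "$2" "$lsp"
    nb lsp-set-type "$lsp" router
    nb lsp-set-addresses "$lsp" "$3"
    nb lsp-set-options "$lsp" "router-port=$lrp"
}

# bind_vif DEV LSP: on the chassis, attach the veth to br-int and tag it with
# the logical port name so ovn-controller claims the Port_Binding.
bind_vif() {
    vs --may-exist add-port br-int "$1" -- set interface "$1" "external-ids:iface-id=$2"
}

# ns_default_route NS GW DEV: point the namespace at its logical router port
# ("replace" rather than "add" so a re-run does not fail on an existing route).
ns_default_route() {
    run ip netns exec "$1" ip route replace default via "$2" dev "$3"
}

# The northbound half of the lab (run on node1).
build_topology() {
    nb --may-exist ls-add ls1
    nb --may-exist ls-add ls2
    add_vif ls1 ls1-node1-ns1 00:00:00:00:00:01 192.168.1.10
    add_vif ls1 ls1-node2-ns1 00:00:00:00:00:02 192.168.1.20
    add_vif ls2 ls2-node2-ns2 00:00:00:00:00:03 192.168.2.30
    nb --may-exist lr-add lr1
    connect_router lr1 ls1 00:00:00:00:11:00 192.168.1.1/24
    connect_router lr1 ls2 00:00:00:00:12:00 192.168.2.1/24
}

case "${1:-}" in
    apply) build_topology ;;                    # node1
    bind)  bind_vif "$2" "$3" ;;                # node2: bind veth21 ls2-node2-ns2
    route) ns_default_route "$2" "$3" "$4" ;;   # node2: route ns2 192.168.2.1 veth22
    *)     ;;                                   # no args: only define the functions
esac
```

Run `DRY_RUN=1 sh ovn-lab.sh apply` first to review the exact ovn-nbctl calls, then `sh ovn-lab.sh apply` on node1, `sh ovn-lab.sh bind veth21 ls2-node2-ns2` and `sh ovn-lab.sh route ns2 192.168.2.1 veth22` on node2 (and the corresponding bind/route calls for the ns1 ports). Because every create uses --may-exist and the route uses replace, the script can be re-run after a partial failure without cleaning up by hand.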
Check the northbound and southbound databases once more (the output is unchanged, since only the same MACs were re-set):
[root@node1 ~]# ovn-nbctl show
switch 484606e0-944d-4c6b-9807-502f05bebb18 (ls2)
    port ls2-node2-ns2
        addresses: ["00:00:00:00:00:03"]
    port ls2-lr1
        type: router
        addresses: ["00:00:00:00:12:00"]
        router-port: lr1-ls2
switch 86349e35-cdb4-42f7-a702-4b4a9d5653ef (ls1)
    port ls1-node1-ns1
        addresses: ["00:00:00:00:00:01"]
    port ls1-node2-ns1
        addresses: ["00:00:00:00:00:02"]
    port ls1-lr1
        type: router
        addresses: ["00:00:00:00:11:00"]
        router-port: lr1-ls1
router e9c151a0-5db7-4af6-91bd-89049c4bbf9f (lr1)
    port lr1-ls2
        mac: "00:00:00:00:12:00"
        networks: ["192.168.2.1/24"]
    port lr1-ls1
        mac: "00:00:00:00:11:00"
        networks: ["192.168.1.1/24"]
[root@node1 ~]# ovn-sbctl show
Chassis node2
    hostname: node2
    Encap geneve
        ip: "10.1.1.42"
        options: {csum="true"}
    Port_Binding ls2-node2-ns2
    Port_Binding ls1-node2-ns1
Chassis node1
    hostname: node1
    Encap geneve
        ip: "10.1.1.41"
        options: {csum="true"}
    Port_Binding ls1-node1-ns1
Verify connectivity

ns1 on node1 reaches its gateway (the logical router's flows on the local chassis answer the echo request; there is no separate router host):
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=20.10 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.950/20.950/20.950/0.000 ms

ns2 on node2 reaches its gateway:
[root@node2 ~]# ip netns exec ns2 ping -c 1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=254 time=38.5 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 38.477/38.477/38.477/0.000 ms

ns1 on node1 pings ns2 on node2 (ttl=63: the reply left ns2 with TTL 64 and the logical router decremented it once):
[root@node1 ~]# ip netns exec ns1 ping -c 1 192.168.2.30
PING 192.168.2.30 (192.168.2.30) 56(84) bytes of data.
64 bytes from 192.168.2.30: icmp_seq=1 ttl=63 time=1.23 ms

--- 192.168.2.30 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms

Note: OVN logical switches and logical routers are northbound-database objects. ovn-northd translates them into the southbound database (as logical flows and port bindings); ovn-controller on each hypervisor then turns those into ports and OpenFlow rules on the local OVS, talking to ovsdb-server and the OpenFlow side of ovs-vswitchd.
An OVN logical switch uses Geneve tunnels to extend one L2 broadcast domain across the OVS instances on different hosts. An OVN logical router does not extend a broadcast domain; it is a distributed router whose forwarding flows are present on every hypervisor, so routing between two logical switches is done on the host where the packet enters OVS, and the packet is then tunnelled straight to the host that owns the destination port.
Because the flows for both logical switches and logical routers are programmed on every hypervisor, no single host is a forwarding chokepoint. This is what keeps the network up when a host fails and what lets an instance be migrated between hosts without re-plumbing its network: once the Port_Binding moves to the new chassis, the same logical pipeline is already there.