本文实验如何通过ovn的localnet类型端口将ovn网络连接到外部网络。也是一种l2gateway,但是相比l2gateway来说,localnet类型的端口会在vm所在的chassis上都连接到外部网络,减少了东西向流量。
逻辑拓扑如下
执行如下命令创建逻辑拓扑
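# Create logical switch ls1.
ovn-nbctl ls-add ls1
# Add the first logical port, ls1-vm1, and pin it to a single MAC.
# lsp-set-port-security makes ls1 drop frames from this VIF whose
# source MAC is not 00:00:00:00:00:03.
ovn-nbctl lsp-add ls1 ls1-vm1
ovn-nbctl lsp-set-addresses ls1-vm1 00:00:00:00:00:03
ovn-nbctl lsp-set-port-security ls1-vm1 00:00:00:00:00:03
# Add the second logical port, ls1-vm2, the same way.
ovn-nbctl lsp-add ls1 ls1-vm2
ovn-nbctl lsp-set-addresses ls1-vm2 00:00:00:00:00:04
ovn-nbctl lsp-set-port-security ls1-vm2 00:00:00:00:00:04
# Add the third logical port, ls1-localnet, of type localnet; it attaches
# ls1 to the external network. addresses=unknown means frames with any
# source MAC arriving from the external side are admitted into ls1, and no
# port security is set on this port (port_security is empty in the nbdb
# dump below), so the VIF-side MAC pinning does not apply to external
# traffic; the switch's ACL list is also empty.
ovn-nbctl lsp-add ls1 ls1-localnet
ovn-nbctl lsp-set-addresses ls1-localnet unknown
ovn-nbctl lsp-set-type ls1-localnet localnet
# network_name must match a key in ovn-bridge-mappings on every chassis
# that hosts a VIF of ls1 (set by the per-node commands below).
ovn-nbctl lsp-set-options ls1-localnet network_name=externalnet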
ls1上添加了localnet类型的端口,同时也存在连接vm的vif类型的端口,localnet的选项 network_name 指定的
网络名称只需在vif所在的chassis上存在(如果chassis上没有vif,也就没有必要创建patch端口了)。
本实验中vm1和vm2分别在master和node1节点上,所以需要在master和node1节点分别执行下面命令
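# Run on the master node.
# Create br-ens8 and move the physical NIC ens8 into it. Once ens8 is an
# OVS port it no longer carries its own IP; the 10.10.10.4 address is put
# on the br-ens8 internal port instead. The tunnel traffic in this setup
# goes over ens3, so attaching ens8 here does not affect the tunnel path.
ovs-vsctl add-br br-ens8
ovs-vsctl add-port br-ens8 ens8
# Map the physical network name "externalnet" (referenced by ls1-localnet)
# to br-ens8. `set` replaces the whole ovn-bridge-mappings value, so on a
# chassis that already has mappings list them all, comma-separated
# (name1:br1,name2:br2). ovn-controller creates the patch ports between
# br-int and br-ens8 from this mapping (see ovs-vsctl show below).
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=externalnet:br-ens8
ip link set dev br-ens8 up
ip addr add 10.10.10.4/24 dev br-ens8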
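# Run on the node1 node; same steps as on master, with node1's address.
# ens8 becomes an OVS port of br-ens8 and the IP goes on the bridge's
# internal port.
ovs-vsctl add-br br-ens8
ovs-vsctl add-port br-ens8 ens8
# `set` replaces the whole ovn-bridge-mappings value; keep any existing
# mappings in the list (name1:br1,name2:br2) on a shared chassis.
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=externalnet:br-ens8
ip link set dev br-ens8 up
ip addr add 10.10.10.5/24 dev br-ens8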
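# Run on master: emulate vm1 with a network namespace.
ip netns add vm1
# Add an OVS internal port on br-int and move it into the namespace.
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
ip link set vm1 netns vm1
# The MAC must equal the one configured on ls1-vm1 (lsp-set-addresses /
# lsp-set-port-security above); with port security on, ls1 drops frames
# from this VIF carrying any other source MAC.
ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:03
ip netns exec vm1 ip addr add 10.10.10.2/24 dev vm1
ip netns exec vm1 ip link set vm1 up
# Bind the OVS interface to logical port ls1-vm1 via iface-id; ovn-controller
# on this chassis then claims the Port_Binding (see ovn-sbctl show below).
ovs-vsctl set Interface vm1 external_ids:iface-id=ls1-vm1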
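# Run on node1: emulate vm2 with a network namespace.
ip netns add vm2
# Add an OVS internal port on br-int and move it into the namespace.
ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
ip link set vm2 netns vm2
# The MAC must equal the one configured on ls1-vm2; port security on
# ls1-vm2 drops frames from this VIF with any other source MAC.
ip netns exec vm2 ip link set vm2 address 00:00:00:00:00:04
ip netns exec vm2 ip addr add 10.10.10.3/24 dev vm2
ip netns exec vm2 ip link set vm2 up
# Bind the OVS interface to logical port ls1-vm2 via iface-id so that
# ovn-controller on node1 claims the Port_Binding.
ovs-vsctl set Interface vm2 external_ids:iface-id=ls1-vm2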
生成的物理网络拓扑
ping报文在vm之间,vm和外部网络之间都可以通。
root@master:~# ip netns exec vm1 ping 10.10.10.3
PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
64 bytes from 10.10.10.3: icmp_seq=1 ttl=64 time=2.05 ms
^C
--- 10.10.10.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.048/2.048/2.048/0.000 ms
root@master:~# ip netns exec vm1 ping 10.10.10.4
PING 10.10.10.4 (10.10.10.4) 56(84) bytes of data.
64 bytes from 10.10.10.4: icmp_seq=1 ttl=64 time=0.818 ms
^C
--- 10.10.10.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.818/0.818/0.818/0.000 ms
root@master:~# ip netns exec vm1 ping 10.10.10.5
PING 10.10.10.5 (10.10.10.5) 56(84) bytes of data.
64 bytes from 10.10.10.5: icmp_seq=1 ttl=64 time=1.04 ms
^C
--- 10.10.10.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.038/1.038/1.038/0.000 ms
root@node1:~# ip netns exec vm2 ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
64 bytes from 10.10.10.2: icmp_seq=1 ttl=64 time=2.14 ms
^C
--- 10.10.10.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.141/2.141/2.141/0.000 ms
root@node1:~# ip netns exec vm2 ping 10.10.10.4
PING 10.10.10.4 (10.10.10.4) 56(84) bytes of data.
64 bytes from 10.10.10.4: icmp_seq=1 ttl=64 time=1.96 ms
^C
--- 10.10.10.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.962/1.962/1.962/0.000 ms
root@node1:~# ip netns exec vm2 ping 10.10.10.5
PING 10.10.10.5 (10.10.10.5) 56(84) bytes of data.
64 bytes from 10.10.10.5: icmp_seq=1 ttl=64 time=0.310 ms
^C
--- 10.10.10.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms
ping报文路径
vm1(10.10.10.2) ping vm2(10.10.10.3):
vm1 -> br-int(master) -> ovn-node1-0 -> ens3(master) -> ens3(node1) -> ovn-master-0 -> br-int(node1) -> vm2
vm1(10.10.10.2) ping 10.10.10.4:
vm1 -> br-int(master) -> patch -> br-ens8(master)
vm1(10.10.10.2) ping 10.10.10.5:
vm1 -> br-int(master) -> patch -> br-ens8(master) -> ens8(master) -> ens8(node1)
vm2(10.10.10.3) ping vm1(10.10.10.2):
vm2 -> br-int(node1) -> ovn-master-0 -> ens3(node1) -> ens3(master) -> ovn-node1-0 -> br-int(master) -> vm1
vm2(10.10.10.3) ping 10.10.10.4:
vm2 -> br-int(node1) -> patch -> br-ens8(node1) -> ens8(node1) -> ens8(master)
vm2(10.10.10.3) ping 10.10.10.5:
vm2 -> br-int(node1) -> patch -> br-ens8(node1)
查看nbdb信息
root@master:~# ovn-nbctl show
switch a6248736-46db-4533-842e-6269f7f65652 (ls1)
port ls1-localnet
type: localnet
addresses: ["unknown"]
port ls1-vm1
addresses: ["00:00:00:00:00:03"]
port ls1-vm2
addresses: ["00:00:00:00:00:04"]
root@master:~# ovn-nbctl list logical_switch
_uuid : a6248736-46db-4533-842e-6269f7f65652
acls : []
dns_records : []
external_ids : {}
forwarding_groups : []
load_balancer : []
name : ls1
other_config : {}
ports : [12a22e4d-6118-4584-8df6-b684db23d3fb, 35f11e54-e2f0-4bb0-b6a3-ca69e8f7d918, 4231a2b1-941b-48ec-8ce7-0d5523c503b1]
qos_rules : []
root@master:~# ovn-nbctl list logical_switch_port
_uuid : 35f11e54-e2f0-4bb0-b6a3-ca69e8f7d918
addresses : ["00:00:00:00:00:03"]
dhcpv4_options : []
dhcpv6_options : []
dynamic_addresses : []
enabled : []
external_ids : {}
ha_chassis_group : []
name : ls1-vm1
options : {}
parent_name : []
port_security : ["00:00:00:00:00:03"]
tag : []
tag_request : []
type : ""
up : true
_uuid : 4231a2b1-941b-48ec-8ce7-0d5523c503b1
addresses : ["00:00:00:00:00:04"]
dhcpv4_options : []
dhcpv6_options : []
dynamic_addresses : []
enabled : []
external_ids : {}
ha_chassis_group : []
name : ls1-vm2
options : {}
parent_name : []
port_security : ["00:00:00:00:00:04"]
tag : []
tag_request : []
type : ""
up : true
_uuid : 12a22e4d-6118-4584-8df6-b684db23d3fb
addresses : [unknown]
dhcpv4_options : []
dhcpv6_options : []
dynamic_addresses : []
enabled : []
external_ids : {}
ha_chassis_group : []
name : ls1-localnet
options : {network_name=externalnet}
parent_name : []
port_security : []
tag : []
tag_request : []
type : localnet
up : false
查看sbdb信息
root@master:~# ovn-sbctl show
Chassis node1
hostname: node1
Encap geneve
ip: "192.168.122.21"
options: {csum="true"}
Port_Binding ls1-vm2
Chassis master
hostname: master
Encap geneve
ip: "192.168.122.20"
options: {csum="true"}
Port_Binding ls1-vm1
root@master:~#
root@master:~# ovn-sbctl list port_binding
_uuid : 3ad09074-565f-4bac-856d-e1d2fcc8f577
chassis : b0261728-db55-4e0b-bfd5-b930081010fc
datapath : 0f61ea54-5070-49f9-8701-06d9f1fc54d2
encap : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
logical_port : ls1-vm1
mac : ["00:00:00:00:00:03"]
nat_addresses : []
options : {}
parent_port : []
tag : []
tunnel_key : 1
type : ""
up : true
virtual_parent : []
_uuid : 938e0ff5-c93b-4541-89de-51cb7bde6b10
chassis : 29a2b734-b27b-4dd9-b1ae-935292757377
datapath : 0f61ea54-5070-49f9-8701-06d9f1fc54d2
encap : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
logical_port : ls1-vm2
mac : ["00:00:00:00:00:04"]
nat_addresses : []
options : {}
parent_port : []
tag : []
tunnel_key : 2
type : ""
up : true
virtual_parent : []
_uuid : 15a19e85-c21b-4202-8114-5303d5efe117
chassis : []
datapath : 0f61ea54-5070-49f9-8701-06d9f1fc54d2
encap : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
logical_port : ls1-localnet
mac : [unknown]
nat_addresses : []
options : {network_name=externalnet}
parent_port : []
tag : []
tunnel_key : 3
type : localnet
up : false
virtual_parent : []
查看ovsdb信息
root@master:~# ovs-vsctl show
a891c32e-dec1-4168-8e17-1516fa55341b
Bridge br-int
fail_mode: secure
Port ovn-node1-0
Interface ovn-node1-0
type: geneve
options: {csum="true", key=flow, remote_ip="192.168.122.21"}
Port br-int
Interface br-int
type: internal
Port vm1
Interface vm1
type: internal
Port patch-br-int-to-ls1-localnet
Interface patch-br-int-to-ls1-localnet
type: patch
options: {peer=patch-ls1-localnet-to-br-int}
Bridge br-ens8
Port ens8
Interface ens8
Port br-ens8
Interface br-ens8
type: internal
Port patch-ls1-localnet-to-br-int
Interface patch-ls1-localnet-to-br-int
type: patch
options: {peer=patch-br-int-to-ls1-localnet}
root@node1:~# ovs-vsctl show
c9da68e6-3d3f-49a3-b649-9f0345985648
Bridge br-int
fail_mode: secure
Port patch-br-int-to-ls1-localnet
Interface patch-br-int-to-ls1-localnet
type: patch
options: {peer=patch-ls1-localnet-to-br-int}
Port vm2
Interface vm2
type: internal
Port br-int
Interface br-int
type: internal
Port ovn-master-0
Interface ovn-master-0
type: geneve
options: {csum="true", key=flow, remote_ip="192.168.122.20"}
Bridge br-ens8
Port br-ens8
Interface br-ens8
type: internal
Port patch-ls1-localnet-to-br-int
Interface patch-ls1-localnet-to-br-int
type: patch
options: {peer=patch-br-int-to-ls1-localnet}
Port ens8
Interface ens8