四:OVS+GRE之網路節點

linhaifeng發表於2017-03-26

 

 

 

關於Neutron上的三種Agent的作用:

  • Neutron-OVS-Agent:從OVS-Plugin上接收tunnel和tunnel flow的配置,驅動OVS來建立GRE Tunnel
  • Neutron-DHCP-Agent:為每一個配置了DHCP的網路/子網配置dnsmasq,也負責把Mac地址/IP地址 資訊寫入dnsmasq dhcp lease 檔案
  • Neutron-L3-Agent:在每個 qrouter 名稱空間內設定 iptables/routing/NAT 表(路由、SNAT/DNAT、floating ip 與 metadata 轉發規則)

 

網路節點初始建立

注意下面 br-int 與 br-tun 都是 fail_mode: secure:當 OpenFlow 控制器(即 neutron-openvswitch-agent)不可達時,網橋不會退化成普通的 MAC 學習交換機,沒有流表匹配的封包會被丟棄而不是泛洪,租戶隔離不會因 agent 掛掉而失效;br-ex 沒有設定 fail_mode(預設 standalone)。同樣的「預設拒絕」思路也體現在 br-tun table 0 的 priority=0 actions=drop,以及 br-int 的 priority=2,in_port=1 drop 與 br-ex 的 priority=2,in_port=2 drop —— 這兩個 in_port 應該就是 int-br-ex / phy-br-ex 這對 patch port(ovs-vsctl show 不顯示 ofport 編號,可用 ovs-ofctl show br-int 確認),在 agent 下發更具體的流表之前,br-ex 與 br-int 之間的流量是被擋住的。

[root@network01 ~]# ovs-vsctl show
aa2155ed-ec27-454f-bb5c-07325a5322a9
Bridge br-ex
Port phy-br-ex
Interface phy-br-ex
type: patch
options: {peer=int-br-ex}
Port br-ex
Interface br-ex
type: internal
Port "eno16777728"
Interface "eno16777728"
Bridge br-int
fail_mode: secure
Port int-br-ex
Interface int-br-ex
type: patch
options: {peer=phy-br-ex}
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port br-int
Interface br-int
type: internal
Bridge br-tun
fail_mode: secure
Port br-tun
Interface br-tun
type: internal
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
ovs_version: "2.5.0"

 

[root@network01 ~]# ovs-ofctl dump-flows br-tun
NXST_FLOW reply (xid=0x4):
cookie=0x98a3719566989240, duration=415.236s, table=0, n_packets=0, n_bytes=0, idle_age=415, priority=1,in_port=1 actions=resubmit(,2)
cookie=0x98a3719566989240, duration=415.236s, table=0, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop
cookie=0x98a3719566989240, duration=415.236s, table=2, n_packets=0, n_bytes=0, idle_age=415, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
cookie=0x98a3719566989240, duration=415.235s, table=2, n_packets=0, n_bytes=0, idle_age=415, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
cookie=0x98a3719566989240, duration=415.235s, table=3, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop
cookie=0x98a3719566989240, duration=415.235s, table=4, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop
cookie=0x98a3719566989240, duration=415.234s, table=6, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop
cookie=0x98a3719566989240, duration=415.234s, table=10, n_packets=0, n_bytes=0, idle_age=415, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0x98a3719566989240,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
cookie=0x98a3719566989240, duration=415.234s, table=20, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=resubmit(,22)
cookie=0x98a3719566989240, duration=415.230s, table=22, n_packets=0, n_bytes=0, idle_age=415, priority=0 actions=drop


[root@network01 ~]# ovs-ofctl dump-flows br-int
NXST_FLOW reply (xid=0x4):
cookie=0x80eafad15a6e6157, duration=461.942s, table=0, n_packets=84, n_bytes=10115, idle_age=17, priority=2,in_port=1 actions=drop
cookie=0x80eafad15a6e6157, duration=462.010s, table=0, n_packets=0, n_bytes=0, idle_age=462, priority=0 actions=NORMAL
cookie=0x80eafad15a6e6157, duration=462.006s, table=23, n_packets=0, n_bytes=0, idle_age=462, priority=0 actions=drop
cookie=0x80eafad15a6e6157, duration=462.002s, table=24, n_packets=0, n_bytes=0, idle_age=462, priority=0 actions=drop


[root@network01 ~]# ovs-ofctl dump-flows br-ex
NXST_FLOW reply (xid=0x4):
cookie=0x9eca13790f6a3396, duration=475.914s, table=0, n_packets=0, n_bytes=0, idle_age=475, priority=2,in_port=2 actions=drop
cookie=0x9eca13790f6a3396, duration=475.944s, table=0, n_packets=6345, n_bytes=1411407, idle_age=0, priority=0 actions=NORMAL

計算節點初始建立

[root@compute01 network-scripts]# ovs-vsctl show
a621fa10-9712-4aee-9fee-b27cb993ae4d
Bridge br-tun
fail_mode: secure
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Port br-tun
Interface br-tun
type: internal
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
ovs_version: "2.5.0"

 


[root@compute01 network-scripts]# ovs-ofctl dump-flows br-tun
NXST_FLOW reply (xid=0x4):
cookie=0xa05092b3bd957132, duration=85.620s, table=0, n_packets=0, n_bytes=0, idle_age=85, priority=1,in_port=1 actions=resubmit(,2)
cookie=0xa05092b3bd957132, duration=85.619s, table=0, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop
cookie=0xa05092b3bd957132, duration=85.619s, table=2, n_packets=0, n_bytes=0, idle_age=85, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
cookie=0xa05092b3bd957132, duration=85.619s, table=2, n_packets=0, n_bytes=0, idle_age=85, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
cookie=0xa05092b3bd957132, duration=85.619s, table=3, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop
cookie=0xa05092b3bd957132, duration=85.619s, table=4, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop
cookie=0xa05092b3bd957132, duration=85.619s, table=6, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop
cookie=0xa05092b3bd957132, duration=85.618s, table=10, n_packets=0, n_bytes=0, idle_age=85, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xa05092b3bd957132,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
cookie=0xa05092b3bd957132, duration=85.618s, table=20, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=resubmit(,22)
cookie=0xa05092b3bd957132, duration=85.612s, table=22, n_packets=0, n_bytes=0, idle_age=85, priority=0 actions=drop

 

 

 


[root@compute01 network-scripts]# ovs-ofctl dump-flows br-int
NXST_FLOW reply (xid=0x4):
cookie=0xa7ca4aa5282a657d, duration=69.290s, table=0, n_packets=0, n_bytes=0, idle_age=69, priority=0 actions=NORMAL
cookie=0xa7ca4aa5282a657d, duration=69.285s, table=23, n_packets=0, n_bytes=0, idle_age=69, priority=0 actions=drop
cookie=0xa7ca4aa5282a657d, duration=69.281s, table=24, n_packets=0, n_bytes=0, idle_age=69, priority=0 actions=drop

 

 

新增計算節點後,網路節點的變化

可以看到 br-tun 上同時出現了到 1.1.1.117 的 gre 與 vxlan 兩種 tunnel port(port 名稱後綴 01010175 就是遠端 ip 的十六進位制,0x75 = 117;兩種都建立應是 ovs agent 的 tunnel_types 同時包含 gre 與 vxlan),table 0 也多了 in_port=2 / in_port=3 兩條流。要注意 GRE/VXLAN 只做封裝,不做加密也不做認證,租戶流量在 1.1.1.x 這個 tunnel 網路上是明文傳輸的,因此 tunnel 網路應該是一個只有計算/網路節點可達、不對外暴露的獨立網段。

 

[root@network01 ~]# ovs-vsctl show
aa2155ed-ec27-454f-bb5c-07325a5322a9
Bridge br-ex
Port phy-br-ex
Interface phy-br-ex
type: patch
options: {peer=int-br-ex}
Port br-ex
Interface br-ex
type: internal
Port "eno16777728"
Interface "eno16777728"
Bridge br-int
fail_mode: secure
Port int-br-ex
Interface int-br-ex
type: patch
options: {peer=phy-br-ex}
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port br-int
Interface br-int
type: internal
Bridge br-tun
fail_mode: secure
Port "vxlan-01010175"
Interface "vxlan-01010175"
type: vxlan
options: {df_default="true", in_key=flow, local_ip="1.1.1.119", out_key=flow, remote_ip="1.1.1.117"}
Port "gre-01010175"
Interface "gre-01010175"
type: gre
options: {df_default="true", in_key=flow, local_ip="1.1.1.119", out_key=flow, remote_ip="1.1.1.117"}
Port br-tun
Interface br-tun
type: internal
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
ovs_version: "2.5.0"




[root@network01 ~]# ovs-ofctl dump-flows br-tun
NXST_FLOW reply (xid=0x4):
cookie=0x98a3719566989240, duration=1432.934s, table=0, n_packets=0, n_bytes=0, idle_age=1432, priority=1,in_port=1 actions=resubmit(,2)
cookie=0x98a3719566989240, duration=678.011s, table=0, n_packets=0, n_bytes=0, idle_age=678, priority=1,in_port=2 actions=resubmit(,3)
cookie=0x98a3719566989240, duration=678.001s, table=0, n_packets=0, n_bytes=0, idle_age=678, priority=1,in_port=3 actions=resubmit(,4)
cookie=0x98a3719566989240, duration=1432.934s, table=0, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
cookie=0x98a3719566989240, duration=1432.934s, table=2, n_packets=0, n_bytes=0, idle_age=1432, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
cookie=0x98a3719566989240, duration=1432.933s, table=2, n_packets=0, n_bytes=0, idle_age=1432, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
cookie=0x98a3719566989240, duration=1432.933s, table=3, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
cookie=0x98a3719566989240, duration=1432.933s, table=4, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
cookie=0x98a3719566989240, duration=1432.932s, table=6, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
cookie=0x98a3719566989240, duration=1432.932s, table=10, n_packets=0, n_bytes=0, idle_age=1432, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0x98a3719566989240,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
cookie=0x98a3719566989240, duration=1432.932s, table=20, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=resubmit(,22)
cookie=0x98a3719566989240, duration=1432.928s, table=22, n_packets=0, n_bytes=0, idle_age=1432, priority=0 actions=drop
[root@network01 ~]# ovs-ofctl dump-flows br-int
NXST_FLOW reply (xid=0x4):
cookie=0x80eafad15a6e6157, duration=1435.422s, table=0, n_packets=252, n_bytes=29709, idle_age=30, priority=2,in_port=1 actions=drop
cookie=0x80eafad15a6e6157, duration=1435.490s, table=0, n_packets=0, n_bytes=0, idle_age=1435, priority=0 actions=NORMAL
cookie=0x80eafad15a6e6157, duration=1435.486s, table=23, n_packets=0, n_bytes=0, idle_age=1435, priority=0 actions=drop
cookie=0x80eafad15a6e6157, duration=1435.482s, table=24, n_packets=0, n_bytes=0, idle_age=1435, priority=0 actions=drop
[root@network01 ~]# ovs-ofctl dump-flows br-ex
NXST_FLOW reply (xid=0x4):
cookie=0x9eca13790f6a3396, duration=1437.921s, table=0, n_packets=0, n_bytes=0, idle_age=1437, priority=2,in_port=2 actions=drop
cookie=0x9eca13790f6a3396, duration=1437.951s, table=0, n_packets=24901, n_bytes=5525721, idle_age=0, priority=0 actions=NORMAL

 

在dashboard管理員下建立不帶子網的外部網路

 

此時不管在dashboard檢視,還是在網路節點執行ip netns show檢視,都看不到任何名稱空間裡有裝置產生

於是我們為該網路建立子網

 

 

 

 

 

 

 

然後先在網路節點執行

[root@network01 ~]# ip netns show
qdhcp-7619e0d9-e11d-4005-a691-f7abdd704b37

 

然後再在dashboard裡檢視

 

 

 

 

普通使用者demo建立網路、子網及路由。

 

 

 

在網路節點

[root@network01 ~]# ip netns show
qrouter-f37e0927-1291-469f-bdbc-dd4011394835 #這就是demo-router
qdhcp-125e0c45-2d45-469c-929e-493d36d92be4 #這是demo-net的dhcp
qdhcp-7619e0d9-e11d-4005-a691-f7abdd704b37 #這是external的dhcp

 

租戶demo的網路拓撲已經構建完畢demo-net----->demo-router------->external

於是我們可以新建vm連線到demo-net了

 

且慢,讓我們先將上述的網路拓撲畫出來

先畫網路節點的,檢視拓撲

[root@network01 ~]# ovs-vsctl show
b3d24647-b0e2-41d2-bd48-ef2c5d025601
Bridge br-tun
fail_mode: secure
Port "vxlan-01010175"
Interface "vxlan-01010175"
type: vxlan
options: {df_default="true", in_key=flow, local_ip="1.1.1.119", out_key=flow, remote_ip="1.1.1.117"}
Port "gre-01010175"
Interface "gre-01010175"
type: gre
options: {df_default="true", in_key=flow, local_ip="1.1.1.119", out_key=flow, remote_ip="1.1.1.117"}
Port br-tun
Interface br-tun
type: internal
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port "qr-eab14967-a4"
tag: 3
Interface "qr-eab14967-a4"
type: internal
Port "tap8cc4ca9f-58"
tag: 2
Interface "tap8cc4ca9f-58"
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port "tap8b416bf2-5f"
tag: 3
Interface "tap8b416bf2-5f"
type: internal
Port int-br-ex
Interface int-br-ex
type: patch
options: {peer=phy-br-ex}
Bridge br-ex
Port br-ex
Interface br-ex
type: internal
Port "qg-8879568d-88"
Interface "qg-8879568d-88"
type: internal
Port phy-br-ex
Interface phy-br-ex
type: patch
options: {peer=int-br-ex}
Port "eno16777728"
Interface "eno16777728"
ovs_version: "2.5.0"

 

 

 此時的compute節點因為沒有vm,所以還是跟以前一樣

[root@compute01 ~]# ovs-vsctl show
00126cb0-fd70-482d-be60-a9769797d5c8
Bridge br-tun
fail_mode: secure
Port br-tun
Interface br-tun
type: internal
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
ovs_version: "2.5.0"

 

但是當我們新增一個vm後,再看compute,當然此時網路節點的網橋關係不會變化

[root@compute01 ~]# ovs-vsctl show
00126cb0-fd70-482d-be60-a9769797d5c8
Bridge br-tun
fail_mode: secure
Port "vxlan-01010177"
Interface "vxlan-01010177"
type: vxlan
options: {df_default="true", in_key=flow, local_ip="1.1.1.117", out_key=flow, remote_ip="1.1.1.119"}
Port br-tun
Interface br-tun
type: internal
Port patch-int
Interface patch-int
type: patch
options: {peer=patch-tun}
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port patch-tun
Interface patch-tun
type: patch
options: {peer=patch-int}
Port "qvo1ea1ad64-e2" #這就是剛剛建的那臺vm,連線到br-int上的介面
tag: 1
Interface "qvo1ea1ad64-e2"
ovs_version: "2.5.0"

 

 

插播Mac地址的基礎知識:

 

  • MAC地址是乙太網二層使用的一個48bit(6位元組十六進位制數)的地址,用來標識裝置位置。MAC地址分成兩部分,前24位是組織唯一識別符號(OUI, Organizationally unique identifier),後24位由廠商自行分配。48bit的MAC地址一般用6位元組的十六進位制來表示,如XX-XX-XX-XX-XX-XX。
  • 廣播地址:FF:FF:FF:FF:FF:FF
  • 組播地址:MAC組播地址的特徵是頭8位的最低位是1。例如01:80:C2:00:00:00是一個組播地址,表示802.1d網橋多播組。網橋就是使用這個地址,相互之間交換配置資訊,執行分散式生成樹演算法,消除網路拓撲結構中的環路。
  • 單播地址:單播地址的特徵是頭8位的最低位為0。每個網路卡出廠時被分配唯一一個單播地址,頭24位是裝置製造廠商的編號,由IEEE(電氣與電子工程師協會)分配,後24位是裝置廠商為網路卡制定的唯一編號。例如8C-70-5A-29-3A-48 是單播地址的例子 (8C = 10001100)。

[root@network01 ~]# ovs-ofctl dump-flows br-tun
NXST_FLOW reply (xid=0x4):
cookie=0xa44d2f2745487c7e, duration=6408.572s, table=0, n_packets=201, n_bytes=23932, idle_age=1514, priority=1,in_port=1 actions=resubmit(,2)
cookie=0xa44d2f2745487c7e, duration=6398.482s, table=0, n_packets=0, n_bytes=0, idle_age=6398, priority=1,in_port=2 actions=resubmit(,3)
cookie=0xa44d2f2745487c7e, duration=6398.370s, table=0, n_packets=201, n_bytes=19348, idle_age=1514, priority=1,in_port=3 actions=resubmit(,4)
cookie=0xa44d2f2745487c7e, duration=6408.572s, table=0, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=drop
cookie=0xa44d2f2745487c7e, duration=6408.571s, table=2, n_packets=153, n_bytes=20092, idle_age=1514, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
cookie=0xa44d2f2745487c7e, duration=6408.571s, table=2, n_packets=48, n_bytes=3840, idle_age=1806, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
cookie=0xa44d2f2745487c7e, duration=6408.571s, table=3, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=drop
cookie=0xa44d2f2745487c7e, duration=5727.725s, table=4, n_packets=0, n_bytes=0, idle_age=5727, priority=1,tun_id=0x1 actions=mod_vlan_vid:2,resubmit(,10)
cookie=0xa44d2f2745487c7e, duration=5495.568s, table=4, n_packets=201, n_bytes=19348, idle_age=1514, priority=1,tun_id=0x47 actions=mod_vlan_vid:3,resubmit(,10)
cookie=0xa44d2f2745487c7e, duration=6408.571s, table=4, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=drop
cookie=0xa44d2f2745487c7e, duration=6408.571s, table=6, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=drop
cookie=0xa44d2f2745487c7e, duration=6408.571s, table=10, n_packets=201, n_bytes=19348, idle_age=1514, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xa44d2f2745487c7e,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
cookie=0xa44d2f2745487c7e, duration=6408.571s, table=20, n_packets=0, n_bytes=0, idle_age=6408, priority=0 actions=resubmit(,22)
cookie=0xa44d2f2745487c7e, duration=5727.741s, table=22, n_packets=5, n_bytes=390, idle_age=5719, dl_vlan=2 actions=strip_vlan,set_tunnel:0x1,output:3
cookie=0xa44d2f2745487c7e, duration=5495.573s, table=22, n_packets=19, n_bytes=1606, idle_age=1806, dl_vlan=3 actions=strip_vlan,set_tunnel:0x47,output:3
cookie=0xa44d2f2745487c7e, duration=6408.565s, table=22, n_packets=16, n_bytes=1328, idle_age=5379, priority=0 actions=drop

 

[root@compute01 ~]# ovs-ofctl dump-flows br-tun

NXST_FLOW reply (xid=0x4):
cookie=0xaec5db959d6a6f09, duration=6700.403s, table=0, n_packets=206, n_bytes=19730, idle_age=1815, priority=1,in_port=1 actions=resubmit(,2)
cookie=0xaec5db959d6a6f09, duration=2113.576s, table=0, n_packets=154, n_bytes=20134, idle_age=1815, priority=1,in_port=2 actions=resubmit(,4)
cookie=0xaec5db959d6a6f09, duration=6700.403s, table=0, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=drop
cookie=0xaec5db959d6a6f09, duration=6700.403s, table=2, n_packets=1, n_bytes=42, idle_age=2107, priority=1,arp,dl_dst=ff:ff:ff:ff:ff:ff actions=resubmit(,21)
cookie=0xaec5db959d6a6f09, duration=6700.403s, table=2, n_packets=193, n_bytes=18204, idle_age=1815, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
cookie=0xaec5db959d6a6f09, duration=6700.402s, table=2, n_packets=12, n_bytes=1484, idle_age=2097, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
cookie=0xaec5db959d6a6f09, duration=6700.402s, table=3, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=drop
cookie=0xaec5db959d6a6f09, duration=2114.249s, table=4, n_packets=154, n_bytes=20134, idle_age=1815, priority=1,tun_id=0x47 actions=mod_vlan_vid:1,resubmit(,10)
cookie=0xaec5db959d6a6f09, duration=6700.402s, table=4, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=drop
cookie=0xaec5db959d6a6f09, duration=6700.402s, table=6, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=drop
cookie=0xaec5db959d6a6f09, duration=6700.402s, table=10, n_packets=154, n_bytes=20134, idle_age=1815, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xaec5db959d6a6f09,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
cookie=0xaec5db959d6a6f09, duration=2113.575s, table=20, n_packets=1, n_bytes=42, idle_age=2102, priority=2,dl_vlan=1,dl_dst=fa:16:3e:1d:79:ea actions=strip_vlan,set_tunnel:0x47,output:2
cookie=0xaec5db959d6a6f09, duration=2113.575s, table=20, n_packets=192, n_bytes=18162, idle_age=1815, priority=2,dl_vlan=1,dl_dst=fa:16:3e:b3:b4:f7 actions=strip_vlan,set_tunnel:0x47,output:2
cookie=0xaec5db959d6a6f09, duration=6700.402s, table=20, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=resubmit(,22)
cookie=0xaec5db959d6a6f09, duration=2113.575s, table=21, n_packets=0, n_bytes=0, idle_age=2113, priority=1,arp,dl_vlan=1,arp_tpa=172.16.45.2 actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:fa:16:3e:1d:79:ea,load:0x2->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:0xfa163e1d79ea->NXM_NX_ARP_SHA[],load:0xac102d02->NXM_OF_ARP_SPA[],IN_PORT
cookie=0xaec5db959d6a6f09, duration=2113.575s, table=21, n_packets=1, n_bytes=42, idle_age=2107, priority=1,arp,dl_vlan=1,arp_tpa=172.16.45.1 actions=move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],mod_dl_src:fa:16:3e:b3:b4:f7,load:0x2->NXM_OF_ARP_OP[],move:NXM_NX_ARP_SHA[]->NXM_NX_ARP_THA[],move:NXM_OF_ARP_SPA[]->NXM_OF_ARP_TPA[],load:0xfa163eb3b4f7->NXM_NX_ARP_SHA[],load:0xac102d01->NXM_OF_ARP_SPA[],IN_PORT
cookie=0xaec5db959d6a6f09, duration=6700.402s, table=21, n_packets=0, n_bytes=0, idle_age=6700, priority=0 actions=resubmit(,22)
cookie=0xaec5db959d6a6f09, duration=2113.570s, table=22, n_packets=8, n_bytes=1144, idle_age=2097, dl_vlan=1 actions=strip_vlan,set_tunnel:0x47,output:2
cookie=0xaec5db959d6a6f09, duration=6700.396s, table=22, n_packets=4, n_bytes=340, idle_age=2114, priority=0 actions=drop

 

名稱空間檢視

 

檢視路由(下面先用 ip netns exec ... bash 進入 qrouter 名稱空間,之後的 ifconfig、route -n 以及後面的 iptables 都是在該名稱空間內執行的;提示符不會改變,注意不要誤以為看到的是主機本身的設定)

[root@network01 ~]# ip netns exec qrouter-f37e0927-1291-469f-bdbc-dd4011394835 bash

[root@network01 ~]# ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

qg-8879568d-88: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 192.168.31.3 netmask 255.255.255.0 broadcast 192.168.31.255
inet6 fe80::f816:3eff:fe64:f3d8 prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:64:f3:d8 txqueuelen 0 (Ethernet)
RX packets 2774 bytes 245126 (239.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 89 bytes 7908 (7.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

qr-eab14967-a4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.16.45.1 netmask 255.255.255.0 broadcast 172.16.45.255
inet6 fe80::f816:3eff:feb3:b4f7 prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:b3:b4:f7 txqueuelen 0 (Ethernet)
RX packets 200 bytes 19306 (18.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 161 bytes 20190 (19.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


[root@network01 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.31.1 0.0.0.0 UG 0 0 0 qg-8879568d-88
172.16.45.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-eab14967-a4
192.168.31.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-8879568d-88

 

浮動ip

安全組(安全組規則不是下在網路節點上,而是在計算節點上針對每個 vm port 下發;從上面 compute01 的 br-int 上 port 名為 qvo... 來看,這裡應該是 iptables hybrid 防火牆驅動,規則落在 vm 與 br-int 之間的 linux bridge 上,可在計算節點用 iptables -S 檢視 neutron 下發的鏈來確認)

檢視浮動ip,在網路節點(仍在上面進入的 qrouter 名稱空間 bash 裡)。注意 iptables -nL 不會顯示 -i/-o 介面匹配條件,下面的 ACCEPT ! ctstate DNAT 與 SNAT 規則通常還帶有 qg-/qr- 介面的限制,只看這份輸出會誤以為所有流量都會被 SNAT;要看完整規則請用 iptables -t nat -nvL 或 iptables-save -t nat

[root@network01 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
neutron-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0

Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
DNAT all -- 0.0.0.0/0 192.168.31.4 to:172.16.45.3 #=============================》OUTPUT 鏈只對本名稱空間自身產生的封包生效;外部訪問內部真正走的是下面 PREROUTING 鏈裡同樣的 DNAT 規則

Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 169.254.169.254 tcp dpt:80 redir ports 9697 #=============》vm 對 metadata 服務的請求被轉到本名稱空間內 9697 埠的 metadata proxy;該 proxy 轉發時會加上 instance id 並用 neutron/nova 共用的 metadata_proxy_shared_secret 簽名,部署時需確認該 secret 已設定且兩邊一致
DNAT all -- 0.0.0.0/0 192.168.31.4 to:172.16.45.3

Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
SNAT all -- 172.16.45.3 0.0.0.0/0 to:192.168.31.4#===========================》內訪問外

Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:192.168.31.3 #=====》沒有 floating ip 的 vm 出外網時統一以路由器閘道器位址 192.168.31.3(即 qg-8879568d-88 的 ip)做 SNAT
SNAT all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0x2/0xffff ctstate DNAT to:192.168.31.3

Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- 0.0.0.0/0 0.0.0.0/0 /* Perform source NAT on outgoing traffic. */

 

DHCP server

 

每一個有DHCP的網路都在網路節點上有一個DHCP服務,每個DHCP Server都是一個執行在一個network namespace中的dnsmasq程式。dnsmasq是一個用在Linux上的輕型DNS和DHCP服務,具體見 http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html.

[root@network01 ~]# ps aux |grep dnsmasq |grep -v 'grep'
nobody 4049 0.0 0.0 15556 900 ? S 05:58 0:00 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/host --addn-hosts=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/opts --dhcp-leasefile=/var/lib/neutron/dhcp/7619e0d9-e11d-4005-a691-f7abdd704b37/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tap8cc4ca9f-58 --dhcp-range=set:tag0,192.168.31.0,static,86400s --dhcp-option-force=option:mtu,1450 --dhcp-lease-max=256 --conf-file= --domain=openstacklocal

 

nobody 4617 0.0 0.0 15556 948 ? S 06:02 0:00 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/host --addn-hosts=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/opts --dhcp-leasefile=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tap8b416bf2-5f --dhcp-range=set:tag0,172.16.45.0,static,86400s --dhcp-option-force=option:mtu,1450 --dhcp-lease-max=256 --conf-file= --domain=openstacklocal

 從上面的參數可以看到:這兩個 dnsmasq 都以 nobody 使用者執行,用 --bind-interfaces --interface=tap... 只綁定自己名稱空間裡的那一個 tap 裝置,用 --no-hosts --no-resolv 不讀主機的 /etc/hosts 與 /etc/resolv.conf;而 --dhcp-range ...,static 表示只對 --dhcp-hostsfile 裡列出的 MAC 分配位址,不在檔案裡的 MAC 拿不到租約(--dhcp-lease-max=256 再限制租約總數)。

 

1.  --interface=tap8b416bf2-5f: 該process繫結/監聽一個TAP裝置,即上圖的H1

2.  --dhcp-hostsfile=/var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/host

[root@network01 ~]# cat /var/lib/neutron/dhcp/125e0c45-2d45-469c-929e-493d36d92be4/host
fa:16:3e:1d:79:ea,host-172-16-45-2.openstacklocal,172.16.45.2
fa:16:3e:b3:b4:f7,host-172-16-45-1.openstacklocal,172.16.45.1
fa:16:3e:4b:72:ef,host-172-16-45-3.openstacklocal,172.16.45.3

 在虛機的建立過程中,Neutron會把這些資訊(應該是從neutron db中拿到一個可用的IP地址)寫到該檔案中,這樣,當虛機使用Mac地址向DHCP Server查詢IP地址的時候,dnsmasq會讀取該檔案把IP地址返回給它。

 

檢視dhcp的埠

[root@network01 ~]# ip netns exec qdhcp-125e0c45-2d45-469c-929e-493d36d92be4 bash
[root@network01 ~]# ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 1 bytes 576 (576.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1 bytes 576 (576.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tap8b416bf2-5f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.16.45.2 netmask 255.255.255.0 broadcast 172.16.45.255
inet6 fe80::f816:3eff:fe1d:79ea prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:1d:79:ea txqueuelen 0 (Ethernet)
RX packets 29 bytes 3717 (3.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11 bytes 1456 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

可以在dhcp的名稱空間裡抓包分析,例如:ip netns exec qdhcp-125e0c45-2d45-469c-929e-493d36d92be4 tcpdump -ni tap8b416bf2-5f port 67 or port 68

 
