3 posts tagged 'networking-sfc'

  1. 2016.07.06 OpenStack SFC Flow Analysis (1)
  2. 2016.06.11 OpenStack SFC manual Install (Liberty) (4)
  3. 2016.03.23 OpenStack with networking-sfc (devstack) (6)

OpenStack SFC Flow Analysis

OpenStack/Research_OpenStack 2016.07.06 14:27

Other posts in the 'OpenStack > Research_OpenStack' category

OpenStack SFC Flow Analysis  (1) 2016.07.06
OpenStack SFC manual Install (Liberty)  (4) 2016.06.11
OpenStack with networking-sfc (devstack)  (6) 2016.03.23
OpenStack REST 확인  (0) 2015.10.19
OpenStack DVR - SlideShare  (0) 2015.06.29
OpenStack DVR – DNAT Traffic  (0) 2015.06.29

OpenStack SFC manual Install (Liberty)

OpenStack/Research_OpenStack 2016.06.11 14:24

OpenStack Liberty SFC Install (not devstack)


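With NFV (Network Function Virtualization) in the spotlight lately, interest in OpenStack is running hotter than ever.

This may be because telcos are actively backing NFV environments, but cases of building an NFV environment on top of OpenStack are showing up everywhere.


There are probably several reasons, but I suspect the biggest is that OpenStack makes it easy to set up virtual networks and the SFs (Service Functions) at the core of NFV, and to offer an SFC (Service Function Chaining) service that uses them.


The base technology of an NFV environment will be network virtualization together with flexibly connecting services over the virtual network.


Services that use OpenStack to build virtual networks and SF VMs and drive them with an SDN controller (ODL/ONOS) are already being implemented at the PoC stage.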



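[Figure 1] OpenStack-based Service Function Chaining flow



Described very broadly, the figure above shows that when SFs are created as VMs, the packet flow between those VMs is connected to suit its purpose. An SF VM can be regarded as 'a virtual machine that contains a network service'.


That is, given traffic from source SF01 to destination SF05, that traffic must pass through SF02, which handles the firewall function, and then through SF04, which handles load balancing, on its way to the destination.


In OpenStack this work started as the networking-sfc project, and what follows is an implementation procedure based on the networking-sfc wiki page.


References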

- https://wiki.openstack.org/wiki/Neutron/ServiceInsertionAndChaining

- http://docs.openstack.org/developer/networking-sfc/

- https://github.com/openstack/networking-sfc



Special Thanks to: 정치욱 of KT, who helped in writing the material below.



networking-sfc Basic Setup on OpenStack




1. Basic configuration


1-1. Environment

  • OpenStack Liberty Documentation (http://docs.openstack.org/liberty/install-guide-ubuntu/)
  • Ubuntu 14.04 image
  • 3 Server Node
    • Controller Node / Compute01 / Compute02

[Figure 2] OpenStack Environment

  • NIC Interface
    • eth0 (bound to br-ex on the Controller Node) / eth1 (Management) / eth2 (Data)

###### Controller Node  ######


$ sudo vi /etc/network/interfaces


# OVS br-ex bind eth0

auto br-ex

iface br-ex inet static

      address <public_ip>

      gateway <public_gateway_IP>

      netmask 255.255.255.0

      dns-nameservers 8.8.8.8


# Public Network

auto eth0

iface eth0 inet manual

       up ip link set dev $IFACE up

       down ip link set dev $IFACE down


# Management Network

auto eth1

iface eth1 inet static

      address 192.168.56.10

      netmask 255.255.255.0


# Data Network

auto eth2

iface eth2 inet static

      address 172.168.56.10

      netmask 255.255.255.0

################################


###### Compute Node 01 ######


$ sudo vi /etc/network/interfaces


# Public Network

auto eth0

iface eth0 inet static

      address <public_ip>

      gateway <public_gateway_IP>

      netmask 255.255.255.0

      dns-nameservers 8.8.8.8


# Management Network

auto eth1

iface eth1 inet static

      address 192.168.56.20

      netmask 255.255.255.0



# Data Network

auto eth2

iface eth2 inet static

      address 172.168.56.20

      netmask 255.255.255.0

################################


###### Compute Node 02 ######


$ sudo vi /etc/network/interfaces


# Public Network

auto eth0

iface eth0 inet static

      address <public_ip>

      gateway <public_gateway_IP>

      netmask 255.255.255.0

      dns-nameservers 8.8.8.8


# Management Network

auto eth1

iface eth1 inet static

      address 192.168.56.30

      netmask 255.255.255.0



# Data Network

auto eth2

iface eth2 inet static

      address 172.168.56.30

      netmask 255.255.255.0

################################


1-2. Update & upgrade / install required programs


$ sudo apt-get update

$ sudo apt-get -y upgrade


1-3. OpenStack Liberty repository setup


$ sudo apt-get install software-properties-common

$ sudo add-apt-repository cloud-archive:liberty



2. networking-sfc setup


2-1. networking-sfc download (All Nodes)


$ sudo apt-get install -y git

$ git clone git://git.openstack.org/openstack/networking-sfc.git -b stable/liberty

$ sudo pip install -e /home/{user}/networking-sfc

$ sudo su

$ . admin-openrc.sh

$ neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --subproject networking-sfc upgrade head

$ exit

$ cd /home/{user}/networking-sfc

$ sudo python setup.py install

$ sudo cp /usr/local/bin/neutron-openvswitch-agent /usr/bin/neutron-openvswitch-agent




3. neutron configuration


3-1. Controller Node (Controller+Network)


$ sudo vi /etc/nova/nova.conf


[DEFAULT]

dhcpbridge_flagfile=/etc/nova/nova.conf

dhcpbridge=/usr/bin/nova-dhcpbridge

logdir=/var/log/nova

state_path=/var/lib/nova

lock_path=/var/lock/nova

force_dhcp_release=True

libvirt_use_virtio_for_bridges=True

verbose=True

ec2_private_dns_show_ip=True

api_paste_config=/etc/nova/api-paste.ini

enabled_apis=osapi_compute,metadata

 

rpc_backend = rabbit

 

auth_strategy = keystone

 

my_ip =  <Controller Node eth1 IP>

 

network_api_class = nova.network.neutronv2.api.API

security_group_api = neutron

linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver

firewall_driver = nova.virt.firewall.NoopFirewallDriver

 

[keystone_authtoken]

auth_uri = http://controller:5000

auth_url = http://controller:35357

auth_plugin = password

project_domain_id = default

user_domain_id = default

project_name = service

username = nova

password = NOVA_PASS

 

[database]

connection = mysql+pymysql://nova:NOVA_DBPASS@controller/nova

 

[oslo_messaging_rabbit]

rabbit_host = controller

rabbit_userid = openstack

rabbit_password = RABBIT_PASS

 

[vnc]

vncserver_listen = $my_ip

vncserver_proxyclient_address = $my_ip

 

[glance]

host = controller

 

[oslo_concurrency]

lock_path = /var/lib/nova/tmp

 

[neutron]

url = http://controller:9696

auth_url = http://controller:35357

auth_plugin = password

project_domain_id = default

user_domain_id = default

region_name = RegionOne

project_name = service

username = neutron

password = NEUTRON_PASS

 

service_metadata_proxy = True

metadata_proxy_shared_secret = METADATA_SECRET

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/neutron.conf


[DEFAULT]

 

verbose = True

core_plugin = ml2

service_plugins = router,networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin,networking_sfc.services.sfc.plugin.SfcPlugin

auth_strategy = keystone

allow_overlapping_ips = True

...

notify_nova_on_port_status_changes = True

...

notify_nova_on_port_data_changes = True

...

nova_url = http://controller:8774/v2

rpc_backend=rabbit

 

[agent]

...

root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

 

[keystone_authtoken]

auth_uri = http://controller:5000

auth_url = http://controller:35357

auth_plugin = password

project_domain_id = default

user_domain_id = default

project_name = service

username = neutron

password = NEUTRON_PASS

 

[database]

connection = mysql+pymysql://neutron:NEUTRON_DBPASS@controller/neutron

 

[nova]

auth_url = http://controller:35357

auth_plugin = password

project_domain_id = default

user_domain_id = default

region_name = RegionOne

project_name = service

username = nova

password = NOVA_PASS

 

[oslo_concurrency]

...

lock_path = $state_path/lock

...

 

[oslo_messaging_rabbit]

...

...

rabbit_host = controller

rabbit_userid = openstack

...

rabbit_password = RABBIT_PASS

...

 

[sfc]

drivers=ovs

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/l3_agent.conf


[DEFAULT]

...

verbose = True

...

interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

...

...

external_network_bridge = br-ex

router_delete_namespaces = True

...

...

agent_mode = legacy

...

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/dhcp_agent.conf


[DEFAULT]

...

verbose = True

...

interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

...

dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq

...

use_namespaces = True

...

enable_isolated_metadata = True

...

enable_metadata_network = True

...

dnsmasq_config_file = /etc/neutron/dnsmasq-neutron.conf

...

dhcp_delete_namespaces = True

...

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/metadata_agent.conf


[DEFAULT]

...

verbose = True

auth_uri = http://controller:5000

auth_url = http://controller:35357

auth_region = RegionOne

auth_plugin = password

project_domain_id = default

user_domain_id = default

...

project_name = service

username = neutron

password = NEUTRON_PASS

nova_metadata_ip = controller

...

nova_metadata_port = 8775

...

...

metadata_proxy_shared_secret = METADATA_SECRET

...

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/plugins/ml2/ml2_conf.ini


[ml2]

...

type_drivers = flat,vlan,gre,vxlan,geneve

...

tenant_network_types = vxlan

...

mechanism_drivers = openvswitch

...

extension_drivers = port_security

...

 

[ml2_type_vxlan]

...

vni_ranges = 1001:2000

...

 

[securitygroup]

...

firewall_driver = neutron.agent.firewall.NoopFirewallDriver

...

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/plugins/ml2/openvswitch_agent.ini


[ovs]

integration_bridge = br-int

...

tunnel_bridge = br-tun

...

local_ip = <eth2 IP>

...

 

[agent]

tunnel_types = vxlan

...

vxlan_udp_port = 4789

...


3-2. Compute01, Compute02


$ sudo vi /etc/nova/nova.conf


[DEFAULT]

dhcpbridge_flagfile=/etc/nova/nova.conf

dhcpbridge=/usr/bin/nova-dhcpbridge

logdir=/var/log/nova

state_path=/var/lib/nova

lock_path=/var/lock/nova

force_dhcp_release=True

libvirt_use_virtio_for_bridges=True

verbose=True

ec2_private_dns_show_ip=True

api_paste_config=/etc/nova/api-paste.ini

enabled_apis=ec2,osapi_compute,metadata

 

rpc_backend = rabbit

 

auth_strategy = keystone

 

my_ip = <Compute Node eth1 IP>

 

network_api_class = nova.network.neutronv2.api.API

security_group_api = neutron

linuxnet_interface_driver = nova.network.linux_net.LinuxOVSInterfaceDriver

firewall_driver = nova.virt.firewall.NoopFirewallDriver

 

[oslo_messaging_rabbit]

rabbit_host = controller

rabbit_userid = openstack

rabbit_password = RABBIT_PASS

 

[keystone_authtoken]

auth_uri = http://controller:5000

auth_url = http://controller:35357

auth_plugin = password

project_domain_id = default

user_domain_id = default

project_name = service

username = nova

password = NOVA_PASS

 

[vnc]

enabled = True

vncserver_listen = 0.0.0.0

vncserver_proxyclient_address = $my_ip

novncproxy_base_url = http://<Controller Node br-ex IP>:6080/vnc_auto.html

 

[glance]

host = controller

 

[oslo_concurrency]

lock_path = /var/lib/nova/tmp

 

[neutron]

url = http://controller:9696

auth_url = http://controller:35357

auth_plugin = password

project_domain_id = default

user_domain_id = default

region_name = RegionOne

project_name = service

username = neutron

password = NEUTRON_PASS

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/neutron.conf


[DEFAULT]

...

verbose = True

...

core_plugin = ml2

service_plugins = router,networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin,networking_sfc.services.sfc.plugin.SfcPlugin

auth_strategy = keystone

allow_overlapping_ips = True

...

rpc_backend=rabbit

 

[agent]

...

root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

 

[keystone_authtoken]

auth_uri = http://controller:5000

auth_url = http://controller:35357

auth_plugin = password

project_domain_id = default

user_domain_id = default

project_name = service

username = neutron

password = NEUTRON_PASS

 

[oslo_concurrency]

...

lock_path = $state_path/lock

...

 

[oslo_messaging_rabbit]

...

...

rabbit_host = controller

rabbit_userid = openstack

...

rabbit_password = RABBIT_PASS

...

 

[sfc]

drivers=ovs

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/plugins/ml2/ml2_conf.ini


[ml2]

...

type_drivers = flat,vlan,gre,vxlan,geneve

...

tenant_network_types = vxlan

...

mechanism_drivers = openvswitch

...

extension_drivers = port_security

...

 

[ml2_type_vxlan]

...

vni_ranges = 1001:2000

...

 

[securitygroup]

...

firewall_driver = neutron.agent.firewall.NoopFirewallDriver

...

------------------------------------------------------------------------------------------------------


$ sudo vi /etc/neutron/plugins/ml2/openvswitch_agent.ini


[ovs]

integration_bridge = br-int

...

tunnel_bridge = br-tun

...

local_ip = <eth2 IP>

...

 

[agent]

tunnel_types = vxlan

...

vxlan_udp_port = 4789

...
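
A preflight check for the settings in section 3, as an added example (not from the original post or the networking-sfc project): it parses neutron.conf and ml2_conf.ini text, reports SFC settings that are missing, and flags the lab-only settings this guide uses (NoopFirewallDriver, plain-HTTP Keystone URLs, placeholder passwords). The function names and the sample file contents are constructed for illustration.

```python
import configparser

# Constructed samples in the shape of the files above (not taken from a real host).
SAMPLE_NEUTRON_CONF = """
[DEFAULT]
core_plugin = ml2
service_plugins = router,networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin,networking_sfc.services.sfc.plugin.SfcPlugin
[keystone_authtoken]
auth_uri = http://controller:5000
password = NEUTRON_PASS
[sfc]
drivers = ovs
"""
SAMPLE_ML2_CONF = """
[ml2]
mechanism_drivers = openvswitch
[securitygroup]
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""
REQUIRED_PLUGINS = (
    "networking_sfc.services.flowclassifier.plugin.FlowClassifierPlugin",
    "networking_sfc.services.sfc.plugin.SfcPlugin",
)
PLACEHOLDERS = {"NEUTRON_PASS", "NOVA_PASS", "RABBIT_PASS", "METADATA_SECRET", "NEUTRON_DBPASS", "NOVA_DBPASS"}

def load(text):
    # [DEFAULT] is parsed as an ordinary section; bare "..." lines and
    # repeated keys are tolerated; values are never interpolated.
    cp = configparser.RawConfigParser(default_section="__unused__",
                                      allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp

def csv(cp, section, key):
    return [v.strip() for v in (cp.get(section, key, fallback="") or "").split(",")]

def audit(neutron_text, ml2_text):
    """Return (errors, warnings): errors are missing SFC settings, warnings are lab-only settings."""
    neutron, ml2 = load(neutron_text), load(ml2_text)
    errors, warnings = [], []
    for name in REQUIRED_PLUGINS:
        if name not in csv(neutron, "DEFAULT", "service_plugins"):
            errors.append("service_plugins is missing " + name)
    if "ovs" not in csv(neutron, "sfc", "drivers"):
        errors.append("[sfc] drivers does not include ovs")
    if "openvswitch" not in csv(ml2, "ml2", "mechanism_drivers"):
        errors.append("[ml2] mechanism_drivers does not include openvswitch")
    for label, cp in (("neutron.conf", neutron), ("ml2_conf.ini", ml2)):
        for section in cp.sections():
            for key, value in cp.items(section):
                where = f"{label} [{section}] {key}"
                value = value or ""
                if value in PLACEHOLDERS:
                    warnings.append(where + " still holds the placeholder " + value)
                if key in ("auth_uri", "auth_url") and value.startswith("http://"):
                    warnings.append(where + " reaches Keystone over plain HTTP")
                if key == "firewall_driver" and value.endswith("NoopFirewallDriver"):
                    warnings.append(where + " disables security-group filtering")
    return errors, warnings
```

To check a node, pass the contents of its /etc/neutron/neutron.conf and /etc/neutron/plugins/ml2/ml2_conf.ini to audit() and review both lists before restarting the neutron services.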



4. Accessing the user UI and using the service


horizon url : http://<Controller Node br-ex IP>/horizon


user name : admin

password : admin




#############################################################


Many thanks to 정치욱 of KT for all the help.


OpenStack with networking-sfc (devstack)

OpenStack/Research_OpenStack 2016.03.23 10:35

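OpenStack SFC Service


An OpenStack environment can provide many services; a representative one is Firewall As A Service (FaaS).


With NFV (Network Function Virtualization) in the spotlight lately, OpenStack is naturally drawing more attention.


Put simply, you build a cloud environment with OpenStack, create VMs that embody the NFV concept, and provide networking services through them.


In providing networking services, the gist of SFC is to tie NFV VMs together to deliver a seamless network service; SFC stands for Service Function Chaining.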



<Service Function Chaining overview figure, source: http://getcloudify.org/2016/02/24/sdn-mwc-open-source-network-cloud-etsi-vnf-nfv-orchestration-automation.html>


Described very broadly, if the Firewall, Malware Detection, Parental Controls, Video Optimizer and so on in the figure above are VMs (NFV functions) built in OpenStack, SFC lets users' traffic pass through services such as the Firewall in order to receive a single service.


That is, when a user receives a video service, the service lets the traffic be networked through VMs that contain those functions, with no separate Firewall or Video Optimizer.


In OpenStack this work started as the networking-sfc project, and what follows is an implementation procedure based on the networking-sfc wiki page.


Reference: https://wiki.openstack.org/wiki/Neutron/ServiceInsertionAndChaining



devstack & networking-sfc Basic Setup




1. Basic configuration


1-1. VirtualBox

  • Ubuntu 14.04 image
  • Create 2 VMs: devstack all-in-one / compute
  • VM interfaces: Adapter 1: NAT, Adapter 2: Host-only Adapter
    • Adjust to your own environment

###### VirtualBox All-in-One VM  ######


$ sudo vi /etc/network/interfaces


# Public Network

auto eth0

iface eth0 inet static

      address 10.0.2.5

      gateway 10.0.2.2

      netmask 255.255.255.0

      dns-nameservers 8.8.8.8


# Management Network

auto eth1

iface eth1 inet static

      address 192.168.56.5

      netmask 255.255.255.0


################################


###### VirtualBox Compute VM  ######


$ sudo vi /etc/network/interfaces


# Public Network

auto eth0

iface eth0 inet static

      address 10.0.2.10

      gateway 10.0.2.2

      netmask 255.255.255.0

      dns-nameservers 8.8.8.8


# Management Network

auto eth1

iface eth1 inet static

      address 192.168.56.10

      netmask 255.255.255.0


################################


1-2. Update & upgrade / install required programs


$ sudo apt-get update

$ sudo apt-get -y upgrade


1-3. OpenStack Liberty repository setup


$ sudo apt-get install software-properties-common

$ sudo add-apt-repository cloud-archive:liberty


1-4. devstack and networking-sfc install directory


$ sudo mkdir /opt/stack

$ sudo chown stack.stack /opt/stack



2. networking-sfc setup


2-1. networking-sfc download (All_in_one & Compute)


$ sudo apt-get install -y git

$ cd /opt/stack

$ git clone git://git.openstack.org/openstack/networking-sfc.git -b stable/liberty



3. devstack setup


3-1. devstack download (All_in_one & Compute)


$ cd /opt/stack

$ git clone git://git.openstack.org/openstack-dev/devstack.git -b stable/liberty



4. Running devstack


4-1. VirtualBox VM01: All-in-One (Controller+Network+Compute)


$ cd /opt/stack/devstack

$ vi localrc


SERVICE_TOKEN=admin

ADMIN_PASSWORD=admin

MYSQL_PASSWORD=admin

RABBIT_PASSWORD=admin

SERVICE_PASSWORD=$ADMIN_PASSWORD

 

HOST_IP=192.168.56.5  # eth1 IP of the All-in-One VM

SERVICE_HOST=192.168.56.5  # eth1 IP of the All-in-One VM

SYSLOG=True

SYSLOG_HOST=$HOST_IP

SYSLOG_PORT=516


LOGFILE=$DEST/logs/stack.sh.log

LOGDAYS=2


disable_service tempest


RECLONE=no

PIP_UPGRADE=False


MULTI_HOST=TRUE


# Disable Nova Networking

disable_service n-net


# Disable Nova Compute

#disable_service n-cpu


# Neutron - Networking Service

enable_service q-svc

enable_service q-agt

enable_service q-dhcp

enable_service q-l3

enable_service q-meta

enable_service neutron


# Cinder

disable_service c-api

disable_service c-sch

disable_service c-vol


# Disable security groups

Q_USE_SECGROUP=False

LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver


enable_plugin networking-sfc /opt/stack/networking-sfc


$ ./stack.sh


4-2. VirtualBox VM02: Compute


$ cd /opt/stack/devstack

$ vi localrc


SERVICE_TOKEN=admin

ADMIN_PASSWORD=admin

MYSQL_PASSWORD=admin

RABBIT_PASSWORD=admin

DATABASE_PASSWORD=admin

SERVICE_PASSWORD=$ADMIN_PASSWORD

DATABASE_TYPE=mysql


HOST_IP=192.168.56.10  # eth1 IP of the Compute VM

SERVICE_HOST=192.168.56.5  # eth1 IP of the All-in-One VM

SYSLOG=True

SYSLOG_HOST=$HOST_IP

SYSLOG_PORT=516

MYSQL_HOST=$SERVICE_HOST

RABBIT_HOST=$SERVICE_HOST

Q_HOST=$SERVICE_HOST

GLANCE_HOSTPORT=$SERVICE_HOST:9292


NOVA_VNC_ENABLED=True

NOVNCPROXY_URL="http://$SERVICE_HOST:6080/vnc_auto.html"

VNCSERVER_LISTEN=$HOST_IP

VNCSERVER_PROXYCLIENT_ADDRESS=$VNCSERVER_LISTEN


LOGFILE=$DEST/logs/stack.sh.log

LOGDAYS=2


disable_service tempest


RECLONE=no

PIP_UPGRADE=False


MULTI_HOST=TRUE


# Disable Nova Networking

disable_service n-net

disable_service neutron


# Neutron - Networking Service

ENABLED_SERVICES=n-cpu,q-agt


# Disable security groups

Q_USE_SECGROUP=False

LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver


enable_plugin networking-sfc /opt/stack/networking-sfc


$ ./stack.sh



5. Accessing the user UI and using the service


horizon url : http://<All-in-One eth1 IP>


user name : admin

password : admin




#############################################################


It seems only DevStack is supported at the moment...


On a multi-node install, the installation itself goes through without problems, but the networking-sfc flows do not show up

(https://ask.openstack.org/en/question/91643/using-networking-sfc-with-liberty-neutron-not-a-devstack/)


WARNING!!!

At present the OVS versions used by devstack stable/liberty and networking-sfc do not match, which causes an error...
