OpenStack Networking is a pluggable, scalable, and API-driven system to manage physical and virtual networking resources in an OpenStack-based cloud. Like other core OpenStack components, OpenStack Networking can be used by administrators and users to increase the value and maximize the use of existing datacenter resources. This third edition of Learning OpenStack Networking walks you through the installation of OpenStack and provides you with a foundation that can be used to build a scalable and production-ready OpenStack cloud.
In the initial chapters, you will review the physical network requirements and architectures necessary for an OpenStack environment that provide core cloud functionality. Then, you’ll move through the installation of the new release of OpenStack using packages from the Ubuntu repository. An overview of Neutron networking foundational concepts, including networks, subnets, and ports will segue into advanced topics such as security groups, distributed virtual routers, virtual load balancers, and VLAN tagging within instances.
By the end of this book, you will have built a network infrastructure for your cloud using OpenStack Neutron.
Page count: 385
Publication year: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Kartikey Pandey
Acquisition Editor: Prachi Bisht
Content Development Editor: Trusha Shriyan
Technical Editor: Cymon Pereira
Copy Editor: Safis Editing
Project Coordinator: Kinjal Bari
Proofreader: Safis Editing
Indexer: Aishwarya Gangawane
Graphics: Jisha Chirayil
Production Coordinator: Shraddha Falebhai
First published: October 2014
Second edition: November 2015
Third edition: August 2018
Production reference: 1310818
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-78839-249-5
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
James Denton is a Principal Architect at Rackspace with over 15 years of experience in systems administration and networking. He has a bachelor's degree in Business Management with a focus on Computer Information Systems from Texas State University in San Marcos, Texas. He is currently focused on OpenStack operations and support within the Rackspace Private Cloud team. James is the author of the Learning OpenStack Networking (Neutron), first and second editions, as well as OpenStack Networking Essentials, both by Packt Publishing.
Andy McCrae works as a Principal Software Engineer at Red Hat in the Multi-Architecture team. Andy began his career at Rackspace as a Linux systems administrator, after completing a master's in engineering, majoring in Computer Science at University College London (UCL). He specializes in deployment and operations automation using tools such as Ansible and Chef, as well as in distributed storage systems, specifically Swift (OpenStack Object Storage) and Ceph. Andy was the Project Technical Lead for the OpenStack-Ansible project for the Ocata and Pike cycles and has given talks at multiple international OpenStack events. Andy is currently a maintainer on the ceph-ansible project and was previously a core reviewer on the Chef-OpenStack project. Andy was also a technical reviewer on the third and fourth editions of the OpenStack Cloud Computing Cookbook, Packt Publishing.
Kevin Jackson is married and has three children. He has over 20 years' experience working with hosted environments, and private and public clouds. He is an OpenStack specialist at Rackspace and has been working with OpenStack since the first release. Kevin has co-authored a number of OpenStack books, including the OpenStack Cloud Computing Cookbook.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Learning OpenStack Networking, Third Edition
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Introduction to OpenStack Networking
What is OpenStack Networking?
Features of OpenStack Networking
Switching
Routing
Load balancing
Firewalling
Virtual private networks
Network functions virtualization
OpenStack Networking resources
Virtual network interfaces
Virtual network switches
Overlay networks
Virtual Extensible Local Area Network (VXLAN)
Generic Router Encapsulation (GRE)
Generic Network Virtualization Encapsulation (GENEVE)
Preparing the physical infrastructure
Configuring the physical infrastructure
Management network
API network
External network
Guest network
Physical server connections
Single interface
Multiple interfaces
Bonding
Separating services across nodes
Using a single controller node
Using a dedicated network node
Summary
Installing OpenStack
System requirements
Operating system requirements
Initial network configuration
Example networks
Interface configuration
Initial steps
Permissions
Configuring the OpenStack repository
Upgrading the system
Setting the hostnames
Installing and configuring Network Time Protocol
Rebooting the system
Installing OpenStack
Installing and configuring the MySQL database server
Installing and configuring the messaging server
Installing and configuring memcached
Installing and configuring the identity service
Configuring the database
Installing Keystone
Configuring tokens and drivers
Bootstrap the Identity service
Configuring the Apache HTTP server
Setting environment variables
Defining services and API endpoints in Keystone
Defining users, projects, and roles in Keystone
Installing and configuring the image service
Configuring the database
Defining the Glance user, service, and endpoints
Installing and configuring Glance components
Configuring authentication settings
Configuring additional settings
Verifying the Glance image service installation
Installing additional images
Installing and configuring the Compute service
Configuring the database
Defining the Nova user, service, and endpoints
Installing and configuring controller node components
Configuring authentication settings
Additional controller tasks
Installing and configuring compute node components
Additional compute tasks
Adding the compute node(s) to the cell database
Installing the OpenStack Dashboard
Updating the host and API version configuration
Configuring Keystone settings
Modifying network configuration
Uninstalling default Ubuntu theme (optional)
Reloading Apache
Testing connectivity to the dashboard
Familiarizing yourself with the dashboard
Summary
Installing Neutron
Basic networking elements in Neutron
Extending functionality with plugins
Modular Layer 2 plugin
Drivers
TypeDrivers
Mechanism drivers
ML2 architecture
Network namespaces
Installing and configuring Neutron services
Creating the Neutron database
Configuring the Neutron user, role, and endpoint in Keystone
Installing Neutron packages
Configuring Neutron to use Keystone
Configuring Neutron to use a messaging service
Configuring Nova to utilize Neutron networking
Configuring Neutron to notify Nova
Configuring Neutron services
Starting neutron-server
Configuring the Neutron DHCP agent
Restarting the Neutron DHCP agent
Configuring the Neutron metadata agent
Restarting the Neutron metadata agent
Interfacing with OpenStack Networking
Using the OpenStack command-line interface
Using the Neutron command-line interface
Using the OpenStack Python SDK
Using the cURL utility
Summary
Virtual Network Infrastructure Using Linux Bridges
Using the Linux bridge driver
Visualizing traffic flow through Linux bridges
VLAN
Flat
VXLAN
Potential issues when using overlay networks
Local
Configuring the ML2 networking plugin
Configuring the bridge interface
Configuring the overlay interface
ML2 plugin configuration options
Type drivers
Mechanism drivers
Using the L2 population driver
Tenant network types
Flat networks
Network VLAN ranges
VNI ranges
Security groups
Configuring the Linux bridge driver and agent
Installing the Linux bridge agent
Updating the Linux bridge agent configuration file
Physical interface mappings
Enabling VXLAN
L2 population
Local IP
Firewall driver
Configuring the DHCP agent to use the Linux bridge driver
Restarting services
Verifying Linux bridge agents
Summary
Building a Virtual Switching Infrastructure Using Open vSwitch
Using the Open vSwitch driver
Basic Open vSwitch commands
Base commands
ovs-vsctl
ovs-ofctl
ovs-dpctl
ovs-appctl
Visualizing traffic flow when using Open vSwitch
Identifying ports on the virtual switch
Identifying the local VLANs associated with ports
Programming flow rules
Flow rules for VLAN networks
Return traffic
Flow rules for flat networks
Flow rules for overlay networks
Flow rules for local networks
Configuring the ML2 networking plugin
Configuring the bridge interface
Configuring the overlay interface
ML2 plugin configuration options
Mechanism drivers
Flat networks
Network VLAN ranges
Tunnel ID ranges
VNI ranges
Security groups
Configuring the Open vSwitch driver and agent
Installing the Open vSwitch agent
Updating the Open vSwitch agent configuration file
Tunnel types
L2 population
VXLAN UDP port
Integration bridge
Tunnel bridge
Local IP
Bridge mappings
Configuring the bridges
Firewall driver
Configuring the DHCP agent to use the Open vSwitch driver
Restarting services
Verifying Open vSwitch agents
Summary
Building Networks with Neutron
Network management in OpenStack
Provider and tenant networks
Managing networks in the CLI
Creating a flat network in the CLI
Creating a VLAN network in the CLI
Creating a local network in the CLI
Listing networks in the CLI
Showing network properties in the CLI
Updating network attributes in the CLI
Deleting networks in the CLI
Creating networks in the dashboard
Via the Project panel
Via the Admin panel
Subnet management in OpenStack
Working with IPv4 addresses
Working with IPv6 addresses
Creating subnets in the CLI
Creating a subnet in the CLI
Listing subnets in the CLI
Showing subnet properties in the CLI
Updating a subnet in the CLI
Creating subnets in the dashboard
Via the Project tab
Via the Admin tab
Managing subnet pools
Creating a subnet pool
Creating a subnet from a pool
Deleting a subnet pool
Assigning a default subnet pool
Managing network ports in OpenStack
Creating a port
Summary
Attaching Instances to Networks
Attaching instances to networks
Attaching instances to networks at creation
Specifying a network
Specifying a port
Attaching multiple interfaces
Attaching network interfaces to running instances
Detaching network interfaces
Exploring how instances get their addresses
Watching the DHCP lease cycle
Troubleshooting DHCP
Exploring how instances retrieve their metadata
The DHCP namespace
Adding a manual route to 169.254.169.254
Using DHCP to inject the route
Summary
Managing Security Groups
Security groups in OpenStack
An introduction to iptables
Using ipset
Working with security groups
Managing security groups in the CLI
Creating security groups in the CLI
Deleting security groups in the CLI
Listing security groups in the CLI
Showing the details of a security group in the CLI
Updating security groups in the CLI
Creating security group rules in the CLI
Deleting security group rules in the CLI
Listing security group rules in the CLI
Showing the details of a security group rule in the CLI
Applying security groups to instances and ports
Removing security groups from instances and ports in the CLI
Implementing security group rules
Stepping through the chains
Working with security groups in the dashboard
Creating a security group
Managing security group rules
Applying security groups to instances
Disabling port security
Configuring Neutron
Disabling port security for all ports on a network
Modifying port security on an individual port
Allowed address pairs
Summary
Role-Based Access Control
Working with access control policies
Managing access control policies in the CLI
Creating access control policies in the CLI
Deleting access control policies in the CLI
Listing access control policies in the CLI
Showing the details of an access control policy in the CLI
Updating access control policies in the CLI
Applying RBAC policies to projects
Creating projects and users
Creating a network to share
Creating a policy
Viewing the policy in action
Creating policies for external networks
Summary
Creating Standalone Routers with Neutron
Routing traffic in the cloud
Installing and configuring the Neutron L3 agent
Defining an interface driver
Enabling the metadata proxy
Setting the agent mode
Enabling the router service plugin
Enabling router management in the dashboard
Restarting services
Router management in the CLI
Creating routers in the CLI
Listing routers in the CLI
Displaying router attributes in the CLI
Updating router attributes in the CLI
Working with router interfaces in the CLI
Attaching internal interfaces to routers
Attaching a gateway interface to a router
Listing interfaces attached to routers
Deleting internal interfaces
Clearing the gateway interface
Deleting routers in the CLI
Network address translation
Floating IP addresses
Floating IP management
Creating floating IPs in the CLI
Associating floating IPs with ports in the CLI
Listing floating IPs in the CLI
Displaying floating IP attributes in the CLI
Disassociating floating IPs in the CLI
Deleting floating IPs in the CLI
Demonstrating traffic flow from an instance to the internet
Setting the foundation
Creating an external provider network
Creating a Neutron router
Attaching the router to an external network
Identifying the L3 agent and namespace
Testing gateway connectivity
Creating an internal network
Attaching the router to the internal network
Creating instances
Verifying instance connectivity
Observing default NAT behavior
Assigning floating IPs
Reassigning floating IPs
Router management in the dashboard
Creating a router in the dashboard
Attaching internal interfaces in the dashboard
Viewing the network topology in the dashboard
Associating floating IPs to instances in the dashboard
Disassociating floating IPs in the dashboard
Summary
Router Redundancy Using VRRP
Using keepalived and VRRP to provide redundancy
VRRP groups
VRRP priority
VRRP working mode
Preemptive
Non-preemptive
VRRP timers
Advertisement interval timer
Preemption delay timer
Networking of highly available routers
Dedicated HA network
Limitations
Virtual IP
Determining the master router
Installing and configuring additional L3 agents
Defining an interface driver
Setting the agent mode
Restarting the Neutron L3 agent
Configuring Neutron
Working with highly available routers
Creating highly-available routers
Deleting highly-available routers
Decomposing a highly available router
Examining the keepalived configuration
Executing a failover
Summary
Distributed Virtual Routers
Distributing routers across the cloud
Installing and configuring Neutron components
Installing additional L3 agents
Defining an interface driver
Enabling distributed mode
Setting the agent mode
Configuring Neutron
Restarting the Neutron L3 and Open vSwitch agent
Managing distributed virtual routers
Creating distributed virtual routers
Routing east-west traffic between instances
Reviewing the topology
Plumbing it up
Distributing router ports
Making it work
Demonstrating traffic between instances
Centralized SNAT
Reviewing the topology
Using the routing policy database
Tracing a packet through the SNAT namespace
Floating IPs through distributed virtual routers
Introducing the FIP namespace
Tracing a packet through the FIP namespace
Sending traffic from an instance with a floating IP
Returning traffic to the floating IP
Using proxy ARP
Summary
Load Balancing Traffic to Instances
Fundamentals of load balancing
Load balancing algorithms
Monitoring
Session persistence
Integrating load balancers into the network
Network namespaces
Installing LBaaS v2
Configuring the Neutron LBaaS agent service
Defining an interface driver
Defining a device driver
Defining a user group
Configuring Neutron
Defining a service plugin
Defining a service provider
Updating the database schema
Restarting the Neutron LBaaS agent and API service
Load balancer management in the CLI
Managing load balancers in the CLI
Creating load balancers in the CLI
Deleting load balancers in the CLI
Listing load balancers in the CLI
Showing load balancer details in the CLI
Showing load balancer statistics in the CLI
Showing the load balancer's status in the CLI
Updating a load balancer in the CLI
Managing pools in the CLI
Creating a pool in the CLI
Deleting a pool in the CLI
Listing pools in the CLI
Showing pool details in the CLI
Updating a pool in the CLI
Managing pool members in the CLI
Creating pool members in the CLI
Deleting pool members
Listing pool members
Showing pool member details
Updating a pool member
Managing health monitors in the CLI
Creating a health monitor in the CLI
Deleting a health monitor in the CLI
Listing health monitors in the CLI
Showing health monitor details
Updating a health monitor
Managing listeners in the CLI
Creating listeners in the CLI
Deleting listeners in the CLI
Listing listeners in the CLI
Showing listener details in the CLI
Updating a listener in the CLI
Building a load balancer
Creating a load balancer
Creating a pool
Creating pool members
Creating a health monitor
Creating a listener
The LBaaS network namespace
Confirming load balancer functionality
Observing health monitors
Connecting to the virtual IP externally
Load balancer management in the dashboard
Creating a load balancer in the dashboard
Assigning a floating IP to the load balancer
Summary
Advanced Networking Topics
VLAN-aware VMs
Configuring the trunk plugin
Defining the workflow
Managing trunks in the CLI
Creating trunks in the CLI
Deleting trunks in the CLI
Listing trunks in the CLI
Showing trunk details in the CLI
Updating a trunk in the CLI
Building a trunk
Creating the parent port
Creating a sub-port
Creating a trunk
Booting an instance with a trunk
Configuring the instance
Reviewing the network plumbing
BGP dynamic routing
Prefix advertisement requirements
Operations with distributed virtual routers
Configuring BGP dynamic routing
Installing the agent
Configuring the agent
Restarting services
Managing BGP speakers in the CLI
Network availability zones
Configuring network availability zones
Scheduling routers to availability zones
Scheduling DHCP services to availability zones
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
OpenStack is open source software for building public and private clouds as well as privately hosted software defined infrastructure services. In the fall of 2017, the OpenStack Foundation released the 16th version of OpenStack, known as Pike, to the public. Since its introduction as an open source project in 2010 by NASA and Rackspace, OpenStack has undergone significant improvements in its features and functionality thanks to developers and operators worldwide. Their hard work has resulted in production-ready cloud software that powers workloads of all sizes throughout the world.
In 2012, the Folsom release of OpenStack introduced a standalone networking component known then as Quantum. Long since renamed Neutron, the networking component of OpenStack provides cloud operators and users with an API used to create and manage network resources in the cloud. Neutron's extensible framework allows for third-party plugins and additional network services, such as load balancers, firewalls, and virtual private networks, to be deployed and managed.
As an architect and operator of hundreds of OpenStack-based private clouds since 2012, I have seen much of what OpenStack has to offer in terms of networking capabilities. In this book, I have condensed what I feel are its most valuable and production-ready features to date. Throughout this book, we will take a look at a few common network and service architectures and lay a foundation for deploying and managing OpenStack Networking that can help you develop and sharpen your skills as an OpenStack cloud operator.
This book is geared towards OpenStack cloud administrators or operators with a novice to intermediate level of experience in managing OpenStack-based clouds who are looking to build or enhance their cloud using the networking service known as Neutron. By laying down a basic installation of OpenStack based on the upstream documentation found at docs.openstack.org, the reader should be able to follow the examples laid out in the book to obtain a functional understanding of the various components of OpenStack Networking using open source reference architectures.
Chapter 1, Introduction to OpenStack Networking, introduces OpenStack Networking along with supported networking technologies and examples of how to architect the physical network to support an OpenStack cloud.
Chapter 2, Installing OpenStack, provides instructions to install the core components of the Pike release of OpenStack on the Ubuntu 16.04 LTS operating system, including Keystone, Glance, Nova, and Horizon.
Chapter 3, Installing Neutron, explains how to install the Neutron networking components of OpenStack. We will also cover the internal architecture of Neutron, including the use of agents and plugins to orchestrate network connectivity.
Chapter 4, Virtual Network Infrastructure Using Linux Bridges, helps you to install and configure the ML2 plugin to support the Linux bridge mechanism driver and agent, and demonstrates how Linux bridges can be used to connect instances to the network.
Chapter 5, Building a Virtual Switching Infrastructure Using Open vSwitch, helps you to install and configure the ML2 plugin to support the Open vSwitch mechanism driver and agent, and demonstrates how Open vSwitch can be used to connect instances to the network.
Chapter 6, Building Networks with Neutron, walks you through creating networks, subnets, subnet pools, and ports.
Chapter 7, Attaching Instances to Networks, demonstrates attaching instances to networks and explores the process of obtaining DHCP leases and metadata.
Chapter 8, Managing Security Groups, examines the use of iptables to secure instance traffic at the compute node and walks you through creating and managing security groups and associated rules.
Chapter 9, Role-Based Access Control, explains how access control policies can limit the use of certain network resources to groups of projects.
Chapter 10, Creating Standalone Routers with Neutron, walks you through creating standalone virtual routers and attaching them to networks, applying floating IPs to instances, and following the flow of traffic through a router to an instance.
Chapter 11, Router Redundancy Using VRRP, explores the Virtual Routing Redundancy Protocol and its use in providing highly-available virtual routers.
Chapter 12, Distributed Virtual Routers, walks you through creating and managing virtual routers that are distributed across compute nodes for better scale.
Chapter 13, Load Balancing Traffic to Instances, explores the fundamental components of a load balancer in Neutron, including listeners, pools, pool members, and monitors, and walks you through creating and integrating a virtual load balancer into the network.
Chapter 14, Advanced Networking Topics, looks at other advanced networking features, including VLAN-aware VM functionality that allows virtual machine instances to apply 802.1Q VLAN tags to traffic, BGP Speaker functionality that provides dynamic routing to project routers, and network availability zone functionality that can be used to separate critical networking components such as DHCP and L3 agents into zones.
This book assumes a moderate level of networking experience, including experience with Linux networking configurations as well as physical switch and router configurations. While this book walks the reader through a basic installation of OpenStack, little time is spent on services other than Neutron. Therefore, it is important that the reader has a basic understanding of OpenStack and its general configuration prior to configuring OpenStack networking.
In this book, the following operating system is required:
Ubuntu 16.04 LTS
The following software is needed:
OpenStack Pike (2017.2)
Internet connectivity is required to install OpenStack packages and to make use of the example architectures in the book. While virtualization software such as VirtualBox or VMware can be used to simulate servers and the network infrastructure, this book assumes that OpenStack is installed on physical hardware and that a physical network infrastructure is in place.
In the event that the OpenStack installation procedure documented in this book is no longer current, refer to the installation guide at docs.openstack.org for instructions on installing the latest version of OpenStack.
You can download the example code files for this book from your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
Log in or register to our website using your e-mail address and password.
Hover the mouse pointer on the SUPPORT tab at the top.
Click on Code Downloads & Errata.
Enter the name of the book in the Search box.
Select the book for which you're looking to download the code files.
Choose from the drop-down menu where you purchased this book from.
Click on Code Download.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Learning-OpenStack-Networking-Third-Edition. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/LearningOpenStackNetworkingThirdEdition.pdf.
General feedback: Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy: Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at [email protected] with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
In today's data centers, networks are composed of more devices than ever before. Servers, switches, routers, storage systems, and security appliances that once consumed rows and rows of data center space now exist as virtual machines and virtual network appliances. These devices place a large strain on traditional network management systems, as they are unable to provide a scalable and automated approach to managing next-generation networks. Users now expect more control and flexibility of the infrastructure with quicker provisioning, all of which OpenStack promises to deliver.
This chapter will introduce many features that OpenStack Networking provides, as well as various network architectures supported by OpenStack. Some topics that will be covered include the following:
Features of OpenStack Networking
Physical infrastructure requirements
Service separation
OpenStack Networking is a pluggable, scalable, and API-driven system to manage networks in an OpenStack-based cloud. Like other core OpenStack components, OpenStack Networking can be used by administrators and users to increase the value and maximize the utilization of existing data center resources.
Neutron, the project name for the OpenStack Networking service, complements other core OpenStack services such as Compute (Nova), Image (Glance), Identity (Keystone), Block Storage (Cinder), Object Storage (Swift), and Dashboard (Horizon) to provide a complete cloud solution.
OpenStack Networking exposes an application programming interface (API) to users and passes requests to the configured network plugins for additional processing. Users define network connectivity in the cloud through the API, while cloud operators choose which networking technologies (plugins and drivers) implement that connectivity behind it.
OpenStack Networking services can be split between multiple hosts to provide resiliency and redundancy, or they can be configured to operate on a single node. Like many other OpenStack services, Neutron requires access to a database for persistent storage of the network configuration. A simplified example of the architecture can be seen here:
In figure 1.1, the Neutron server connects to a database where the logical network configuration persists. The Neutron server can take API requests from users and services and communicate with agents via a message queue. In a typical environment, network agents will be scattered across controller and compute nodes and perform duties on their respective node.
OpenStack Networking includes many technologies you would find in the data center, including switching, routing, load balancing, firewalling, and virtual private networks.
These features can be configured to leverage open source or commercial software and provide a cloud operator with all the tools necessary to build a functional and self-contained cloud networking stack. OpenStack Networking also provides a framework for third-party vendors to build on and enhance the capabilities of the cloud.
A virtual switch is defined as a software application or service that connects virtual machines to virtual networks at the data link layer of the OSI model, also known as layer 2. Neutron supports multiple virtual switching platforms, including Linux bridges provided by the bridge kernel module and Open vSwitch. Open vSwitch, also known as OVS, is an open source virtual switch that supports standard management interfaces and protocols, including NetFlow, SPAN, RSPAN, LACP, and 802.1q VLAN tagging. However, many of these features are not exposed to the user through the OpenStack API. In addition to VLAN tagging, users can build overlay networks in software using L2-in-L3 tunneling protocols, such as GRE or VXLAN. Virtual switches can be used to facilitate communication between instances and devices outside the control of OpenStack, which include hardware switches, network firewalls, storage devices, bare-metal servers, and more.
Additional information on the use of Linux bridges and Open vSwitch as switching platforms for OpenStack can be found in Chapter 4,Virtual Network Infrastructure Using Linux Bridges, and Chapter 5,Building a Virtual Switching Infrastructure Using Open vSwitch, respectively.
OpenStack Networking provides routing and NAT capabilities through the use of IP forwarding, iptables, and network namespaces. Each network namespace has its own interfaces, routing table, and iptables rule set that provide filtering and network address translation. Because each Neutron router runs in its own namespace, subnets created by different users may overlap without conflicting with one another. Configuring a router within Neutron enables instances to interact and communicate with outside networks or other networks in the cloud.
More information on routing within OpenStack can be found in Chapter 10, Creating Standalone Routers with Neutron, Chapter 11,Router Redundancy Using VRRP, and Chapter 12, Distributed Virtual Routers.
Load Balancing as a Service (LBaaS), first introduced in the Grizzly release of OpenStack and now at version 2 of its API (LBaaS v2), provides users with the ability to distribute client requests across multiple instances or servers. Users can create health monitors, set connection limits, and apply session persistence profiles to traffic traversing a virtual load balancer. OpenStack Networking is equipped with a plugin for LBaaS v2 that utilizes HAProxy in the open source reference implementation, but plugins are available that manage virtual and physical load-balancing appliances from third-party network vendors.
More information on the use of load balancers within Neutron can be found in Chapter 13,Load Balancing Traffic to Instances.
OpenStack Networking provides two API-driven methods of securing network traffic to instances: security groups and Firewall as a Service (FWaaS). Security groups find their roots in nova-network, the original networking stack for OpenStack built into the Compute service, and are modeled on Amazon's EC2 security groups. When using security groups in OpenStack, instances are placed into groups that share common functionality and rule sets. Security group rules are allow-only: traffic that matches no rule is dropped, and the default security group permits all egress but only ingress from other members of the same group. In a reference implementation, security group rules are implemented at the instance port level using drivers that leverage iptables or OpenFlow. Security policies built using FWaaS are also implemented at the port level, but can be applied to ports of routers as well as instances. The original FWaaS v1 API implemented firewall rules inside Neutron router namespaces, but that behavior has been removed in the v2 API.
More information on securing instance traffic can be found in Chapter 8, Managing Security Groups. The use of FWaaS is outside the scope of this book.
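The allow-only semantics described above can be seen on a small model of a single instance port. The following is an added example, not code from the book and not Neutron's iptables or OpenFlow firewall driver; the rule fields mirror the Neutron API attributes (direction, ethertype, protocol, port_range_min/max, remote_ip_prefix), remote_group_id is left out for brevity, and the sample rule set is constructed for the demonstration.

```python
"""Security-group rule evaluation for a single instance port.

Added example: a model of the semantics Neutron's port-level firewall drivers
enforce, not the drivers themselves. Rule fields mirror the Neutron API;
remote_group_id is omitted for brevity.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                           # "ingress" or "egress"
    ethertype: str = "IPv4"                  # "IPv4" or "IPv6"
    protocol: Optional[str] = None           # None matches any protocol
    port_range_min: Optional[int] = None     # None matches any port
    port_range_max: Optional[int] = None     # defaults to port_range_min
    remote_ip_prefix: Optional[str] = None   # None matches any remote address


@dataclass(frozen=True)
class Packet:
    direction: str              # relative to the instance port
    remote_ip: str              # source for ingress, destination for egress
    protocol: str               # "tcp", "udp", "icmp", ...
    port: Optional[int] = None  # destination port (None for ICMP and the like)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every populated field of the rule matches the packet."""
    if rule.direction != pkt.direction:
        return False
    addr = ipaddress.ip_address(pkt.remote_ip)
    if rule.ethertype != f"IPv{addr.version}":
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.remote_ip_prefix is not None:
        if addr not in ipaddress.ip_network(rule.remote_ip_prefix, strict=False):
            return False
    if rule.port_range_min is not None:
        hi = rule.port_range_max if rule.port_range_max is not None else rule.port_range_min
        if pkt.port is None or not rule.port_range_min <= pkt.port <= hi:
            return False
    return True


def is_allowed(rules: Iterable[Rule], pkt: Packet) -> bool:
    """Security-group rules only ever permit traffic: a packet that matches
    no rule is dropped, in both directions."""
    return any(rule_matches(r, pkt) for r in rules)


# The default group allows all egress (and ingress from members of the same
# group, which is not modelled here). Constructed sample policy for a web
# server: SSH only from an admin subnet, HTTP and HTTPS from anywhere.
DEFAULT_EGRESS = (Rule("egress", "IPv4"), Rule("egress", "IPv6"))
WEB_SERVER_RULES = DEFAULT_EGRESS + (
    Rule("ingress", protocol="tcp", port_range_min=22, remote_ip_prefix="10.0.0.0/24"),
    Rule("ingress", protocol="tcp", port_range_min=80, port_range_max=443),
)

if __name__ == "__main__":
    for pkt in (Packet("ingress", "10.0.0.5", "tcp", 22),
                Packet("ingress", "192.0.2.9", "tcp", 22),
                Packet("ingress", "192.0.2.9", "udp", 443)):
        print(pkt, "ALLOW" if is_allowed(WEB_SERVER_RULES, pkt) else "DROP")
```

Note that an empty rule set drops everything, including egress: the "allow all egress" behaviour users are used to comes from rules in the default group, not from the firewall itself.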
A virtual private network (VPN) extends a private network across a public network such as the internet. A VPN enables a computer to send and receive data across public networks as if it were directly connected to the private network. Neutron provides a set of APIs to allow users to create IPsec-based VPN tunnels from Neutron routers to remote gateways when using the open source reference implementation. The use of VPN as a Service is outside the scope of this book.
Network functions virtualization (NFV) is a network architecture concept that proposes virtualizing network appliances used for various network functions. These functions include intrusion detection, caching, gateways, WAN accelerators, firewalls, and more. Such workloads often need near line-rate packet processing, which is where single root I/O virtualization (SR-IOV) comes in. Using SR-IOV, instances are no longer required to use para-virtualized drivers or to be connected to virtual bridges within the host. Instead, the instance is attached to a Neutron port that is associated with a virtual function (VF) in the NIC, allowing the instance to access the NIC hardware directly. Because that traffic bypasses the host's virtual switch, the security group drivers that run there cannot filter it. Configuring and implementing SR-IOV with Neutron is outside the scope of this book.
OpenStack gives users the ability to create and configure networks and subnets and instruct other services, such as Compute, to attach virtual devices to ports on these networks. The Identity service gives cloud operators the ability to segregate users into projects. OpenStack Networking supports project-owned resources, including each project having multiple private networks and routers. Projects can be left to choose their own IP addressing scheme, even if those addresses overlap with other project networks, or administrators can place limits on the size of subnets and addresses available for allocation.
There are two types of networks that can be expressed in OpenStack:
Project/tenant network: A virtual network created by a project or administrator on behalf of a project. The physical details of the network are not exposed to the project.
Provider network: A virtual network created to map to a physical network. Provider networks are typically created to enable access to physical network resources outside of the cloud, such as network gateways and other services, and usually map to VLANs. Projects can be given access to provider networks.
A project network provides connectivity to resources in a project. Users can create, modify, and delete project networks. Each project network is isolated from other project networks by a boundary such as a VLAN or other segmentation ID. A provider network, on the other hand, provides connectivity to networks outside of the cloud and is typically created and managed by a cloud administrator.
The primary differences between project and provider networks can be seen during the network provisioning process. Provider networks are created by administrators on behalf of projects and can be dedicated to a particular project, shared by a subset of projects, or shared by all projects. Project networks are created by projects for use by their instances and cannot be shared with all projects, though sharing with certain projects may be accomplished using role-based access control (RBAC) policies. When a provider network is created, the administrator can provide specific details that aren't available to ordinary users, including the network type, the physical network interface, and the network segmentation identifier, such as a VLAN ID or VXLAN VNI. Project networks have these same attributes, but users cannot specify them. Instead, they are automatically determined by Neutron.
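The reason the provider attributes are reserved for administrators is that whoever can set the network type, physical network and segmentation ID decides which physical segment a port lands on. The following added example models that check on a network-create request. It is not Neutron's policy engine; the attribute names are the Neutron API's own (provider:network_type, provider:physical_network, provider:segmentation_id, shared, router:external), the statement that each has an admin-only create_network rule reflects Neutron's default policy as I know it and should be verified against your deployment's policy file, and the function name and the request bodies are assumptions made for the example.

```python
"""Admin-only provider attributes on network creation.

Added example modelling the policy check Neutron applies to a network-create
request. Not Neutron's policy engine: the rule names are those of Neutron's
default policy as I know them, so check your deployment's policy file. The
VLAN and VNI ranges come from 802.1Q (1..4094) and RFC 7348 (24-bit VNI).
"""
from typing import Mapping

# Attributes a non-admin caller may not set; in Neutron's default policy each
# has a matching "create_network:<attribute>" rule set to admin_only.
ADMIN_ONLY_ATTRIBUTES = frozenset({
    "provider:network_type",
    "provider:physical_network",
    "provider:segmentation_id",
    "shared",
    "router:external",
})
SEGMENTED_TYPES = {
    "vlan": (1, 4094),
    "vxlan": (1, (1 << 24) - 1),
    "geneve": (1, (1 << 24) - 1),
}
UNSEGMENTED_TYPES = {"flat", "local"}


class PolicyNotAuthorized(Exception):
    """Raised when a caller requests something its role does not permit."""


def authorize_network_create(body: Mapping[str, object], is_admin: bool) -> dict:
    """Validate a network-create body and return the attributes to accept.

    Non-admins get a project network whose type and segment Neutron picks;
    admins may pin the network to a physical segment, but consistently.
    """
    requested = sorted(k for k in body if k in ADMIN_ONLY_ATTRIBUTES)
    if requested and not is_admin:
        raise PolicyNotAuthorized(f"admin_only attributes in request: {requested}")

    ntype = body.get("provider:network_type")
    physnet = body.get("provider:physical_network")
    seg = body.get("provider:segmentation_id")

    if ntype is None:
        # Project network: the operator's tenant_network_types setting and the
        # type drivers choose the segment; nothing provider-specific is accepted.
        if physnet is not None or seg is not None:
            raise ValueError("segment details require provider:network_type")
        return {"name": body.get("name"), "provider:network_type": None}

    if ntype in SEGMENTED_TYPES:
        lo, hi = SEGMENTED_TYPES[ntype]
        # A missing segmentation_id is fine: Neutron allocates one from its range.
        if seg is not None and not (isinstance(seg, int) and lo <= seg <= hi):
            raise ValueError(f"{ntype} segmentation_id must be in {lo}..{hi}")
        if ntype == "vlan" and physnet is None:
            raise ValueError("vlan networks need provider:physical_network")
    elif ntype in UNSEGMENTED_TYPES:
        if seg is not None:
            raise ValueError(f"{ntype} networks carry no segmentation_id")
        if ntype == "flat" and physnet is None:
            raise ValueError("flat networks need provider:physical_network")
    else:
        raise ValueError(f"unknown network type {ntype!r}")
    return dict(body)


if __name__ == "__main__":
    # Constructed requests: a plain project network and a pinned provider VLAN.
    print(authorize_network_create({"name": "app"}, is_admin=False))
    print(authorize_network_create(
        {"name": "dmz", "provider:network_type": "vlan",
         "provider:physical_network": "physnet1", "provider:segmentation_id": 100},
        is_admin=True))
```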
There are other foundational network resources that will be covered in further detail later in this book, but are summarized here for your convenience:
Subnet: A block of IP addresses used to allocate addresses to ports created on the network.
Port: A connection point for attaching a single device, such as the virtual network interface card (vNIC) of a virtual instance, to a virtual network. Port attributes include the MAC address and the fixed IP address on the subnet.
Router: A virtual device that provides routing between self-service networks and provider networks.
Security group: A set of virtual firewall rules that control ingress and egress traffic at the port level.
DHCP: An agent that hands out the IP addresses Neutron has assigned to ports on provider and self-service networks.
Metadata: A service that provides configuration data to instances during boot.
OpenStack deployments are most often configured to use the libvirt KVM/QEMU driver to provide platform virtualization. When an instance is booted for the first time, OpenStack creates a port for each network interface attached to the instance. A virtual network interface called a tap interface is created on the compute node hosting the instance. The tap interface corresponds directly to a network interface within the guest instance and has the properties of the port created in Neutron, including the MAC and IP address. Through the use of a bridge, the host can expose the guest instance to the physical network. Neutron allows users to specify alternatives to the standard tap interface, such as Macvtap and SR-IOV, by defining special attributes on ports and attaching them to instances.
OpenStack Networking supports many types of virtual and physical switches, and includes built-in support for Linux bridges and Open vSwitch virtual switches. This book will cover both technologies and their respective drivers and agents.
Neutron supports overlay networking technologies that provide network isolation at scale with little to no modification of the underlying physical infrastructure. To accomplish this, Neutron leverages L2-in-L3 overlay networking technologies such as GRE, VXLAN, and GENEVE. When configured accordingly, Neutron builds point-to-point tunnels between all network and compute nodes in the cloud using a predefined interface. These point-to-point tunnels create what is called a mesh network, where every host is connected to every other host. A cloud consisting of one combined controller and network node, and three compute nodes, would have a fully meshed overlay network that resembles figure 1.2:
Using the overlay network pictured in figure 1.2, traffic between instances or other virtual devices on any given host will travel between layer 3 endpoints on each of the underlying hosts without regard for the layer 2 network beneath them. Due to encapsulation, Neutron routers may be needed to facilitate communication between different project networks as well as networks outside of the cloud.
This book focuses primarily on VXLAN, an overlay technology that helps address scalability issues with VLANs. VXLAN encapsulates layer 2 Ethernet frames inside layer 4 UDP packets that can be forwarded or routed between hosts. This means that a virtual network can be transparently extended across a large network without any changes to the end hosts. In the case of OpenStack Networking, however, a VXLAN mesh network is commonly constructed only between nodes that exist in the same cloud.
Rather than use VLAN IDs to differentiate between networks, VXLAN uses a VXLAN Network Identifier (VNI) to serve as the unique identifier on a link that potentially carries traffic for tens of thousands of networks, or more. The 12-bit VLAN ID in an 802.1q header allows 4,096 values (4,094 of them usable), whereas the 24-bit VNI in a VXLAN header allows approximately 16 million. Within an OpenStack cloud, virtual machine instances are unaware that VXLAN is used to forward traffic between hosts. The VXLAN Tunnel Endpoint (VTEP) on the physical node handles the encapsulation and decapsulation of traffic without the instance ever knowing.
Because VXLAN network traffic is encapsulated, many network devices cannot participate in these networks without additional configuration, if at all. As a result, VXLAN networks are effectively isolated from other networks in the cloud and require the use of a Neutron router to provide access to connected instances. Bear in mind that VXLAN itself provides no confidentiality or integrity protection for the frames it carries (see the security considerations in RFC 7348): the isolation between VNIs rests on the underlay network and the VTEP hosts being trusted, so the tunnel interfaces should sit on a dedicated, access-controlled network. More information on creating Neutron routers begins in Chapter 10, Creating Standalone Routers with Neutron.
While not as performant as VLAN or flat networks on some hardware, the use of VXLAN is becoming more popular in cloud network architectures where scalability and self-service are major drivers. Newer networking hardware that offers VXLAN offloading capabilities should be leveraged if you are considering implementing VXLAN-based overlay networks in your cloud.
More information on how VXLAN encapsulation works is described in RFC 7348, available at the following URL: https://tools.ietf.org/html/rfc7348
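To make the header described above concrete, the following added example builds and parses the 8-byte VXLAN header from RFC 7348 and models what a receiving VTEP does with the VNI. It is not code from the book or from Neutron or Open vSwitch; the outer Ethernet/IP/UDP headers are not modelled, the inner Ethernet frame is constructed for the demonstration (fa:16:3e is Neutron's default MAC prefix), and the function names are assumptions made for the example.

```python
"""VXLAN encapsulation and decapsulation (RFC 7348).

Added example, not code from the book or from Neutron/OVS: it models what a
VTEP does with the 8-byte VXLAN header so the VNI and inner-frame handling can
be seen on real bytes. The inner Ethernet frame below is constructed for the
demonstration; the outer Ethernet/IP/UDP headers are not modelled.
"""
import struct
from typing import Iterable, Optional, Tuple

VXLAN_UDP_PORT = 4789     # IANA-assigned destination port for the outer UDP header
FLAG_VNI_VALID = 0x08     # the "I" flag; the other seven flag bits must be zero
VNI_MAX = (1 << 24) - 1   # 24-bit VNI: ~16.7 million overlays vs 4,094 usable VLAN IDs
HEADER_FMT = "!B3xI"      # flags(1) reserved(3) VNI(3)+reserved(1), network byte order
ETH_HEADER_FMT = "!6s6sH" # destination MAC, source MAC, EtherType


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prefix an inner Ethernet frame with a VXLAN header carrying vni."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # The VNI occupies the upper three bytes of the last 32-bit word; the
    # lowest byte is reserved and must be sent as zero.
    return struct.pack(HEADER_FMT, FLAG_VNI_VALID, vni << 8) + inner_frame


def vxlan_decapsulate(payload: bytes) -> Tuple[int, bytes]:
    """Return (vni, inner_frame), rejecting malformed headers."""
    if len(payload) < 8 + 14:
        raise ValueError("truncated VXLAN packet")
    flags, vni_field = struct.unpack(HEADER_FMT, payload[:8])
    if flags != FLAG_VNI_VALID:
        raise ValueError(f"unexpected VXLAN flags 0x{flags:02x}")
    if vni_field & 0xFF:
        raise ValueError("reserved byte after the VNI must be zero")
    return vni_field >> 8, payload[8:]


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet frame into its addresses, EtherType and payload."""
    dst, src, ethertype = struct.unpack(ETH_HEADER_FMT, frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def vtep_receive(packet: bytes, local_vnis: Iterable[int]) -> Optional[dict]:
    """Model the receiving VTEP: strip the header and hand the frame to the
    bridge for its VNI, or drop it when no local port belongs to that overlay."""
    vni, frame = vxlan_decapsulate(packet)
    if vni not in set(local_vnis):
        return None
    info = parse_ethernet(frame)
    info["vni"] = vni
    return info


# Constructed inner frame: instance-to-instance IPv4 traffic on one overlay.
SAMPLE_FRAME = struct.pack(ETH_HEADER_FMT,
                           bytes.fromhex("fa163e000001"),
                           bytes.fromhex("fa163e000002"),
                           0x0800) + b"constructed IPv4 payload"

if __name__ == "__main__":
    pkt = vxlan_encapsulate(100, SAMPLE_FRAME)
    print(pkt[:8].hex(" "))          # VXLAN header for VNI 100
    print(vtep_receive(pkt, {100}))  # delivered to the VNI 100 bridge
    print(vtep_receive(pkt, {200}))  # dropped: no local port on VNI 100
```

Nothing in the header authenticates the sender or the VNI, which is the point of the caveat above: any host that can reach the VTEP's UDP port can inject a frame into any VNI the VTEP serves, so the underlay must be restricted to trusted nodes.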
