[blog 443] OVS architecture composition

OVS architecture

Open vSwitch

Open vSwitch is an open source virtual switch implementation. It is widely used in the cloud computing industry to provide network administrators with visibility and controllability of traffic between and within virtual virtual virtual machines. Open vSwitch aims to solve network problems with virtualization solutions and realize distributed virtual switching technology together with controller software. This means that the switch and controller software can create a cluster network configuration between multiple servers, so that it is not necessary to configure the network separately on each virtual machine and physical host. This switch also supports VLAN relay, realizes visibility through NetFlow, sFlow and RSPAN, and manages through OpenFlow protocol. It also has some other features: strict flow control, which is implemented by the OpenFlow exchange protocol; Remote management function, which can achieve more control through network policy.

In terms of Flow controllers or management tools of virtual switches, OvS needs to implement complex forwarding policies with the help of third-party controllers or management tools. For example, OvS supports OpenFlow protocol, so we can use any controller that supports OpenFlow protocol to remotely manage OvS. However, this does not mean that OvS must have a controller to work. Without connecting to an external controller, OvS can rely on MAC address learning to realize layer 2 packet forwarding function, just like Linux Bridge.

Feature list of Open vSwitch:

* Supported by: NetFlow,sFlow,IPFIX,SPAN,RSPAN and GRE-tunneled Mirror image
  The internal communication of the virtual machine can be monitored;
* support LACP(IEEE 802.1AX-2008,Multi port binding) protocol;
* 802.1Q VLAN Model and Trunk pattern;
* support BFD And 802.1ag Link state monitoring;
* support STP(IEEE 802.1D-1998);
* Supports fine-grained QoS;
* support HFSC System level flow control queue;
* A flow control strategy that supports the flow of each virtual machine network card;
* Support source based MAC Load balancing mode, active / standby mode L4 Multi port binding in hash mode;
* support OpenFlow Protocols (including many virtualization enhancements);
* support IPV6
* Support multiple tunnel protocols( GRE, VXLAN, IPsec, GRE and VXLAN over IPsec)
* Supported by: C perhaps Python Interface remote configuration;
* Support forwarding engine settings in kernel mode and user mode;
* A sending cache engine supporting multi list forwarding;
* Support forwarding layer abstraction to easily orient to new software or hardware platforms;

Architecture Composition

OvS is mainly composed of three components:

User space: ovsdb-server,ovs-vswitchd,ovs-vsctl/ovs-ofctl/ovs-dpctl etc.
Kernel space: datapath,vswitchd,ovsdb
Controller:  express OpenFlow Controller, controller and OvS Yes OpenFlow Protocol to connect

Three major mode diagrams:

Architecture component diagram:

Component details:

ovs-vswitchd: Main modules, implementation kernel datapath upcall Handling; and ofproto Look up the table,
             At the same time dpdk datapath Handler.
             
ovsdb-server: Database service program, Use the currently generally recognized ovsdb agreement.

ovs-vsctl: Creation, deletion, setting and query of bridges and interfaces.

ovs-dpctl: to configure vswitch Kernel module

ovs-appctl: Send command message to ovs-vswithchd, View the status of different modules

ovs-ofctl: Distribute flow table information. This command can configure other openflow Switch (with openflow Agreement)

ovsdb

Ovsdb is a lightweight database service of OvS, which is used to store the configuration information of the entire OvS, including the interface, exchange content, VLAN, virtual switch creation, network card addition and other information and operation records. All of them are saved in a conf.db file (JSON format) by ovsdb, and are passed through dB The service provided by the sock. The OvS main process OvS vswitchd works according to the configuration information in the database.

ovsdb-server /etc/openvswitch/conf.db 
    -vconsole:emer -vsyslog:err 
    -vfile:info 
    --remote=punix:/var/run/openvswitch/db.sock 
    --private-key=db:Open_vSwitch,SSL,private_key 
    --certificate=db:Open_vSwitch,SSL,certificate 
    --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir 
    --log-file=/var/log/openvswitch/ovsdb-server.log 
    --pidfile=/var/run/openvswitch/ovsdb-server.pid
    --detach 
    --monitor

## /etc/openvswitch/conf.db: 

Is the database file storage location, ovsdb-server This file is required to start,
Usable ovsdb-tool create Command creates and initializes this database file.

## --remote=punix:/var/run/openvswitch/db.sock: 

Realized a Unix Sockets connect, OvS Main process ovs-vswitchd Or other command tools
(e.g. ovsdb-client) Through this Socket Connect to manage ovsdb.

ovs-vswitchd

OvS vswitchd is a daemon in nature and is the core component of OvS. OvS vswitchd and Datapath together realize the data exchange of OvS based on flow based switching.

Functions:

adopt OpenFlow Agreements may be made with: OpenFlow Controller communication
 use ovsdb Agreement and ovsdb-server Database service communication
 use netlink and Datapath Kernel module communication.

Responsibilities:

ovs-vswitchd Support multiple independent Datapath,ovs-vswitchd Need to load Datapath The kernel module can operate normally.
ovs-vswitchd Read at startup ovsdb-server Configuration information in, and then automatically configure Datapaths and OvS Switches
 of Flow Tables,Therefore, the user does not need to execute additional ovs-dpctl Instruct tools to operate Datapath. 
When ovsdb The configuration content in is modified, ovs-vswitched Its configuration is also automatically updated to keep the data synchronized.
ovs-vswitchd You can also OpenFlow The controller gets the flow table entry.

to configure:

ovs-vswitchd unix:/var/run/openvswitch/db.sock 
    -vconsole:emer 
    -vsyslog:err 
    -vfile:info 
    --mlockall 
    --no-chdir 
    --log-file=/var/log/openvswitch/ovs-vswitchd.log 
    --pidfile=/var/run/openvswitch/ovs-vswitchd.pid 
    --detach 
    --monitor

datapath

The Datapath module can receive and process traffic from the network card:

After the Datapath is loaded into the kernel, a hook function will be registered on the network card. Whenever a network packet arrives at the network card,
This function will be called to unpack the network packet layer by layer (MAC layer, IP layer, TCP layer, etc.),
Then it matches with the flow table entry. If a matching flow table entry is found, the network packet is processed according to the established policy
(e.g. modify MAC, modify IP, modify TCP port, which network card to send from, etc.),
And then send the network packet from the network card.

In the semantics of OpenFlow Switch rules, a professional term is used for switches or bridges, which is called datapath. The kernel module of Open vSwitch is openvswitch Ko implements multiple datapaths, and each datapath can have multiple Ports. Each datapath defines the flow direction of network packets by associating a Flow Table. Datapath monitors the network card interface device, first matches the monitored data packets in the Flow Table, finds the matching Flow Table entries, and then returns the corresponding Actions to datapath as a description of the data processing behavior. Datapath supports data exchange in kernel space.

Kernel module information of Datapath:

# modinfo openvswitch
filename:       /lib/modules/3.10.0-327.el7.x86_64/kernel/net/openvswitch/openvswitch.ko
license:        GPL
description:    Open vSwitch switching datapath
rhelversion:    7.2
srcversion:     F75F2B83324DCC665887FD5
depends:        libcrc32c
intree:         Y
...

working principle:

Bridge processes data frames according to the following rules:

* In a Port The frames received on the will not go this way again Port Send this frame.

* All received frames need to learn their Source MAC Address.

* If the data frame is a multicast or broadcast packet (through layer 2 MAC Address determination) to receive Port Extraneous
  All Port If the upper layer protocol is interested in forwarding, it will also be submitted to the upper layer for processing.
   
* If the address of the data frame cannot be CAM(MAC-Port Mapping)Found in the table,
  Receive to Port All except Port forward.
  
* If CAM If it can be found in the table, it will be forwarded to the corresponding Port,If both sending and receiving are the same Port,It is not transmitted.

* Bridges work in hybrid mode, and all MAC The data frame of the address can pass through.

The user space OVS vswitchd and the kernel module Datapath determine the forwarding of data packets, as shown in the following figure:

Data flow:

1,Kernel Datapath Monitor the incoming data packets from the interface device.

2,If Datapath If no corresponding matching stream table item is found in the kernel stream table cache, the data packet is passed in
   (upcall)To user status ovs-vswitchd Daemon processing.

3,((optional) user status ovs-vswitchd Have a complete flow table entry, through OpenFlow Agreement and
    OpenFlow Controller or ovs-ofctl The command line tool communicates,
    Mainly receiving OpenFlow The controller sends the flow table entry of the southbound interface. Or according to the flow table item setting,
    ovs-vswitchd The network package may be Packet-In Message sent to OpenFlow Controller processing.
    
4,ovs-vswitchd Received from OpenFlow Controller or ovs-ofctl After the message of the command line tool
   It will affect the kernel mode Flow Table Update. Or according to the local principle,
   User status ovs-vswitchd The just executed Datapath No cached stream table entries are injected into Flow Table

5,ovs-vswitchd After matching the flow table entries, inject the data packets again( reinject)reach Datapath. 

6,Datapath Visit again Flow Table Get the flow table items for matching.

7,Finally, the network packet is Datapath According to flow table item Actions Forward or discard.

As mentioned above, Datapath and OVS vswitchd cooperate with each other in two ways to process network packets:

Fast Path: 

Datapatch After loading into the kernel, a hook function will be registered on the network card. Whenever a network packet arrives at the network card,
This function will be called to unpack the network packet layer by layer( MAC Layers, IP Layers, TCP Layers, etc.),
Then it matches with the flow table entry. If a matching flow table entry is found, the network packet is processed according to the established policy
(e.g. modify MAC,modify IP,modify TCP Port from which network card it is sent,
And then send the network packet from the network card. This process is all completed in the kernel, so it is very fast, which is called Fast Path.

Slow Path: (the reason for the delay of the first packet)

The kernel state is not allocated too much memory, so there are very few stream table entries that can be saved in the kernel state, and often when new stream table entries arrive,
The old flow table entry is discarded. If the stream table item cannot be found in the kernel state, it needs to be queried in the user state,
The network packet will pass netlink(A mechanism for interaction between kernel mode and user mode) ovs-vswitchd,
ovs-vswitchd There is a listening thread. When it finds a network packet sent from the kernel state, it enters its own processing flow,
Then inject the network packet into the Datapath. 
Obviously, the processing in user mode is relatively slow, so the value is Slow Path.

OvS vswtichd in user mode does not need to save memory. It contains all flow table items. These flow table items may be issued by the OpenFlow controller through the OpenFlow protocol or set by OvS ofctl, an OvS command-line tool. OvS vswtichd will match layer by layer according to the information of the network package until it finds a flow table item to process. If it cannot be found, the default flow table entry is generally used, such as discarding the packet.

When a stream table entry is finally matched, the policy will be distributed to the kernel state through the netlink protocol according to the "locality principle (local data will be frequently accessed for a period of time, which is the basic principle of cache design)". When this policy is distributed to the kernel, if the memory space of the kernel is insufficient, some old strategies will be eliminated. This ensures that the next network packet of the same type can be directly matched from the kernel, thus speeding up the execution efficiency. Due to the proximate effect, the next network packet should probably match this strategy. For example, when a file is transferred, network packets of the same type will come in an endless stream.

Tool commands:

ovs-vsctl: For Administration ovs-vswitchd Configuration information of.
ovs-ofctl: For Administration OvS Flow table information of.
ovs-pki: For Administration OvS And OpenFlow Controller Between TSL Communication framework.
ovs-dpctl: For Administration Datapath,For example, check Datapath Information.
ovs-appctl: Instruction set of application layer, for example: simulation data package for testing OvS Switch Data forwarding process.

Tags: Linux Operation & Maintenance architecture computer networks network

Posted by seidel on Wed, 07 Sep 2022 22:02:50 +0530

Hot Tags

©2023 Programs Team