Chuck Duffy
June, 2015
An Introduction
Linux For Network Engineers
2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Why is Linux important to a Cisco Engineer
• Three reasons
• It’s all around us – IoT, servers, OpenStack
• A good portion of our products are built on top of Linux
• Our competition is promoting it, customers are asking for it
• Leading network distributions – Monta Vista (Cavium), Wind River (Intel)
• Before Linux – VxWorks, QNX, eCos
Cisco products and their Linux base (from the slide diagram):
• N7K – Wind River 5
• N9K – Wind River 6
• APIC – CentOS
• ASA
• IPT endpoints – Android
• Cisco/SA STB & GW – RDK
• CUCM – Red Hat
• UCS CMC – Monta Vista
• CBR-8
• Cat3850, CSR1KV, ASR1K, ISR-4400 – IOS-XE
• NCS 6000
• Meraki – Click
Agenda
• Linux Overview and History
• The Basics
• Linux Networking
• Q&A
What is Linux
• Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net. It aims towards POSIX and Single UNIX Specification compliance. It has all the features you would expect in a modern fully-fledged Unix, including true multitasking, virtual memory, shared libraries, demand loading, shared copy-on-write executables, proper memory management, and multistack networking including IPv4 and IPv6. Although originally developed first for 32-bit x86-based PCs (386 or higher), today Linux also runs on a multitude of other processor architectures, in both 32- and 64-bit variants – kernel.org definition
• The Linux operating system is composed of a “kernel” as well as libraries and programs.
• The kernel is maintained by kernel.org
• Linux is a monolithic (but modular) kernel (vs. Windows NT and later, which are microkernel)
Source: http://en.wikipedia.org/wiki/Monolithic_kernel
Why Linux?
• It’s everywhere!
• Massive deployments with Facebook, Amazon, Google push the limits of scale
• OpenStack/Containers
• Platform ubiquity – wearables, phones, notebooks, desktops, servers, supercomputers
• Embedded – set top boxes, network HW, home routers, phones
• Open source
• Unlike other operating systems, Linux is completely open source. Anyone can view the source code, make changes and redistribute the OS.
• Volume of developers
• Open source licensing allows companies to take Linux as is and build upon it for their own products
• Rapid rate of development, new features, drivers, patches, etc.
• Focus on innovation
• Current trend is to expose Linux in networking devices
• Leverage tools
Source: https://www.openhub.net/p/linux
Linux History
• 1969 – Ken Thompson and Dennis Ritchie create AT&T Unix; Ritchie created the “C” programming language
• 1977 – BSD (Berkeley Software Distribution) released
• 1982 – AT&T commercial UNIX – System III
• 1983 – Richard Stallman launches GNU
• 1985 – Richard Stallman founds the Free Software Foundation
• 1987 – Andy Tanenbaum creates Minix (“Minimal UNIX”)
• 1988 – Richard Stallman creates the GPL
• 1991 – Linus Torvalds creates Linux
• 1992 – Linux licensed under the GPL
• 1993 – Slackware released; over 100 developers work on the kernel; Red Hat founded
• 1994 – Linux kernel 1.0; RH 1.0; SUSE 1.0
• 1996 – Kernel 2.0
• 1998 – IBM/Oracle announce support for Linux
• 2001 – IBM invests $1B in Linux (tech center, etc.)
• 2007 – KVM merged into the kernel; Linux Foundation started, Linus Torvalds Fellow
• 2011 – Kernel 3.0
• 2014 – 1B devices ship with the Android OS
Eras along the timeline: Unix, Hobbyist, Enterprise, Web 2.0, IoT
Quotes on the slide:
"...the number of UNIX installations has grown to 10, with more expected...” – Dennis Ritchie and Ken Thompson, June 1972
“Free Unix! Starting this Thanksgiving I am going to write a complete Unix-compatible software system called GNU (for Gnu's Not Unix), and give it away free (1) to everyone who can use it. Contributions of time, money, (2) programs and equipment are greatly needed...” – Richard Stallman; posting to net.unix-wizards; 27 Sept. 1983.
“Hello everybody out there using minix – I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones. This has been brewing since april, and is starting to get ready. I'd like any feedback on things people like/dislike in minix, as my OS resembles it somewhat” – Linus Torvalds, 8/25/1991, comp.os.minix
Open Source Software
• Open Source Initiative – founded in 1998
• Practical benefits
• OSS – developed in a collaborative, public way
• Common open source licenses:
• Apache License 2.0
• BSD 3-Clause "New" or "Revised" license
• BSD 2-Clause "Simplified" or "FreeBSD" license
• GNU General Public License (GPL)
• GNU Library or "Lesser" General Public License (LGPL)
• MIT license
• Mozilla Public License 2.0
• Common Development and Distribution License
• Eclipse Public License
• http://opensource.org
• Free Software Foundation – founded 1985 by Richard Stallman
• Philosophical
• Free as in “freedom”, not cost
• Specifically, free software means users have the four essential freedoms: (0) to run the program, (1) to study and change the program in source code form, (2) to redistribute exact copies, and (3) to distribute modified versions.
• GPL states that derivative works must also be released under the GPL
• GNU GPL guarantees the above freedoms. GPLv2 (1991) is used by the kernel. GPLv3 closed some loopholes and added a clause to prevent HW restrictions (think Tivo, STB)
• Lesser GPL
• http://www.fsf.org
Open Source Licenses Overview
• Free software – freedom to use, freedom to study, freedom to copy, freedom to modify and distribute modified copies
• Copyleft licenses – modified code must be released under the same license
• GPL (General Public License) – requires derivative works to be released under the same license, and programs linked with a library released under the GPL must also be released under the GPL.
• LGPL (Lesser General Public License) – programs linked against a library under the LGPL do not need to be released under the LGPL and can be kept proprietary. It must be linked dynamically, not statically.
• Non-copyleft licenses – modified code can be kept proprietary, but still requires attribution
• Apache license, BSD license, MIT license, X11 license
Agenda
• Linux Overview and History
• The Basics
• Automation
• Virtualization
• The Linux Networking Stack
• Practical Examples
• Q&A
Distributions
• A Linux distribution (distro) is an operating system made as a collection of software based around the Linux kernel and often around a package management system. – Wikipedia
• Distrowatch lists 300 distributions of Linux
• Distributions stem from Red Hat, Debian or Slackware
• Distros can be focused on a niche requirement. For example, Kali is focused on penetration/security testing, while Wind River focuses on embedded and real-time requirements. OpenWrt focuses on home routers
• Distributions contain a predefined set of “packages” – Server, Desktop, etc.
• Distributions can favor features or stability
• Ubuntu LTS, RHEL, CentOS – stability; Ubuntu, Fedora – features
• Android (Linux 3.4 kernel) – open source, maintained by Google
Image source: http://graal.ens-lyon.fr/diet/news/diet-available-in-major-linux-distribution/image/image_view_fullscreen
Linux Packages
• Packages are a convenient way to deliver software
• Originally tarballs were used
• CLI tool required to install/update/remove software
• Red Hat – rpm CLI, .rpm package format
• Debian – dpkg CLI, .deb package format
• An .rpm contains:
• Header – file list, description, dependencies
• Signature
• Files – usually compressed
• Drawbacks:
• Does not resolve/remove dependencies
• Need to copy the software (.rpm) to the machine
• No directory of software
Linux Package Management Systems
• Addresses the drawbacks of tools like rpm / dpkg
• Find software, install/uninstall, update, resolve dependencies
• Uses a repository (from the distribution or on-site) of trusted software
• Maintains a database of installed packages and their dependencies
• CLI tool required to install/update/remove software
• Red Hat – yum
• Debian – apt-get, aptitude
The Kernel
• Maintained by kernel.org
• Intermediary between applications and the hardware – it abstracts the HW
• Kernel subsystems – process management, memory management, system calls, networking, file systems, and device drivers
• Linux uses a monolithic kernel
• KLM – Kernel Loadable Modules
• Modules can be loaded/unloaded dynamically
• A key attribute of Linux is the ability to recompile the kernel. A user can custom build the OS to suit their specific needs, adding/removing kernel software.
Source: https://knowstuffs.files.wordpress.com/2012/06/linux_kernel2.png
Kernel and User
• CPUs have several different execution modes
• Linux uses two – 0 and 3
• Privilege switch
• Kernel mode vs. user mode
• Kernel mode – code has complete access to all hardware and memory
• User mode – code has no access to hardware and access only to its assigned memory
• Kernel space vs. user space
• Kernel space is reserved for the kernel
• User space is the memory where user processes run. Sometimes called userland
• System calls
• Allow user processes to interact with the kernel
• Ex. opening a file, creating a new process
• Application → glibc → syscall → kernel
Source: http://en.wikipedia.org/wiki/Protection_ring#mediaviewer/File:Priv_rings.svg
Source: http://en.wikipedia.org/wiki/User_space
Startup Process
• Bootloader – usually GRUBv2 (GNU Grand Unified Bootloader)
• GRUB stages
• boot.img loads from the MBR. It has to fit in one sector and be under 512 bytes (4096 on newer disks)
• core.img loads. This file was created during the GRUB setup process and contains various modules that are needed to read the file system, video, keyboard, etc., in addition to the limited commands found in the grub> CLI
• Initial RAM File System – initramfs (formerly initrd) is sometimes started if there are unique device drivers, etc. that won’t fit in core.img
• GRUB finds the kernel on disk (CD, PXE, USB, etc.) and then presents the user with a text menu asking what they want to boot
Boot sequence (from the slide diagram): Power ON → BIOS → GRUBv2 (Stage 1, Stage 2) → Kernel → systemd (PID 1) → Programs
systemd
• System management framework
• Developed by Lennart Poettering and Kay Sievers – Red Hat
• Replaces init (SysVinit), launched in 2010
• Canonical had launched a project called upstart (used in RH6)
• First process after the kernel loads (PID 1)
• Advantages
• Allows processes to be started in parallel without waiting for dependencies (Apple uses a similar approach called launchd – OS X 10.1). Can restart services without losing messages
• Creates and manages sockets between processes
• Dependencies are defined explicitly instead of implied by boot order
• Replaces the service and chkconfig service managers
• Eliminates differences between distributions (shell scripts)
• Can start services and features “on demand”
• Typical commands
• systemctl start [name.service]
• systemctl stop [name.service]
• systemctl restart [name.service]
• systemctl reload [name.service]
• systemctl status [name.service]
Processes
• Process – a running instance of a program
• PID 0 is the scheduler or swapper, PID 1 is systemd (init).
• fork and exec – fork creates an exact but independent copy of a running process (copy on write). exec loads a new program into the new copy
• clone – creates a copy of a process that can share resources with the parent (memory, files, etc.); used to implement threads
• Process vs. thread – processes are completely independent of one another. Threads can share memory, open files, etc.
• Multitasking – Linux is a pre-emptive multitasking OS. Processes share the CPU
• Processes can be running, waiting, or sleeping (also zombie, orphaned, stopped)
• Daemons – a server process which runs continually
• Process attributes – PID, PPID, NICE, User
• Niceness – used to set the priority of a process
• nice is used to set the priority of a process
• renice is used to change the priority of a running process
• Nice values -20 (high) to 19 (low) priority
• Every process has an owner
• Cgroups – Control Groups, introduced in kernel 2.6.24, allow grouping, tracking and isolation of processes. Foundation for containers
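The fork/exec/wait pattern and the nice attribute above, as an added example that is not part of the deck: a Python script for Linux that forks a child, lowers the copy's priority with nice, execs a program into it and reaps it from the parent. The command run in the child is a constructed sample.

```python
# Added example, not from the original deck: fork, exec, wait and nice from
# Python on Linux. The command run in the child is a constructed sample.
import os


def spawn_and_wait(argv, nice_increment=5):
    """Fork a child, renice it, exec argv in it, and return (child_pid, exit_code).

    fork() gives an exact copy-on-write copy of this process; exec() then
    replaces that copy's program image, so nothing after os.execvp() in the
    child runs unless exec itself fails.
    """
    pid = os.fork()
    if pid == 0:
        # Child side. os.getppid() here is the parent's PID (the PPID attribute).
        try:
            # Unprivileged processes may only raise niceness (lower priority).
            os.nice(nice_increment)
            os.execvp(argv[0], argv)
        except OSError:
            # Only reached when nice()/exec() fail; _exit() skips the parent's
            # atexit handlers, which the child inherited with the copy.
            os._exit(127)
    # Parent side: wait for the child so it does not linger as a zombie.
    _, status = os.waitpid(pid, 0)
    return pid, os.waitstatus_to_exitcode(status)


def niceness_after_fork(nice_increment=5):
    """Return (parent_nice, child_nice) to show renicing only affects the copy."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(read_end)
        new_nice = os.nice(nice_increment)   # returns the child's new niceness
        os.write(write_end, str(new_nice).encode())
        os._exit(0)
    os.close(write_end)
    child_nice = int(os.read(read_end, 16))
    os.close(read_end)
    os.waitpid(pid, 0)
    return os.nice(0), child_nice           # os.nice(0) reads without changing


if __name__ == "__main__":
    print(spawn_and_wait(["/bin/sh", "-c", "echo child $$ parent $PPID; exit 3"]))
    print(niceness_after_fork())
```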
Completely Fair Scheduler
• Written by Ingo Molnar, Red Hat. Merged into kernel 2.6.23
• Improvement over previous schedulers
• Previous Linux schedulers only had two variables – timeslice and priority
• Previous schedulers also used heuristics to determine if a process was interactive – like Firefox – and needed more CPU to improve user experience
• CFS uses Weighted Fair Queuing
• It divides the number of CPUs by the runnable processes and assigns each process a fair proportion
• CFS tracks the wait time of each process and uses it to determine which process should run next and how long it should run (red-black tree)
• Weighting is provided by the nice number: -20 is the highest, 19 is the lowest.
• Context switch
• Each time the scheduler stops a process it must store its complete state so that when the process runs again it can pick up exactly where it left off
Source: http://www.linuxjournal.com/magazine/completely-fair-scheduler
Linux File System
• Key Linux file system concepts
• “Everything is a file”
• Files have ownership
• Permissions (files and directories) – user | group | other
• Key directories
• /boot – holds the kernel, /etc – holds config files, /bin – system commands, /sbin – admin commands, /home – user directories, /lib – shared libraries, /usr – applications
• Virtual file systems
• /dev – devices connected to the system. Character (tty, keyboard, mouse) or block devices (hard drives, CDROM, etc.)
• /proc – information about running processes. There is a subdirectory for each running PID
• /sys – sys filesystem (sysfs) is a virtual file system that the kernel creates and provides info on HW/drivers, etc.
File permissions
• d = directory, l = symbolic link – points to another location, - = file
• User and group
Worked example (the slide's table for a file with mode rwxrwxr--):

          User   Group  Other
Access    rwx    rwx    rwx
Binary    421    421    421
Enabled   111    111    100
Result    421    401    400
          -----  -----  -----
Total     7      7      4
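The permission table above, as an added example that is not part of the deck: a Python parser for the 10-character mode string shown by ls -l, computing the same user/group/other totals as the table and flagging world-writable entries, the first thing to look for when auditing a device's filesystem. The mode strings used are constructed samples.

```python
# Added example, not from the original deck: decode an ls -l mode string the
# way the slide's table does (r=4, w=2, x=1 per user/group/other triplet).

FILE_TYPES = {"-": "file", "d": "directory", "l": "symbolic link"}
BIT_VALUES = {"r": 4, "w": 2, "x": 1}


def triplet_value(triplet):
    """Sum the weights of one rwx triplet, e.g. 'r-x' -> 5.

    The setuid/setgid/sticky markers (s, S, t, T) are outside what the
    slide covers and are rejected rather than silently misread.
    """
    if len(triplet) != 3:
        raise ValueError(f"expected a 3-character triplet, got {triplet!r}")
    total = 0
    for expected, ch in zip("rwx", triplet):
        if ch == expected:
            total += BIT_VALUES[ch]
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {triplet!r}")
    return total


def parse_mode(mode):
    """Turn a 10-character mode such as 'drwxrwxr--' into its numeric parts.

    Returns the file type, the per-class values (the 'Total' row of the
    slide's table) and the octal string used with chmod, e.g.
    {'type': 'directory', 'user': 7, 'group': 7, 'other': 4, 'octal': '774'}.
    """
    if len(mode) != 10:
        raise ValueError(f"expected 10 characters, got {mode!r}")
    if mode[0] not in FILE_TYPES:
        raise ValueError(f"unknown file type {mode[0]!r}")
    user = triplet_value(mode[1:4])
    group = triplet_value(mode[4:7])
    other = triplet_value(mode[7:10])
    return {
        "type": FILE_TYPES[mode[0]],
        "user": user,
        "group": group,
        "other": other,
        "octal": f"{user}{group}{other}",
    }


def world_writable(mode):
    """True when 'other' has the write bit: any user on the box can modify it."""
    return parse_mode(mode)["other"] & BIT_VALUES["w"] != 0


if __name__ == "__main__":
    # Constructed sample lines in ls -l mode-string form.
    for sample in ("-rwxrwxr--", "drwxr-x---", "lrwxrwxrwx", "-rw-rw-rw-"):
        print(sample, parse_mode(sample)["octal"], "world-writable" if world_writable(sample) else "")
```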
The Shell
• In computing, a shell is a user interface for access to an operating system's services. In general, operating system shells use either a command-line interface (CLI) or graphical user interface (GUI), depending on a computer's role and particular operation – Wikipedia
• Examples – Bourne Shell (sh), C Shell (csh), Bourne-Again Shell (bash), Korn Shell (ksh)
• bash is most commonly used in Linux today – bash is a GNU project and it incorporates the best features of the C and Korn shells into the original Bourne Shell (Stephen Bourne – Bell Labs, Unix shell)
• The shell has built-in commands – like cd, pwd, logout, etc. – that when called execute in the same process as the shell. Other programs when called create new processes via “fork”
• Shell commands can be “piped”, that is, the output of one command can be directed to the input of the next command
• Scripting – shell scripts
• Ability to link together small programs, redirect output, etc.
Communications in Linux
• Signals
• A form of IPC. Processes react by executing the appropriate signal handler. Ex. CTRL-C sends a SIGINT which terminates a process
• CentOS 7 has 64 signals
• Pipes
• Unidirectional byte streams that connect the stdout of one process to the stdin of another
• Uses the virtual file system
• Sockets
• Domain sockets – within one machine – use the AF_LOCAL protocol
• Any process can create a domain socket
• Network (IP) sockets – communications over the network
• Netlink sockets
• Bi-directional communications between userspace and the kernel
• iproute2 uses Netlink
• D-Bus
• dbus-daemon acts as a hub for IPC. Processes can register with it and receive certain types of events – USB disk plugging in, etc.
• Originally designed for communications between desktop applications
Virtual Memory
• Linux breaks memory into 2 regions – kernel space and user space
• In the IA32 architecture the limit is 4GB: kernel is 1GB and userspace is 3GB
• User space applications cannot access kernel space
• Linux provides each process with its own virtual address space
• That space is mapped into physical memory via a page table held in the MMU
• Memory Management Unit (MMU) – modern servers have an MMU that manages the “page table”. The kernel programs the MMU
• The page table can “swap” physical memory to disk if needed
Linux Namespaces
• Introduced in kernel 2.6.24
• Isolation – enable a process (or several processes) to have different views of the system than other processes.
• No hypervisor layer (as in OS virtualization like KVM, Xen).
• There are currently 6 namespaces:
• mnt (mount points, filesystems)
• pid (processes)
• net (network stack – netns)
• ipc (System V IPC)
• uts (hostname)
• user (UIDs)
Linux cgroups
• Introduced in kernel 2.6.24
• Provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behavior.
• cgroups allow you to allocate resources – such as CPU time, system memory, network bandwidth, or combinations of these resources – among user-defined groups of tasks (processes) running on a system.
• Namespaces and control groups are the foundation for containers
Agenda
• Linux Overview and History
• The Basics
• Linux Networking
• Q&A
Linux Networking
• Continuous improvement on how Linux handles networking
• Drivers – network speed from 10/100M – 1Gbps – 10Gbps, virtualization
• NAPI – introduced in kernel 2.5. Changed from an interrupt-driven to a polling model. Kernel 3.11 adds “busy poll”
• Linux has extensive networking features – routing, bridge, firewall, proxy, NAT, load balancing, etc.
• Kernel based packet forwarding
• Netfilter framework
• Handles L2 – L4
• Namespaces introduce routing tables per namespace (VRF)
• Userspace tools
• iproute2 – ip route show
• net-tools – (deprecated) ifconfig, netstat, route, arp
• iputils – ping, ping6, arping, tracepath
• Linux router subsystem
• A Linux host can act as a router if ip_forward = 1 in the kernel
• Basic routing is DST based, longest prefix match
• Linux supports 255 routing tables
• 2 tables by default – local, main
• Local is maintained by the kernel – ip addr from hosts
• Main is used with the ip route cmd
• Policy routing
• Source interface, source address, ToS, fwmark (firewall mark from iptables)
• Creates a unique table
• Routing order
• Cache
• Local table
• RPDB – Routing Policy Data Base
• Main routing table
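The routing order and policy routing described above, as an added example that is not part of the deck: a Python model of the lookup walk (local table, then RPDB rules selecting extra tables, then main) with longest-prefix match inside each table. The tables, rules and addresses are constructed samples; the model leaves out the route cache and the rule selectors not on the slide.

```python
# Added example, not from the original deck: a model of the route lookup order
# on the slide (local table, then RPDB rules, then main) with longest-prefix
# match inside each table. Tables, rules and addresses are constructed samples.
import ipaddress

LOCAL_TABLE = 255   # kernel-maintained table of this host's own addresses
MAIN_TABLE = 254    # the table 'ip route' manipulates by default


class Router:
    def __init__(self):
        self.tables = {}   # table id -> list of (network, next hop / device)
        self.rules = []    # RPDB rules, kept sorted by priority

    def add_route(self, table, prefix, via):
        self.tables.setdefault(table, []).append((ipaddress.ip_network(prefix), via))

    def add_rule(self, priority, table, src=None, fwmark=None, iif=None):
        """Like 'ip rule add [from SRC] [fwmark MARK] [iif DEV] lookup TABLE'."""
        src_net = ipaddress.ip_network(src) if src else None
        self.rules.append((priority, table, src_net, fwmark, iif))
        self.rules.sort(key=lambda rule: rule[0])

    def lookup_table(self, table, dst):
        """Longest-prefix match within one table; None when nothing matches."""
        best = None
        for net, via in self.tables.get(table, []):
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None

    def route(self, dst, src=None, fwmark=0, iif=None):
        """Return (table id, next hop) or (None, None) when there is no route."""
        dst = ipaddress.ip_address(dst)
        src_ip = ipaddress.ip_address(src) if src else None
        # 1. Local table: destinations that belong to this host.
        hit = self.lookup_table(LOCAL_TABLE, dst)
        if hit:
            return LOCAL_TABLE, hit
        # 2. RPDB: the first rule whose selectors all match picks a table;
        #    if that table has no route, the walk continues with the next rule.
        for _, table, rule_src, rule_mark, rule_iif in self.rules:
            if rule_src is not None and (src_ip is None or src_ip not in rule_src):
                continue
            if rule_mark is not None and fwmark != rule_mark:
                continue
            if rule_iif is not None and iif != rule_iif:
                continue
            hit = self.lookup_table(table, dst)
            if hit:
                return table, hit
        # 3. Main table, the one 'ip route' populates.
        hit = self.lookup_table(MAIN_TABLE, dst)
        return (MAIN_TABLE, hit) if hit else (None, None)


def build_sample_router():
    """Constructed sample: a host with a default route, a LAN, and two policy tables."""
    r = Router()
    r.add_route(LOCAL_TABLE, "192.0.2.10/32", "local lo")
    r.add_route(MAIN_TABLE, "0.0.0.0/0", "via 192.0.2.1 dev eth0")
    r.add_route(MAIN_TABLE, "198.51.100.0/24", "dev eth1")
    r.add_route(MAIN_TABLE, "198.51.100.128/25", "via 198.51.100.254 dev eth1")
    # Policy routing: management sources leave via eth2, marked packets via eth3.
    r.add_route(100, "0.0.0.0/0", "via 203.0.113.1 dev eth2")
    r.add_rule(100, 100, src="10.0.0.0/8")
    r.add_route(101, "0.0.0.0/0", "via 203.0.113.2 dev eth3")
    r.add_rule(200, 101, fwmark=0x1)
    return r
```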
Netfilter Framework
• Introduced in 1998 by Rusty Russell (IBM) and replaced ipchains and ipfwadm
• Linux kernel 2.4 and later – kernel module
• Separate kernel modules – ip_tables, ip6_tables, arp_tables, ebtables
• iptables/ebtables/conntrack is the userspace interface
• nftables is a Netfilter project to replace the existing iptables kernel and userspace programs
• nft replaces iptables, ip6tables, arptables, ebtables
• Userspace tools communicate with the kernel via Netlink
• Key features
• Stateless and stateful packet filtering (iptables)
• NAT (masquerading)
• Packet mangling
• Connection tracking
• Tables – NAT, Mangle, Filter
• Chains – PREROUTING, FORWARD, INPUT, OUTPUT, POSTROUTING
• The basis for secgroups in OpenStack and AWS
Source: http://en.wikipedia.org/wiki/Netfilter
Source:http://linux-ip.net/nf/nfk-traversal.pdf
Linux Virtual Network Devices
• Bridge
• Bridges connect Ethernet segments (L2). A simple learning bridge that performs a DST MAC lookup
• Kernel module – bridge.ko
• Userspace – bridge-utils
• Each bridge maintains its own forwarding table
• Basic spanning tree – no RSTP or MSTP
• VETH – virtual Ethernet device
• Always used in pairs. Traffic that enters one side leaves the other. Each side has a MAC address
• Uses sockets
• TUN/TAP – network tunnel/network tap interface
• TUN is L3 while TAP is L2
• Delivers packets to and from userspace into the kernel networking stack
• OpenStack compute host with OVS – for an Ethernet frame to travel from eth0 of virtual machine vm01 to the physical network, it must pass through nine devices inside of the host.
Source: http://docs.openstack.org/admin-guide-cloud/content/under_the_hood_openvswitch.html
Network Programmability User's Group (NPUG)
To hear more:
Check the NPUG wiki
http://cs.co/npug
Join the Mailer for Updates and Recordings
http://cs.co/npugmailer
View Previous Recordings
http://cs.co/npughistory
Feedback – good/bad, topics, speakers, help out:
[email protected] http://cs.co/NPUG