Multi-tenant IaaS using OpenStack + OpenContrail Takashi Sogabe(@rev4t) Internet Initiative Japan., Inc.


Post on 25-Mar-2018


Page 1: Multi-tenant IaaS using OpenStack +  · PDF fileMulti-tenant IaaS using OpenStack + OpenContrail Takashi Sogabe(@rev4t) Internet Initiative Japan., Inc

Multi-tenant IaaS using OpenStack + OpenContrail

Takashi Sogabe(@rev4t)

Internet Initiative Japan., Inc.

Page 2:

Who am I?

• Takashi Sogabe (@rev4t)

• I develop services and devices at IIJ

– Lately I have also been evaluating software and building networks in order to create new services

– I call myself a "full stack engineer"

Page 3:

What do I want to do?

• Contrail is now open source!

– The quickest way for an engineer to understand it is to actually try it

– I want to read the source code with a smirk on my face

– First, build a demo environment and play with it

Page 4:

What is OpenContrail?

• Software that makes it easy to build a scalable IaaS

– It is an SDN product

• Works with OpenStack and CloudStack

• Control plane: BGP (between controllers and to gateway routers) or XMPP (controller to vRouter agents)

• Data plane: MPLS over GRE

– It appears to support MPLS over UDP and VXLAN as well

Page 5:

Sources of information

• http://opencontrail.org/

– Documentation and packages are provided here

• https://github.com/Juniper/contrail-controller

– The source code is published on GitHub

• http://juni.pr/17tlcQh

– Valuable information in Japanese about OpenContrail, posted by Arimura-san of Juniper on J-NET

Page 6:

Why MPLS/BGP?

• They are mature technologies, so you can use them with confidence

– ISPs already use MPLS for IP-VPN services

– Performance holds up even with a large number of VPNs in place

– It is easy to build inter-DC connections or hybrid clouds

• Using an L3VPN-capable router as the external router makes interconnection easy

Page 7:

What else can you do?

• Service chaining

– NFV, in other words

– You can insert a firewall or many other functions between VMs

• Network monitoring

– You can view session information for traffic in flight from the web UI

– If necessary, you can run a packet capture (tcpdump) from the web UI

• Think of it as an overlay-network version of Remote SPAN (RSPAN)

Page 8:

Minimum configuration needed for testing?

• PC server x 1

– Juniper recommends 5 or more

– For testing purposes, 1 is enough

• Router x 1

– One that can speak MPLS VPN (L3VPN)

– Juniper MX and SRX are examples

– Not needed if you do not need an external router

Page 9:

Server configuration of the demo environment

(Diagram; the recoverable content is listed below.)

• Router for internet connection – upstream of the gateway router on 192.168.192.0/24 (192.168.192.5, the default-route next hop in the router configuration)

• External Router (Gateway Router) – 192.168.192.79 on 192.168.192.0/24, 10.0.0.1/24 towards the tenant side

• One PC server, 192.168.192.64, running all of: Contrail System, OpenStack (controller, etc.), OpenStack (nova-compute), vRouter

Page 10:

OpenContrail Architecture

Page 11:

Install (1)

• Building from source – http://juni.pr/1alNn7h

– git + repo – setting up is cumbersome, so this is adequate for building only

– devstack – https://github.com/dsetia/devstack

• Using binary packages

– OS image provided by Juniper

– RPM packages (CentOS or Fedora)

– A Juniper.net account is needed

• Juniper says that if you apply via the online form, an account is created for you in a day or two

• The OS image is used for this demo

– Contrail Install Media for CentOS 90-day EVAL (Release 1.02)

– OpenStack Grizzly

Page 12:

Install (2)

1. Download the OS image and install it on the PC

2. Run setup.sh

– cd /opt/contrail/contrail_packages; ./setup.sh

3. Create the testbed file

4. Install the system

– cd /opt/contrail/utils; fab install_contrail

– (reboots automatically)

– cd /opt/contrail/utils; fab setup_all

– (reboots automatically)

Page 13:

Testbed file

• cd /opt/contrail/utils/fabfile/testbeds

• cp testbed_singlebox_example.py testbed.py

• Edit: vi testbed.py

    ext_routers = [('srx1', '192.168.192.79')]   # comment out if there is no external router

    host1 = 'root@192.168.192.64'        # the single box; the user name is assumed, the page's copy is obfuscated
    host_build = 'root@192.168.192.64'
    env.passwords = {
        host1: '<host password>',
        host_build: '<host password>',
    }

– The file holds the host's root password in clear text; keep it readable only by the account that runs fab

Page 14:

Install (3)

• If installation succeeds, you can log in to Horizon and the Contrail web UI

– Horizon

• http://(host ip address)/

• username: admin

• password: contrail123

– Contrail

• http://(host ip address):8080/

• username and password: same as Horizon

– These are the eval image's default credentials; change them before the host is reachable from anything other than your test network

Page 15:

Page 16:

External Router configuration (1)

• Interface configuration

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.192.79/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}

Page 17:

External Router configuration (2)

• L3VPN configuration

routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.192.5;
    }
    route-distinguisher-id 192.168.192.79;
    autonomous-system 64512;
    dynamic-tunnels {
        setup1 {
            source-address 192.168.192.79;
            gre;
            destination-networks {
                192.168.192.0/24;
            }
        }
    }
}

protocols {
    bgp {
        group contrail-controller {
            type internal;
            local-address 192.168.192.79;
            family inet-vpn {
                unicast;
            }
            neighbor 192.168.192.64;
        }
    }
    stp;
}

– The IBGP session to the controller (192.168.192.64) and the dynamic GRE tunnels carry no authentication in this demo configuration; outside a lab, add an authentication-key to the BGP group and narrow destination-networks to the controller and compute node addresses

Page 18:

External Router configuration (3)

• VRF configuration

routing-instances {
    cusotomer-public {
        instance-type vrf;
        interface ge-0/0/1.0;
        vrf-target target:64512:10000;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.0.2;
            }
        }
    }
}

– The instance name is spelled cusotomer-public (sic) throughout the demo; the ping and show route output below use the same name

– vrf-target target:64512:10000 must match the route target configured on the Contrail side for the network being exported (the "global" 10.1.0.0/24 network here); otherwise the floating-IP /32 routes are never imported into this VRF

Page 19:

External Router configuration (4)

• If you use an SRX, set the forwarding mode to packet-based

security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}

root> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: packet based
  Flow trace status
    Flow tracing status: off

– With flow-based forwarding there appears to be no way to place the dynamic tunnel in a security zone

– In packet-based mode the SRX no longer does stateful inspection for this traffic; it behaves as a plain L3VPN router

Page 20:

CREATING TENANT NETWORK USING OPENCONTRAIL

Page 21:

Network Configuration (1)

• 3 ways to configure

– From the OpenContrail web UI

– From OpenStack

• However, some parameters cannot be configured via Neutron (Quantum)

– The OpenContrail REST API

• API server: http://(controller_host):8082/

• There is no documentation at all at this time, but you can probably work out most of it by following the links from the top-level URL

Page 22:

Tenant network

(Diagram; the recoverable content, as drawn, is listed below.)

• private 10.254.0.0/24 – vRouter gateway .254

– test-private-1 .253

– test-private-2 .252

• public 10.255.0.0/24 – vRouter gateway .254

– test-public-1 .253

– test-public-2 .252

• global 10.1.0.0/24 – Floating-ip 10.1.0.253, assigned to test-public-1

• external network 10.0.0.0/24 – External router .1

Page 23:

Create network (public)

Page 24:

Create IP address block (public)

Page 25:

Configure Global network

Page 26:

Activate test-public-1, test-public-2

Page 27:

Ping from test-public-1 to 10.0.0.1

Page 28:

Create Private network

Page 29:

Activate test-private-1, test-private-2

Page 30:

Ping from test-private-1 to test-public-1

Page 31:

Create Policy

Page 32:

Apply Policy

Page 33:

Again, Ping from test-private-1 to test-public-1
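The sequence on pages 30 to 33 (ping fails, create a policy, apply it to both networks, ping succeeds) and the undocumented REST API on page 21 are modelled together in the following added example. It is not code from the slides or from the OpenContrail project: the JSON shapes for the API server's top-level document, for network_policy_refs on a virtual-network and for policy_rule entries are reproduced from memory of the Contrail schema and should be checked against your own controller at http://(controller_host):8082/; the network and policy names (default-domain:admin:private, default-domain:admin:public, priv-to-pub, allow-all) and all sample objects are constructed for the example. The point it makes is the one the slides show by ping: a virtual network is isolated until a policy is attached to it, and the same mechanism that opens private-to-public ICMP will open everything if someone attaches an "any any pass" policy, so the audit function flags such rules.

```python
import json

# Constructed sample of GET / on the API server (response shape assumed from the
# Contrail API server's "links" document; verify against your own controller).
TOP_LEVEL = json.dumps({
    "href": "http://192.168.192.64:8082",
    "links": [
        {"link": {"href": "http://192.168.192.64:8082/virtual-networks",
                  "name": "virtual-network", "rel": "collection"}},
        {"link": {"href": "http://192.168.192.64:8082/virtual-network",
                  "name": "virtual-network", "rel": "resource-base"}},
        {"link": {"href": "http://192.168.192.64:8082/network-policys",
                  "name": "network-policy", "rel": "collection"}},
    ],
})

def collections(top_level_json):
    """Resource type -> collection URL, taken from the API server's root document."""
    doc = json.loads(top_level_json)
    return {l["link"]["name"]: l["link"]["href"]
            for l in doc["links"] if l["link"]["rel"] == "collection"}

PRIV = "default-domain:admin:private"   # VN fq_names are assumptions for the demo
PUB = "default-domain:admin:public"
ANY_PORT = [{"start_port": -1, "end_port": -1}]

def rule(src, dst, proto, action="pass", direction="<>", dst_ports=ANY_PORT):
    """One policy_rule entry in the shape Contrail stores under network_policy_entries."""
    return {"direction": direction, "protocol": proto,
            "src_addresses": [{"virtual_network": src}],
            "dst_addresses": [{"virtual_network": dst}],
            "src_ports": ANY_PORT, "dst_ports": dst_ports,
            "action_list": {"simple_action": action}}

# Constructed network-policy objects keyed by fq_name (policy names are hypothetical).
POLICIES = {
    "default-domain:admin:priv-to-pub": {"network_policy_entries": {"policy_rule": [
        rule(PRIV, PUB, "icmp"),
        rule(PRIV, PUB, "tcp", dst_ports=[{"start_port": 80, "end_port": 80}]),
    ]}},
    "default-domain:admin:allow-all": {"network_policy_entries": {"policy_rule": [
        rule("any", "any", "any"),
    ]}},
}

def attached(vn):
    """fq_names of the policies a virtual-network object references."""
    return [":".join(ref["to"]) for ref in vn.get("network_policy_refs", [])]

def rule_matches(r, src_vn, dst_vn, proto, dport):
    def addr_ok(addrs, vn):
        return any(a.get("virtual_network") in ("any", vn) for a in addrs)
    def port_ok(ports):
        return any(p["start_port"] == -1 or
                   (dport is not None and p["start_port"] <= dport <= p["end_port"])
                   for p in ports)
    fwd = addr_ok(r["src_addresses"], src_vn) and addr_ok(r["dst_addresses"], dst_vn)
    rev = (r["direction"] == "<>" and addr_ok(r["src_addresses"], dst_vn)
           and addr_ok(r["dst_addresses"], src_vn))
    return r["protocol"] in ("any", proto) and port_ok(r["dst_ports"]) and (fwd or rev)

def permits(vns, policies, src_vn, dst_vn, proto, dport=None):
    """Contrail isolates VNs until a policy is attached: inter-VN traffic needs a
    permitting rule in a policy attached to BOTH networks.  First matching rule wins
    (a simplified model of the vRouter's ACL evaluation, not Contrail's own code)."""
    common = set(attached(vns[src_vn])) & set(attached(vns[dst_vn]))
    for name in sorted(common):
        for r in policies[name]["network_policy_entries"]["policy_rule"]:
            if rule_matches(r, src_vn, dst_vn, proto, dport):
                return r["action_list"]["simple_action"] == "pass"
    return False

def overly_broad(policy):
    """Indexes of rules that pass any protocol on any port between any networks:
    attaching such a policy to a tenant network removes the isolation entirely."""
    hits = []
    for i, r in enumerate(policy["network_policy_entries"]["policy_rule"]):
        addrs = r["src_addresses"] + r["dst_addresses"]
        if (r["protocol"] == "any"
                and all(a.get("virtual_network") == "any" for a in addrs)
                and all(p["start_port"] == -1 for p in r["dst_ports"])
                and r["action_list"]["simple_action"] == "pass"):
            hits.append(i)
    return hits

# Constructed virtual-network objects: before and after the "Apply Policy" step.
REF = {"to": ["default-domain", "admin", "priv-to-pub"]}
VNS_BEFORE = {PRIV: {"network_policy_refs": []}, PUB: {"network_policy_refs": []}}
VNS_AFTER = {PRIV: {"network_policy_refs": [REF]}, PUB: {"network_policy_refs": [REF]}}

if __name__ == "__main__":
    print(collections(TOP_LEVEL))
    print("ping before Apply Policy:", permits(VNS_BEFORE, POLICIES, PRIV, PUB, "icmp"))
    print("ping after Apply Policy: ", permits(VNS_AFTER, POLICIES, PRIV, PUB, "icmp"))
    for name, pol in POLICIES.items():
        print(name, "overly broad rules:", overly_broad(pol))
```

Against a live controller, replace the constructed TOP_LEVEL, POLICIES and VNS_* objects with the JSON returned by GET /, GET /network-policy/<uuid> and GET /virtual-network/<uuid>; the audit loop over every policy is the part worth keeping in a periodic check.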

Page 34:

Create and assign Floating-ip

Page 35:

Ping from ext-router to test-public-1

root> ping 10.1.0.253 routing-instance cusotomer-public
PING 10.1.0.253 (10.1.0.253): 56 data bytes
64 bytes from 10.1.0.253: icmp_seq=0 ttl=62 time=31.423 ms
64 bytes from 10.1.0.253: icmp_seq=1 ttl=62 time=2.510 ms
^C
--- 10.1.0.253 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss

Page 36:

External router show route (1)

root> show route

inet.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 192.168.192.5 via ge-0/0/0.0
10.1.0.1/32        *[Local/0] 1d 20:49:29
                      Reject
192.168.192.0/24   *[Direct/0] 1d 20:49:14
                    > via ge-0/0/0.0
192.168.192.79/32  *[Local/0] 1d 20:49:20
                      Local via ge-0/0/0.0

Page 37:

External router show route (2)

inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.192.0/24   *[Tunnel/300] 1d 20:49:46
                      Tunnel
192.168.192.64/32  *[Tunnel/300] 00:56:35
                    > via gr-0/0/0.32769

Page 38:

External router show route (3)

cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 10.0.0.2 via ge-0/0/1.0
10.0.0.0/24        *[Direct/0] 1d 20:49:14
                    > via ge-0/0/1.0
10.0.0.1/32        *[Local/0] 1d 20:49:19
                      Local via ge-0/0/1.0
10.1.0.253/32      *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16

– The floating IP 10.1.0.253/32 arrives as a BGP route from the controller (192.168.192.64) and is installed in the VRF with MPLS label 16 over the dynamic GRE tunnel gr-0/0/0.32769; it lands in this VRF because its route target matches vrf-target target:64512:10000

Page 39:

External router show route (4)

mpls.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299792             *[VPN/170] 02:02:08
                    > to 10.0.0.2 via ge-0/0/1.0, Pop

bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.192.64:2:10.1.0.253/32
                   *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16
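The VRF configuration on page 18 and the route tables on pages 38 and 39 show the tenant boundary on the gateway side: the controller advertises 10.1.0.253/32 with route distinguisher 192.168.192.64:2 and a route target, and the route is installed only in the VRF whose vrf-target matches. The following added example models that import decision; it is not code from the slides, from Junos or from OpenContrail, and the second VRF (tenant-b, target:64512:20000), the route targets on the advertised routes and the "leaky" route carrying two tenants' targets are constructed to show what a route-target mistake looks like. Real routers match on the BGP extended communities of the received update; the data structures here are a simplified stand-in.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VpnRoute:
    nlri: str                    # "RD:prefix" as printed in bgp.l3vpn.0
    route_targets: frozenset     # extended communities, e.g. {"target:64512:10000"}
    next_hop: str                # BGP next hop (the controller / vRouter address)
    label: int                   # MPLS label to push (16 in the demo output)

@dataclass
class Vrf:
    name: str
    import_targets: frozenset    # the VRF's vrf-target
    table: dict = field(default_factory=dict)   # prefix -> (next_hop, label or None)

def split_nlri(nlri):
    """'192.168.192.64:2:10.1.0.253/32' -> ('192.168.192.64:2', '10.1.0.253/32')."""
    admin, number, prefix = nlri.split(":", 2)
    return f"{admin}:{number}", prefix

def import_route(vrfs, route):
    """Install a VPN route in every VRF whose vrf-target intersects the route's RTs.
    Returns the names of the VRFs that accepted it; a VRF with no common RT never
    sees the route, which is what keeps one tenant's routes out of another's table."""
    _, prefix = split_nlri(route.nlri)
    accepted = []
    for vrf in vrfs:
        if vrf.import_targets & route.route_targets:
            vrf.table[prefix] = (route.next_hop, route.label)
            accepted.append(vrf.name)
    return accepted

def forward(vrf, dst):
    """Longest-prefix match inside one VRF -> (next_hop, label), or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in vrf.table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None

def demo_vrfs():
    """Constructed VRFs: the demo's cusotomer-public plus a second tenant (assumed)."""
    public = Vrf("cusotomer-public", frozenset({"target:64512:10000"}))
    public.table["0.0.0.0/0"] = ("10.0.0.2", None)      # static default from the VRF config
    public.table["10.0.0.0/24"] = ("ge-0/0/1.0", None)  # directly connected ge-0/0/1
    other = Vrf("tenant-b", frozenset({"target:64512:20000"}))
    return [public, other]

# The route seen in bgp.l3vpn.0 on the demo router; its RT is assumed to be the
# value the VRF imports, since the route did land in cusotomer-public.inet.0.
FLOATING_IP_ROUTE = VpnRoute("192.168.192.64:2:10.1.0.253/32",
                             frozenset({"target:64512:10000"}), "192.168.192.64", 16)
# Constructed: a route carrying both tenants' RTs is imported by both VRFs.
LEAKY_ROUTE = VpnRoute("192.168.192.64:3:10.2.0.7/32",
                       frozenset({"target:64512:10000", "target:64512:20000"}),
                       "192.168.192.64", 17)

def leaked_prefixes(vrfs):
    """Prefixes present in more than one VRF: a sign of route-target misconfiguration."""
    seen = {}
    for vrf in vrfs:
        for prefix in vrf.table:
            if prefix != "0.0.0.0/0":
                seen.setdefault(prefix, []).append(vrf.name)
    return {p: names for p, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    vrfs = demo_vrfs()
    print(import_route(vrfs, FLOATING_IP_ROUTE))   # only cusotomer-public
    print(forward(vrfs[0], "10.1.0.253"))          # via the controller, Push 16
    print(forward(vrfs[0], "8.8.8.8"))             # static default to 10.0.0.2
    print(import_route(vrfs, LEAKY_ROUTE))         # both VRFs
    print(leaked_prefixes(vrfs))
```

The check that matters operationally is leaked_prefixes: on a real gateway the equivalent is comparing the VRF tables (show route table <vrf>.inet.0) and confirming no tenant prefix appears in two of them.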

Page 40:

Network Management(1)

Page 41:

Network Management (2)

Page 42:

Network Management (3)

You can monitor flow information in real time

Page 43:

Network Management(4)

Verify Routing Table

Page 44:

Using Analyzer (1)

• Imagine an L3 switch's Remote SPAN (RSPAN) feature made more useful

– Specify the network to capture on and the type of packets

• An Analyzer instance is started automatically

• The administrator can inspect the packet dump from the OpenStack admin screen using Wireshark

– You can also log in to the compute node and tcpdump the tap interface directly, but the Analyzer is much easier to use

Page 45:

Using Analyzer (2)

Page 46:

Using Analyzer (3)

Page 47:

Summary

• Very easy-to-use admin screen

– You can monitor communications on the overlay

• An architecture that enables scalability

– Controller workload is small, because each node forwards its own traffic on the overlay

– Cassandra is used as the backend database, which allows it to scale

– L3VPN routers are used as external routers, which allows the uplinks to scale

• I heard VXLAN can be used as well, but it appears it cannot be configured from the admin screen yet

Page 48:

Things I would like to investigate further

• Service chaining

• Measure scalability by increasing the number of nodes

• Terminate the external router using VXLAN

• Try the version that supports Havana