文稿成果open相关openvswtich

OpenvswitchPopsuperSoftwareDefinedNetworkCPUPoolStoragePoolVirtualInfrastructureOpenFlowSwitchComponentsOpenFlowChannel负责同Controller的交互FlowTable包含许多entry，每个entry是对packet进行处理的规则GroupTable：处理更复杂的转发规则包含一系列GroupEntry每个Entry包含一系列操作集合(actionbuckets)每个操作集合包含一系列action，以及参数Matchpackets:ingressportHeadersmetadataFlowentriesmatchpacketsinpriorityorder对packet处理:转发修改交给GroupTable交给下个TableOpenFlowPacketProcessingOpenFlowPacketProcessingActions:Output:转发Set-Queue:QoSDropGroupPush/PoptagsOpenFlowPacketProcessingActions:Output:转发Set-Queue:QoSDropGroupPush/PoptagsOpenvswitch简介Openvswitch是一个virutalswtich，支持OpenFlow协议，当然也有一些硬件Switch也支持OpenFlow协议，他们都可以被统一的Controller管理，从而实现物理机和虚拟机的网络联通。Openvswitch简介MatchField涵盖TCP/IP协议各层：Layer1–TunnelID,InPort,QoSpriority,skbmarkLayer2–MACaddress,VLANID,EthernettypeLayer3–IPv4/IPv6fields,ARPLayer4–TCP/UDP,ICMP,NDAction也主要包含下面的操作：Outputtoport(portrange,flood,mirror)Discard,ResubmittotablexPacketMangling(Push/PopVLANheader,TOS,...)Sendtocontroller,LearnOpenvswitch简介可以设置Tunnel可以支持下列的框架来监控流量。sFlowNetFlowPortMirroringSPANRSPANERSPAN支持QoSUsesexistingTrafficControlLayerPolicer(Ingressratelimiter)HTB,HFSC(Egresstrafficclasses)Controller(OpenFlow)canselectTrafficClassOpenvswitch架构Openvswitch架构实验一：查看Openvswitch的架构root@popsuper1982:~#psaux|grepopenvswitchroot9850.00.0211722120?S<Aug061:20ovsdb-server/etc/openvswitch/conf.db-vconsole:emer-vsyslog:err-vfile:info--remote=punix:/var/run/openvswitch/db.sock--private-key=db:Open_vSwitch,SSL,private_key--certificate=db:Open_vSwitch,SSL,certificate--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert--no-chdir--log-file=/var/log/openvswitch/ovsdb-server.log--pidfile=/var/run/openvswitch/ovsdb-server.pid--detach--monitorroot10080.10.824294831712?S<LlAug0632:17ovs-vswitchdunix:/var/run/openvswitch/db.sock-vconsole:emer-vsyslog:err-vfile:info--mlockall--no-chdir--log-file=/var/log/openvswitch/ovs-vswitchd.log--pidfile=/var/run/openvswitch/ovs-vswitchd.pid--detach--monitorroot@popsuper1982:~#lsmod|grepopenvswitchopenvswitch669010gre138081openvswitchvxlan376191openvswitchlibcrc32c126442btrfs,openvswitch实验一：查看Openvswitch的架构实验一：查看Openvswitch的架构实验一：查看Openvswitch的架构straceovs-vsctlshow//建立unixsocket，和ovs-dbserver进行通信socket(PF_LOCAL,SOCK_STREAM,0)=3fcntl(3,F_GETFL)=0x2(flagsO_RDWR)fcntl(3,F_SETFL,O_RDWR|O_NONBLOCK)=0connect(3,{sa_family=AF_LOCAL,sun_path="/var/run/openvswitch/db.sock"},31)=0//写入命令write(3,"{\"method\":\"monitor\",\"id\":0,\"para"...,409)=409//读取结果read(3,"{\"id\":0,\"result\":{\"Port\":{\"8afee"...,512)=512read(3,"7a8\"],[\"uuid\",\"8afee51e-6e71-4d4"...,512)=501read(3,0x24b4d05,11)=-1EAGAIN(Resourcetemporarilyunavailable)向终端输出结果write(1,"c1fe4192-ae6a-457f-a2e1-dfc67284"...,37c1fe4192-ae6a-457f-a2e1-dfc6728470eb)=37write(1,"Bridgeubuntu_br\n",21Bridgeubuntu_br)=21write(1,"Portubuntu_br\n",23Portubuntu_br)=23write(1,"Interfaceubuntu_br\n",32Interfaceubuntu_br)=32write(1,"type:internal\n",31type:internal)=31write(1,"Port\"vnet0\"\n",21Port"vnet0")=21write(1,"Interface\"vnet0\"\n",30Interface"vnet0")=30write(1,"ovs_version:\"2.0.1\"\n",25ovs_version:"2.0.1")=25实验一：查看Openvswitch的架构straceovs-dpctlshow实验一：查看Openvswitch的架构#straceovs-ofctlshowubuntu_brsocket(PF_LOCAL,SOCK_STREAM,0)=3connect(3,{sa_family=AF_LOCAL,sun_path="/var/run/openvswitch/ubuntu_br"},33)=-1ENOENT(Nosuchfileordirectory)close(3)=0socket(PF_LOCAL,SOCK_STREAM,0)=3connect(3,{sa_family=AF_LOCAL,sun_path="/var/run/openvswitch/ubuntu_br.mgmt"},38)=0Openvswitch数据库表结构实验二：打印数据库表结构cat/etc/openvswitch/conf.db，我们会发现它是json格式的数据库可以通过ovsdb-clientdump将数据库内容打印出来Openvswitch:Open_vSwitch表数据库的根全局的配置项other_config:stats-update-interval：将统计信息写入数据库的间隔时间other_config:flow-limit：在flowtable中flowentry的数量other_config:n-handler-threads：用于处理新flow的线程数other_config:n-revalidator-threads：用于验证flow的线程数.other_config:enable-statistics是否统计statistics:cpu统计cpu数量，线程statistics:load_averagesystemloadstatistics:memory总RAM，swapstatistics:process_NAME：withNAMEreplacedbyaprocessname，统计memorysize,cputime等statistics:file_systems：mountpoint,size,used指向其他表bridge表SSL表Manager表Openvswitch:ManagerManager表配置的是ovsdb-server的ovsdb-server使用manager_options中的配置来监听端口，等待client来连接。punix:file:监听unixsocketptcp:port[:ip]:监听TCP连接pssl:port[:ip]:监听SSL连接实验三：设置Manager的TCP连接ovs-vsctlset-managerptcp:8881在另外一台机器上Openvswitch:SSLSSL的配置主要包含几个部分：PrivateKey:私钥Certificate:证书CACertificate:CA的证书privatekey和publickey对，其中publickey放在certificate中，并且需要CA使用自己的privatekey进行签名，CA来担保这个certificate是合法的，为了验证这个CA签名，当然需要CA的publickey，而CA的publickey是放在cacert里面的，当然也需要被签名，被更高级的CA担保，或者自己担保自己。bootstrap_ca_cert是一个boolean，如果是true，则每次启动的时候，都会向controller去拿最新的cacert。默认表是空的实验四：设置SSL连接生成privatekey,certificate,CAkey,CAcertificate生成一个CA的privatekeyCA有一个certificate，里面放着CA的publickey，要生成这个certificate，则需要写一个certificaterequestopensslgenrsa-outcaprivate.key1024opensslreq-keycaprivate.key-new-outcacertificate.req3.由于这里的CA是rootCA，没有更高级的CA了，所以要进行自签发，用自己的privatekey对自己的certificate请求进行签发4.普通的机构需要有自己的privatekey5.也需要一个证书，里面放自己的publickey，需要一个证书请求实验四：设置SSL连接opensslx509-req-incacertificate.req-signkeycaprivate.key-outcacertificate.pemopensslgenrsa-outcliu8private.key1024opensslreq-keycliu8private.key-new-outcliu8certificate.req实验四：设置SSL连接6.要使得这个证书被认可，则需要一个CA对这个证书进行签名，我们用上面的CA的privatekey对他进行签名opensslx509-req-incliu8certificate.req-CAcacertificate.pem-CAkeycaprivate.key-outcliu8certificate.pem-CAcreateserial实验四：设置SSL连接设置manager在另一台机器上ovs-vsctldel-managerovs-vsctlset-managerpssl:8881ovs-vsctlset-ssl/root/keys/openvswitch/cliu8private.key/root/keys/openvswitch/cliu8certificate.pem/root/keys/openvswitch/cacertificate.pemOpenvswitch:ControllerOpenvswitch:ControllerOpenFlow配置项：从架构图中我们可以看出，openvwitch的一个bridge可以通过openflow协议，被一个统一的controller管理的Controllerflow_tablesfail_mode:一旦一个bridge连到一个openflowcontroller，则flowtable就由controller统一管理，如果连接断了secure：这个bridge会试图一直连接controller，并不自己建立flowtablestandalone：一旦bridge三次连不上controller，就自己建立和管理flowtabledatapath_id：Openvswitch:ControllerOpenFlowController多种多样

Beacon

isaJava-basedcontrollerthatsupportsbothevent-basedandthreadedoperation.BeaconwasdevelopedatStanford.Floodlight

isaJava-basedcontrollerthatwasforkedfromtheBeaconcontroller,andnowissupportedbyacommunityofdevelopers.FloodlightisreleasedundertheApacheLicense.Maestro

isamulti-threadedJava-basedplatformthatallowsdeveloperstoimplementnewOpenFlowcontrollers.MaestrowasdevelopedatRiceUniversity.NodeFlow

isan

OpenFlow

controllerwritteninpureJavaScriptforNode.JS.Node.JSprovidesanasynchronouslibraryoverJavaScriptforserversideprogrammingwhichisperfectforwritingnetworkbasedapplications.NOX

isaC++basedplatformthatgivestheabilitytodeveloperstoimplementnewcontrollersbywritingNOXmodulesineitherC++.POX

isaPythonbasedplatformthatgivestheabilitytodeveloperstoimplementnewcontrollersbywritingNOXmodulesineitherPython.PoxwaspartofwhatisnowcalledNoxclassic,butitwasseparatedintoadifferentcontrollerplatformthatonlysupportsPython.Trema

isaCbasedplatformthatallowsdeveloperstowritenewcontrollersbywritingTremamodulesineitherCorRuby.TremawasdevelopedbyNEC.Openvswitch:Controller使用Floodlight实验五：配置使用OpenFlowController创建三个虚拟机实验五：配置使用OpenFlowController安装floodlight

gitclonegit:///floodlight/floodlight.gitcdfloodlight/antnohupjava-jartarget/floodlight.jar>floodlight.log2>&1&设置Controllerovs-vsctlset-controllerubuntu_brtcp::6633实验五：配置使用OpenFlowController访问floodlight的界面

Floodlight的RestAPI+API默认情况下，三台机器可以相互ping的通Instance01Instance02Instance03ubuntu_br实验五：配置使用OpenFlowController调用RestAPI设定规则，只允许Instance01和Instance03之间相互通信curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow1","cookie":"0","priority":"32768","src-mac":"52:54:00:9b:d5:11","active":"true","actions":"output=12"}'curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow2","cookie":"0","priority":"32768","src-mac":"52:54:00:9b:d5:77","active":"true","actions":"output=10"}'实验五：配置使用OpenFlowController用RESTAPI清除所有规则将正确的mac导向正确的portcurlcurl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow1","cookie":"0","priority":"32768","dst-mac":"52:54:00:9b:d5:11","active":"true","actions":"output=10"}'curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow2","cookie":"0","priority":"32768","dst-mac":"52:54:00:9b:d5:33","active":"true","actions":"output=11"}'curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow3","cookie":"0","priority":"32768","dst-mac":"52:54:00:9b:d5:77","active":"true","actions":"output=12"}'实验五：配置使用OpenFlowController从Instance01来pingInstance03，用tcpdump监听Instance02和Instance03，在这个过程中，用RESTAPI将Instance03的包转发给Instance02curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow3","cookie":"0","priority":"32768","dst-mac":"52:54:00:9b:d5:77","active":"true","actions":"output=11"}'Openvswitch:sFlow,NetFlow/IPFIX采样流sFlow（SampledFlow）是一种基于报文采样的网络流量监控技术，主要用于对网络流量进行统计分析。Flow采样是sFlowAgent设备在指定端口上按照特定的采样方向和采样比对报文进行采样分析,该采样方式主要是关注流量的细节，这样就可以监控和分析网络上的流行为。Counter采样是sFlowAgent设备周期性的获取接口上的流量统计信息,只关注接口上流量的量，而不关注流量的详细信息。Openvswitch:sFlow,NetFlow/IPFIXCiscoNetFlowand

IPFIX

(theIETFstandardbasedonNetFlow)

也是一个协议，将流量记录发送给服务器Openvswitch:sFlow,NetFlow/IPFIXsFlowNetFlow/IPFIXInMonsFlowTrendSolarWindsReal-TimeNetFlowAnalyzer流量统计包括L2仅仅包含L3NoCache,real-timeWithflowcachemonitoralltypesoftraffic:ARP,IPv6,

DHCP/BOOTP,STP,

LLDPIPv4traffic服务器负责解析包Switch负责解析包ovs-vsctl----id=@sflowcreatesflowagent=eth0

target=\"1:6343\"header=128sampling=512polling=10--setbridgeubuntu_brsflow=@sflowovs-vsctllistsflowovs-vsctl--clearBridgeubuntu_brsflowovs-vsctl----id=@nfcreateNetFlowtargets=\"1:2055\"active-timeout=60--setBridgeubuntu_brnetflow=@nfovs-vsctllistNetFlowovs-vsctl--clearBridgeubuntu_brNetFlow实验六:使用sFlow和NetFlowOpenvswitch:MirrorMirror就是配置一个bridge，将某些包发给指定的mirroredports对于包的选择：select_all，所有的包select_dst_portselect_src_portselect_vlan对于指定的目的：output_port(SPAN

SwitchedPortANalyzer)output_vlan(RSPANRemoteSwitchedPortANalyzer)Openvswitch:MirrorSPANSource(SPAN)port

-AportthatismonitoredwithuseoftheSPANfeature.Destination(SPAN)port

-Aportthatmonitorssourceports,usuallywhereanetworkanalyzerisconnected.Openvswitch:MirrorRSPAN被监控的流量不是发送到一个指定的端口，而是Flood给指定的VLAN

监听的端口不一定要在本地switch上，可以在指定的VLAN的任意switch上S1isasourceswitchS2andS3areintermediateswitchesS4andS5aredestinationswitches.

learningisdisabledtoenableflooding实验七:测试Mirror的SPAN和RSPANubuntu_brInstance01first_brfirst_ifsecond_brsecond_ifvnet0vnet1vnet2Instance02Instance030102helloworldthird_ifthird_br00实验七:测试Mirror的SPAN和RSPAN创建拓扑结构ovs-vsctladd-brhelloworldiplinkaddfirst_brtypevethpeernamefirst_ifiplinkaddsecond_brtypevethpeernamesecond_ifiplinkaddthird_brtypevethpeernamethird_ifovs-vsctladd-portubuntu_brfirst_brovs-vsctladd-portubuntu_brsecond_br--setPortsecond_brtag=110ovs-vsctladd-porthelloworldsecond_if--setPortsecond_iftag=110ovs-vsctladd-porthelloworldthird_br--setPortthird_brtag=110实验七:测试Mirror的SPAN和RSPAN在first_br上面mirror所有进出vnet0的包监听first_if，并且从instance01里面ping02ovs-vsctl--setbridgeubuntu_brmirrors=@m----id=@vnet0getPortvnet0----id=@first_brgetPortfirst_br----id=@mcreateMirrorname=mirrorvnet0select-dst-port=@vnet0select-src-port=@vnet0output-port=@first_br实验七:测试Mirror的SPAN和RSPAN对进入vnet1的所有进出包，然而ouput到一个vlan110在helloworld中也要配置从110来的，都output到vlan110Disablemacaddresslearningforvlan110ovs-vsctl--setbridgeubuntu_brmirrors=@m----id=@vnet1getPortvnet1----id=@mcreateMirrorname=mirrorvnet1select-dst-port=@vnet1select-src-port=@vnet1output-vlan=110ovs-vsctl--setbridgehelloworldmirrors=@m----id=@mcreateMirrorname=mirrorvlanselect-vlan=110output-vlan=110ovs-vsctlsetbridgeubuntu_brflood-vlans=110ovs-vsctlsetbridgehelloworldflood-vlans=110实验七:测试Mirror的SPAN和RSPAN监听third_if，并且从instance02里面ping02实验七:测试Mirror的SPAN和RSPAN删除Mirror查看ubuntu_brovs-vsctllistbridgeubuntu_br清除里面的mirrorsovs-vsctlclearBridgeubuntu_brmirrors清除flood_vlansovs-vsctlclearBridgeubuntu_brflood_vlans查看所有的Mirrorovs-vsctllistMirrorovs-vsctlclearBridgehelloworldmirrorsovs-vsctlclearBridgehelloworldflood_vlansOpenvswitch:Port一般来说一个Port就是一个Interface，当然也有一个Port对应多个Interface的情况，成为BondOpenvswitch:PortPort的一个重要的方面就是VLANConfiguration，有两种模式：trunkport这个port不配置tag，配置trunks如果trunks为空，则所有的VLAN都trunk，也就意味着对于所有的VLAN的包，本身带什么VLANID，就是携带者什么VLANID，如果没有设置VLAN，就属于VLAN0，全部允许通过。如果trunks不为空，则仅仅带着这些VLANID的包通过。accessport这个port配置tag，从这个port进来的包会被打上这个tag如果从其他的trunkport中进来的本身就带有VLANID的包，如果VLANID等于tag，则会从这个port发出从其他的accessport上来的包，如果tag相同，也会被forward到这个port从accessport发出的包不带VLANID如果一个本身带VLANID的包到达accessport，即便VLANID等于tag，也会被抛弃。实验八:测试Port的VLAN功能ubuntu_brInstance01Instance02Instance03first_br(tag=103)first_ifsecond_br(trunk)second_if000102third_br(trunks=101,102)third_ifvnet0(tag=101)vnet1(tag=102)vnet2(tag=103)030405实验八:测试Port的VLAN功能创建拓扑结构ovs-vsctladd-portubuntu_brfirst_brovs-vsctladd-portubuntu_brsecond_brovs-vsctladd-portubuntu_brthird_brovs-vsctlsetPortvnet0tag=101ovs-vsctlsetPortvnet1tag=102ovs-vsctlsetPortvnet2tag=103ovs-vsctlsetPortfirst_brtag=103ovs-vsctlclearPortsecond_brtagovs-vsctlsetPortthird_brtrunks=101,102需要监听ARP，所以禁止MAC地址学习ovs-vsctlsetbridgeubuntu_brflood-vlans=101,102,103实验八:测试Port的VLAN功能从02来ping03，应该first_if和second_if能够收到包first_if收到包了，从first_br出来的包头是没有VLANID的second_if也收到包了，由于second_br是trunkport，因而出来的包头是有VLANID的，103third_if收不到包实验八:测试Port的VLAN功能从00在ping05,则second_if和third_if可以收到包(当然ping不通，因为third_if不属于某个VLAN)first_if收不到包second_if能够收到包，而且包头里面是VLANID=101third_if也能收到包，而且包头里面是VLANID=101实验八:测试Port的VLAN功能从01来ping04,则second_if和third_if可以收到包first_if收不到包second_br能够收到包，而且包头里面是VLANID=102third_if也能收到包，而且包头里面是VLANID=102实验八:测试Port的VLAN功能清理环境ovs-vsctlclearBridgeubuntu_brflood_vlansovs-vsctllistPortovs-vsctlclearPortvnet1tagovs-vsctlclearPortvnet0tagovs-vsctlclearPortfirst_brtagovs-vsctlclearPortthird_brtrunksOpenvwitch:Bond有关Interface，就不得不提BondBond将设备用多个连接在一起，形成一个虚拟的连接，从而实现高可用性以及高吞吐量很多别名：LACPTrunk,Bond,EtherchannelLACP(LinkAggregationControlProtocol)Openvwitch:Bondbond_modeactive-backup:一个连接是active，其他的backup，当active失效的时候，backup顶上balance-slb:流量安装源MAC和outputVLAN进行负载均衡balance-tcp:必须在支持LACP协议的情况下才可以，可根据L2,L3,L4进行负载均衡实验九:测试Bond功能helloworldInstance03Instance04Instance01first_brfirst_ifsecond_brsecond_if000203ubuntu_brInstance02vnet0vnet1vnet2vnet3bond0bond101ovs-vsctladd-bondubuntu_brbond0first_brsecond_brovs-vsctladd-bondhelloworldbond1first_ifsecond_ifovs-vsctlsetPortbond0lacp=activeovs-vsctlsetPortbond1lacp=active实验九:测试Bond功能查看Bond查看LACProot@popsuper1982:/home/openstack#ovs-appctllacp/show----bond0----status:activenegotiatedsys_id:2a:96:0e:c7:85:49sys_priority:65534aggregationkey:7lacp_time:slowslave:first_br:currentattachedport_id:7port_priority:65535may_enable:trueactorsys_id:2a:96:0e:c7:85:49actorsys_priority:65534actorport_id:7actorport_priority:65535actorkey:7actorstate:activityaggregationsynchronizedcollectingdistributingpartnersys_id:72:d2:d3:59:8c:41partnersys_priority:65534partnerport_id:3partnerport_priority:65535partnerkey:3partnerstate:activityaggregationsynchronizedcollectingdistributingslave:second_br:currentattachedport_id:8port_priority:65535may_enable:trueactorsys_id:2a:96:0e:c7:85:49actorsys_priority:65534actorport_id:8actorport_priority:65535actorkey:7actorstate:activityaggregationsynchronizedcollectingdistributingpartnersys_id:72:d2:d3:59:8c:41partnersys_priority:65534partnerport_id:4partnerport_priority:65535partnerkey:3partnerstate:activityaggregationsynchronizedcollectingdistributing----bond1----status:activenegotiatedsys_id:72:d2:d3:59:8c:41sys_priority:65534aggregationkey:3lacp_time:slowslave:first_if:currentattachedport_id:3port_priority:65535may_enable:trueactorsys_id:72:d2:d3:59:8c:41actorsys_priority:65534actorport_id:3actorport_priority:65535actorkey:3actorstate:activityaggregationsynchronizedcollectingdistributingpartnersys_id:2a:96:0e:c7:85:49partnersys_priority:65534partnerport_id:7partnerport_priority:65535partnerkey:7partnerstate:activityaggregationsynchronizedcollectingdistributingslave:second_if:currentattachedport_id:4port_priority:65535may_enable:trueactorsys_id:72:d2:d3:59:8c:41actorsys_priority:65534actorport_id:4actorport_priority:65535actorkey:3actorstate:activityaggregationsynchronizedcollectingdistributingpartnersys_id:2a:96:0e:c7:85:49partnersys_priority:65534partnerport_id:8partnerport_priority:65535partnerkey:7partnerstate:activityaggregationsynchronizedcollectingdistributing实验九:测试Bond功能默认情况下bond_mode是active-backup模式，一开始active的是first_br和first_if从00ping02，以及01ping03，都是从first_if通过实验九:测试Bond功能如果把first_if设成down，则包的走向会变iplinksetfirst_ifdown发现second_if开始有流量，京first_if变成down,00和01似乎没有收到影响second_br和second_if变成active实验九:测试Bond功能重启first_if，但是second_br和second_if仍然是activeiplinksetfirst_ifup实验九:测试Bond功能把bond_mode设为balance-slbovs-vsctlsetPortbond0bond_mode=balance-slbovs-vsctlsetPortbond1bond_mode=balance-slb同时00ping02,01ping03,已经分流了把bond_mode设为balance-tcpovs-vsctlsetPortbond0bond_mode=balance-tcpovs-vsctlsetPortbond1bond_mode=balance-tcp同时在00上：netperf-H02-tUDP_STREAM---m1024在01上：netperf-H03-tUDP_STREAM---m1024Openvswitch:QoSLinuxingressegressPolicyShapingOpenvswitch:QoSClasslessQueuingDisciplines默认为pfifo_fastOpenvswitch:QoSSFQ,StochasticFairQueuing有很多的FIFO的队列，TCPSession或者UDPstream会被分配到某个队列。包会RoundRobin的从各个队列中取出发送。这样不会一个Session占据所有的流量。但不是每一个Session都有一个队列，而是有一个Hash算法，将大量的Session分配到有限的队列中。这样两个Session会共享一个队列，也有可能互相影响。Hash函数会经常改变，从而session不会总是相互影响。Openvswitch:QoSTBF,TokenBucketFilter两个概念Tokensandbuckets所有的包排成队列进行发送，但不是到了队头就能发送，而是需要拿到Token才能发送Token根据设定的速度rate生成，所以即便队列很长，也是按照rate进行发送的当没有包在队列中的时候，Token还是以既定的速度生成，但是不是无限累积的，而是放满了buckets为止，篮子的大小常用burst/buffer/maxburst来设定Buckets会避免下面的情况：当长时间没有包发送的时候，积累了大量的Token，突然来了大量的包，每个都能得到Token，造成瞬间流量大增Openvswitch:QoSClassfulQueuingDisciplinesHTB,HierarchicalTokenBucketShaping：仅仅发生在叶子节点，依赖于其他的QueueBorrowing:当网络资源空闲的时候，借点过来为我所用Rate：设定的发送速度Ceil：最大的速度，和rate之间的差是最多能向别人借多少typeofclassclassstateHTBinternalstateactiontakenleaf<

rateHTB_CAN_SENDLeafclasswilldequeuequeuedbytesuptoavailabletokens(nomorethanburstpackets)leaf>

rate,<

ceilHTB_MAY_BORROWLeafclasswillattempttoborrowtokens/ctokensfromparentclass.Iftokensareavailable,theywillbelentin

quantum

incrementsandtheleafclasswilldequeueupto

cburst

bytesleaf>

ceilHTB_CANT_SENDNopacketswillbedequeued.Thiswillcausepacketdelayandwillincreaselatencytomeetthedesiredrate.inner,root<

rateHTB_CAN_SENDInnerclasswilllendtokenstochildren.inner,root>

rate,<

ceilHTB_MAY_BORROWInnerclasswillattempttoborrowtokens/ctokensfromparentclass,lendingthemtocompetingchildrenin

quantum

incrementsperrequest.inner,root>

ceilHTB_CANT_SENDInnerclasswillnotattempttoborrowfromitsparentandwillnotlendtokens/ctokenstochildrenclasses.Openvswitch:QoSOpenvswitch:QoS创建一个HTB的qdisc在eth0上，句柄为1:，default12表示默认发送给1:12tcqdiscadddeveth0roothandle1:htbdefault12创建一个rootclass，然后创建几个子class同一个rootclass下的子类可以相互借流量，如果直接不在qdisc下面创建一个rootclass，而是直接创建三个class，他们之间是不能相互借流量的。tcclassadddeveth0parent1:classid1:1htbrate100kbpsceil100kbpstcclassadddeveth0parent1:1classid1:10htbrate30kbpsceil100kbpstcclassadddeveth0parent1:1classid1:11htbrate10kbpsceil100kbpstcclassadddeveth0parent1:1classid1:12htbrate60kbpsceil100kbps创建叶子qdisc，分别为fifo和sfqtcqdiscadddeveth0parent1:10handle20:pfifolimit5tcqdiscadddeveth0parent1:11handle30:pfifolimit5tcqdiscadddeveth0parent1:12handle40:sfqperturb10设定规则：从来的，发送给port80的包，从1:10走；其他从发送来的包从1:11走；其他的走默认tcfilteradddeveth0protocolipparent1:0prio1u32matchipsrcmatchipdport800xffffflowid1:10tcfilteradddeveth0protocolipparent1:0prio1u32matchipsrcflowid1:11Openvswitch:QoS时间0的时候，0,1,2都以90k的速度发送数据，在时间3的时候，将0的发送停止，红色的线归零，剩余的流量按照比例分给了蓝色的和绿色的线。在时间6的时候，将0的发送重启为90k，则蓝色和绿色的流量返还给红色的流量。在时间9的时候，将1的发送停止，绿色的流量为零，剩余的流量按照比例分给了蓝色和红色。在时间12,将1的发送恢复，红色和蓝色返还流量。在时间15，将2的发送停止，蓝色流量为零，剩余的流量按照比例分给红色和绿色。在时间19，将1的发送停止，绿色的流量为零，所有的流量都归了红色。Openvswitch:QoSOpenvswitch支持两种：Ingresspolicyovs-vsctlsetInterfacetap0ingress_policing_rate=100000ovs-vsctlsetInterfacetap0ingress_policing_burst=10000Egressshaping:PortQoSpolicy仅支持HTB在port上可以创建QoS一个QoS可以有多个Queue规则通过Flow设定QoSQueue实验十:测试QoS功能helloworldInstance03Instance04Instance01first_brfirst_if000203ubuntu_brInstance02vnet0vnet1vnet2vnet301实验十:测试QoS功能在什么都没有配置的时候，测试一下速度，从00netperf03设置一下first_ifovs-vsctlsetInterfacefirst_ifingress_policing_rate=100000ovs-vsctlsetInterfacefirst_ifingress_policing_burst=10000实验十:测试QoS功能清理现场ovs-vsctlsetInterfacefirst_ifingress_policing_burst=0ovs-vsctlsetInterfacefirst_ifingress_policing_rate=0ovs-vsctllistInterfacefirst_if添加QoS添加Flow(first_br是ubuntu_br上的port5)ovs-vsctlsetportfirst_brqos=@newqos----id=@newqoscreateqostype=linux-htbother-config:max-rate=10000000queues=0=@q0,1=@q1,2=@q2----id=@q0createqueueother-config:min-rate=3000000other-config:max-rate=10000000----id=@q1createqueueother-config:min-rate=1000000other-config:max-rate=10000000----id=@q2createqueueother-config:min-rate=6000000other-config:max-rate=10000000ovs-ofctladd-flowubuntu_br"in_port=6nw_src=00actions=enqueue:5:0"ovs-ofctladd-flowubuntu_br"in_port=7nw_src=01actions=enqueue:5:1"ovs-ofctladd-flowubuntu_br"in_port=8nw_src=02actions=enqueue:5:2"实验十:测试QoS功能实验十:测试QoS功能单独测试从00，01，02到03如果三个一起测试，发现是按照比例3:1:6进行的实验十:测试QoS功能如果Instance01和Instance02一起，则3:1如果Instance01和Instance03一起，则1:2如果Instance02和Instance03一起，则1:6实验十:测试QoS功能清理环境Openvswitch:Tunnelgrevxlanipsec_greOpenvswitch:TunnelGREGenericRoutingEncapsulation(GRE)isatunnelingprotocolthatcanencapsulateawidevarietyofnetworklayerprotocolsinsidevirtualpoint-to-pointlinksoveranInternetProtocolinternetwork.Openvswitch:TunnelGREGREHeader从L2到L3，数据可打包后跨越网关和路由器然后解包称为L2的数据Openvswitch:TunnelGRE缺点：点对点，扩展性不好网络设备对GRE包头支持有限，往往负载均衡和防火墙ACL都是根据IP和Port来的。Openvswitch:TunnelVXLANVXLAN：通过对L2包的打包和解包实现不同的L2网络感觉在同一个L2网络里面Components:Multicastsupport,IGMPandPIMVXLANNetworkIdentifier(VNI):24-bitsegmentIDVXLANGatewayVXLANTunnelEndPoint(VTEP)VXLANSegment/VXLANOverlayNetworkOpenvswitch:TunnelVXLANEthernetHeader:DestinationAddress

MACaddressofthedestinationVTEPifitislocal,MACaddrofgatewaywhenthedestinationVTEPisonadifferentL3network.IPHeader:Protocol

–Set0×11toindicatethattheframecontainsaUDPpacketSourceIP

–IPaddressoforiginatingVTEPDestinationIP

–IPaddressoftargetVTEP.UDPHeader:SourcePort

–SetbytransmittingVTEPVXLANPort

–IANAassignedVXLANPort.

VXLANHeader:VNI

–24-bitfieldthatistheVXLANNetworkIdentifierOpenvswitch:TunnelVXLANARP VM2 MAC2

VTEP2IGMPreport:加入组 VM1 MAC1

VTEP1IGMPreport:加入组

VM1及VM2连接到VXLAN网络100,两个VXLAN主机加入IP多播组VTEP–VXLAN隧道终端(VXLANTunnelingEndPoint)1L2/L3networkinfrastructureOpenvswitch:TunnelVXLANARPNetIDMACIPNetIDMACIP100MAC1IP1_vtep1VTEP2 VM2MAC2VTEP1 VM1MAC1BCASTMAC1ARPReq1MACHdrIPHdrDA:SA:IP_vtep1UDPHdrVXLANHdrVXLANID:100BCASTMAC1ARPReq2用IP多播封装原广播报文BCASTMAC1ARPReq5MACHdrIPHdrDA:SA:IP_vtep1UDPHdrVXLANHdrVXLANID:100BCASTMAC1ARPReq4学习内层MAC到外层源IP地址 的映射VM1发送ARP请求(广播)以获得VM2的MAC地址，VXLANID为100VTEP–VXLAN隧道终端(VXLANTunnelingEndPoint)12L2/L3网络3封装后的报文经多播转发到达Openvswitch:TunnelVXLANARPNetIDMACIP100MAC2IP_vtep2NetIDMACIP100MAC1IP_vtep1VTEP2 VM2MAC2VTEP1 VM1MAC1MAC1MAC2ARPResp42已知MAC1的外层IP地址,使用IP单播封装MAC1MAC2ARPResp1MACHdrIPHdrDA:IP_vtep1SA:IP_vtep2UDPHdrVXLANHdrVXLANID:100MAC1MAC2ARPResp3学习内层MAC到外层源IP地址的映射MACHdrIPHdrDA:IP_vtep1SA:IP_vtep2UDPHdrVXLANHdrVXLANID:100MAC1MAC2ARPRespVM2发送ARP应答(单播)到VM1VTEP–VXLAN隧道终端(VXLANTunnelingEndPoint)3L2/L3网络Openvswitch:TunnelVXLANOpenvswitch:TunnelVXLAN可支持Multicas