OpenvSwitch Patch Ports
Summary
Recently I've been doing some prototyping for a commercial project using my Orabuntu-LXC software and needed to get some new OVS switches, which had been added to the Orabuntu-LXC configuration, talking to each other, and I had some difficulty figuring out how to do this.
However, a very helpful blog post by Scott Lowe provided at least one way (or, if you will, the first way) to do this that meets my requirement. That lets me move forward on my commercial project and also enhances the Orabuntu-LXC project, so I'm writing it up here on my blog.
Background
Two switches were added, sw10 and sw11, to the Orabuntu-LXC host, to support containers on 10.21.70.0/24 and 10.191.70.0/24, respectively, which need to talk to each other. The containers are at 10.21.70.[1,2,3,4] and 10.191.70.[1,2]. The sw10 switch is on VLAN 12 and the sw11 switch is on VLAN 13. The containers themselves are clones of Orabuntu-LXC oel69 (Oracle Linux 6.9) seed containers previously prepared by Orabuntu-LXC automation for use with Oracle Enterprise RDBMS software.
Here's what the finished patch port setup looks like. There are other OVS switches in this deployment, but only the OVS switches relevant to this post are shown. The lines to note are the trunks and the patch ports that were added (g1 on sw10 and f1 on sw11).
ubuntu@ubuntu:~$ sudo ovs-vsctl show
[sudo] password for ubuntu:
812e6f24-1e49-4b7b-9855-3d1a04d71b7b
    Bridge "sw10"
        Port "g1"
            tag: 12
            trunks: [10, 11, 12, 13]
            Interface "g1"
                type: patch
                options: {peer="f1"}
        Port "xxxxxxxx"
            tag: 12
            Interface "xxxxxxxx"
        Port "sw10"
            tag: 12
            trunks: [10, 11, 12, 13]
            Interface "sw10"
                type: internal
        Port "xxxxxxxx"
            tag: 12
            Interface "xxxxxxxx"
    Bridge "sw11"
        Port "sw11"
            tag: 13
            trunks: [10, 11, 12, 13]
            Interface "sw11"
                type: internal
        Port "xxxxxxxx"
            tag: 13
            Interface "xxxxxxxx"
        Port "f1"
            tag: 13
            trunks: [10, 11, 12, 13]
            Interface "f1"
                type: patch
                options: {peer="g1"}
The commands used to build the basic switches shown above (crt_ovs_sw10.sh and crt_ovs_sw11.sh) are just modified copies of the crt_ovs_sx1.sh script, which is part of the Orabuntu-LXC project, with the subnets changed to those required for the added networks.
The commands that build the patch ports are not yet in those scripts; they were issued at the command line. They will be incorporated into crt_ovs_sw10.sh and crt_ovs_sw11.sh once all testing has been done.
The commands that were used to add the patch ports, including the VLAN trunking, are shown below. Note that more trunks are added here than are actually necessary; only trunks=12,13 is needed.
sudo ovs-vsctl set interface f1 type=patch
sudo ovs-vsctl set interface g1 type=patch
sudo ovs-vsctl set interface f1 options:peer=g1
sudo ovs-vsctl set interface g1 options:peer=f1
sudo ovs-vsctl set port g1 trunks=10,11,12,13
sudo ovs-vsctl set port f1 trunks=10,11,12,13
The networking sections of the configs of the two containers to be connected are shown below.
# Networking
lxc.network.type = veth
lxc.network.flags = up
lxc.network.script.up = /etc/network/if-up.d/openvswitch/xxxxxxxx-pub-ifup-sw10
lxc.network.script.down = /etc/network/if-down.d/openvswitch/xxxxxxxx-pub-ifdown-sw10
lxc.network.veth.pair = xxxxxxxx
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4 = 10.21.70.1
lxc.network.ipv4.gateway = 10.21.70.253
lxc.network.hwaddr = 00:16:3e:c7:48:d8
# Networking
lxc.network.type = veth
lxc.network.flags = up
lxc.network.script.up = /etc/network/if-up.d/openvswitch/xxxxxxxx-pub-ifup-sw11
lxc.network.script.down = /etc/network/if-down.d/openvswitch/xxxxxxxx-pub-ifdown-sw11
lxc.network.veth.pair = xxxxxxxx
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4 = 10.191.70.1
lxc.network.ipv4.gateway = 10.191.70.253
lxc.network.hwaddr = 00:16:3e:98:b5:e9
Also, here is what the /etc/network/if-up.d/openvswitch/xxxxxxxx-pub-ifup-sw10 file looks like. Notice that these files put the VLAN tag on the dynamically created port at container startup time.
#!/bin/bash
# $5 is the host-side veth device name that LXC passes to the network up script
ovsBr='sw10'
ovs-vsctl add-port ${ovsBr} $5
ovs-vsctl set port $5 tag=12
And here is what the /etc/network/if-up.d/openvswitch/xxxxxxxx-pub-ifup-sw11 file looks like.
#!/bin/bash
# Same as above, but attaches the container to sw11 on VLAN 13
ovsBr='sw11'
ovs-vsctl add-port ${ovsBr} $5
ovs-vsctl set port $5 tag=13
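Because these hooks run as root at every container start with an interface name supplied by LXC, here is an added, stricter version of the hook (my example, not Orabuntu-LXC's script): it checks the argument count and the hook context, rejects anything that is not a plausible interface name before handing it to ovs-vsctl, and performs the add-port and the tag in one transaction so that a failure between the two original commands cannot leave an untagged port on the bridge. The bridge name sw10 and tag 12 come from the post; the OVS_BRIDGE, OVS_TAG and DRY_RUN variables, the function names and the matching ifdown command are my own assumptions.

```shell
#!/bin/sh
# Added example (not Orabuntu-LXC code): a stricter version of the
# xxxxxxxx-pub-ifup-sw10 hook shown above. LXC calls lxc.network.script.up as
#   <hook> <container> net up veth <host-side-veth>
# so $5 is the host-side veth name. The hook runs as root, so the argument
# is validated before it reaches ovs-vsctl, and the port is added and
# tagged in a single transaction. Bridge and tag default to the values in
# the post; DRY_RUN=1 prints the command instead of running it.
OVS_BRIDGE=${OVS_BRIDGE:-sw10}   # assumed default, matches the post
OVS_TAG=${OVS_TAG:-12}

# Return 0 only for a plausible Linux interface name: 1-15 characters,
# letters, digits, '_', '.', '-' only, and not "." or "..".
valid_ifname() {
    case "$1" in
        ""|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Build the single ovs-vsctl transaction that attaches $1 to the bridge as
# an access port on the configured VLAN. --may-exist makes re-running the
# hook harmless; vlan_mode=access makes the access-port intent explicit.
ifup_cmd() {
    printf 'ovs-vsctl --may-exist add-port %s %s tag=%s vlan_mode=access\n' \
        "$OVS_BRIDGE" "$1" "$OVS_TAG"
}

# Matching down-hook command: --if-exists keeps container shutdown from
# failing if the port has already gone away.
ifdown_cmd() {
    printf 'ovs-vsctl --if-exists del-port %s %s\n' "$OVS_BRIDGE" "$1"
}

# Hook entry point: validate argument count, context and device name, then
# apply. Returns 2 on bad input so LXC reports a failure instead of
# silently starting a container that is not attached to the switch.
hook_main() {
    [ "$#" -ge 5 ] || { echo "usage: $0 <container> net up veth <veth>" >&2; return 2; }
    [ "$3" = up ] || { echo "unexpected hook context: $3" >&2; return 2; }
    valid_ifname "$5" || { echo "refusing invalid interface name" >&2; return 2; }
    cmd=$(ifup_cmd "$5")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        eval "$cmd"
    fi
}

# Only act when invoked by LXC with arguments (sourcing the file is a no-op).
if [ "$#" -gt 0 ]; then
    hook_main "$@"
fi
```

Installing this as the lxc.network.script.up target (with a down hook that calls ifdown_cmd) keeps the same behaviour as the original two-line script in the normal case; the difference only shows when the argument is malformed or when ovs-vsctl fails part-way, which are exactly the cases the original script does not handle.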
The static networking directive in the container config file results in the container having the routes shown below. The directive:
lxc.network.ipv4.gateway = 10.21.70.253
in the config file of the container generates the default route (the 0.0.0.0 / UG line) in the table below.
bash-4.1# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.21.70.253    0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
bash-4.1#
Even without the patch ports, the configuration so far is sufficient to provide DNS resolution via the olive DNS/DHCP nameserver containers at 10.207.39.2 and 10.207.29.2, and also to resolve yahoo.com, google.com, and so on. However, without the patch ports, 10.21.70.0/24 could not ping or ssh to 10.191.70.0/24 and vice versa.
The other container has a similar routing setup, as shown below.
# Networking
lxc.network.type = veth
lxc.network.flags = up
lxc.network.script.up = /etc/network/if-up.d/openvswitch/xxxxxxxx-pub-ifup-sw11
lxc.network.script.down = /etc/network/if-down.d/openvswitch/xxxxxxxx-pub-ifdown-sw11
lxc.network.veth.pair = xxxxxxxx
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.ipv4 = 10.191.70.1
lxc.network.ipv4.gateway = 10.191.70.253
lxc.network.hwaddr = 00:16:3e:98:b5:e9
and the routes:
bash-4.1# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.191.70.253   0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
Once the patch ports are configured as shown above, the two containers, which sit on different OVS switches, networks and VLANs, can successfully ping and ssh each other, as shown below.
ubuntu@ubuntu:~$ sudo lxc-attach -n xxxxxxxx
bash-4.1# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.191.70.253   0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
bash-4.1# ssh oracle@10.21.70.1
oracle@10.21.70.1's password:
Last login: Sun Aug 27 14:03:16 2017 from 10.191.70.1
[oracle@xxxxxxxx ~]$ ssh oracle@10.191.70.1
The authenticity of host '10.191.70.1 (10.191.70.1)' can't be established.
RSA key fingerprint is 5e:06:2e:63:de:b9:c7:d6:35:38:1b:fc:6e:99:e4:f2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.191.70.1' (RSA) to the list of known hosts.
oracle@10.191.70.1's password:
Last login: Sat Aug 26 15:48:00 2017 from 10.21.70.253
[oracle@xxxxxxxx ~]$ exit
logout
Connection to 10.191.70.1 closed.
[oracle@xxxxxxxx ~]$ exit
logout
Connection to 10.21.70.1 closed.
bash-4.1# exit
exit
ubuntu@ubuntu:~$