1fbcf5fef7
Add content from Solly Ross Remove plugin info Flatten deployment use cases Fix typos, mispellings, missing periods Change-Id: I68334c2ea910326623474dab5e7632569d164acd
85 lines
6.4 KiB
XML
Executable File
85 lines
6.4 KiB
XML
Executable File
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xml:id="install-neutron"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:svg="http://www.w3.org/2000/svg"
|
|
xmlns:html="http://www.w3.org/1999/xhtml"
|
|
version="5.0">
|
|
<title>Neutron concepts</title>
|
|
<para>Like Nova Networking, Neutron manages software-defined networking for your OpenStack
|
|
installation. However, unlike Nova Networking, Neutron can be configured for advanced virtual
|
|
network topologies, such as per-tenant private networks, and more.</para>
|
|
<para>Neutron has three main object abstractions: networks, subnets, and routers. Each has
|
|
functionality that mimics its physical counterpart: networks contain subnets, and routers route
|
|
traffic between different subnet and networks.</para>
|
|
<para>In any given Neutron setup, there is at least one external network. This network, unlike the
|
|
other networks, is not merely an virtually defined network. Instead, it represents the view into
|
|
a slice of the external network, accessible outside the OpenStack installation. IP addresses on
|
|
Neutron's external network are in fact accessible by anybody physically on the outside network.
|
|
Because this network merely represents a slice of the outside network, DHCP is disabled on this
|
|
network.</para>
|
|
<para>In addition external networks, any Neutron setup will have one or more internal networks.
|
|
These software-defined networks connect directly to the VMs. Only the VMs on any given internal
|
|
network, or those on subnets connected via interfaces to a similar router, can access VMs
|
|
connected to that network directly.</para>
|
|
<para>In order for the outside network to be able to access VMs, and vice versa, routers between
|
|
the networks are needed. Each router has one gateway, connected to a network, and many
|
|
interfaces, connected to subnets. Like a physical router, subnets can access machines on other
|
|
subnets connected to the same router, and machines can access the outside network through the
|
|
router's gateway.</para>
|
|
<para>Additionally, IP addresses on an external networks can be allocated to ports on the internal
|
|
network. Whenever something is connected to a subnet, that connection is called a port. External
|
|
network IP addresses can be associated with ports to VMs. This way, entities on the outside
|
|
network can access VMs.</para>
|
|
<para>Neutron also supports "security groups." Security groups allow administrators to define
|
|
firewall rules in groups. Then, a given VM can have one or more security groups to which it
|
|
belongs, and Neutron will apply those rules to block or unblock ports, port ranges, or traffic
|
|
types for that VM.</para>
|
|
<para>Each of the plugins that Neutron uses has its own concepts as well. While not vital to
|
|
operating Neutron, these concepts can be useful to help with setting up Neutron. All Neutron
|
|
installations use a core plugin, as well as a security group plugin (or just the No-Op security
|
|
group plugin). Additionally, Firewall-as-a-service (FWaaS) and Load-balancing-as-a-service
|
|
(LBaaS) plugins are available.</para>
|
|
<section xml:id="concepts-neutron.openvswitch">
|
|
<title>Open vSwitch Concepts</title>
|
|
<para>The Open vSwitch plugin is one of the most popular core plugins. Open vSwitch
|
|
configurations consists of bridges and ports. Ports represent connections to other things,
|
|
such as physical interfaces and patch cables. Packets from any given port on a bridge is
|
|
shared with all other ports on that bridge. Bridges can be connected through Open vSwitch
|
|
virtual patch cables, or through Linux virtual Ethernet cables (<literal>veth</literal>).
|
|
Additionally, bridges appear as network interfaces to Linux, so they can be assigned IP
|
|
addresses.</para>
|
|
<para>In Neutron, there are several main bridges. The integration bridge, called
|
|
<literal>br-int</literal>, connects directly to the VMs and associated services. The
|
|
external bridge, called <literal>br-ex</literal>, connects to the external network. Finally,
|
|
the VLAN configuration of the Open vSwitch plugin uses bridges associated with each physical
|
|
network.</para>
|
|
<para>In addition to defining bridges, Open vSwitch has OpenFlow, which allows you to define
|
|
networking flow rules. These rules are used in certain configurations to transfer packets
|
|
between VLANs.</para>
|
|
<para>Finally, some configurations of Open vSwitch use network namespaces. This allows linux to
|
|
group adapters into unique namespaces that are not visible to other namespaces, allowing
|
|
multiple Neutron routers to be managed by the same network node.</para>
|
|
<para>With Open vSwitch, there are two different technologies that can be used to create the
|
|
virtual networks: GRE or VLANs.</para>
|
|
<para>Generic Routing Encapsulation, or GRE for short, is the technology used in many VPNs. In
|
|
essence, it works by wrapping IP packets and entirely new packets with different routing
|
|
information. When the new packet reaches its destination, it is unwrapped, and the underlying
|
|
packet is routed. To use GRE with Open vSwitch, Neutron creates GRE Tunnels. This tunnels are
|
|
ports on a bridge, and allow bridges on different systems to act as though they were in fact
|
|
one bridge, allowing the compute node and network node to act as one for the purposes of
|
|
routing.</para>
|
|
<para>Virtual LANs, or VLANs for short, on the other hand, use a special modification to the
|
|
Ethernet header. They add a 4-byte VLAN tag that ranges between 1 and 4094 (the 0 tag is
|
|
special, and the 4095 tag, made of all ones, is equivalent to an untagged packet). Special
|
|
NICs, switches, and routers know how to interpret the VLAN tags, as does Open vSwitch. Packets
|
|
tagged for one VLAN will only be shared with other devices configured to be on that VLAN,
|
|
despite the fact that all of the devices are on the same physical network.</para>
|
|
<para>The most common security group driver used with Open vSwitch is the Hybrid IPTables/Open
|
|
vSwitch plugin. It uses a combination for IPTables and OpenFlow rules. IPTables is a tool used
|
|
for creating firewalls and setting up NATs on Linux. It uses a complex rule system and
|
|
"chains" of rules to allow for the complex rules required by Neutron's security groups.</para>
|
|
</section>
|
|
</section>
|