Flexible, Software-Defined Networking Infrastructure

Flexible, software-defined networking infrastructure

Red Hat Enterprise Linux enabling the clouds Clouds Need Red Hat Enterprise Linux

Rashid Khan Russell Bryant Networking Services Office of Technology

Wednesday, May 03, 2017

#redhat #rhsummit OS Matters Red Hat Enterprise Linux Enables, Empowers, Excels, Enterprise

Cloud

Red Hat Enterprise Linux (RHEL)

#redhat #rhsummit OS Matters !

Core operating system needs support ● Evaluation of patches regarding stability and ● Dedicated to RHEL impact (Hardening) ○ ~700 Developers ● Single point of support (no tennis match of bugs) ○ ~ 400 QA ● Minimizes downtime with balance of stability and

security (CVE) ● In addition

○ Layered products Guarantee of API and ABI ■ Developers ● Applications will work after minor upgrades ■ QA ● 3rd party kernel modules under kabi program will ○ Support Services continue work ○ ~14,000 people ready to ● Synchronization of user space with kernel ensure your success features ○

● Somethings like HW Integration with layered products, and Ansible, and a acceleration cannot be done whole portfolio of products without the OS!

#redhat #rhsummit Network Security, Isolation, Tunnels Security and Isolation

For Multi-tenancy, Fairness, Enterprise readiness

● Robust Firewalling ○ Connection Tracking with NAT in OVS ○ NetFilter ● Network Namespaces ● L2 Security via MACsec ● L3 Security via IPsec

#redhat #rhsummit Tunnels and Isolation

● VLANs (limited identifiers) ● VXLAN with HW offload with IPv6 also ● Geneve (more flexible) ● QinQ 802.1ad (great results)

C C C C C V C V M V V V V M M M M M

Vxlan Red Hat Red Hat Geneve Enterprise Enterprise QinQ Linux (RHEL) Linux (RHEL)

#redhat #rhsummit Packets to/from Virtual Machines Kernel Networking DPDK+vhost-user Device Assignment

U Vm-1 Vm-2 Vm-n Vm-1 Vm-2 Vm-n Vm-1 Vm-2 Vm-n S E Vhost-USER / QEMU R vhost -net / QEMU D D D s i i i Open vswitch Open vswitch SR-IOV p r r r a e e e c DPDK c c c e PMD t t t Driver K e Kernel Networking Kernel Kernel r Networking Networking Device Driver n e l IP IP IP Cloud s Cloud Cloud p a c e #redhat #rhsummit Ready for NFV and Enterprise

Vm-1 Vm-2 Vm-n

● Fully integrated with Vhost-USER / QEMU ○ Red Hat Openstack Platform ○ Red Hat Virtualization Open vswitch Zero packet loss absolutely possible! ● Full support with Frame Mpps Gbps Mpps/core Mpps ○ Network Namespaces size @0.002% @0.002% @0.002% @0% ○ VXLAN loss loss loss loss ○ Geneve 64 22.93 15.41 5.73 13.46 DPDK ○ Conntrack ○ NAT ○ MQ ○ CPU Pinning NIC ○ Kernel-DP / DPDK on Host DPDK NOT “experimental” anymore ○ DPDK inside the Guest Intel 82599 NIC Max ~23Mpps ○ Optimized for 10G ○ Tuning

#redhat #rhsummit CPUs are needed for SW solutions

What about 25G? 40G? 50G?

Is it game over?

#redhat #rhsummit OVS HW offload emerging as an answer

Red Hat working with ● Mellanox ● Netronome ● Cavium ● Chelsio ● Others RH Value add ● Open Source upstream solution (Must) ● Integrated solution with layered products (Must) ● Unified / Common API for Kernel and DPDK (Goal) ● No Vendor lock-in (Goal)

#redhat #rhsummit HW partner A

● Initial results look very promising

● Fully integrated solution with layered products achievable

● Physical-to-Virtual-to-Physical in this test

#redhat #rhsummit HW partner A

● Crawl, Walk, Run

● Huge Potential Of Success

● Physical-to-Virtual-to-Physical

● RHEL is a must for success

#redhat #rhsummit HW partner B

● Initial results look very promising

● Fully integrated solution with layered products achievable

● Physical-to-Virtual-to-Physical

#redhat #rhsummit HW partner B

● Crawl, Walk, Run

● Huge Potential Of Success

● Physical-to-Virtual-to-Physical

● RHEL is a must for success

#redhat #rhsummit Containers Networking (BTW Containers are Linux!) Container Versus VM Networking

Packet Flow

DPDK Accelerated NIC Open vSwitch

Userspace vhost-user container container VM VM App App OS OS executing executing App App Networking Networking Stack Stack

Kernel Open vSwitch

NIC

Performance #redhat #rhsummit Containers: DPDK or not DPDK?

Packet Flow

DPDK Accelerated NIC Open vSwitch

Userspace container container container container

App App App App

Networking Networking Networking Networking Stack Stack Stack Stack

Kernel Open vSwitch

Additional Context Switches NIC

Performance #redhat #rhsummit Container Networking

App

Container Container Container App App App App Private Network Container Container Container Container Namespace Open vSwitch veth Private Net Node 2 Private Net Private Net Private Net Namespace Namespace Namespace Namespace NIC veth Open vSwitch/Bridge Container Container SRIO-V Host Network Namespace Open vSwitch or Linux Bridge

Open vSwitch Node 3 Node 1 NIC IP cloud ● Namespaces provide private network stacks inside each container ● Kernel enforces privacy without need for heavy-weight virtualization ● Standard kernel network interfaces, iptables, routing, OVS, can all be used

#redhat #rhsummit Containers for NFV Containers NFV (Needs / Requests)

● Multiple networks (SDN, physical, SAN, etc) ● Physical NICs and SR-IOV (DPDK inside container) ● Flexible IP addressing and overlapping IP networks (multi-tenancy) ● Flat architecture for line-rate processing and low latency ● NUMA and CPU affinity of containerized VFs ● Coordinating widely separated premises ● IPv6 support and availability, especially in public cloud ● Provide existing orchestration and optional micro-service features

#redhat #rhsummit Container NFV Proof-of-Concept Using OpenShift

vCPE Operator Datacenter Server

GPON NID Demarc Point

Management VF Container VF VF Container Container Service Function Chains NIC NIC NIC Customer Metro/GPON Already Done! Under investigation: ● Static IPv6 addressing ● Overlapping IP networks ● Service Function Chains ● NUMA/CPU affinity ● Flexible IP addressing ● IPv6 SLAAC addressing ● No bridging or SDN in packet fast-paths ● Dynamic Service Function ● Multiple interfaces per container (NIC, VLAN, SDN) Chains/NSH #redhat #rhsummit ● Robust SRIO-V OVN / SDN Virtual Networking ● Decouple logical network topology from physical network

A B D E HV1 HV2 S S A B C F C R S S S D E G H

F G H

Logical Network Topology Cloud Physical Network

#redhat #rhsummit Open Virtual Network (OVN) ● Provide common virtual networking implementation as a part of the base platform (RHEL) ● Comes with OVS and introduces no new dependencies ● Use lessons learned from previous OVS based virtual networking implementations ● Started upstream in 2015 and has now matured

#redhat #rhsummit Context - OpenStack Services

API and common services

Backend specific orchestration

Backend specific host technology

#redhat #rhsummit Context - OpenStack Neutron

REST API neutron-server

Orchestration layer ML2/OVS driver (Translate Neutron config into configuration of a network across a Neutron agents deployment) (OVS, L3, DHCP, Metadata)

Per-host programmable virtual switch Open vSwitch programmed by the orchestration layer

#redhat #rhsummit Context - OpenStack Neutron with OVN

neutron-server neutron-server

ML2/OVS driver ML2/OVN driver

Neutron agents OVN services (OVS, L3, DHCP, Metadata) (ovn-northd, ovn-controller, OVN DBs)

Open vSwitch Open vSwitch

#redhat #rhsummit OVN - Virtual Networking Across Products

OpenStack OpenShift RHV neutron-server (Kubernetes) (oVirt) THANK YOU OVN CNI plugin + kubernetes ML2/OVN driver OVN network provider resource watcher

OVNplus.google.com/+RedHat services facebook.com/redhatinc OVN services OVN services (ovn-northd, ovn-controller, (ovn-northd, ovn-controller, (ovn-northd, ovn-controller, OVNlinkedin.com/company/red-hat DBs) twitter.com/RedHatNews OVN DBs) OVN DBs)

youtube.com/user/RedHatVideos

Open vSwitch Open vSwitch Open vSwitch

#redhat #rhsummit OVN Architecture

#redhat #rhsummit 1) Logical Configure in Northbound Database

Neutron with networking-ovn

OVN Northbound DB

#redhat #rhsummit 2) ovn-northd Populates Southbound Database

Neutron with networking-ovn

OVN Northbound DB ovn-northd OVN Southbound DB

#redhat #rhsummit 3) ovn-controller Generates Physical Flows Neutron with networking-ovn

OVN Northbound DB ovn-northd OVN Southbound DB

ovn-controller ovn-controller ovn-controller

OVS OVS ... OVS

#redhat #rhsummit Thank You!

Questions? Backup Differences Kernel Networking DPDK + Vhost-user Device Assignment

Pros Pros Pros ● Feature Rich / Robust solution ● Packets directly sent to user ● Line rate performance ● Ultra Flexible space ● Packets directly sent to VMs ● Integration with SDN ● Line rate performance with tiny ● HW based isolation ● Integration with OVS packets ● Supports Live Migration ● Integration with OVS Cons ● Supports Overlay Networking ● Limited number of VMs ● Full Isolation support / Cons ● Not as flexible Namespace / Multi-tenancy ● Everything has to be in user ● Less control from the host space ● No OVS Cons ● No SDN ● Non line rate performance for ● No live Migration of VMs tiny packets ● No Overlay

#redhat #rhsummit #redhat #rhsummit