Application specific networking

Linux namespaces and OpenContrail can be combined to create application specific networks where a specific process on a Linux host can be associated with a virtual-network.

With OpenContrail this application can be placed directly in a Layer 3 VPN which can extend across the WAN; load-balancing can be performed via “floating-ip” addresses associated with multiple instances of the application; routing between virtual-networks is performed in a fully distributed manner; ACLs can be configured; and flow records are collected in a time-series data-base for subsequent analysis.

As an example, lets start an apache web server in a virtual-network on a Linux machine.

The first step is to install OpenContrail in the machine. This can be achieved via a binary distribution or by compiling the source code and manually installing.

This script contains all the steps involved in preparing a build VM, compiling the code and starting the software. While it has been developed to run as part of devstack it can be executed independently. OpenContrail can run independently of OpenStack/CloudStack. For a production deployment, you will need to start the configuration and control components of OpenContrail in a couple of servers (for redundancy). For test purposes one can run the configuration, control and virtual router components in the same server.

Once the software is installed, one needs to define application instances and their networking properties using the contrail API.

This script contains an example of how to define an instance and associate it with a virtual-network. The contrail configuration management component allocates an IP address and mac address for the application instance. Currently the API uses the terminology “virtual-machine” and “virtual-machine-interface” but there the implementation supports any kind of application instance.

Next we need to define a networking namespace on the server running the application:

ip link add veth0 type veth peer name veth1
ip netns add service-1
ip link set veth0 netns service-1

 

And associate the “veth1” interface with the “virtual-machine-interface” created on the OpenContrail configuration API. This script can be invoked with the VM and VMI uuids created above. It takes as arguments the VM uuid and VMI uuid and veth1.

Once this is done, the veth1 interface should be visible in the OpenContrail vrouter agent (http://server-ip:8085/Snh_ItfReq?name=veth1).

Now we need to configure the veth0 mac and set the peer up. It is important that the veth0 mac address be the same address as defined for the “virtual-machine-interface” on the contrail API. Incoming traffic will be rejected by the Linux kernel otherwise.

ip netns exec service-1 ifconfig veth0 hw ether xx:xx:xx:xx:xx:xx
ip set link veth1 up

Now we can setup the networking on the namespace:

ip netns exec service-1 dhclient veth0

And start an application:

APACHE_LOG_DIR=/var/log/httpd APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data sudo -E ip netns exec service-1 /usr/sbin/apache2

Once this is done any other host in the virtual-network should be able to access this HTTP server. OpenContrail network policies can then be used to define connectivity between virtual-networks as well as access control lists (ACLs). And OpenContrail’s standards based interoperability means that the virtual network can be extended from the overlay to a WAN via any RFC 4364 capable router.

OpenContrail is a great replacement for the current combination of haproxy, vrrp, ipchains, dnsmasq and who-knows what else is currently necessary to deploy a load balanced application.

Advertisements

One thought on “Application specific networking

  1. Pingback: Network Namespace Provisioning | pedrormarques

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s