Network Namespace Provisioning

I’d written previously on how to use OpenContrail with Linux network namespaces. I managed to find the cycles to put together a configuration wrapper that can be used as a pre-start and post-stop scripts when starting a daemon out of init.d. The scripts are in a python package available in github.

As in the previous post, the test application i used was the apache web server. But most Linux services follow a rather similar pattern when it comes to their init scripts.

I started by installing two bare metal servers with the OpenContrail community packages; one server running the configuration service and both of them running both control-node and compute-node components.

For this exercise, the objective was to be able to select the routing for the outbound traffic for a specific application. For this purpose, I started by creating two virtual-networks, one used for incoming traffic and separate one to be used for outbound traffic for a specific application. The script can be used for this purpose; it can create and delete virtual-networks as well as add and delete external route targets.

After creating an inbound and app-specific outbound networks, one can use the netns-daemon-start script to create a Linux network namespace. A network namespace contains a set of interfaces and its own routing table; one or more applications can use the namespace. Using this mechanism an application can be bound to one or more virtual-networks.

When the netns-daemon-start script is given both a “–network” and a “–outbound” parameter it creates two virtual interfaces; with the default route being added only to the “outbound” virtual-network. This makes it such that all traffic exists through this network.

The script hides a couple of tricks such as disabling the default RPF check in Linux for the “inbound” interface as well as configuring the interface address via “ip addr set” rather than using the DHCP client. Currently it is not possible to control whether or not to advertise the default route via DHCP in a virtual network, despite the fact that i’d previously written a post on how to implement it.

Once the application is bound to the virtual-networks, the script above allows one to selectively import routes from other virtual-networks. The command “ –import-only –rtarget x:y rtarget_add <network>” can be used to control which routes are imported into the outbound VRF.

Please note that the way that the script is currently implemented is a bit of an “hack”. It is changing the routing-instance directly given that at the moment there is no way to specify that a route-target is supposed to be import-only at the routing-table level. Hopefully this will be fixed soon.

While the package above lacks support for several features typically available in an OpenContrail OpenStack cluster (floating-ip comes to mind) it is capable of attaching a specifically application directly to one or more virtual-networks. Fine grain control of outbound application traffic is something that i see more and more people interested in.

Enjoy !


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s