Ironic 裸金属管理服务的网络模型

目录

文章目录

• 目录
• Bare-Metal networking in Neutron
• 核心网络类型
• 网络拓扑
• 抽象网络拓扑图
• Neutron Implementation
• Neutron 了解裸金属节点网络拓扑的实现
• Control physical switches
• 裸金属节点的网络生命周期
• 部署网络与租户网络的切换过程
• 基于 SDN 的网络切换流程
• 参考

Bare-Metal networking in Neutron

Ironic use Neutron (the networking API of OpenStack) for configuring the network. “Bare-metal” deployment is little bit different than VM and Ironic had some extra requirement from the Neutron ml2 impelmation.

核心网络类型

Cleaning Network：network that is used to clean the bare-metal server - and make sure that the “bare metal”-node is ready for new workload. That network is recommended to be created as a provider-VLAN network for separation from the tenant VLAN ranges.

Provisioning Network：network that is used for regular management of the node (tear-down, reboot, pxe-boot etc…). Also that network is recommended to be created as a provider-VLAN network for the same reasons of cleaning networks. (The operator can use same network for Provisioning and Cleaning, but Ironic enable define those 2 types for enable the separation（分开）between the the new/clean-nodes that are waiting to deploy and the dirty-nodes, that are waiting for clean)

• Created by administrator as a Neutron network
• Ironic compute node is connected to this VLAN
• Each baremetal node connects to this VLAN only when deployment

Tenant Network：networks that can be used for accessing to the “bare metal” for any other purpose - those networks should be managed like any network on the cloud. When “bare-metal” node is connected to tenant network , it’s should not be connected to the provision network for security reasons. (the same provision network is used for all bare-metal servers, and it breaks isolation requirements).

• Created by a tenant user as a Neutron network
• Baremetal nodes in a tenant connect to this type of VLAN after deployment

网络拓扑

• Management Network：OpenStack 管理网络。
• External Network：外部网络。
• Data Network：业务网络，承载业务流量，其作为 OpenStack underlying 网络。
• OOB (Out-of-Band) Network：带外网络，即 IPMI 网络。

抽象网络拓扑图

• Tenant network - can be dynamically attached and detached from the “bare metal” node.
• Provider networks - for cleaning and provisioning - and for any other needs.
• Ironic conductor - the software component of Ironic that actually controls the “bare metal” server (that includes the TFTP server for the PXE boot).
• DHCP server - for the assigning IP address to the “bare metal” server, and support PXE-BOOT param as well.
• Top of rack switch - we assume that the bare-metal server is physically connected to along with all other components (compute-node, ironic conductor-node etc…).
• The bare-metal server itself.

Neutron Implementation

Supporting port-groups：Bare-Metal often required to treat a group of physical ports - as logical port (e.g BOND/LAG). Those port-groups are required to be managed by Neutron.

Support PXE boot with DHCP：the most common way to boot a Bare-metal servers is by PXE boot. The PXE-boot procedure uses dhcp for retrieving the boot-file-name and tftp-server address. Ironic pass the value of those parameters to neutron (by using neutron extra_dhcp_opt ), and the dhcp-server implementation in neutron should use those parameters for answering pxe-dhcp-requests.

Neutron 了解裸金属节点网络拓扑的实现

neutron-port configurations: To notify neutron about “bare metal” ports, Ironic uses it’s own mechanisms to inspect the hardware , and forward that information as part of neutron-port configuration. For that 2 new fields introduced in neutron lport (spec) :

• local_link_information - that field located in the lport binding-profile and used for inform neutron how the port is connected the TOR switch. it’s include 3 parameters:
  • switch_id - identifier of the switch that the port connected to. It’s can be switch MAC address OpenFlow based datapath_id.
  • port_id - a physical port-identifier in the switch.
  • switch_info - other information about the switch (optional param).
• port-groups - a list of parameters for configuring the LAG/BOND on the TOR.

The neutron mechanism-drivers should use that information , while binding the lport.

DHCP configuration: Ironic uses the extra_dhcp_option attribute on neutron-port for configuring the the DHCP to support PXE boot (dhcp options: boot-file-name and tftp-server-address). Neutron ML2 driver should configure the DHCP server to answer these values upon request.

Control physical switches

• Control switches by Neutron plugin, configure VLAN of a port.
• Implement this plugin as a ML2 mechanism driver

裸金属节点的网络生命周期

1. Cleaning：make the node ready for new a job (use the cleaning network).
2. Provisioning：ironic-conductor uses IPMI on the provisioning network in order to start the machine - and use PXE for booting the machine with the desired image. The PXE boot process includes the following steps (all steps done on provisioning networks):
   • Use DHCP to obtain tftp-server addresses
   • Download boot-file from the tftp-server
   • Boot from the downloaded file
3. Connect to tenant network：after the machine is up and running. It can be connected to tenant network and managed like any VM. At this phase traffic from “bare metal” server interacts with all other component in the deployment (e.g vm , SNAT, DNAT etc… ).
   • Ironic can change the physical-ports that were used for provisioning network to be bind to tenant network. In such case the “bare metal” server will lose the connectivity with Ironic-conductor, and with “bare metal” provisioning.
4. Cleaning - back to step 1…

部署网络与租户网络的切换过程

• A baremetal node is deployed by using the Provisioning VLAN Network
  
  
• After deployment, Ironic changes the VLAN ID so that the baremetal node connects to the tenant VLAN
  
  
• A baremetal node of another tenant also can be deployed by using the Provisioning VLAN Network
  
  
• By switching VLANs, Ironic can manage all tenants
  
  

基于 SDN 的网络切换流程

NOTE：Tenant Port 的个数是由用户创建裸金属实例时指定的 Network 个数来决定的，而 Tenant Port 与 Ironic Port 的关联关系根据 Port Group 的个数以及每一个 Port Group 对应的优先级来决定。管理员在上架裸机时，会根据实际的连线情况将连接到同一个网络平面的两张网卡（Ironic Port），用一个 Port Group 关联。两个 Ironic Port 的 MAC 地址不同，但 Port Group 的 MAC 地址需要在 Ironic 和裸机操作系统层面保持一致，所以会选择一个 Ironic Port 作为主网卡，Port Group 的 MAC 地址继承主网卡的 MAC。Port Group 的优先级是用来保证当一个裸机有多个 Port Group，但用户值请求了一个 Network 来创建裸金属实例，此时仅关联至优先级大的 Port Group。

1. nova-compute 调用 Ironic API 发起部署请求。
2. 每一个裸机在 Provision 前，ironic-api 会根据 Ring HASH 方法从当前可用的 ironic-conductor 服务中选择一个来负责这个裸机的部署工作。而这个 ironic-conductor 服务配置的 Provision Network 就决定了裸机会加入到特定的 Provision Network。
3. ironic-conductor 将裸机主网卡的 LLDP 信息更新到 Provision Port 中。这一步对于 SDN 来说，意味着需要下发转发规则到 LLDP 对应的交换机端口上，也就是将这个交换机端口加入到 Provision Network 中。
4. 当部署完毕后，ironic-conductor 删除临时的 Provision Port。
5. ironic-conductor 将属于同一个 Port Group 的两个 Ironic Port 的 LLDP 信息更新到 Tenant Port 中。这一步对于 SDN 来说，意味着需要下发转发规则到两条 LLDP 信息对应的两个交换机端口上。也就是将这两个交换机端口加入到 Tenant Network 中。

参考

http://www.dragonflow.net/2017/

https://www.fujitsu.com/jp/documents/products/software/os/linux/catalog/LinuxConJapan2015-Shiina.pdf