Wednesday, October 8, 2014

Howto Connect network namespaces using OpenvSwitch and veth pairs

1)
Install OpenvSwitch
#sudo apt-get install openvswitch-switch

2)
Create Namespaces


http://www.opencloudblog.com/?p=66

2a)
Create 3 Namespaces
#sudo ip netns add ns1
#sudo ip netns add ns2
#sudo ip netns add ns3

2b)
List all namespaces
#sudo ip netns list

3)
Create an OpenvSwitch Switch

3a)
List all OpenvSwitch bridges
#sudo ovs-vsctl list-br

3b)
Create an OpenvSwitch "my-ov-switch1"
#sudo ovs-vsctl add-br my-ov-switch1

3c)
List all OpenvSwitch bridges
#sudo ovs-vsctl list-br

3d)
List all interfaces in the global namespace and find the OpenvSwitch "my-ov-switch1"
#ifconfig -a
OR
#ifconfig my-ov-switch1

4)
Create first veth/port interface pairs (Pipe) "tap1"======="ovs-tap1"

4a)
Create first veth/port interface pairs (Pipe) "tap1"======="ovs-tap1"
#sudo ip link add tap1 type veth peer name ovs-tap1

4b)
Check the newly created interfaces in the global namespace
#ifconfig tap1
#ifconfig ovs-tap1

* At this point the interfaces "tap1" and "ovs-tap1" don't have an IP address associated with them.

4c)
Move/Attach "tap1" interface from global namespace to the "ns1" namespace.
OR
Attach one side of the Pipe "tap1=======ovs-tap1" to "ns1" namespace.

#sudo ip link set tap1 netns ns1

* At this point, run "#ifconfig -a" in the global namespace and you will not be able to see the "tap1" interface there.
* Run "#ifconfig -a" in the "ns1" namespace to see the "tap1" interface.
* Example: #sudo ip netns exec ns1 ifconfig -a

4d)
List ports/interfaces in the OpenvSwitch "my-ov-switch1"
#sudo ovs-vsctl list-ports my-ov-switch1

* At this point you can't see any ports

4e)
Move/Attach "ovs-tap1" interface/port from global namespace to the OpenvSwitch "my-ov-switch1".
OR
Attach other side of the Pipe "tap1=======ovs-tap1" to the OpenvSwitch "my-ov-switch1".
#sudo ovs-vsctl add-port my-ov-switch1 ovs-tap1

4f)
List ports/interfaces in the OpenvSwitch "my-ov-switch1"
#sudo ovs-vsctl list-ports my-ov-switch1

* At this point you can see the port/interface "ovs-tap1".

4g)
Check the status of the newly created ports/interfaces "tap1" and "ovs-tap1"
#sudo ip netns exec ns1 ifconfig -a tap1
#sudo ifconfig -a ovs-tap1

* At this point the ports/interfaces "tap1" and "ovs-tap1" are in DOWN state. You can see the status as "BROADCAST MULTICAST", which means DOWN.

4h)
Set the ports/interfaces "tap1" and "ovs-tap1" to UP
#sudo ip netns exec ns1 ip link set dev tap1 up
#sudo ip link set dev ovs-tap1 up

4i)
Check the status of the newly created ports/interfaces "tap1" and "ovs-tap1"
#sudo ip netns exec ns1 ifconfig -a tap1
#sudo ifconfig -a ovs-tap1

* At this point the ports/interfaces "tap1" and "ovs-tap1" are in UP state. You can see the status as "UP BROADCAST MULTICAST", that means UP.

4j)
Check the routing table in the namespace "ns1"
#sudo ip netns exec ns1 route -n

* If the entry for the interface "tap1" is not there in the routing table, that means the interface "tap1" is DOWN.
* So we need to set the interface "tap1" UP with the command (#sudo ip netns exec ns1 ip link set dev tap1 up) to get the entry in routing table.

4k)
Display the current state of OpenvSwitch database contents
#sudo ovs-vsctl show

5)
Create second veth/port interface pairs (Pipe) "tap2"======="ovs-tap2"

5a)
Create second veth/port interface pairs (Pipe) "tap2"======="ovs-tap2"
#sudo ip link add tap2 type veth peer name ovs-tap2

5b)
Check the newly created interfaces in the global namespace
#ifconfig tap2
#ifconfig ovs-tap2

* At this point the interfaces "tap2" and "ovs-tap2" don't have an IP address associated with them.

5c)
Move/Attach "tap2" interface from global namespace to the "ns2" namespace.
OR
Attach one side of the Pipe "tap2=======ovs-tap2" to "ns2" namespace.

#sudo ip link set tap2 netns ns2

* At this point, run "#ifconfig -a" in the global namespace and you will not be able to see the "tap2" interface there.
* Run "#ifconfig -a" in the "ns2" namespace to see the "tap2" interface.
* Example: #sudo ip netns exec ns2 ifconfig -a

5d)
List ports/interfaces in the OpenvSwitch "my-ov-switch1"
#sudo ovs-vsctl list-ports my-ov-switch1

* At this point you can see only one port "ovs-tap1".

5e)
Move/Attach "ovs-tap2" interface/port from global namespace to the OpenvSwitch "my-ov-switch1".
OR
Attach other side of the Pipe "tap2=======ovs-tap2" to the OpenvSwitch "my-ov-switch1".
#sudo ovs-vsctl add-port my-ov-switch1 ovs-tap2

5f)
List ports/interfaces in the OpenvSwitch "my-ov-switch1"
#sudo ovs-vsctl list-ports my-ov-switch1

* At this point you can see the port/interface "ovs-tap1" and "ovs-tap2"

5g)
Check the status of the newly created ports/interfaces "tap2" and "ovs-tap2"
#sudo ip netns exec ns2 ifconfig -a tap2
#sudo ifconfig -a ovs-tap2

* At this point the ports/interfaces "tap2" and "ovs-tap2" are in DOWN state. You can see the status as "BROADCAST MULTICAST", that means DOWN.

5h)
Set the ports/interfaces "tap2" and "ovs-tap2" to UP
#sudo ip netns exec ns2 ip link set dev tap2 up
#sudo ip link set dev ovs-tap2 up

5i)
Check the status of the newly created ports/interfaces "tap2" and "ovs-tap2"
#sudo ip netns exec ns2 ifconfig -a tap2
#sudo ifconfig -a ovs-tap2

* At this point the ports/interfaces "tap2" and "ovs-tap2" are in UP state. You can see the status as "UP BROADCAST MULTICAST", that means UP.

5j)
Check the routing table in the namespace "ns2"
#sudo ip netns exec ns2 route -n

* If the entry for the interface "tap2" is not there in the routing table, that means the interface "tap2" is DOWN.
* So we need to set the interface "tap2" UP with the command (#sudo ip netns exec ns2 ip link set dev tap2 up) to get the entry in routing table.

5k)
Display the current state of OpenvSwitch database contents
#sudo ovs-vsctl show


6)
Assign IP addresses to the interfaces "tap1" in the namespace "ns1" and "tap2" in the namespace "ns2", and ping from "ns1" to "ns2".

6a)
Assign IP address to the interface "tap1" in the namespace "ns1".
#sudo ip netns exec ns1 ip addr add 10.1.1.4/24 dev tap1

6b)
Assign IP address to the interface "tap2" in the namespace "ns2".
#sudo ip netns exec ns2 ip addr add 10.1.1.5/24 dev tap2

6c)
Check the IP address of the interfaces "tap1" and "tap2"
#sudo ip netns exec ns1 ifconfig -a tap1
#sudo ip netns exec ns2 ifconfig -a tap2

* You should see the IP for the interfaces "tap1" and "tap2"

6d)
Check the routing table in the namespace "ns1" and "ns2"
#sudo ip netns exec ns1 route -n
#sudo ip netns exec ns2 route -n

* You should see the entries for "tap1" and "tap2" in the routing tables of namespaces "ns1" and "ns2" respectively. If you can't see an entry, that means the interface is DOWN.

6e)
Ping from "ns1" to "ns2".
#sudo ip netns exec ns1 ping 10.1.1.5

* Ping should work

7)
Check the Flow Table of OpenvSwitch "my-ov-switch1"

http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities%2Fovs-ofctl.8.in


#sudo ovs-ofctl show my-ov-switch1
#sudo ovs-ofctl dump-tables my-ov-switch1
#sudo ovs-ofctl dump-flows my-ov-switch1

8)
Ping to "173.194.36.16" (www.google.com)


8a)
Ping to "173.194.36.16" (www.google.com) from namespace "ns1"
#sudo ip netns exec ns1 ping 173.194.36.16

* Ping will not work

8b)
Capture Ping (ICMP) packets from the OpenvSwitch "my-ov-switch1"
#sudo tshark -i my-ov-switch1 icmp

* We will not capture any ICMP packets on the OpenvSwitch "my-ov-switch1": the packets are dropped inside the namespace "ns1" itself, because its routing table has no default gateway (a path to redirect all packets whose destination address is not in the 10.1.1.4/24 network).

8c)
Check the routing table in the namespace "ns1".
#sudo ip netns exec ns1 route -n

* You can see that there is no default gateway defined

8d)
Check the IP of the OpenvSwitch "my-ov-switch1"
#ifconfig -a my-ov-switch1

8e)
Attach IP to OpenvSwitch "my-ov-switch1"
#sudo ip addr add 10.1.1.3/24 dev my-ov-switch1

8f)
Check the IP of the OpenvSwitch "my-ov-switch1"
#ifconfig -a my-ov-switch1

8g)
Add a default gateway so that packets not destined for the network 10.1.1.x can flow outside.
The default gateway has to be set to the IP address of the OpenvSwitch "my-ov-switch1"
#sudo ip netns exec ns1 route add default gw 10.1.1.3 tap1

8h)
Check the routing table in the namespace "ns1".
#sudo ip netns exec ns1 route -n

* You can see the entry of default gateway

8i)
Ping to 173.194.36.16 from namespace "ns1"
#sudo ip netns exec ns1 ping 173.194.36.16

* Ping will not work, but you will see the ICMP request packets on OpenvSwitch "my-ov-switch1" and no reply packets.
* Use the command (#sudo tshark -i my-ov-switch1 icmp) to capture the packets from the OpenvSwitch "my-ov-switch1"
* That means the reply packets are not being routed properly. So we need to add SNAT in the global namespace for packets with source IP 10.1.1.4 or 10.1.1.x, OR we need to add a MASQUERADE rule for the interface "eth0" (VirtualBox NAT).
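
The routing decision behind steps 8a to 8c, and behind the default gateway added afterwards, as an added example that is not part of the original post: a longest-prefix-match lookup that works on any unicast IPv4 routing table, not only the one built here. It assumes "ip -4 route show" output rather than the "route -n" output used above; the function names and the two sample tables for "ns1" are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): longest-prefix-match lookup over
# a namespace routing table in `ip -4 route show` format (unicast routes only).

# Constructed sample tables for "ns1": before and after the default gateway.
NS1_BEFORE='10.1.1.0/24 dev tap1 proto kernel scope link src 10.1.1.4'
NS1_AFTER="default via 10.1.1.3 dev tap1
$NS1_BEFORE"

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# route_lookup DEST < table : prints "<dev> <gateway|direct>" or "unreachable"
route_lookup() {
    dest=$(ip2int "$1"); best_len=-1; best=unreachable
    while read -r prefix rest; do
        [ -n "$prefix" ] || continue
        if [ "$prefix" = default ]; then prefix=0.0.0.0/0; fi
        case $prefix in
            */*) net=${prefix%/*}; len=${prefix#*/} ;;
            *)   net=$prefix; len=32 ;;
        esac
        mask=0
        if [ "$len" -gt 0 ]; then mask=$(( (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF )); fi
        [ $(( $dest & $mask )) -eq $(( $(ip2int "$net") & $mask )) ] || continue
        [ "$len" -gt "$best_len" ] || continue   # keep only the most specific match
        best_len=$len; dev=; via=direct
        set -- $rest
        while [ $# -gt 1 ]; do                   # pick out "dev X" and "via Y"
            case $1 in dev) dev=$2 ;; via) via=$2 ;; esac
            shift
        done
        best="$dev $via"
    done
    echo "$best"
}

# Demo on the constructed tables. On a live host, pipe in the output of:
#   sudo ip netns exec ns1 ip -4 route show
for dst in 10.1.1.5 173.194.36.16; do
    echo "before gw: $dst -> $(echo "$NS1_BEFORE" | route_lookup "$dst")"
    echo "after gw:  $dst -> $(echo "$NS1_AFTER" | route_lookup "$dst")"
done
```

An "unreachable" result means the packet is rejected inside the namespace and never reaches the veth pair, which is why the capture on "my-ov-switch1" stays empty until the default gateway exists.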


