12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

ARIE BREGMAN
Linux And Stu

Openstack Neutron: L2 & L3 agents

JANUARY 3, 2016 / BREGMAN / 1 COMMENT

Important note: This post is a written form of this great presention of Carl Baldwin
and Rossella Sblendido. Usually when I watching vids, I write down some notes. In this
case I decided to gather most of the presention content here in one post and share it
with you as you may nd it also useful. Enjoy

L2 Agent
Its main responsibility is to wire new devices (TAP interfaces created by Nova) and to
con gure the software bridges on the compute nodes. There are usually two bridges:
br-int and br-tun.

br-int is the integration bridge. Its the bridge that takes care of tagging & untagging
the traf c which coming in or out of the VMs. To tag the traf c, it uses local vlan id and
assign it to the network.

br-tun is the tunneling bridge. It takes care of translating the tagged traf c. It
translates the vlan id into segmentation and using it then for tunneling. If for example
you use GRE tunnels, the segmentation id is used to specify the tunnel id.

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 1/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

The L2 agent is also responsible for applying security group rules ( rewall rules)
which implemented in neutron by using iptables and ip sets.

L2 constantly communicates with neutron-server using RPC.

What happens when a VM is created

vif driver is the driver that nova uses to plug and unplug the virtual interfaces into the
integration bridge. You need to use the vif driver that match the speci c neutron
driver you are using. If for example you are using neutron with openvswitch, youll
also need to use the vif openswitch driver.

The last step of this process would be L2 agent noti es neutron-server that the
device is up.

L2 Agent Work ow
L2 agent has a loop and there are speci c events which trigger some processing. The
loop is entered when one of the following events occur:

OVSDB monitor has an update OVSDB monitor is the tool that L2 agent uses to
know if something changed on the compute node (e.g port added/deleted)
http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 2/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

Messages from neutron server messages could be about security group changes
and port updates.

OVS restarted.

How ports changes detected?

L2 agent scans all ports in the machine and keeps track of those ports using internal
dictionary named registered ports.

When changes occur on the node, the OVSDB monitor signals OVS agent about the
changes. The OVS compares between registered_ports to the result of the new scan
in order to infer what devices were added or deleted.ovs

Before Liberty, the OVS agent needed to scan the ports most of the time, but in
liberty, ovsdb monitor was improved in a way it sends the actual ports that added or
deleted instead of simply setting a ag when a change occurred.

Process Port Added event

When a new port added, L2 agent request the device details. Once it gets the device
details it knows how to wire it and by wiring we mean assigning a local VLAN id to the
device If its the rst device of the network. Then it installs the proper ows (e.g
tagging and untagging the traf c).

Next, it setting up the port lters (= install the proper iptables rules) and the last step
would be to notify neutron-server that the device is up.

Process Port Deleted event

The previous process is reversed. It removes lters ( iptables rules), noti es neutron-
server that the device is down (using update_device_down) and the local VLAN id is
claimed if its the last device of the network on the host.

Process Updated port and Security group changes.

The process for Updated port event is the same as for Added port.

For security group changes, the lters are reapplied for all the affected devices.
http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 3/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

OVS Restart
When the L2 agent installed for the rst time, it installs a ow called canary ow.
Once in every loop it checks if ow is still installed. If its there, it means OVS is ne. If
its not there it means it restarted and the bridges should be recon gured along with
reprocessing all ports on the host. The ows should also be re-installed in such case.

What happens when exception is thrown?

If exception is thrown while the agent loop, the L2 agent is doing full rsync because it
doesnt know which device has issues. It will clear registered_ports and reprocess all
the ports on the node

L3 Agent
While the L3 agent shares a lot of the same architectural aspects as the L2 agent, its
completely different. L2 agent getting you attached to your networks. The L3 agent
gets your routers attached to each other. It moving data from one network to anther
and from your network to the external world.

HA and DVR
Since introduced in juno release, HA mode allows you to deploy your router on more
than one network node. If you have 50 network nodes in your deployment, you can
get it installed on all of them. To monitor the routers, it uses the virtual redundancy
protocol which also name the active router. In case of failure, it moves it accordingly.

DVR works differently. It takes the virtually created router, breaks into pieces and
push those to the compute nodes. So as soon as the vm produces traf c that needs to
be routed to a different network, that traf c routed on the compute node, before it
leaves the nic. There is an API to manage those routers location so you could move
them around.

Lets examine simple work ow between two VMs on different networks and
separate compute hosts.

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 4/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

When vm-1 sends data to vm-2, it goes through the br-int which says I know these
packets need to be routed. Im going to send those straight to the router on my
compute host. Then the packets goes through the routing table, coming out and
travel to the second compute host just like as the two vms where on the same
compute host.

The replies, originate from vm-2, travel based on the same logic. They are sent rst to
the router on the second compute host, they get routed and sent back to vm-1 on the
rst compute host.

L3 Agent Work ow
L3 agent listens for noti cations. When anything changes on the router, neutron-
server sends noti cation to the L3 agent. The L3 agent takes the noti cation it

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 5/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

received and push it into processing queue because it may have more work than it
handle at a given time. Normally it pops right up to the top of the processing queue
and pulled out for processing.

The agent has a capacity of working on few routers at a time. If its working on every
router at the same time, things may get a little slower.

There are two types of events that can be put in the processing queue.

1. Changes in the router. Usually caused by user action that changes something in
the router con guration.

2. L3 agent restart or exception thrown in such case it does a full rsync ( similar to
L2 agent process when exception thrown).

The user actions getting higher priority than the rsync or maintenance events.

L3 agent also sends status updates in case of ports or oating IPs changes.

Router Internals
A network namespace is like container or vm for network device. Its all about the
network stack virtualization.

Just like nova relies on the L2 agent to plug the port and do all the L2 wiring, L3 relies
on the L2 agent for that. Once those ports exists, whether its the ovs port or a veth
pair (virtual cable), they can be moved into a namespace, just like taking a wire and
plug it into your device.

Next, the L3 agent con gures the IP addresses on the interfaces. It con gures the
routing, whether its a basic routing table or extra routes that had been con gured on
the router. It uses iptables to implement the oating IP functionality. So it allocates a
oating IP you associate it with an instance. Neutron gures out which router that
instance need to go through to get to the external network and it uses NAT to
implement that oating IP.

On the router there is a metadata access, shared access for instances without oating
IP and some of the advance service are also integrated into it (VPNaas & FWaas).
http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 6/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

Share this:

Related

Openstack Neutron: Openstack Neutron: Open vSwitch: Introduction -

troubleshooting and solving Introduction Part 1
common problems January 4, 2016 October 18, 2016
January 6, 2016 In "Openstack" In "Linux"
In "Openstack"

Openstack

AGENT DVR L2 L3 NEUTRON OPENSTACK OVSDB MONITOR

ROUTING

PREVIOUS POST NEXT POST

Openstack: How to debug neutron with pdb Openstack Neutron: Introduction

1 Comment

Vikash
MARCH 29, 2017 AT 5:27 PM

Hi ,

Nice article. How does ovs-agent decide on port tag (tag:X) ? Can a port of
network on 2 different compute can have different tag ?

REPLY

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 7/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

Leave a Reply
Your email address will not be published.

Name

Email

Website

Post Comment

Notify me of follow-up comments by email.

Notify me of new posts by email.

Search form SEARCH

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 8/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

RECENT POSTS

Algorithms: Basic Exercises Part 1

Linear Programming: Graphical Method

jQuery Datatable Ajax: Change cells HTML after data is processed

Python: Working with Jinja2 templates

Ajax Datatable: changing row color based on the data

RECENT COMMENTS

Satya on Ansible: write and run your rst playbook

vamshi on Ansible: write and run your rst playbook

Viju on Ansible: write and run your rst playbook

Martin on Python: Objects comparison

Justin C. on Linux: Ulimit And Maximum Number Of Open Files

2017 ARIE BREGMAN UP

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 9/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 10/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 11/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 12/13
12/10/2017 Openstack Neutron: L2 & L3 agents Arie Bregman

http://abregman.com/2016/01/03/openstack-neutron-l2-l3-agents/#more-189 13/13