OVN (Open Virtual Network) is a network virtualization system developed alongside Open vSwitch (OVS). OpenStack Neutron uses it through the ML2/OVN mechanism driver (originally the separate networking-ovn project) to provide overlay networking and distributed L2/L3 services across compute nodes; OVN programs the OVS instance on each node so that the nodes together form one distributed virtual network.
A physical network consists of tangible components like cables, switches, and routers. A virtual network extends the reach of a physical network into a hypervisor or container platform, so that virtual machines (VMs) or containers can be attached to the physical network. An OVN logical network, in contrast, is a software-defined network that is separated from both physical and virtual networks by encapsulation (tunnels). This isolation is an addressing and forwarding boundary, not an identity boundary: logical networks can use IP addresses and address spaces that overlap with those of the physical network, or of other tenants, without conflict, because every packet is tagged with its logical datapath. Logical topologies can be designed independently of the physical topology, so a VM on a logical network can be migrated from one physical machine to another without being re-addressed.
Here’s a high-level overview of how OVN networking works in OpenStack Neutron:
- Logical Switches: OVN creates logical switches that represent virtual L2 networks (Neutron networks). Each logical switch has a unique name and owns a set of logical switch ports; the port entries record which MAC and IP addresses belong to each port, which is how OVN knows where to deliver a frame.
- Logical Ports: When a new VM is created in OpenStack, a logical port is associated with it. Logical ports connect VMs to logical switches and carry a unique name, MAC address and IP addresses. The port's port_security column lists the addresses the VM is allowed to send from (the port's own MAC/IPs plus any allowed-address-pairs), so a VM that spoofs another address is dropped at its own hypervisor.
- Distributed Routing: OVN supports distributed routing, which means that routing decisions are made locally on each compute node rather than by a central router. Each compute node participating in the OVN network acts as a distributed router for east/west traffic. With ML2/OVN there is no Neutron L3 agent; ovn-controller on each node programs the routing flows directly into OVS.
- Distributed Firewall: OVN includes a distributed firewall that enforces security policies at the hypervisor level. Neutron security groups are translated into OVN ACLs on the logical switch (grouped by Port_Group), and ovn-controller enforces them in OVS with conntrack, so allow-related rules are stateful and filtering happens before a packet ever reaches the wire.
- Overlay Networks: OVN uses overlay networks to provide communication between VMs on different compute nodes. It encapsulates the original packets in a tunneling protocol, Geneve by default (VXLAN and GRE are also supported), which lets VMs on different compute nodes communicate as if they were on the same L2 segment. The tunnel carries the logical datapath and port metadata; it does not encrypt the payload unless OVN's optional IPsec support is enabled, so tenant traffic on the underlay is visible to anyone who can capture it.
- DPDK: OVN and networking-ovn may be used with OVS running either the Linux kernel datapath or the DPDK (userspace) datapath.
- North/South Connectivity: OVN also supports connectivity to external networks, allowing VMs to communicate with resources outside the OpenStack environment. This is achieved through Neutron routers with an external gateway, which OVN realizes as distributed gateway ports scheduled onto one or more gateway chassis (the Gateway_Chassis table); those chassis are the nodes that need a bridge mapping to the provider network.
- VLAN tenant networks: The networking-ovn driver does support VLAN tenant networks when used with OVN version 2.11 (or higher).
- Central Control Plane: OVN has a central control plane made of the northbound database (the logical configuration, written by the Neutron server through the ML2/OVN driver), ovn-northd (which translates it into logical flows in the southbound database) and the southbound database, which every chassis's ovn-controller watches to program OpenFlow into its local OVS. Neutron API requests are handled by the Neutron server; the OVN databases only see the resulting OVSDB transactions. Anything that can write the northbound database can rewrite every tenant's ACLs and routes, so the databases are the most sensitive component of the deployment.
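The translation from a security-group rule to an OVN ACL described under Distributed Firewall above, as an added illustration (this is not the ML2/OVN driver's own code). It copies the conventions the driver uses: a port group named pg_<security group id with dashes replaced by underscores>, Neutron ingress mapped to OVN to-lport (outport match) and egress to from-lport (inport match), allow rules at priority 1002 and the default drop at 1001. SGRule is a constructed stand-in for Neutron's security-group-rule object, and the security-group id in the demo is made up.

```python
"""Translate Neutron-style security-group rules into OVN ACL entries.

Illustrative code, not the ML2/OVN driver's implementation. It follows the
driver's naming and priority conventions; SGRule is a constructed stand-in
for the Neutron security-group-rule object.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIO_ALLOW = 1002  # security-group allow rules
PRIO_DROP = 1001   # default drop just below them: what makes a group default-deny

Acl = Tuple[str, int, str, str]  # (ovn direction, priority, match, action)


@dataclass(frozen=True)
class SGRule:
    direction: str                     # Neutron, VM-relative: "ingress" | "egress"
    ethertype: str = "IPv4"            # "IPv4" | "IPv6"
    protocol: Optional[str] = None     # "tcp" | "udp" | "icmp" | None = any IP protocol
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_cidr: Optional[str] = None  # None or a /0 prefix means "anywhere"


def port_group_name(sg_id: str) -> str:
    return "pg_" + sg_id.replace("-", "_")


def acl_for_rule(rule: SGRule, sg_id: str) -> Acl:
    """Build the OVN ACL that enforces one security-group rule on the group's port group."""
    pg = port_group_name(sg_id)
    ipv = "ip4" if rule.ethertype == "IPv4" else "ip6"
    if rule.direction == "ingress":
        # Traffic into the VM is filtered as it leaves the pipeline toward the port.
        ovn_dir, port_term, remote_field = "to-lport", f"outport == @{pg}", f"{ipv}.src"
    elif rule.direction == "egress":
        ovn_dir, port_term, remote_field = "from-lport", f"inport == @{pg}", f"{ipv}.dst"
    else:
        raise ValueError(f"unknown direction {rule.direction!r}")

    terms = [port_term, ipv]
    if rule.remote_cidr:
        net = ipaddress.ip_network(rule.remote_cidr, strict=False)
        if net.prefixlen > 0:  # a /0 prefix restricts nothing, so leave it out of the match
            terms.append(f"{remote_field} == {net}")
    if rule.protocol == "icmp":
        terms.append("icmp4" if ipv == "ip4" else "icmp6")
    elif rule.protocol in ("tcp", "udp"):
        terms.append(rule.protocol)
        lo, hi = rule.port_min, rule.port_max
        if lo is not None and hi is not None and lo != hi:
            terms.append(f"{rule.protocol}.dst >= {lo} && {rule.protocol}.dst <= {hi}")
        elif lo is not None:
            terms.append(f"{rule.protocol}.dst == {lo}")
    elif rule.protocol is not None:
        raise ValueError(f"unsupported protocol {rule.protocol!r}")
    # allow-related commits the flow to conntrack so replies are accepted statefully.
    return ovn_dir, PRIO_ALLOW, " && ".join(terms), "allow-related"


def default_drop_acls(sg_id: str) -> List[Acl]:
    """The drop pair that makes a security group default-deny in both directions."""
    pg = port_group_name(sg_id)
    return [
        ("to-lport", PRIO_DROP, f"outport == @{pg} && ip", "drop"),
        ("from-lport", PRIO_DROP, f"inport == @{pg} && ip", "drop"),
    ]


def nbctl_command(sg_id: str, acl: Acl) -> str:
    """Equivalent ovn-nbctl invocation, useful for applying or reviewing an ACL by hand."""
    direction, prio, match, action = acl
    return (f"ovn-nbctl --type=port-group acl-add {port_group_name(sg_id)} "
            f"{direction} {prio} {shlex.quote(match)} {action}")


if __name__ == "__main__":
    sg = "4b7e1c2d-8a90-4f5e-b6c7-1d2e3f4a5b6c"  # constructed security-group id
    rules = [
        SGRule("ingress", protocol="tcp", port_min=22, port_max=22, remote_cidr="203.0.113.0/24"),
        SGRule("ingress", ethertype="IPv6", protocol="icmp", remote_cidr="::/0"),
        SGRule("egress"),
    ]
    for acl in [acl_for_rule(r, sg) for r in rules] + default_drop_acls(sg):
        print(nbctl_command(sg, acl))
```

The ordering of the two priorities is the whole security model: a rule that is accidentally written at or below 1001, or a drop that is deleted, silently changes the group from default-deny to default-allow, which is why the audit of the live ACL table matters as much as the rules that were intended.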
Accessing OVN database content
OVN stores configuration data in a collection of OVSDB tables: the northbound database holds the logical configuration written by Neutron and is read with ovn-nbctl, while the southbound database holds the compiled logical flows and chassis bindings and is read with ovn-sbctl. The following commands show the contents of the most common tables in each. By default both tools talk to the local database socket; when querying a remote database, connect over SSL (--db=ssl:host:port with --private-key, --certificate and --ca-cert) rather than a plain TCP listener, since write access to the northbound database is equivalent to control over every tenant's network policy.
$ ovn-nbctl list Logical_Switch
$ ovn-nbctl list Logical_Switch_Port
$ ovn-nbctl list ACL
$ ovn-nbctl list Address_Set
$ ovn-nbctl list Logical_Router
$ ovn-nbctl list Logical_Router_Port
$ ovn-nbctl list Gateway_Chassis
$ ovn-sbctl list Chassis
$ ovn-sbctl list Encap
$ ovn-sbctl lflow-list
$ ovn-sbctl list Multicast_Group
$ ovn-sbctl list Datapath_Binding
$ ovn-sbctl list Port_Binding
$ ovn-sbctl list MAC_Binding
$ ovn-sbctl list Gateway_Chassis
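Reading the ACL table is only useful if someone looks at what is in it. The following added example (not part of the page or of OVN) parses the record format that ovn-nbctl list and ovn-sbctl list print, one "column : value" line per column with records separated by blank lines, and flags to-lport allow ACLs whose match does not restrict the source address, i.e. ports open to the whole world. SAMPLE is constructed output for four ACLs with made-up UUIDs and port-group names; on a real deployment, pipe ovn-nbctl list ACL into the script instead.

```python
"""Parse `ovn-nbctl list ACL` output and flag ingress ACLs that accept any source.

Added example; not part of the page or of OVN. SAMPLE is constructed output
(fake UUIDs and port groups) in the format ovn-nbctl/ovn-sbctl list print.
"""
import ipaddress
import re
import sys
from typing import Any, Dict, List, Tuple

SAMPLE = """\
_uuid               : 1f2a6b0c-5d3e-4c7a-9a1b-0e6d5c4b3a21
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="7c1d2e3f-4a5b-4c6d-8e9f-0a1b2c3d4e5f"}
log                 : false
match               : "outport == @pg_web && ip4 && tcp && tcp.dst == 22"
meter               : []
name                : []
priority            : 1002
severity            : []

_uuid               : 2c3b7d1e-6e4f-4d8b-8b2c-1f7e6d5c4b32
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="8d2e3f40-5b6c-4d7e-9fa0-1b2c3d4e5f60"}
log                 : false
match               : "outport == @pg_web && ip4 && ip4.src == 0.0.0.0/0"
meter               : []
name                : []
priority            : 1002
severity            : []

_uuid               : 3d4c8e2f-7f50-4e9c-9c3d-2a8f7e6d5c43
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="9e3f4051-6c7d-4e8f-a0b1-2c3d4e5f6071"}
log                 : false
match               : "outport == @pg_db && ip4 && ip4.src == 10.20.0.0/24 && tcp && tcp.dst == 5432"
meter               : []
name                : []
priority            : 1002
severity            : []

_uuid               : 4e5d9f30-8061-4fad-ad4e-3b908f7e6d54
action              : drop
direction           : from-lport
external_ids        : {}
log                 : false
match               : "inport == @pg_web && ip"
meter               : []
name                : []
priority            : 1001
severity            : []
"""

FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")
MAP_ITEM_RE = re.compile(r'"?([^",=]+)"?="?([^",]*)"?')
SRC_RE = re.compile(r"ip[46]\.src\s*==\s*([0-9a-fA-F:.]+(?:/\d+)?)")
DST_PORT_RE = re.compile(r"(tcp|udp)\.dst\s*(==|>=|<=)\s*(\d+)")


def _parse_value(raw: str) -> Any:
    """Decode the OVSDB value notation: "string", {map}, [] (empty), true/false, integers."""
    raw = raw.strip()
    if raw == "[]":
        return None
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    if raw.startswith("{") and raw.endswith("}"):
        return {k.strip(): v for k, v in MAP_ITEM_RE.findall(raw[1:-1])}
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # UUIDs, enums such as to-lport, anything else: keep verbatim


def parse_list_output(text: str) -> List[Dict[str, Any]]:
    """Split `ovn-nbctl list <table>` output into one dict per record."""
    records: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line in list output: {line!r}")
        current[m.group(1)] = _parse_value(m.group(2))
    if current:
        records.append(current)
    return records


def source_restricted(match: str) -> bool:
    """True if the match pins the source to a prefix narrower than /0."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen > 0 for c in SRC_RE.findall(match))


def audit_acls(records: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (uuid, reason) for every to-lport allow ACL reachable from any source."""
    findings = []
    for acl in records:
        if acl.get("direction") != "to-lport" or not str(acl.get("action", "")).startswith("allow"):
            continue
        match = acl.get("match") or ""
        if source_restricted(match):
            continue
        ports = DST_PORT_RE.findall(match)
        detail = ", ".join(f"{p}.dst {op} {n}" for p, op, n in ports) if ports else "all IP protocols and ports"
        findings.append((acl["_uuid"], f"{acl['action']} from any source: {detail}"))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for uuid, reason in audit_acls(parse_list_output(text)):
        print(f"{uuid}  {reason}")
```

The check deliberately treats a missing ip4.src/ip6.src term and an explicit /0 the same way, because networking-ovn omits the source term for a 0.0.0.0/0 rule while a hand-written ACL may spell it out; either way the port is reachable from anywhere. The external_ids map ties each finding back to the Neutron security-group rule that created it, which is where the fix belongs.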
Overall, OVN simplifies network management and provides a virtual network abstraction for OpenStack Neutron, enabling complex network topologies and multi-tenant deployments whose isolation and filtering are enforced at every hypervisor rather than at a central choke point.