
openvswitch on a docker container

bantana
12 July 2015

introduction

.                         vm vm vm vm vm
.                         |  |  |  |  |
.                        --------------
.                           vSwitch
.                        --------------
Security: VLAN                 |     Monitoring: Netflow,
isolation, traffic filtering   |     sFlow, SPAN, RSPAN

QoS: traffic queuing           |     Automated Control:
and traffic shaping            |     OpenFlow, OVSDB
                               |     mgmt, protocol

design

Decoupling Hardware and Software:

Virtual Network               vm vm vm          vm vm vm
Innovate at Software Speed    |  |  |           |  |  |
Rich Edge Services            ---------         -------
Security                      vSwitch           vSwitch
- - - - - - - - - - - -- - - - - | - - -- - - - - - | - - - - - - - -
Physical Network              switch ----------- switch
Innovate at Hardware Speed
Performance and Scale
Keep it Simple

install on raspbian

modprobe openvswitch on the Docker host (containers share the host kernel, so the datapath module is loaded there, not inside the container):

$ sudo modprobe openvswitch

$ lsmod|grep -i openvswitch
openvswitch            74083  0

build the deb packages inside the container vswitch (the tarball below is fetched over plain HTTP, so verify its checksum or signature against the values published by the project before building):

$ docker create --name vswitch -h vswitch --cap-add NET_ADMIN --cap-add SYS_NICE jessie:ssh

$ docker start vswitch
$ docker exec vswitch ip addr|grep -i inet|grep -i eth0
  inet 192.168.88.233/24 scope global eth0

$ ssh 192.168.88.233 -l pi
$ mkdir ~/src
$ cd src
$ sudo apt-get install -y wget curl
$ wget -c http://openvswitch.org/releases/openvswitch-2.3.2.tar.gz
$ tar xzvf openvswitch-2.3.2.tar.gz
$ cd openvswitch-2.3.2

$ sudo apt-get install -y build-essential fakeroot

$ dpkg-checkbuilddeps
$ sudo apt-get install -y  debhelper autoconf automake automake1.10 libssl-dev graphviz python-all python-qt4 python-zopeinterface python-twisted-conch libtool

$ DEB_BUILD_OPTIONS='parallel=8 nocheck' fakeroot debian/rules binary

pi@vswitch:~/src/openvswitch-2.3.2$ ls -al ../
total 14556
drwxr-xr-x  3 pi pi    4096 Jul 17 16:03 .
drwxr-xr-x  1 pi pi    4096 Jul 17 16:19 ..
drwxr-xr-x 20 pi pi    4096 Jul 17 16:02 openvswitch-2.3.2
-rw-r--r--  1 pi pi 3277164 Jun 19 03:50 openvswitch-2.3.2.tar.gz
-rw-r--r--  1 pi pi  442758 Jul 17 16:00 openvswitch-common_2.3.2-1_armhf.deb
-rw-r--r--  1 pi pi 2258482 Jul 17 16:05 openvswitch-datapath-dkms_2.3.2-1_all.deb
-rw-r--r--  1 pi pi 3313594 Jul 17 16:04 openvswitch-datapath-source_2.3.2-1_all.deb
-rw-r--r--  1 pi pi 4439068 Jul 17 16:01 openvswitch-dbg_2.3.2-1_armhf.deb
-rw-r--r--  1 pi pi   36078 Jul 17 16:00 openvswitch-ipsec_2.3.2-1_armhf.deb
-rw-r--r--  1 pi pi   29820 Jul 17 16:03 openvswitch-pki_2.3.2-1_all.deb
-rw-r--r--  1 pi pi  792502 Jul 17 16:00 openvswitch-switch_2.3.2-1_armhf.deb
-rw-r--r--  1 pi pi   45534 Jul 17 16:03 openvswitch-test_2.3.2-1_all.deb
-rw-r--r--  1 pi pi  154120 Jul 17 16:00 openvswitch-vtep_2.3.2-1_armhf.deb
-rw-r--r--  1 pi pi   80124 Jul 17 16:03 python-openvswitch_2.3.2-1_all.deb

$ cd ../
$ sudo apt-get install -y uuid-runtime
$ sudo dpkg -i *.deb

$ sudo /etc/init.d/openvswitch-switch start
$ sudo ovs-vsctl show
97d913cf-3145-42b8-9064-8cf177449d9a
    ovs_version: "2.3.2"

use the deb packages to create a new openvswitch docker container:

$ docker create --name vsw -h vsw --cap-add NET_ADMIN --cap-add SYS_NICE jessie:ssh

$ docker start vsw
$ docker exec vsw ip addr|grep -i inet|grep -i eth0
  inet 192.168.88.226/24 scope global eth0

$ ssh 192.168.88.226 -l pi

sudo apt-get install python  libatomic1 libc6 openssl
sudo dpkg -i openvswitch-common_2.3.2-1_armhf.deb

OPTIONAL:

sudo apt-get install uuid-runtime netbase
sudo dpkg -i openvswitch-switch_2.3.2-1_armhf.deb

OPTIONAL:

sudo dpkg -i python-openvswitch_2.3.2-1_all.deb openvswitch-vtep_2.3.2-1_armhf.deb

OPTIONAL:

sudo dpkg -i openvswitch-pki_2.3.2-1_all.deb

OPTIONAL:

sudo dpkg -i openvswitch-test_2.3.2-1_all.deb
sudo apt-get install -f

create an image from the container:

$ docker ps
CONTAINER ID        IMAGE               COMMAND               CREATED             STATUS              PORTS               NAMES
e8f4f9e13308        jessie:ssh          "/usr/sbin/sshd -D"   About an hour ago   Up About an hour    22/tcp              vsw

$ docker commit vsw jessie:openvswitch

$ docker images
REPOSITORY                TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
jessie                    openvswitch         cfda11f42e3c        16 minutes ago      277.8 MB

USAGE

create a container from the image:

$ docker create --name vSwitch -h vSwitch --cap-add NET_ADMIN --cap-add SYS_NICE jessie:openvswitch

$ docker start vSwitch

$ docker exec vSwitch ip addr|grep -i inet|grep -i eth0|awk '{print $2}'
192.168.88.227/24

$ ssh 192.168.88.227 -l pi

$ sudo /etc/init.d/openvswitch-switch start
Starting ovsdb-server.
Configuring Open vSwitch system IDs.
Starting ovs-vswitchd.
Enabling remote OVSDB managers.

$ sudo ovs-vsctl show
81497ca6-1884-4193-875a-5b27c304414d
    ovs_version: "2.3.2"

FAQ

about the --cap-add flags: the names docker accepts are the keys of capabilityList in libcontainer (located and listed below). NET_ADMIN lets the container configure interfaces and bridges, which ovs-vswitchd needs; SYS_NICE lets it raise its own scheduling priority. Grant only the capabilities the container actually needs rather than running it with --privileged.

cd github.com/docker/docker
find ./ -type f |xargs grep -i "var capabilityList"
.//vendor/src/github.com/docker/libcontainer/capabilities_linux.go:var capabilityList = map[string]capability.Cap{

// capabilityList maps the capability names accepted by docker's --cap-add
// (the keys, without the CAP_ prefix) to the Linux capability each grants.
// Quoted from libcontainer/capabilities_linux.go as found above; only
// NET_ADMIN and SYS_NICE are granted to the containers in this post.
var capabilityList = map[string]capability.Cap{
  "SETPCAP":          capability.CAP_SETPCAP,
  "SYS_MODULE":       capability.CAP_SYS_MODULE,
  "SYS_RAWIO":        capability.CAP_SYS_RAWIO,
  "SYS_PACCT":        capability.CAP_SYS_PACCT,
  "SYS_ADMIN":        capability.CAP_SYS_ADMIN,
  "SYS_NICE":         capability.CAP_SYS_NICE, // used above: lets the container change scheduling priority
  "SYS_RESOURCE":     capability.CAP_SYS_RESOURCE,
  "SYS_TIME":         capability.CAP_SYS_TIME,
  "SYS_TTY_CONFIG":   capability.CAP_SYS_TTY_CONFIG,
  "MKNOD":            capability.CAP_MKNOD,
  "AUDIT_WRITE":      capability.CAP_AUDIT_WRITE,
  "AUDIT_CONTROL":    capability.CAP_AUDIT_CONTROL,
  "MAC_OVERRIDE":     capability.CAP_MAC_OVERRIDE,
  "MAC_ADMIN":        capability.CAP_MAC_ADMIN,
  "NET_ADMIN":        capability.CAP_NET_ADMIN, // used above: network administration (interfaces, bridges), needed by ovs-vswitchd
  "SYSLOG":           capability.CAP_SYSLOG,
  "CHOWN":            capability.CAP_CHOWN,
  "NET_RAW":          capability.CAP_NET_RAW,
  "DAC_OVERRIDE":     capability.CAP_DAC_OVERRIDE,
  "FOWNER":           capability.CAP_FOWNER,
  "DAC_READ_SEARCH":  capability.CAP_DAC_READ_SEARCH,
  "FSETID":           capability.CAP_FSETID,
  "KILL":             capability.CAP_KILL,
  "SETGID":           capability.CAP_SETGID,
  "SETUID":           capability.CAP_SETUID,
  "LINUX_IMMUTABLE":  capability.CAP_LINUX_IMMUTABLE,
  "NET_BIND_SERVICE": capability.CAP_NET_BIND_SERVICE,
  "NET_BROADCAST":    capability.CAP_NET_BROADCAST,
  "IPC_LOCK":         capability.CAP_IPC_LOCK,
  "IPC_OWNER":        capability.CAP_IPC_OWNER,
  "SYS_CHROOT":       capability.CAP_SYS_CHROOT,
  "SYS_PTRACE":       capability.CAP_SYS_PTRACE,
  "SYS_BOOT":         capability.CAP_SYS_BOOT,
  "LEASE":            capability.CAP_LEASE,
  "SETFCAP":          capability.CAP_SETFCAP,
  "WAKE_ALARM":       capability.CAP_WAKE_ALARM,
  "BLOCK_SUSPEND":    capability.CAP_BLOCK_SUSPEND,
  "AUDIT_READ":       capability.CAP_AUDIT_READ,
}

reference
