2 Licensed under the Apache License, Version 2.0 (the "License"); you may
3 not use this file except in compliance with the License. You may obtain
4 a copy of the License at
6 http://www.apache.org/licenses/LICENSE-2.0
8 Unless required by applicable law or agreed to in writing, software
9 distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
10 WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
11 License for the specific language governing permissions and limitations
14 Convention for heading levels in Open vSwitch documentation:
16 ======= Heading 0 (reserved for the title in a document)
22 Avoid deeper levels because they do not render well.
24 ===============================
25 What's New with OVS and OVN 2.8
26 ===============================
28 This document is about what was added in Open vSwitch 2.8, which was released
29 at the end of August 2017, concentrating on the new features in OVN. It also
30 covers some of what is coming up in Open vSwitch and OVN 2.9, which is due to
31 be released in February 2018. OVN has many features, and this document does
32 not cover every new or enhanced feature (but contributions are welcome).
34 This document assumes a basic familiarity with Open vSwitch, OVN, and their
35 associated tools. For more information, please refer to the Open vSwitch and
36 OVN documentation, such as the ``ovn-architecture``\(7) manpage.
38 Debugging and Troubleshooting
39 -----------------------------
41 Before version 2.8, Open vSwitch command-line tools were far more painful to
42 use than they needed to be. This section covers the improvements made to the
43 CLI in the 2.8 release.
48 The OVN CLI, through ``ovn-nbctl``, ``ovn-nbctl``, and ``ovn-trace``, used
49 full-length UUIDs almost everywhere. It didn't even provide any assistance
50 with completion, etc., which in practice meant always cutting and pasting UUIDs
51 from one command or window to another. This problem wasn't limited to the
52 places where one would expect to have to see or use a UUID, either. In many
53 places where one would expect to be able to use a network, router, or port
54 name, a UUID was required instead. In many places where one would want to see
55 a name, the UUID was displayed instead. More than anything else, these
56 shortcomings made the CLI user-hostile.
58 There was an underlying problem that the southbound database didn't actually
59 contain all the information needed to provide a decent user interface. In some
60 cases, for example, the human-friendly names that one would want to use for
61 entities simply weren't part of the database. These names weren't necessary
62 for correctness, only for usability.
64 OVN 2.8 eased many of these problems. Most parts of the CLI now allow the user
65 to abbreviate UUIDs, as long as the abbreviations are unique within the
66 database. Some parts of the CLI where full-length UUIDs make output hard to
67 read now abbreviate them themselves. Perhaps more importantly, in many places
68 the OVN CLI now displays and accepts human-friendly names for networks,
69 routers, ports, and other entities. In the places where the names were not
70 previously available, OVN (through ``ovn-northd``) now copies the names into
71 the southbound database.
73 The CLIs for layers below OVN, at the OpenFlow and datapath layers with
74 ``ovs-ofctl`` and ``ovs-dpctl``, respectively, had some similar problems in
75 which numbers were used for entities that had human-friendly names. Open
76 vSwitch 2.8 also solves some of those problems. Other than that, the most
77 notable enhancement in this area was the ``--no-stats`` option to ``ovs-ofctl
78 dump-flows``, which made that command's output more readable for the cases
79 where per-flow statistics were not interesting to the reader.
81 Connections Between Levels
82 ~~~~~~~~~~~~~~~~~~~~~~~~~~
84 OVN and Open vSwitch work almost like a stack of compilers: the OVN Neutron
85 plugin translates Neutron configuration into OVN northbound configuration,
86 which ``ovn-northd`` translates into logical flows, which ``ovn-controller``
87 translates into OpenFlow flows, which ``ovs-vswitchd`` translates into datapath
88 flows. For debugging and troubleshooting it is often necessary to understand
89 exactly how these translations work. The relationship from a logical flow to
90 its OpenFlow flows, or in the other direction, from an OpenFlow flow back to
91 the logical flow that produced it, was often of particular interest, but OVN
92 didn't provide good tools for the job.
94 OVN 2.8 added some new features that ease these jobs. ``ovn-sbctl lflow-list``
95 has a new option ``--ovs`` that lists the OpenFlow flows on a particular
96 chassis that were generated from the logical flows that it lists.
97 ``ovn-trace`` also added a similar ``--ovs`` option that applies to the logical
100 In the other direction, OVN 2.8 added a new utility ``ovn-detrace`` that, given
101 an Open vSwitch trace of OpenFlow flows, annotates it with the logical flows
102 that yielded those OpenFlow flows.
107 OVN supports a distributed firewall with stateful connection tracking to ensure
108 that only packets for established connections, or those that the configuration
109 explicitly allows, can ingress a given VM or container. Neutron uses this
110 feature by default. Most packets in an OpenStack environment pass through it
111 twice, once after egress from the packet's source VM and once before ingress
112 into its destination VM. Before OVN 2.8, the ``ovn-trace`` program, which
113 shows the path of a packet through an OVN logical network, did not support the
114 logical firewall, which in practice made it almost useless for Neutron.
116 In OVN 2.8, ``ovn-trace`` adds support for the logical firewall. By default it
117 assumes that packets are part of an established connection, which is usually
118 what the user wants as part of the trace. It also accepts command-line options
119 to override that assumption, which allows the user to discover the treatment of
120 packets that the firewall should drop.
122 At the next level deeper, prior to Open vSwitch 2.8, the OpenFlow tracing
123 command ``ofproto/trace`` also supported neither the connection tracking
124 feature underlying the OVN distributed firewall nor the "recirculation" feature
125 that accompanied it. This meant that, even if the user tried to look deeper
126 into the distributed firewall mechanism, he or she would encounter a further
127 roadblock. Open vSwitch 2.8 added support for both of these features as well.
132 ``ovn-nbctl show`` and ``ovn-sbctl show``, for showing an overview of the OVN
133 configuration, didn't show a lot of important information. OVN adds some more
134 useful information here.
139 OVN 2.8 adds a built-in DNS server designed for assigning names to VMs and
140 containers within an OVN logical network. DNS names are assigned using records
141 in the OVN northbound database and, like other OVN features, translated into
142 logical flows at the OVN southbound layer. DNS requests directed to the OVN
143 DNS server never leave the hypervisor from which the request is sent; instead,
144 OVN processes and replies to the request from its ``ovn-controller`` local
145 agent. The OVN DNS server is not a general-purpose DNS server and cannot be
146 used for that purpose.
148 OVN includes simple built-in support for IP address management (IPAM), in which
149 OVN assigns IP addresses to VMs or containers from a pool or pools of IP
150 addresses delegated to it by the administrator. Before OVN 2.8, OVN IPAM only
151 supported IPv4 addresses; OVN 2.8 adds support for IPv6. OVN 2.8 also enhances
152 the address pool support to allow specific addresses to be excluded. Neutron
153 assigns IP addresses itself and does not use OVN IPAM.
158 As a distributed system, in OVN a lot can go wrong. As OVN advances, it adds
159 redundancy in places where currently a single failure could disrupt the
160 functioning of the system as a whole. OVN 2.8 adds two new kinds of high
166 The ``ovn-northd`` program sits between the OVN northbound and southbound
167 databases and translates from a logical network configuration into logical
168 flows. If ``ovn-northd`` itself or the host on which it runs fails, then
169 updates to the OVN northbound configuration will not propagate to the
170 hypervisors and the OVN configuration freezes in place until ``ovn-northd``
173 OVN 2.8 adds support for active-backup HA to ``ovn-northd``. When more than
174 one ``ovn-northd`` instance runs, it uses an OVSDB locking feature to
175 automatically choose a single active instance. When that instance dies or
176 becomes nonresponsive, the OVSDB server automatically choose one of the
177 remaining instance(s) to take over.
182 In OVN 2.8, multiple chassis may now be specified for L3 gateways. When more
183 than one chassis is specified, OVN manages high availability for that gateway.
184 Each hypervisor uses the BFD protocol to keep track of the gateway nodes that
185 are currently up. At any given time, a hypervisor uses the highest-priority
186 gateway node that is currently up.
191 The OVN architecture relies heavily on OVSDB, the Open vSwitch database, for
192 hosting the northbound and southbound databases. OVSDB was originally selected
193 for this purpose because it was already used in Open vSwitch for configuring
194 OVS itself and, thus, it was well integrated with OVS and well supported in C
195 and Python, the two languages that are used in Open vSwitch.
197 OVSDB was well designed for its original purpose of configuring Open vSwitch.
198 It supports ACID transactions, has a small, efficient server, a flexible schema
199 system, and good support for troubleshooting and debugging. However, it lacked
200 several features that are important for OVN but not for Open vSwitch. As OVN
201 advances, these missing features have become more and more of a problem. One
202 option would be to switch to a different database that already has many of
203 these features, but despite a careful search, no ideal existing database was
204 identified, so the project chose instead to improve OVSDB where necessary to
205 bring it up to speed. The following sections talk more about recent and future
211 When ``ovsdb-server`` was only used for OVS configuration, high availability
212 was not important. ``ovsdb-server`` was capable of restarting itself
213 automatically if it crashed, and if the whole system went down then Open
214 vSwitch itself was dead too, so the database server's failure was not
217 In contrast, the northbound and southbound databases are centralized components
218 of a distributed system, so it is important that they not be a single point of
219 failure for the system as a whole. In released versions of OVN,
220 ``ovsdb-server`` supports only "active-backup replication" across a pair of
221 servers. This means that if one server goes down, the other can pick it back
222 up approximately where the other one left off. The servers do not have
223 built-in support for deciding at any given time which is the active and which
224 the backup, so the administrator must configure an external agent to do this
227 Active-backup replication is not entirely satisfactory, for multiple reasons.
228 Replication is only approximate. Configuring the external agent requires extra
229 work. There is no benefit from the backup server except when the active server
230 fails. At most two servers can be used.
232 A new form of high availability for OVSDB is under development for the OVN 2.9
233 release, based on the Raft algorithm for distributed consensus. Whereas
234 replication uses two servers, clustering using Raft requires three or more
235 (typically an odd number) and continues functioning as long as more than half
236 of the servers are up. The clustering implementation is built into
237 ``ovsdb-server`` and does not require an external agent. Clustering preserves
238 the ACID properties of the database, so that a transaction that commits is
239 guaranteed to persist. Finally, reads (which are the bulk of the OVN workload)
240 scale with the size of the cluster, so that adding more servers should improve
241 performance as the number of hypervisors in an OVN deployment increases. As of
242 this writing, OVSDB support for clustering is undergoing development and early
248 Until Open vSwitch 2.8, ``ovsdb-server`` had little support for access control
249 within a database. If an OVSDB client could modify the database at all, it
250 could make arbitrary changes. This was sufficient for most uses case to that
253 Hypervisors in an OVN deployment need access to the OVN southbound database.
254 Most of their access is reads, to find out about the OVN configuration.
255 Hypervisors do need some write access to the southbound database, primarily to
256 let the other hypervisors know what VMs and containers they are running and how
257 to reach them. Thus, OVN gives all of the hypervisors in the OVN deployment
258 write access to the OVN southbound database. This is fine when all is well,
259 but if any of the hypervisors were compromised then they could disrupt the
260 entire OVN deployment by corrupting the database.
262 The OVN developers considered a few ways to solve this problem. One way would
263 be to introduce a new central service (perhaps in ``ovn-northd``) that provided
264 only the kinds of writes that the hypervisors legitimately need, and then grant
265 hypervisors direct access to the southbound database only for reads. But
266 ultimately the developers decided to introduce a new form of more access
267 control for OVSDB, called the OVSDB RBAC (role-based access control) feature.
268 OVSDB RBAC allows for granular enough control over access that hypervisors can
269 be granted only the ability to add, modify, and delete the records that relate
270 to themselves, preventing them from corrupting the database as a whole.
275 For more information about new features in OVN and Open vSwitch, please refer
276 to the NEWS file distributed with the source tree. If you have questions about
277 Open vSwitch or OVN features, please feel free to write to the Open vSwitch
278 discussion mailing list at ovs-discuss@openvswitch.org.
projects / mirror_ovs.git / blob