From patchwork Fri Feb 19 14:31:53 2016
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 585242
From: Numan Siddique
To: dev@openvswitch.org
Organization: Red Hat
Message-ID: <56C72759.4070406@redhat.com>
Date: Fri, 19 Feb 2016 20:01:53 +0530
Subject: [ovs-dev] [PATCH] ovn: Add a section on containers in OVN Tutorial

Signed-Off-by: Numan Siddique
---
 tutorial/OVN-Tutorial.md                 | 77 ++++++++++++++++++++++++++++++++
 tutorial/automake.mk                     |  7 ++-
 tutorial/ovn/env7/add-container-ports.sh | 60 +++++++++++++++++++++++++
 tutorial/ovn/env7/packet1.sh             | 19 ++++++++
 tutorial/ovn/env7/packet2.sh             | 19 ++++++++
 tutorial/ovn/env7/setup.sh               | 36 +++++++++++++++
 6 files changed, 216 insertions(+), 2 deletions(-)
 create mode 100755 tutorial/ovn/env7/add-container-ports.sh
 create mode 100755 tutorial/ovn/env7/packet1.sh
 create mode 100755 tutorial/ovn/env7/packet2.sh
 create mode 100755 tutorial/ovn/env7/setup.sh
diff --git a/tutorial/OVN-Tutorial.md b/tutorial/OVN-Tutorial.md index 1188faa..2bcfc59 100644 --- a/tutorial/OVN-Tutorial.md +++ b/tutorial/OVN-Tutorial.md 
@@ -709,6 +709,78 @@ though. perspective and also provides an example of what the resulting OpenFlow flows look like. +7) Container Ports +------------------ + +OVN supports containers running directly on the hypervisors and running +containers inside VMs. This example shows how OVN supports network +virtualization to containers when run inside VMs. Details about how to use +docker containers in OVS can be found [here][openvswitch-docker]. + +To support container traffic created inside a VM and to distinguish network +traffic coming from different container vifs, for each container a logical +port needs to be created with parent name set to the VM's logical port and +the tag set to the vlan tag of the container vif. + +Start with a simple logical switch with 3 logical ports. + +[View ovn/env7/setup.sh][env7setup]. + + $ ovn/env7/setup.sh + +Lets create a container vif attached to the logical port 'sw0-port1' and +another container vif attached to the logical port 'sw0-port2'. + +[View ovn/env7/add-container-ports.sh][env7contports] + + $ ovn/env7/add-container-ports.sh + +Run the `ovn-nbctl` command to see the logical ports + + $ovn-nbctl show + + +As you can see a logical port 'csw0-cport1' is created on a logical +switch 'csw0' whose parent is 'sw0-port1' and it has tag set to 42. +And a logical port 'csw0-cport2' is created on the logical switch 'csw0' +whose parent is 'sw0-port2' and it has tag set to 43. + +Bridge 'br-vmport1' represents the ovs bridge running inside the VM +connected to the logical port 'sw0-port1'. In this tutorial the ovs port +to 'sw0-port1' is created as a patch port with its peer connected to the +ovs bridge 'br-vmport1'. An ovs port 'cport1' is added to 'br-vmport1' +which represents the container interface connected to the ovs bridge +and vlan tag set to 42. Similarly 'br-vmport2' represents the ovs bridge +for the logical port 'sw0-port2' and 'cport2' connected to 'br-vmport2' +with vlan tag set to 43. 
+ +This first trace shows a packet from 'csw0-port1' with a destination mac +address of 'csw0-port2'. You can see ovs bridge of the vm 'br-vmport1' tags +the traffic with vlan id 42 and the traffic reaches to the br-int because +of the patch port. As you can see below `ovn-controller` has added a flow +to strip the vlan tag and set the reg6 and metadata appropriately. + + $ ovs-ofctl -O OpenFlow13 dump-flows br-int + OFPST_FLOW reply (OF1.3) (xid=0x2): + cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=3,dl_vlan=42 actions=pop_vlan,set_field:0x3->reg5,set_field:0x2->metadata,set_field:0x1->reg6,resubmit(,16) + cookie=0x0, duration=2767.002s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=4,dl_vlan=43 actions=pop_vlan,set_field:0x4->reg5,set_field:0x2->metadata,set_field:0x2->reg6,resubmit(,16) + cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=3 actions=set_field:0x1->reg5,set_field:0x1->metadata,set_field:0x1->reg6,resubmit(,16) + cookie=0x0, duration=2767.001s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=4 actions=set_field:0x2->reg5,set_field:0x1->metadata,set_field:0x2->reg6,resubmit(,16) + +[View ovn/env7/packet1.sh][env7packet1]. + + $ ovn/env5/packet1.sh + + +The second trace shows a packet from 'csw0-port2' to 'csw0-port1'. + +[View ovn/env7/packet2.sh][env7packet2]. + + $ ovn/env5/packet1.sh + +You can extend this setup by adding additional container ports with two +hypervisors. Please see the tutorial 3 above. + [ovn-architecture(7)]:http://openvswitch.org/support/dist-docs/ovn-architecture.7.html [Tutorial.md]:https://github.com/openvswitch/ovs/blob/master/tutorial/Tutorial.md [ovn-nb(5)]:http://openvswitch.org/support/dist-docs/ovn-nb.5.html 
@@ -742,4 +814,9 @@ look like. [env5packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env5/packet2.sh [env6setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env6/setup.sh [env6acls]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env6/add-acls.sh +[env7setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/setup.sh +[env7contports]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/add-container-ports.sh +[env7packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/packet1.sh +[env7packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/packet2.sh [openstack-ovn-acl-blog]:http://blog.russellbryant.net/2015/10/22/openstack-security-groups-using-ovn-acls/ +[openvswitch-docker]:http://openvswitch.org/support/dist-docs/INSTALL.Docker.md.txt diff --git a/tutorial/automake.mk b/tutorial/automake.mk index f41c406..7e835f2 100644 --- a/tutorial/automake.mk +++ b/tutorial/automake.mk @@ -30,7 +30,10 @@ EXTRA_DIST += \ tutorial/ovn/env5/packet1.sh \ tutorial/ovn/env5/packet2.sh \ tutorial/ovn/env6/setup.sh \ - tutorial/ovn/env6/add-acls.sh - + tutorial/ovn/env6/add-acls.sh \ + tutorial/ovn/env7/add-container-ports.sh \ + tutorial/ovn/env7/packet1.sh \ + tutorial/ovn/env7/packet2.sh \ + tutorial/ovn/env7/setup.sh sandbox: all cd $(srcdir)/tutorial && MAKE=$(MAKE) ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS) diff --git a/tutorial/ovn/env7/add-container-ports.sh b/tutorial/ovn/env7/add-container-ports.sh new file mode 100755 index 0000000..482c969 --- /dev/null +++ b/tutorial/ovn/env7/add-container-ports.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o xtrace + +# create a logical switch +ovn-nbctl lswitch-add csw0 + +# create a container port with parent set to sw0-port1 +ovn-nbctl lport-add csw0 csw0-cport1 sw0-port1 42 +ovn-nbctl lport-set-addresses csw0-cport1 00:00:00:00:01:01 +ovn-nbctl lport-set-port-security csw0-cport1 00:00:00:00:01:01 + +# create another container port with parent set to sw0-port1 +ovn-nbctl lport-add csw0 csw0-cport2 sw0-port2 43 +ovn-nbctl lport-set-addresses csw0-cport2 00:00:00:00:01:02 +ovn-nbctl lport-set-port-security csw0-cport2 00:00:00:00:01:02 + + +# Make lport1 as a patch port, other end connected to br-vmport1 +ovs-vsctl set interface lport1 type=patch +ovs-vsctl set interface lport1 options:peer=patch-lport1 + +ovs-vsctl set interface lport2 type=patch +ovs-vsctl set interface lport2 options:peer=patch-lport2 + + +# This represents ovs bridge inside a VM attached to lport1 +ovs-vsctl add-br br-vmport1 + +# create a patch port with peer set to lport1. +ovs-vsctl add-port br-vmport1 patch-lport1 +ovs-vsctl set interface patch-lport1 type=patch +ovs-vsctl set interface patch-lport1 options:peer=lport1 + +# create a container port on br-vmport1. 
Any traffic sent on this +# port will reach to the br-int of the host via the patch port +ovs-vsctl add-port br-vmport1 cport1 +ovs-vsctl set port cport1 tag=42 + +# This represents ovs bridge inside a VM attached to lport2 +ovs-vsctl add-br br-vmport2 +ovs-vsctl add-port br-vmport2 patch-lport2 +ovs-vsctl set interface patch-lport2 type=patch +ovs-vsctl set interface patch-lport2 options:peer=lport2 + +ovs-vsctl add-port br-vmport2 cport2 +ovs-vsctl set port cport2 tag=43 diff --git a/tutorial/ovn/env7/packet1.sh b/tutorial/ovn/env7/packet1.sh new file mode 100755 index 0000000..660566b --- /dev/null +++ b/tutorial/ovn/env7/packet1.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o xtrace + +# Trace a packet from csw0-port1 to csw0-port2. +ovs-appctl ofproto/trace br-vmport1 in_port=3,dl_src=00:00:00:0:01:01,dl_dst=00:00:00:00:01:02 -generate diff --git a/tutorial/ovn/env7/packet2.sh b/tutorial/ovn/env7/packet2.sh new file mode 100755 index 0000000..244fbbd --- /dev/null +++ b/tutorial/ovn/env7/packet2.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o xtrace + +# Trace a packet from csw0-port2 to csw0-port1. +ovs-appctl ofproto/trace br-vmport2 in_port=3,dl_src=00:00:00:0:01:02,dl_dst=00:00:00:00:01:01 -generate diff --git a/tutorial/ovn/env7/setup.sh b/tutorial/ovn/env7/setup.sh new file mode 100755 index 0000000..2df0f0e --- /dev/null +++ b/tutorial/ovn/env7/setup.sh 
@@ -0,0 +1,36 @@ +#!/bin/bash +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -o xtrace + +# Create a logical switch named "sw0" +ovn-nbctl lswitch-add sw0 + +# Create two logical ports on "sw0". +ovn-nbctl lport-add sw0 sw0-port1 +ovn-nbctl lport-add sw0 sw0-port2 +ovn-nbctl lport-add sw0 sw0-port3 + +ovn-nbctl lport-set-addresses sw0-port1 00:00:00:00:00:01 +ovn-nbctl lport-set-addresses sw0-port2 00:00:00:00:00:02 +ovn-nbctl lport-set-addresses sw0-port3 00:00:00:00:00:03 + +ovn-nbctl lport-set-port-security sw0-port1 00:00:00:00:00:01 +ovn-nbctl lport-set-port-security sw0-port2 00:00:00:00:00:02 +ovn-nbctl lport-set-port-security sw0-port3 00:00:00:00:00:03 + +ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1 +ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2 +ovs-vsctl add-port br-int lport3 -- set Interface lport3 external_ids:iface-id=sw0-port3
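Review bot: in the tutorial/OVN-Tutorial.md hunk (@@ -709,6 +709,78 @@), both trace steps tell the reader to run `$ ovn/env5/packet1.sh`, although the links directly above them point at env7/packet1.sh and env7/packet2.sh. A reader following the text would run the env5 trace twice and never exercise the container ports; the commands should read `$ ovn/env7/packet1.sh` and `$ ovn/env7/packet2.sh`. The trace paragraphs also name the ports 'csw0-port1' and 'csw0-port2', while the earlier paragraph and add-container-ports.sh call them 'csw0-cport1' and 'csw0-cport2'. Smaller points in the same hunk: `$ovn-nbctl show` is missing the space after the prompt, and "Lets create" should be "Let's create".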
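Review bot: in the tutorial/automake.mk hunk (@@ -30,7 +30,10 @@), the blank line that separated the EXTRA_DIST list from the `sandbox: all` rule is removed, so the last list entry `tutorial/ovn/env7/setup.sh` now sits directly above the rule. The list still terminates correctly because that entry has no trailing backslash, but please keep the empty line: with it gone, the next person who appends an entry and adds a `\` to the setup.sh line would splice `sandbox: all` into EXTRA_DIST.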
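Review bot: in tutorial/ovn/env7/add-container-ports.sh, the comment "create another container port with parent set to sw0-port1" does not match the command under it, which is `ovn-nbctl lport-add csw0 csw0-cport2 sw0-port2 43`; the comment should say sw0-port2. The lport2 patch-port block also has no comment equivalent to "Make lport1 as a patch port", and the br-vmport2 section lacks the per-step comments that br-vmport1 has. Since the parent name and tag are the only things that tie container traffic to its logical port, a short comment stating that `tag=42` on cport1 must equal the tag passed to `lport-add` for csw0-cport1 (and likewise 43 for cport2) would help readers who adapt the script.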
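Review bot: in tutorial/ovn/env7/packet1.sh, the trace uses `dl_src=00:00:00:0:01:01`, with a single-digit fourth octet, whereas add-container-ports.sh sets the address and port security of csw0-cport1 to `00:00:00:00:01:01`. Please write the source MAC in the same full form so it visibly matches the port-security entry it is meant to satisfy. The comment also says "csw0-port1 to csw0-port2" where the ports are named csw0-cport1 and csw0-cport2.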
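Review bot: in tutorial/ovn/env7/packet2.sh, `in_port=3` is hard-coded for br-vmport2 (and likewise for br-vmport1 in packet1.sh), yet add-container-ports.sh only adds two ports to each of those bridges, patch-lport2 and cport2. Please confirm that 3 is really the OpenFlow port number of cport2 in the sandbox, or name the port instead of relying on assignment order, and add a comment saying which port the number refers to. The `dl_src=00:00:00:0:01:02` literal has the same shortened octet as in packet1.sh and should be written as `00:00:00:00:01:02`.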
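Review bot: in tutorial/ovn/env7/setup.sh, the comment "Create two logical ports on "sw0"." is followed by three `ovn-nbctl lport-add` calls (sw0-port1, sw0-port2, sw0-port3), and the tutorial text says the switch has 3 logical ports; the comment should say three. The final `ovs-vsctl add-port br-int ...` block has no comment; one line explaining that `external_ids:iface-id` binds each OVS interface to its logical port would match the commenting style of the rest of the script.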