Creating a DANOS Virtual Router VNF in Openstack
This How-To describes how to create an instance of DANOS in OpenStack for functional testing and training. The VNF image will be a 4 vcpu, 4096 GB memory, 8 GB disk glance image with 4 network connections that can be used to spin up a Danos vRR for testing. The vcpu/memory/disk simply match the assumptions for the iso. The 4 network ports are sufficient for testing, with 1 external port for OA&M and 3 internal networks for demonstrating flows. Following the same steps, additional networks can be attached.
The intent is that the vRR can be reached via ssh/NETCONF for configuration on the external port, while the 3 other ports are for flow and feature functional testing. This configuration is not for throughput testing but rather for getting familiar with the features and functions of a Danos Virtual Router.
At a high level, we create a glance image from the iso by creating a virtual server, installing the Danos image onto an attached volume, detaching that disk image and then creating a working vRR from the disk image using a flavor whose network/vcpu/memory/disk settings match our test assumptions.
CAVEAT:
Your environment must expose ssse3 to the virtual machine or Danos will not install. “host-passthrough” (the [libvirt] cpu_mode setting in your nova.conf) is required.
Instructions
A. Networks
In horizon or via the CLI, create 3 networks (in addition to the external network).
Set options for no gateway but DHCP on.
In this example I will use these names and IP blocks:
private-01 192.168.101.0/24
private-02 192.168.102.0/24
private-03 192.168.103.0/24
Note: After the server's ports are created you will come back to the ports on these networks to disable “Port Security”; Neutron's anti-spoofing filter on a port otherwise drops the packets a router forwards on behalf of other hosts.
B. Flavor
Create a flavor that matches the final image we want:
4096 GB Memory
4 vcpu
1 disk with size 8 GB
C. Load ISO
Download the iso to your devstack/openstack environment
TODO: how to add cloud-init / heat utilities to iso/image
wget http://repos.danosproject.org.s3-website-us-west-1.amazonaws.com/images/danos-1908-amd64-vrouter.iso
D. Source your openstack credentials (you may need to copy them into your environment from the horizon portal)
source openstack.rc
E. Import the Danos iso
openstack image create --public \
--disk-format iso --container-format bare \
--file danos-1908-amd64-vrouter.iso danos-1908-amd64-vrouter.iso
openstack image list
+--------------------------------------+------------------------------+--------+
| ID | Name | Status |
+--------------------------------------+------------------------------+--------+
| e2f30f29-779f-4def-b8f0-fa9824cf6e1e | danos-1908-amd64-vrouter.iso | active |
+--------------------------------------+------------------------------+--------+
F. Create a server
Create a server (danosVRRFromISO in the listing below) from the iso image with the flavor from step B, using the net-ids from horizon for the 4 networks (1 external and 3 private from step A).
G. Create a volume
Create an 8 GB volume (danosVRRVolume) for the installer to write to; openstack volume list shows it as available:
+--------------------------------------+----------------+-----------+------+-------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+----------------+-----------+------+-------------+
| 21133635-433f-4411-8a40-9fbca1a59a07 | danosVRRVolume | available | 8 | |
+--------------------------------------+----------------+-----------+------+-------------+
H. Attach the volume to the server
+--------------------------------------+-----------------+--------+----------------------------------------------------------------------------------------------------------------------+------------------------------+---------------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+-----------------+--------+----------------------------------------------------------------------------------------------------------------------+------------------------------+---------------+
| 35933051-4c5e-45a0-a8cd-24d2f14384b7 | danosVRRFromISO | ACTIVE | private-02=192.168.102.231; private-01=192.168.101.199; private-03=192.168.103.224; public=2001:db8::6b, 10.0.200.34 | danos-1908-amd64-vrouter.iso | danos4cpu4G8G |
+--------------------------------------+-----------------+--------+----------------------------------------------------------------------------------------------------------------------+------------------------------+---------------+
I. Use the horizon instance console to configure and install the image
Follow the instructions from Installing DANOS, picking up after the virt-manager instance creation.
Before you run “install image” it is worth modifying the config to use dhcp on the dp0s3 interface and to activate the ssh service, so that ssh can be used for configuration afterwards.
You typically cannot copy/paste into the console window via horizon, so you will have to type this in.
show config will display
Run “install image”.
After the update to /dev/vda2 is complete, you can simply exit out of the console.
J. Delete the server created from the iso, preserving the disk image
"openstack volume list" shows the preserved volume danosVRRVolume as in-use while the instance exists and as available once the instance is deleted.
+--------------------------------------+----------------+--------+------+------------------------------------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+----------------+--------+------+------------------------------------------+
| 21133635-433f-4411-8a40-9fbca1a59a07 | danosVRRVolume | in-use | 8 | Attached to danosVRRFromISO on /dev/vda |
+--------------------------------------+----------------+--------+------+------------------------------------------+
openstack volume list
+--------------------------------------+----------------+-----------+------+-------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+----------------+-----------+------+-------------+
| 21133635-433f-4411-8a40-9fbca1a59a07 | danosVRRVolume | available | 8 | |
+--------------------------------------+----------------+-----------+------+-------------+
K. Upload the image to glance
Upload the volume as a new glance image (danosVRRImage). This may take some minutes to change from saving to active; use openstack image list to check periodically.
+--------------------------------------+------------------------------+--------+
| ID | Name | Status |
+--------------------------------------+------------------------------+--------+
| e2f30f29-779f-4def-b8f0-fa9824cf6e1e | danos-1908-amd64-vrouter.iso | active |
| fcac0734-0875-408d-86b2-c8cbadb261e8 | danosVRRImage | saving |
+--------------------------------------+------------------------------+--------+
openstack image list
+--------------------------------------+------------------------------+--------+
| ID | Name | Status |
+--------------------------------------+------------------------------+--------+
| e2f30f29-779f-4def-b8f0-fa9824cf6e1e | danos-1908-amd64-vrouter.iso | active |
| fcac0734-0875-408d-86b2-c8cbadb261e8 | danosVRRImage | active |
+--------------------------------------+------------------------------+--------+
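The openstack CLI behind steps A, B and F-K, as an added example that is not part of this how-to: it uses the names and sizes from the page, assumes the four network IDs are exported in the variables shown (the page takes them from horizon), and with DRY_RUN=1 prints each command instead of running it.

```shell
# Added example, not from the DANOS how-to: the openstack CLI behind steps A, B and F-K.
# Names and sizes match the page. The four network IDs are assumed to be exported as
# PUBLIC_NET, PRIVATE01_NET, PRIVATE02_NET and PRIVATE03_NET (horizon shows them).
# With DRY_RUN=1 each command is printed instead of executed, for review before it runs.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# A. Three private networks with DHCP on and no gateway (the vRR is the next hop instead).
create_private_networks() {
    n=1
    while [ "$n" -le 3 ]; do
        run openstack network create "private-0$n"
        run openstack subnet create --network "private-0$n" \
            --subnet-range "192.168.10$n.0/24" --gateway none --dhcp "private-0$n-subnet"
        n=$((n + 1))
    done
}

# B. Flavor matching the ISO assumptions: 4 vcpu, --ram 4096 (MB), 8 GB root disk.
create_flavor() { run openstack flavor create --vcpus 4 --ram 4096 --disk 8 danos4cpu4G8G; }

# F. Installer VM booted from the ISO with the 4 NICs, public (OA&M) port first.
create_iso_server() {
    run openstack server create --flavor danos4cpu4G8G --image danos-1908-amd64-vrouter.iso \
        --nic "net-id=$PUBLIC_NET" --nic "net-id=$PRIVATE01_NET" \
        --nic "net-id=$PRIVATE02_NET" --nic "net-id=$PRIVATE03_NET" danosVRRFromISO
}

# G/H. The 8 GB volume that "install image" writes to, attached to the installer VM.
create_and_attach_volume() {
    run openstack volume create --size 8 danosVRRVolume
    run openstack server add volume danosVRRFromISO danosVRRVolume
}

# Note in step A. A router emits packets whose source address is not the port's own,
# which Neutron port security (anti-spoofing filter plus security groups) drops. Pass only
# the private-network port IDs here; the public OA&M port keeps its security group.
disable_port_security() {
    for port in "$@"; do
        run openstack port set --no-security-group --disable-port-security "$port"
    done
}

# J/K. Remove the installer VM (the volume is left "available") and upload the volume to
# glance as the reusable vRR image; poll `openstack image list` until it shows "active".
publish_volume_as_image() {
    run openstack server delete --wait danosVRRFromISO
    run openstack image create --volume danosVRRVolume danosVRRImage
}
```

Run it with DRY_RUN=1 first and compare the printed commands against the listings in steps E, G and H before executing for real.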
L. Use horizon to create a server from the new glance image using the flavor created in step B.
Select the volume
Select the flavor
Add the 4 networks (public, private-01,private-02,private-03)
Deselect the Security Group
No keypair (since we will log in via vyatta/vyatta, without cloud-init being used to upload keys)
M. Use horizon instance console to log into the new instance
Configure the external network port, since we did not enable cloud-init.
a. show interfaces
If the update to config.boot worked correctly, show interfaces should show the IP address on dp0s3. If so you can move on to step N. If not, then:
b. Enter config mode and add the external network (get the ip address from horizon) so we don't have to use the console anymore:
config
set interfaces dataplane dp0s3 address dhcp
set service ssh
commit
exit
show interfaces should now show dp0s3 as u/u
N. Log in to the instance via SSH on the external port, since the console is slow. This port faces the external network and the image still has the default vyatta/vyatta login, so change that password before the instance is left running.
login via ssh: ssh vyatta@10.0.200.135
# using your ip
vyatta@vyatta:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Speed/Duplex Description
dp0s3 10.0.200.135/24 u/u a-10g/a-full
dp0s4 - A/D auto/auto
dp0s5 - A/D auto/auto
dp0s6 - A/D auto/auto
O. Add configuration for the 3 other ports on the private networks, using the ip addresses from horizon
You can either set static IP addresses or set them as address ‘dhcp’:
config
set interfaces dataplane dp0s4 address 192.168.101.222/24
set interfaces dataplane dp0s5 address 192.168.102.216/24
set interfaces dataplane dp0s6 address 192.168.103.227/24
commit
exit
or
config
set interfaces dataplane dp0s4 address dhcp
set interfaces dataplane dp0s5 address dhcp
set interfaces dataplane dp0s6 address dhcp
commit
exit
NOTE: you could have set all three dataplane interfaces in config.boot if you wanted, but in real-world deployments you would likely set these per instance, and they would not likely be dhcp based.
show interfaces
vyatta@vyatta:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Speed/Duplex Description
dp0s3 10.0.200.135/24 u/u a-10g/a-full
dp0s4 192.168.101.222/24 u/u a-10g/a-full
dp0s5 192.168.102.216/24 u/u a-10g/a-full
dp0s6 192.168.103.227/24 u/u a-10g/a-full
P. Optionally start NETCONF
set service netconf
Danos should now route between the 192.168.101, 102 and 103 networks, but we still need to set up the routing on the trafficSource and the trafficSink.
Q. Create a Traffic Source and Traffic Sink
For testing, create two instances of an ubuntu server (18.04 for example):
trafficSource with an external network and a private network for the source (private-01)
and
trafficSink with an external network and a private network for the sink (private-02)
Set static routes to the dp0s4 and dp0s5 ip addresses respectively. We will have a heat template for this later.
Use horizon and uncheck Use Port Security for both instances' ports on private-01 and private-02.
On trafficSource (private-01):
ip route add 192.168.102.0/24 via 192.168.101.222
ip route add 192.168.103.0/24 via 192.168.101.222
Ping should work from the trafficSource to the danosVRR private-02 and private-03 ip addresses if everything is correct.
trafficSource (192.168.101.203)
root@trafficsource:/home/ubuntu# ping 192.168.102.216
PING 192.168.102.216 (192.168.102.216) 56(84) bytes of data.
64 bytes from 192.168.102.216: icmp_seq=1 ttl=64 time=4.52 ms
64 bytes from 192.168.102.216: icmp_seq=2 ttl=64 time=1.97 ms
64 bytes from 192.168.102.216: icmp_seq=3 ttl=64 time=3.37 ms
64 bytes from 192.168.102.216: icmp_seq=4 ttl=64 time=1.96 ms
root@trafficsource:/home/ubuntu# ping 192.168.103.227
PING 192.168.103.227 (192.168.103.227) 56(84) bytes of data.
64 bytes from 192.168.103.227: icmp_seq=1 ttl=64 time=3.38 ms
64 bytes from 192.168.103.227: icmp_seq=2 ttl=64 time=1.58 ms
64 bytes from 192.168.103.227: icmp_seq=3 ttl=64 time=4.89 ms
64 bytes from 192.168.103.227: icmp_seq=4 ttl=64 time=2.78 ms
Repeat for trafficSink on private-02
ubuntu@traaficsink:~$ ip route list
default via 10.0.200.1 dev ens3
10.0.200.0/24 dev ens3 proto kernel scope link src 10.0.200.176
192.168.102.0/24 dev ens4 proto kernel scope link src 192.168.102.143
ubuntu@traaficsink:~$ sudo su
sudo: unable to resolve host traaficsink
root@traaficsink:/home/ubuntu# ip route add 192.168.101.0/24 via 192.168.102.216
root@traaficsink:/home/ubuntu# ip route add 192.168.103.0/24 via 192.168.102.216
root@traaficsink:/home/ubuntu# ip route list
default via 10.0.200.1 dev ens3
10.0.200.0/24 dev ens3 proto kernel scope link src 10.0.200.176
192.168.101.0/24 via 192.168.102.216 dev ens4
192.168.102.0/24 dev ens4 proto kernel scope link src 192.168.102.143
192.168.103.0/24 via 192.168.102.216 dev ens4
You should now be able to ping trafficSink (192.168.102.143) from the trafficSource and vice versa:
root@traafficsource:/home/ubuntu# ping 192.168.102.143
PING 192.168.102.143 (192.168.102.143) 56(84) bytes of data.
64 bytes from 192.168.102.143: icmp_seq=1 ttl=63 time=6.19 ms
64 bytes from 192.168.102.143: icmp_seq=2 ttl=63 time=2.62 ms
64 bytes from 192.168.102.143: icmp_seq=3 ttl=63 time=3.03 ms
^C
--- 192.168.102.143 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 2.620/3.947/6.192/1.596 ms
root@traaficsink:/home/ubuntu# ping 192.168.101.203
PING 192.168.101.203 (192.168.101.203) 56(84) bytes of data.
64 bytes from 192.168.101.203: icmp_seq=1 ttl=63 time=2.29 ms
64 bytes from 192.168.101.203: icmp_seq=2 ttl=63 time=2.37 ms
64 bytes from 192.168.101.203: icmp_seq=3 ttl=63 time=2.86 ms
^C
--- 192.168.101.203 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.290/2.507/2.862/0.256 ms
R. Firewall testing
You can install apache2 on the trafficSink and use curl from the trafficSource to test firewall rules:
trafficSink: apt-get install apache2
trafficSource: curl http://192.168.102.143 # this will return html of the default index.html page
S. Create a firewall rule that allows the traffic, so we can set it to deny later
config
set security firewall name Test80 description "Allow port 80"
set security firewall name Test80 rule 100 destination address 192.168.102.143
set security firewall name Test80 rule 100 destination port 80
set security firewall name Test80 rule 100 protocol tcp
set security firewall name Test80 rule 100 action accept
set interfaces dataplane dp0s4 firewall in Test80
commit
exit
show firewall dp0s4
Rulesets Information: Firewall
Firewall "Test80":
Active on (dp0s4, in)
rule action proto packets bytes
100 allow tcp 0 0
condition - proto tcp to 192.168.102.143 port 80
Curl from trafficSource should still work.
T. Set the firewall to block
config
set security firewall name Test80 rule 100 action drop
commit
exit
show firewall dp0s4
Rulesets Information: Firewall
Firewall "Test80":
Active on (dp0s4, in)
rule action proto packets bytes
100 drop tcp 0 0
condition - proto tcp to 192.168.102.143 port 80
Curl should now be blocked; let's see how many packets are dropped.
On Danos:
show firewall dp0s4
Rulesets Information: Firewall
Firewall "Test80":
Active on (dp0s4, in)
rule action proto packets bytes
100 drop tcp 10 740
condition - proto tcp to 192.168.102.143 port 80
U. Open the firewall again
config
set security firewall name Test80 rule 100 action accept
commit
exit
Test:
root@trafficsource:/home/ubuntu# curl http://192.168.102.143
Stats:
show firewall dp0s4
Rulesets Information: Firewall
Firewall "Test80":
Active on (dp0s4, in)
rule action proto packets bytes
100 allow tcp 6 483
condition - proto tcp to 192.168.102.143 port 80
V. Next Steps
1. Add cloud-init to the Danos image
2. Create a heat template to spin up all 3 VM's and the associated networking