crossbow discuss - Feb 2007 - A Virtual Router/Switch for Virtual Machines?

I apologize if this has been discussed, as I am relatively new to this forum.

I would like to create a network of containers under a single global zone.  Can
I do this without hitting the physical network?

I envision the ability to create virtual routers and switches, allowing one to
create this network of Solaris and Linux zones within a single physical box. 
(This would provide a huge benefit to a transaction processing shop.)

Just a thought...
 
 
This message posted from opensolaris.org

Hi Bill,

Bill Quayle wrote On 02/05/07 08:54,:
> I apologize if this has been discussed, as I am relatively new to this
forum.
> 
> I would like to create a network of containers under a single global zone. 
Can I do this without hitting the physical network?
Not sure what you are asking for. Do you want to prevent non-global zones from
reaching the outside
network, either at all or only indirectly? Or just make sure inter-zone traffic
does not go out the
network? Or something else.
> 
> I envision the ability to create virtual routers and switches, allowing one
to create this network of Solaris and Linux zones within a single physical box. 
(This would provide a huge benefit to a transaction processing shop.)
There is no concept of a virtual router or switch in the current Solaris
implementation. Without
crossbow, interzone traffic will stay within the system. With crossbow, it will
be forced to leave
the system if a zone has an exclusive IP instance.
> 
> Just a thought...
Steffen

reply-to set to: crossbow-discuss at opensolaris.org
>  
>  
> This message posted from opensolaris.org
> _______________________________________________
> crossbow-discuss mailing list
> crossbow-discuss at opensolaris.org
> http://opensolaris.org/mailman/listinfo/crossbow-discuss

* bquayle at cme.com [2007-02-05 13:54:54]
> I would like to create a network of containers under a single global
> zone.  Can I do this without hitting the physical network?
You can almost do this today using Crossbow VNICs.  The VNICs are
still associated with an underlying physical NIC but traffic between
them is looped around in the VNIC code.  A different physical NIC
(which doesn''t even need to be connected to a network) would be used
for each of the "virtual switches".

We''ve talked about improving this so that the VNICs are instead
associated with a virtual switch.  It seems this might be as simple as
creating a "null" GLDv3 driver to act as an anchor point (presuming
that we include the ability to create new instances of the null
driver).  I don''t think that anyone did this work yet, but could be
wrong.  Nicolas?

dme.
-- 
David Edmondson, Sun Microsystems, http://www.dme.org

Bill Quayle wrote:
> I apologize if this has been discussed, as I am relatively new to this
> forum.
> 
> I would like to create a network of containers under a single global zone.
> Can I do this without hitting the physical network?
> 
> I envision the ability to create virtual routers and switches, allowing one
> to create this network of Solaris and Linux zones within a single physical
> box.  (This would provide a huge benefit to a transaction processing shop.)
> 
If you would like multiple containers to communicate with each other, without 
using the physical network for inter-container transport, you can do that 
today without Crossbow.  All inter-container traffic stays in the IP stack.

Another example that you can do without Crossbow is a web server which sits in 
one container and uses the physical network, and an app server which only 
communicates with the web server, and perhaps with another container in which 
you run a DB server.

But if you would like something more sophisticated, e.g. packets come in from 
the network into one container where they are filtered, and some packets are 
forwarded/routed to other containers in the same system, you should be looking 
at Crossbow.


--------------------------------------------------------------------------
Jeff VICTOR              Sun Microsystems            jeff.victor @ sun.com
OS Ambassador            Sr. Technical Specialist
Solaris 10 Zones FAQ:    http://www.opensolaris.org/os/community/zones/faq
--------------------------------------------------------------------------

Jeff Victor wrote On 02/05/07 06:45 AM,:
> Bill Quayle wrote:
>
>> I apologize if this has been discussed, as I am relatively new to this
>> forum.
>>
>> I would like to create a network of containers under a single global 
>> zone.
>> Can I do this without hitting the physical network?
>
depends what you mean by "hitting" the physical network.

Multiple VNICs can be created over the same NIC, and comminicate among 
each other
without going through the NIC itself.
The NIC is just an anchor point to create the vnics, it''s there for 
control operation,
and no packet destined to the machine goes to the wire (see also Dave''s
reply)

If you want the same inter-vnic communication on a host tht has no 
physical NICs (or none
available for such use), then we''ll have that in a future phase, using 
v-switches.
>>
>>
>> I envision the ability to create virtual routers and switches, 
>> allowing one
>> to create this network of Solaris and Linux zones within a single 
>> physical
>> box.  (This would provide a huge benefit to a transaction processing 
>> shop.)
>
yep. cool appliance, isn''t it :)
>>
>
> If you would like multiple containers to communicate with each other, 
> without using the physical network for inter-container transport, you 
> can do that today without Crossbow.  All inter-container traffic stays 
> in the IP stack.

that''s right.
However, with IP level communication you don''t get to filter between 
exclusive zones,
you don''t get to snoop their assigned interfaces individually, and you 
don''t get to express
different bandwidth allocation policy to each.

    Kais.
>
> Another example that you can do without Crossbow is a web server which 
> sits in one container and uses the physical network, and an app server 
> which only communicates with the web server, and perhaps with another 
> container in which you run a DB server.
>
> But if you would like something more sophisticated, e.g. packets come 
> in from the network into one container where they are filtered, and 
> some packets are forwarded/routed to other containers in the same 
> system, you should be looking at Crossbow.
>
>
> -------------------------------------------------------------------------- 
>
> Jeff VICTOR              Sun Microsystems            jeff.victor @ 
> sun.com
> OS Ambassador            Sr. Technical Specialist
> Solaris 10 Zones FAQ:    
> http://www.opensolaris.org/os/community/zones/faq
> -------------------------------------------------------------------------- 
>
> _______________________________________________
> crossbow-discuss mailing list
> crossbow-discuss at opensolaris.org
> http://opensolaris.org/mailman/listinfo/crossbow-discuss

David Edmondson wrote:
> We''ve talked about improving this so that the VNICs are instead
> associated with a virtual switch.  It seems this might be as simple as
> creating a "null" GLDv3 driver to act as an anchor point
(presuming
> that we include the ability to create new instances of the null
> driver).  I don''t think that anyone did this work yet, but could
be
> wrong.  Nicolas?
Correct, we haven''t started the implementation of the virtual switch 
yet. Combined with VNICs, these virtual switches will allow virtual 
networks to be built within a host without depending on any physical 
NICs. We''re currently planning to allow several instances of these 
virtual switches to be instantiated, and connected via "virtual
bridges".

Nicolas.

-- 
Nicolas Droux - Solaris Networking - Sun Microsystems, Inc.
droux at sun.com - http://blogs.sun.com/droux

* Nicolas.Droux at Sun.COM [2007-02-05 19:23:05]
> Combined with VNICs, these virtual switches will allow virtual
> networks to be built within a host without depending on any physical
> NICs. We''re currently planning to allow several instances of these
> virtual switches to be instantiated, and connected via "virtual
> bridges".
What''s the purpose of the "virtual bridge"?

dme.
-- 
David Edmondson, Sun Microsystems, http://www.dme.org

David Edmondson wrote:
> * Nicolas.Droux at Sun.COM [2007-02-05 19:23:05]
>> Combined with VNICs, these virtual switches will allow virtual
>> networks to be built within a host without depending on any physical
>> NICs. We''re currently planning to allow several instances of
these
>> virtual switches to be instantiated, and connected via "virtual
>> bridges".
> 
> What''s the purpose of the "virtual bridge"?
It allows you to "connect" these virtual switches at the MAC layer 
without network layer processing by the stack.

Nicolas.

-- 
Nicolas Droux - Solaris Networking - Sun Microsystems, Inc.
droux at sun.com - http://blogs.sun.com/droux

* Nicolas.Droux at Sun.COM [2007-02-05 22:38:53]
> David Edmondson wrote:
>> * Nicolas.Droux at Sun.COM [2007-02-05 19:23:05]
>>> Combined with VNICs, these virtual switches will allow virtual
>>> networks to be built within a host without depending on any
physical
>>> NICs. We''re currently planning to allow several instances
of these
>>> virtual switches to be instantiated, and connected via
"virtual
>>> bridges".
>>
>> What''s the purpose of the "virtual bridge"?
>
> It allows you to "connect" these virtual switches at the MAC
layer
> without network layer processing by the stack.
In that case, what''s a "virtual switch"?  Maybe you view what
happens
at the VNIC layer as "switch"?

dme.
-- 
David Edmondson, Sun Microsystems, http://www.dme.org

On Feb 5, 2007, at 4:09 PM, David Edmondson wrote:
> * Nicolas.Droux at Sun.COM [2007-02-05 22:38:53]
>> David Edmondson wrote:
>>> * Nicolas.Droux at Sun.COM [2007-02-05 19:23:05]
>>>> Combined with VNICs, these virtual switches will allow virtual
>>>> networks to be built within a host without depending on any  
>>>> physical
>>>> NICs. We''re currently planning to allow several
instances of these
>>>> virtual switches to be instantiated, and connected via
"virtual
>>>> bridges".
>>>
>>> What''s the purpose of the "virtual bridge"?
>>
>> It allows you to "connect" these virtual switches at the MAC
layer
>> without network layer processing by the stack.
>
> In that case, what''s a "virtual switch"?  Maybe you view
what happens
> at the VNIC layer as "switch"?
The VNIC itself implements the loopback path between the VNICs  
defined on top of the same MAC instance. So the "switching" really  
takes place at the bottom of the VNIC layer. That MAC entity can be  
either a physical device, an aggregation, etc, or what we call a  
virtual switch. In this case the "virtual switch" is basically a NULL
pseudo MAC device, i.e. it doesn''t participate in the data-path, but  
rather defines the connectivity between VNICs.

We want to be able to combine these different objects to build  
"virtual topologies" of the form:


          |       +---bridge---+        |
          |       |            |        |
        vnic0    vnic1       vnic2    vnic3
          |       |            |        |
          +---+---+            +--------+
              |                    |
            mac driver          vswitch
              |
             NIC
              |
            network

Nicolas.

-- 
Nicolas Droux - Solaris Networking - Sun Microsystems, Inc.
droux at sun.com - http://blogs.sun.com/droux

* Nicolas.Droux at Sun.COM [2007-02-06 03:51:33]
> We want to be able to combine these different objects to build
> "virtual topologies" of the form:
>
>
>          |       +---bridge---+        |
>          |       |            |        |
>        vnic0    vnic1       vnic2    vnic3
>          |       |            |        |
>          +---+---+            +--------+
>              |                    |
>            mac driver          vswitch
>              |
>             NIC
>              |
>            network
I''m there now.  It was the "virtual" in "virtual
bridge" that confused
me.

dme.
-- 
David Edmondson, Sun Microsystems, http://www.dme.org