Creating custom SDN plugin?

phemmer

Jan 26, 2021
So I'm working on building out a Proxmox cluster to mimic our production environment. This mimicry is requiring an unusual network setup that, while I have it working, has me wanting a cleaner solution.

What makes it unusual is that in our production environment, all hosts are fully L2 isolated, and connected via L3 routing. Meaning every host is in a /31 subnet, with just itself, and the router. Now we could just bridge the VMs directly to the physical network, using ebtables to ensure isolation between them, and continue like we have been doing. However this makes it difficult to handle things like moving VMs between hosts in the cluster, or allowing users to launch VMs without needing to get the network team involved to provision on the router.

So what I've done is to set up a local DHCP server with a pool of /31 subnets that have been allocated to the Proxmox cluster. When a host requests a DHCP address, after allocating it, the dhcpd calls a script which uses the client's MAC address to find the VM ID & interface number, and then creates a udev rule which watches for that TUN interface, which then adds the IP of the VM's gateway to the bridge on the Proxmox host (and removes it when the TUN interface disappears). I then have BIRD watching for these subnets, and then advertising them upstream via BGP.

It's not too terrible. However I feel like this would be more cleanly implemented via an SDN plugin. I do see Proxmox has SDN support, and that it's labeled as experimental. But I couldn't find any documentation around creation of custom SDN plugins. Are 3rd party SDN plugins a goal of the project? Is there or will there be any documentation around such? Would this be something that can be implemented via SDN, or would this custom solution be more appropriate?
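
The MAC-to-interface lookup described in the post above, as an added example (not phemmer's script and not Proxmox code). It assumes the Proxmox conventions that a VM's NICs are `netN:` lines in its config file and that the host-side interface is named `tap<vmid>i<N>`; the sample configs, MACs and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample VM configs keyed by VM ID (on a real node these would be
# read from /etc/pve/qemu-server/<vmid>.conf). MACs and options are made up.
SAMPLE_CONFIGS = {
    101: "cores: 2\nnet0: virtio=DE:AD:BE:EF:01:01,bridge=vmbr0\n"
         "net1: e1000=DE:AD:BE:EF:01:02,bridge=vmbr1,firewall=1\n",
    102: "memory: 2048\nnet0: virtio=DE:AD:BE:EF:02:01,bridge=vmbr0\n"
         "\n[before-upgrade]\nnet0: virtio=DE:AD:BE:EF:99:99,bridge=vmbr0\n",
}

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
NET_RE = re.compile(r"^net(\d+):\s*(\S+)$", re.MULTILINE)


def find_nic(mac, configs):
    """Map a client MAC to (vmid, tap interface, bridge), or None if unknown."""
    mac = mac.strip().lower()
    if not MAC_RE.fullmatch(mac):          # value arrives from the DHCP client: validate it
        raise ValueError("not a MAC address")
    for vmid, text in configs.items():
        current = text.split("\n[", 1)[0]  # ignore snapshot sections further down
        for idx, opts in NET_RE.findall(current):
            fields = dict(o.split("=", 1) for o in opts.split(",") if "=" in o)
            if mac in (v.lower() for v in fields.values()):
                return int(vmid), f"tap{int(vmid)}i{idx}", fields.get("bridge")
    return None


def gateway_for(leased_ip):
    """Return the other address of the /31 containing leased_ip, as ip/31."""
    ip = ipaddress.ip_address(leased_ip)
    net = ipaddress.ip_network(f"{ip}/31", strict=False)
    peer = net[1] if ip == net[0] else net[0]
    return f"{peer}/31"


def plan(mac, leased_ip, configs=SAMPLE_CONFIGS):
    """Build the argv that puts the VM's gateway address on its bridge."""
    nic = find_nic(mac, configs)
    if nic is None or nic[2] is None:
        return None                        # unknown MAC or NIC without a bridge: do nothing
    vmid, tap, bridge = nic
    return {"vmid": vmid, "tap": tap,
            "argv": ["ip", "addr", "add", gateway_for(leased_ip), "dev", bridge]}
```

Returning an argv list rather than a command string keeps the client-supplied MAC and lease address out of any shell parsing when the hook is executed.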
 
But I couldn't find any documentation around creation of custom SDN plugins.
There's none, currently, I'm afraid. What you describe could maybe be handled by the IP address management plugins, so you could base off:
https://git.proxmox.com/?p=pve-netw...225cfcd55eca8daad944d5261fbada271f836;hb=HEAD

See the standalone PVE integrated plugin, which maintains its own IP db; it could be used as sort of a template:
https://git.proxmox.com/?p=pve-netw...52745230c08ce032a5b860a0c49abacaae0e2;hb=HEAD

After plugin creation install it to /usr/share/perl5/PVE/Network/SDN/Ipams and "register" it manually in the Ipams.pm (parent folder):
https://git.proxmox.com/?p=pve-netw...c4d2dc087e9cbd2a1ac73d2f0d958bad9f9ed;hb=HEAD

Just a rough hint; not sure how familiar you are with Perl, but that may get you started for experimenting.

Are 3rd party SDN plugins a goal of the project?
There's not yet a "load external plugins from a certain place" mechanism like we have for the PVE storage; such a thing would probably only be added once the SDN plugin ABI is declared stable.
In general, I'm not against such things, but the main goal would be to continue polishing the current approach and implement all commonly required features there. The main blocker is my slight lack of available review time atm for the good work @spirit continues to send in.
 
I haven't touched Perl (aside from the occasional one-liner) in over a decade. But those examples look pretty simple, so it seems like such a task should be fairly easy. Thanks
 
Hi,

@phemmer

If you do layer 3 on your network with /31, you could use bgp-evpn to add an overlay on top; like this you'll be able to migrate your VMs between nodes, and do BGP with your upstream routers. (And if your routers can do bgp-evpn too, it's even easier.)

@Thomas Lamprecht
Main blocker is my slight lack of available review time atm for the good work @spirit continues to send in.
Yes, I think we could add custom plugins later, but we need to stabilize the code first.
We all lack time ^_^
 
If you do layer 3 on your network with /31, you could use bgp-evpn to add an overlay on top; like this you'll be able to migrate your VMs between nodes, and do BGP with your upstream routers. (And if your routers can do bgp-evpn too, it's even easier.)
Thanks, I did see this plugin, but didn't think it'd be usable for my case. There's not a lot of documentation on it, and it looked like it was only meant for BGP within the cluster. I didn't see any parameters for defining an upstream peer to negotiate BGP with.

Though even if it could be used that way, I think I might still prefer my current solution. If I understand correctly, I'd have to create multiple VNets, one for each /31. This is doable, but makes it difficult to track which VNets are free/used when provisioning a VM. With the DHCP solution the user can just pick the bridge interface and DHCP will determine what's available for them.
 
Thanks, I did see this plugin, but didn't think it'd be usable for my case. There's not a lot of documentation on it, and it looked like it was only meant for BGP within the cluster. I didn't see any parameters for defining an upstream peer to negotiate BGP with.
Yes, the next version has more features to configure BGP with FRR through the GUI.

Currently:
If your router can do bgp-evpn, you can simply add the router IP to the peer list (iBGP only for now). This will do a full mesh between the Proxmox nodes and your router, and your routers will announce the default route in EVPN directly.

If your router can't do bgp-evpn, you can define some Proxmox nodes as EVPN exit gateways (so they will announce the default route in EVPN). Then, on these Proxmox nodes, you currently need to add the BGP config manually in the frr.conf.

The next version should help this second case, allowing you to configure BGP for each host, and also allowing eBGP if you already have a full L3 BGP network.


Though even if it could be used that way, I think I might still prefer my current solution. If I understand correctly, I'd have to create multiple VNets, one for each /31. This is doable, but makes it difficult to track which VNets are free/used when provisioning a VM. With the DHCP solution the user can just pick the bridge interface and DHCP will determine what's available for them.

The next version has support for configuring multiple subnets per vnet (so you'll be able to define multiple /31 per vnet), plus an IPAM feature to assign free IP addresses from the subnets defined in a vnet (for CT IP config, or through cloud-init for QEMU).
I don't have DHCP planned yet, but technically it shouldn't be too difficult to implement (distributed local DHCP on all nodes with IP config generated from VM/CT NICs).

So what I've done is to set up a local DHCP server with a pool of /31 subnets that have been allocated to the Proxmox cluster. When a host requests a DHCP address, after allocating it, the dhcpd calls a script which uses the client's MAC address to find the VM ID & interface number, and then creates a udev rule which watches for that TUN interface, which then adds the IP of the VM's gateway to the bridge on the Proxmox host (and removes it when the TUN interface disappears). I then have BIRD watching for these subnets, and then advertising them upstream via BGP.
The SDN plugin has hooks on VM tap plug/remove, so I think it could be possible to do it without udev rules.



Personally, I'll go with EVPN and not reinvent the wheel ^_^.
I'm currently migrating my network to EVPN, with full L3 point-to-point from routers->switches->Proxmox nodes; all is working fine, 0 downtime on VM migration.
 
Thanks. Sounds like this next version may be better suited to my use case. I'll definitely take a look at it once it's out.
 
Thanks. Sounds like this next version may be better suited to my use case. I'll definitely take a look at it once it's out.
Yes :)

@Thomas Lamprecht
Do you know if there are blocking things to merge the last SDN patch series? (including pve-cluster and other packages too)
 
