[ONOS-7910] Add initial implementation for k8s flow rule manager

Change-Id: I4a419194b9e626d15be5c93b70af0d4c5005d814
diff --git a/apps/k8s-networking/api/src/main/java/org/onosproject/k8snetworking/api/Constants.java b/apps/k8s-networking/api/src/main/java/org/onosproject/k8snetworking/api/Constants.java
index aefc940..a47f295 100644
--- a/apps/k8s-networking/api/src/main/java/org/onosproject/k8snetworking/api/Constants.java
+++ b/apps/k8s-networking/api/src/main/java/org/onosproject/k8snetworking/api/Constants.java
@@ -15,8 +15,10 @@
  */
 package org.onosproject.k8snetworking.api;
 
+import org.onlab.packet.MacAddress;
+
 /**
- * Provides constants used in OpenStackSwitching.
+ * Provides constants used in kubernetes network switching and routing.
  */
 public final class Constants {
 
@@ -24,4 +26,61 @@
     }
 
     public static final String K8S_NETWORKING_APP_ID = "org.onosproject.k8snetworking";
+
+    public static final String ARP_BROADCAST_MODE = "broadcast";
+    public static final String ARP_PROXY_MODE = "proxy";
+
+    public static final String DEFAULT_GATEWAY_MAC_STR = "fe:00:00:00:00:02";
+    public static final MacAddress DEFAULT_GATEWAY_MAC =
+                        MacAddress.valueOf(DEFAULT_GATEWAY_MAC_STR);
+
+    public static final String ANNOTATION_NETWORK_ID = "networkId";
+    public static final String ANNOTATION_PORT_ID = "portId";
+    public static final String ANNOTATION_CREATE_TIME = "createTime";
+    public static final String ANNOTATION_SEGMENT_ID = "segId";
+
+    // flow priority
+    public static final int PRIORITY_SNAT_RULE = 26000;
+    public static final int PRIORITY_DHCP_RULE = 42000;
+    public static final int PRIORITY_ADMIN_RULE = 32000;
+    public static final int PRIORITY_ACL_RULE = 31000;
+    public static final int PRIORITY_ACL_INGRESS_RULE = 30000;
+    public static final int PRIORITY_CT_HOOK_RULE = 30500;
+    public static final int PRIORITY_CT_RULE = 32000;
+    public static final int PRIORITY_CT_DROP_RULE = 32500;
+    public static final int PRIORITY_ARP_GATEWAY_RULE = 41000;
+    public static final int PRIORITY_ARP_SUBNET_RULE = 40000;
+    public static final int PRIORITY_ARP_CONTROL_RULE = 40000;
+    public static final int PRIORITY_ARP_REPLY_RULE = 40000;
+    public static final int PRIORITY_ARP_REQUEST_RULE = 40000;
+    public static final int PRIORITY_ARP_FLOOD_RULE = 39000;
+    public static final int PRIORITY_FORCED_ACL_RULE = 50000;
+    public static final int PRIORITY_ICMP_PROBE_RULE = 50000;
+
+    // flow table index
+    public static final int STAT_INBOUND_TABLE = 0;
+    public static final int VTAP_INBOUND_TABLE = 1;
+    public static final int VTAP_INBOUND_MIRROR_TABLE = 2;
+    public static final int STAT_FLAT_OUTBOUND_TABLE = 10;
+    public static final int VTAP_FLAT_OUTBOUND_TABLE = 11;
+    public static final int VTAP_FLAT_OUTBOUND_MIRROR_TABLE = 12;
+    public static final int DHCP_TABLE = 5;
+    public static final int VTAG_TABLE = 30;
+    public static final int ARP_TABLE = 35;
+    public static final int ACL_EGRESS_TABLE = 40;
+    public static final int ACL_INGRESS_TABLE = 44;
+    public static final int CT_TABLE = 45;
+    public static final int ACL_RECIRC_TABLE = 43;
+    public static final int JUMP_TABLE = 50;
+    public static final int ROUTING_TABLE = 60;
+    public static final int STAT_OUTBOUND_TABLE = 70;
+    public static final int VTAP_OUTBOUND_TABLE = 71;
+    public static final int VTAP_OUTBOUND_MIRROR_TABLE = 72;
+    public static final int FORWARDING_TABLE = 80;
+    public static final int ERROR_TABLE = 100;
+
+    // group table index
+    public static final int VTAP_INBOUND_GROUP_TABLE = 1;
+    public static final int VTAP_FLAT_OUTBOUND_GROUP_TABLE = 2;
+    public static final int VTAP_OUTBOUND_GROUP_TABLE = 3;
 }
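Review bot: `PRIORITY_ADMIN_RULE` and `PRIORITY_CT_RULE` are both 32000, and `PRIORITY_FORCED_ACL_RULE` and `PRIORITY_ICMP_PROBE_RULE` are both 50000; if two such rules ever share a table with overlapping matches, OpenFlow leaves undefined which one the switch applies. Nothing in this hunk shows which table each priority is used in, so this may be intentional, but these values decide whether an ACL or conntrack drop wins over an allow rule. A comment above the block such as `// equal priorities are only safe when the rules live in different tables or never overlap`, plus the table each constant belongs to, would make the ordering auditable. The table indexes would also read more easily sorted numerically (`DHCP_TABLE = 5` and `ACL_RECIRC_TABLE = 43` are out of order). The `Constants` class declaration starts outside this hunk.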
diff --git a/apps/k8s-networking/api/src/main/java/org/onosproject/k8snetworking/api/K8sFlowRuleService.java b/apps/k8s-networking/api/src/main/java/org/onosproject/k8snetworking/api/K8sFlowRuleService.java
new file mode 100644
index 0000000..8069adf
--- /dev/null
+++ b/apps/k8s-networking/api/src/main/java/org/onosproject/k8snetworking/api/K8sFlowRuleService.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2019-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onosproject.k8snetworking.api;
+
+import org.onosproject.core.ApplicationId;
+import org.onosproject.net.DeviceId;
+import org.onosproject.net.flow.TrafficSelector;
+import org.onosproject.net.flow.TrafficTreatment;
+
+/**
+ * Service for setting flow rules.
+ */
+public interface K8sFlowRuleService {
+
+    /**
+     * Configure the flow rule.
+     *
+     * @param appId         application ID
+     * @param deviceId      device ID
+     * @param selector      traffic selector used for match header fields
+     * @param treatment     traffic treatment for take actions for matched packets
+     * @param priority      rule priority
+     * @param tableType     table number to install flow rules
+     * @param install       true for rule addition, false for rule removal
+     */
+    void setRule(ApplicationId appId, DeviceId deviceId,
+                 TrafficSelector selector, TrafficTreatment treatment,
+                 int priority, int tableType, boolean install);
+
+    /**
+     * Installs table miss entry (drop rule) for the given flow table.
+     *
+     * @param deviceId      device ID
+     * @param table         table number
+     */
+    void setUpTableMissEntry(DeviceId deviceId, int table);
+
+    /**
+     * Installs a flow rule for transiting from table A to table B.
+     *
+     * @param deviceId      device ID
+     * @param fromTable     table number of table A
+     * @param toTable       table number of table B
+     */
+    void connectTables(DeviceId deviceId, int fromTable, int toTable);
+}
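Review bot: The Javadoc on `setRule`, `setUpTableMissEntry` and `connectTables` does not say whether the rule is in place when the method returns or how a failed install reaches the caller; all three return `void`. Callers that use these methods for drop or ACL entries need to know that, so I would add a sentence to each, for example `The rule is submitted to the flow rule subsystem; this method does not wait for the device to confirm it and does not report failures to the caller.` (to be confirmed against the implementation, which applies rules through a callback). The `tableType` parameter of `setRule` is documented as a table number; naming it `table` would match the other two methods.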
diff --git a/apps/k8s-networking/app/src/main/java/org/onosproject/k8snetworking/impl/K8sFlowRuleManager.java b/apps/k8s-networking/app/src/main/java/org/onosproject/k8snetworking/impl/K8sFlowRuleManager.java
new file mode 100644
index 0000000..7cdf44e
--- /dev/null
+++ b/apps/k8s-networking/app/src/main/java/org/onosproject/k8snetworking/impl/K8sFlowRuleManager.java
@@ -0,0 +1,296 @@
+/*
+ * Copyright 2019-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onosproject.k8snetworking.impl;
+
+import org.onosproject.cluster.ClusterService;
+import org.onosproject.cluster.LeadershipService;
+import org.onosproject.cluster.NodeId;
+import org.onosproject.core.ApplicationId;
+import org.onosproject.core.CoreService;
+import org.onosproject.k8snetworking.api.K8sFlowRuleService;
+import org.onosproject.k8snode.api.K8sNode;
+import org.onosproject.k8snode.api.K8sNodeEvent;
+import org.onosproject.k8snode.api.K8sNodeListener;
+import org.onosproject.k8snode.api.K8sNodeService;
+import org.onosproject.net.DeviceId;
+import org.onosproject.net.flow.DefaultFlowRule;
+import org.onosproject.net.flow.DefaultTrafficSelector;
+import org.onosproject.net.flow.DefaultTrafficTreatment;
+import org.onosproject.net.flow.FlowRule;
+import org.onosproject.net.flow.FlowRuleOperations;
+import org.onosproject.net.flow.FlowRuleOperationsContext;
+import org.onosproject.net.flow.FlowRuleService;
+import org.onosproject.net.flow.TrafficSelector;
+import org.onosproject.net.flow.TrafficTreatment;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Deactivate;
+import org.osgi.service.component.annotations.Reference;
+import org.osgi.service.component.annotations.ReferenceCardinality;
+import org.slf4j.Logger;
+
+import java.util.Objects;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+
+import static org.onlab.util.Tools.groupedThreads;
+import static org.onosproject.k8snetworking.api.Constants.ACL_EGRESS_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.ACL_INGRESS_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.ARP_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.DEFAULT_GATEWAY_MAC;
+import static org.onosproject.k8snetworking.api.Constants.DHCP_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.FORWARDING_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.JUMP_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.K8S_NETWORKING_APP_ID;
+import static org.onosproject.k8snetworking.api.Constants.PRIORITY_SNAT_RULE;
+import static org.onosproject.k8snetworking.api.Constants.ROUTING_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.STAT_INBOUND_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.STAT_OUTBOUND_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.VTAG_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.VTAP_INBOUND_TABLE;
+import static org.onosproject.k8snetworking.api.Constants.VTAP_OUTBOUND_TABLE;
+import static org.slf4j.LoggerFactory.getLogger;
+
+/**
+ * Sets flow rules directly using FlowRuleService.
+ */
+@Component(immediate = true, service = K8sFlowRuleService.class)
+public class K8sFlowRuleManager implements K8sFlowRuleService {
+
+    private final Logger log = getLogger(getClass());
+
+    private static final int DROP_PRIORITY = 0;
+    private static final int HIGH_PRIORITY = 30000;
+    private static final int TIMEOUT_SNAT_RULE = 60;
+
+    @Reference(cardinality = ReferenceCardinality.MANDATORY)
+    protected FlowRuleService flowRuleService;
+
+    @Reference(cardinality = ReferenceCardinality.MANDATORY)
+    protected CoreService coreService;
+
+    @Reference(cardinality = ReferenceCardinality.MANDATORY)
+    protected ClusterService clusterService;
+
+    @Reference(cardinality = ReferenceCardinality.MANDATORY)
+    protected LeadershipService leadershipService;
+
+    @Reference(cardinality = ReferenceCardinality.MANDATORY)
+    protected K8sNodeService k8sNodeService;
+
+    private final ExecutorService deviceEventExecutor =
+            Executors.newSingleThreadExecutor(groupedThreads(
+                    getClass().getSimpleName(), "device-event"));
+    private final K8sNodeListener internalNodeListener = new InternalK8sNodeListener();
+
+    private ApplicationId appId;
+    private NodeId localNodeId;
+
+    @Activate
+    protected void activate() {
+        appId = coreService.registerApplication(K8S_NETWORKING_APP_ID);
+        coreService.registerApplication(K8S_NETWORKING_APP_ID);
+        k8sNodeService.addListener(internalNodeListener);
+        localNodeId = clusterService.getLocalNode().id();
+        leadershipService.runForLeadership(appId.name());
+        k8sNodeService.completeNodes().forEach(node ->
+                                        initializePipeline(node.intgBridge()));
+
+        log.info("Started");
+    }
+
+    @Deactivate
+    protected void deactivate() {
+        k8sNodeService.removeListener(internalNodeListener);
+        leadershipService.withdraw(appId.name());
+        deviceEventExecutor.shutdown();
+
+        log.info("Stopped");
+    }
+
+    @Override
+    public void setRule(ApplicationId appId, DeviceId deviceId,
+                        TrafficSelector selector, TrafficTreatment treatment,
+                        int priority, int tableType, boolean install) {
+        FlowRule.Builder flowRuleBuilder = DefaultFlowRule.builder()
+                .forDevice(deviceId)
+                .withSelector(selector)
+                .withTreatment(treatment)
+                .withPriority(priority)
+                .fromApp(appId)
+                .forTable(tableType);
+
+        if (priority == PRIORITY_SNAT_RULE) {
+            flowRuleBuilder.makeTemporary(TIMEOUT_SNAT_RULE);
+        } else {
+            flowRuleBuilder.makePermanent();
+        }
+
+        applyRule(flowRuleBuilder.build(), install);
+    }
+
+    @Override
+    public void setUpTableMissEntry(DeviceId deviceId, int table) {
+        TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
+        TrafficTreatment.Builder treatment = DefaultTrafficTreatment.builder();
+
+        treatment.drop();
+
+        FlowRule flowRule = DefaultFlowRule.builder()
+                .forDevice(deviceId)
+                .withSelector(selector.build())
+                .withTreatment(treatment.build())
+                .withPriority(DROP_PRIORITY)
+                .fromApp(appId)
+                .makePermanent()
+                .forTable(table)
+                .build();
+
+        applyRule(flowRule, true);
+    }
+
+    @Override
+    public void connectTables(DeviceId deviceId, int fromTable, int toTable) {
+        TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
+        TrafficTreatment.Builder treatment = DefaultTrafficTreatment.builder();
+
+        treatment.transition(toTable);
+
+        FlowRule flowRule = DefaultFlowRule.builder()
+                .forDevice(deviceId)
+                .withSelector(selector.build())
+                .withTreatment(treatment.build())
+                .withPriority(DROP_PRIORITY)
+                .fromApp(appId)
+                .makePermanent()
+                .forTable(fromTable)
+                .build();
+
+        applyRule(flowRule, true);
+    }
+
+    private void applyRule(FlowRule flowRule, boolean install) {
+        FlowRuleOperations.Builder flowOpsBuilder = FlowRuleOperations.builder();
+
+        flowOpsBuilder = install ? flowOpsBuilder.add(flowRule) : flowOpsBuilder.remove(flowRule);
+
+        flowRuleService.apply(flowOpsBuilder.build(new FlowRuleOperationsContext() {
+            @Override
+            public void onSuccess(FlowRuleOperations ops) {
+                log.debug("Provisioned vni or forwarding table");
+            }
+
+            @Override
+            public void onError(FlowRuleOperations ops) {
+                log.debug("Failed to provision vni or forwarding table");
+            }
+        }));
+    }
+
+    protected void initializePipeline(DeviceId deviceId) {
+        // for inbound table transition
+        connectTables(deviceId, STAT_INBOUND_TABLE, VTAP_INBOUND_TABLE);
+        connectTables(deviceId, VTAP_INBOUND_TABLE, DHCP_TABLE);
+
+        // for DHCP and vTag table transition
+        connectTables(deviceId, DHCP_TABLE, VTAG_TABLE);
+
+        // for vTag and ARP table transition
+        connectTables(deviceId, VTAG_TABLE, ARP_TABLE);
+
+        // for ARP and ACL table transition
+        connectTables(deviceId, ARP_TABLE, ACL_INGRESS_TABLE);
+
+        // for ACL and JUMP table transition
+        connectTables(deviceId, ACL_EGRESS_TABLE, JUMP_TABLE);
+
+        // for JUMP table transition
+        // we need JUMP table for bypassing routing table which contains large
+        // amount of flow rules which might cause performance degradation during
+        // table lookup
+        setupJumpTable(deviceId);
+
+        // for outbound table transition
+        connectTables(deviceId, STAT_OUTBOUND_TABLE, VTAP_OUTBOUND_TABLE);
+        connectTables(deviceId, VTAP_OUTBOUND_TABLE, FORWARDING_TABLE);
+    }
+
+    private void setupJumpTable(DeviceId deviceId) {
+        TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
+        TrafficTreatment.Builder treatment = DefaultTrafficTreatment.builder();
+
+        selector.matchEthDst(DEFAULT_GATEWAY_MAC);
+        treatment.transition(ROUTING_TABLE);
+
+        FlowRule flowRule = DefaultFlowRule.builder()
+                .forDevice(deviceId)
+                .withSelector(selector.build())
+                .withTreatment(treatment.build())
+                .withPriority(HIGH_PRIORITY)
+                .fromApp(appId)
+                .makePermanent()
+                .forTable(JUMP_TABLE)
+                .build();
+
+        applyRule(flowRule, true);
+
+        selector = DefaultTrafficSelector.builder();
+        treatment = DefaultTrafficTreatment.builder();
+
+        treatment.transition(STAT_OUTBOUND_TABLE);
+
+        flowRule = DefaultFlowRule.builder()
+                .forDevice(deviceId)
+                .withSelector(selector.build())
+                .withTreatment(treatment.build())
+                .withPriority(DROP_PRIORITY)
+                .fromApp(appId)
+                .makePermanent()
+                .forTable(JUMP_TABLE)
+                .build();
+
+        applyRule(flowRule, true);
+    }
+
+    private class InternalK8sNodeListener implements K8sNodeListener {
+        private boolean isRelevantHelper() {
+            return Objects.equals(localNodeId, leadershipService.getLeader(appId.name()));
+        }
+
+        @Override
+        public void event(K8sNodeEvent event) {
+            K8sNode k8sNode = event.subject();
+
+            switch (event.type()) {
+                case K8S_NODE_COMPLETE:
+                    deviceEventExecutor.execute(() -> {
+                        log.info("COMPLETE node {} is detected", k8sNode.hostname());
+
+                        if (!isRelevantHelper()) {
+                            return;
+                        }
+
+                        initializePipeline(k8sNode.intgBridge());
+                    });
+                    break;
+                case K8S_NODE_CREATED:
+                default:
+                    // do nothing
+                    break;
+            }
+        }
+    }
+}
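Review bot: In `applyRule`, `onError` logs at debug level with a fixed message about the "vni or forwarding table", so a failed install of the drop entry from `setUpTableMissEntry`, or of any rule passed to `setRule`, is invisible at the default log level and cannot be tied to a device or table. I would change it to `log.error("Failed to apply flow rule operations {}", ops);` and make the success message equally generic. Separately, `activate()` calls `coreService.registerApplication(K8S_NETWORKING_APP_ID)` twice (the second result is discarded), and it initializes the pipeline for every complete node without the `isRelevantHelper()` leadership check that `InternalK8sNodeListener` applies, which looks inconsistent. `setRule` keys the 60-second timeout on `priority == PRIORITY_SNAT_RULE`, so any caller that happens to pass that priority gets a temporary rule; a comment such as `// SNAT rules are identified by their priority and expire after TIMEOUT_SNAT_RULE seconds` would make that coupling explicit. `setUpTableMissEntry` and `connectTables` both build an empty-selector rule at `DROP_PRIORITY`, so using both on the same table would presumably leave only the last one installed, which is worth noting in their comments.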