ovn: Add a section on containers in OVN Tutorial

Signed-Off-by: Numan Siddique <nusiddiq@redhat.com>

Signed-off-by: Ben Pfaff <blp@ovn.org>

tutorial/OVN-Tutorial.md

@@ -709,6 +709,78 @@ though.
 perspective and also provides an example of what the resulting OpenFlow flows
 look like.
 
+7) Container Ports
+------------------
+
+OVN supports containers running directly on the hypervisors and running
+containers inside VMs. This example shows how OVN supports network
+virtualization to containers when run inside VMs. Details about how to use
+docker containers in OVS can be found [here][openvswitch-docker].
+
+To support container traffic created inside a VM and to distinguish network
+traffic coming from different container vifs, for each container a logical
+port needs to be created with parent name set to the VM's logical port and
+the tag set to the vlan tag of the container vif.
+
+Start with a simple logical switch with 3 logical ports.
+
+[View ovn/env7/setup.sh][env7setup].
+
+    $ ovn/env7/setup.sh
+
+Lets create a container vif attached to the logical port 'sw0-port1' and
+another container vif attached to the logical port 'sw0-port2'.
+
+[View ovn/env7/add-container-ports.sh][env7contports]
+
+    $ ovn/env7/add-container-ports.sh
+
+Run the `ovn-nbctl` command to see the logical ports
+
+    $ovn-nbctl show
+
+
+As you can see a logical port 'csw0-cport1' is created on a logical
+switch 'csw0' whose parent is 'sw0-port1' and it has tag set to 42.
+And a logical port 'csw0-cport2' is created on the logical switch 'csw0'
+whose parent is 'sw0-port2' and it has tag set to 43.
+
+Bridge 'br-vmport1' represents the ovs bridge running inside the VM
+connected to the logical port 'sw0-port1'. In this tutorial the ovs port
+to 'sw0-port1' is created as a patch port with its peer connected to the
+ovs bridge 'br-vmport1'. An ovs port 'cport1' is added to 'br-vmport1'
+which represents the container interface connected to the ovs bridge
+and vlan tag set to 42. Similarly 'br-vmport2' represents the ovs bridge
+for the logical port 'sw0-port2' and 'cport2' connected to 'br-vmport2'
+with vlan tag set to 43.
+
+This first trace shows a packet from 'csw0-port1' with a destination mac
+address of 'csw0-port2'. You can see ovs bridge of the vm 'br-vmport1' tags
+the traffic with vlan id 42 and the traffic reaches to the br-int because
+of the patch port. As you can see below `ovn-controller` has added a flow
+to strip the vlan tag and set the reg6 and metadata appropriately.
+
+    $ ovs-ofctl -O OpenFlow13 dump-flows br-int
+    OFPST_FLOW reply (OF1.3) (xid=0x2):
+    cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=3,dl_vlan=42 actions=pop_vlan,set_field:0x3->reg5,set_field:0x2->metadata,set_field:0x1->reg6,resubmit(,16)
+    cookie=0x0, duration=2767.002s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=4,dl_vlan=43 actions=pop_vlan,set_field:0x4->reg5,set_field:0x2->metadata,set_field:0x2->reg6,resubmit(,16)
+    cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=3 actions=set_field:0x1->reg5,set_field:0x1->metadata,set_field:0x1->reg6,resubmit(,16)
+    cookie=0x0, duration=2767.001s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=4 actions=set_field:0x2->reg5,set_field:0x1->metadata,set_field:0x2->reg6,resubmit(,16)
+
+[View ovn/env7/packet1.sh][env7packet1].
+
+    $ ovn/env5/packet1.sh
+
+
+The second trace shows a packet from 'csw0-port2' to 'csw0-port1'.
+
+[View ovn/env7/packet2.sh][env7packet2].
+
+    $ ovn/env5/packet1.sh
+
+You can extend this setup by adding additional container ports with two
+hypervisors. Please see the tutorial 3 above.
+
 [ovn-architecture(7)]:http://openvswitch.org/support/dist-docs/ovn-architecture.7.html
 [Tutorial.md]:https://github.com/openvswitch/ovs/blob/master/tutorial/Tutorial.md
 [ovn-nb(5)]:http://openvswitch.org/support/dist-docs/ovn-nb.5.html
@@ -742,4 +814,9 @@ look like.
 [env5packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env5/packet2.sh
 [env6setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env6/setup.sh
 [env6acls]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env6/add-acls.sh
+[env7setup]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/setup.sh
+[env7contports]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/add-container-ports.sh
+[env7packet1]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/packet1.sh
+[env7packet2]:https://github.com/openvswitch/ovs/blob/master/tutorial/ovn/env7/packet2.sh
 [openstack-ovn-acl-blog]:http://blog.russellbryant.net/2015/10/22/openstack-security-groups-using-ovn-acls/
+[openvswitch-docker]:http://openvswitch.org/support/dist-docs/INSTALL.Docker.md.txt

tutorial/automake.mk

@@ -30,7 +30,10 @@ EXTRA_DIST += \
 	tutorial/ovn/env5/packet1.sh \
 	tutorial/ovn/env5/packet2.sh \
 	tutorial/ovn/env6/setup.sh \
-	tutorial/ovn/env6/add-acls.sh
-
+	tutorial/ovn/env6/add-acls.sh \
+	tutorial/ovn/env7/add-container-ports.sh \
+	tutorial/ovn/env7/packet1.sh \
+	tutorial/ovn/env7/packet2.sh \
+	tutorial/ovn/env7/setup.sh
 sandbox: all
 	cd $(srcdir)/tutorial && MAKE=$(MAKE) ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS)

tutorial/ovn/env7/add-container-ports.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -o xtrace
+
+# create a logical switch
+ovn-nbctl lswitch-add csw0
+
+# create a container port with parent set to sw0-port1
+ovn-nbctl lport-add csw0 csw0-cport1 sw0-port1 42
+ovn-nbctl lport-set-addresses csw0-cport1 00:00:00:00:01:01
+ovn-nbctl lport-set-port-security csw0-cport1 00:00:00:00:01:01
+
+# create another container port with parent set to sw0-port1
+ovn-nbctl lport-add csw0 csw0-cport2 sw0-port2 43
+ovn-nbctl lport-set-addresses csw0-cport2 00:00:00:00:01:02
+ovn-nbctl lport-set-port-security csw0-cport2 00:00:00:00:01:02
+
+
+# Make lport1 as a patch port, other end connected to br-vmport1
+ovs-vsctl set interface lport1 type=patch
+ovs-vsctl set interface lport1 options:peer=patch-lport1
+
+ovs-vsctl set interface lport2 type=patch
+ovs-vsctl set interface lport2 options:peer=patch-lport2
+
+
+# This represents ovs bridge inside a VM attached to lport1
+ovs-vsctl add-br br-vmport1
+
+# create a patch port with peer set to lport1.
+ovs-vsctl add-port br-vmport1 patch-lport1
+ovs-vsctl set interface patch-lport1 type=patch
+ovs-vsctl set interface patch-lport1 options:peer=lport1
+
+# create a container port on br-vmport1. Any traffic sent on this
+# port will reach to the br-int of the host via the patch port
+ovs-vsctl add-port br-vmport1 cport1
+ovs-vsctl set port cport1 tag=42
+
+# This represents ovs bridge inside a VM attached to lport2
+ovs-vsctl add-br br-vmport2
+ovs-vsctl add-port br-vmport2 patch-lport2
+ovs-vsctl set interface patch-lport2 type=patch
+ovs-vsctl set interface patch-lport2 options:peer=lport2
+
+ovs-vsctl add-port br-vmport2 cport2
+ovs-vsctl set port cport2 tag=43

tutorial/ovn/env7/packet1.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -o xtrace
+
+# Trace a packet from csw0-port1 to csw0-port2.
+ovs-appctl ofproto/trace br-vmport1 in_port=3,dl_src=00:00:00:0:01:01,dl_dst=00:00:00:00:01:02 -generate

tutorial/ovn/env7/packet2.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -o xtrace
+
+# Trace a packet from csw0-port2 to csw0-port1.
+ovs-appctl ofproto/trace br-vmport2 in_port=3,dl_src=00:00:00:0:01:02,dl_dst=00:00:00:00:01:01 -generate

tutorial/ovn/env7/setup.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -o xtrace
+
+# Create a logical switch named "sw0"
+ovn-nbctl lswitch-add sw0
+
+# Create two logical ports on "sw0".
+ovn-nbctl lport-add sw0 sw0-port1
+ovn-nbctl lport-add sw0 sw0-port2
+ovn-nbctl lport-add sw0 sw0-port3
+
+ovn-nbctl lport-set-addresses sw0-port1 00:00:00:00:00:01
+ovn-nbctl lport-set-addresses sw0-port2 00:00:00:00:00:02
+ovn-nbctl lport-set-addresses sw0-port3 00:00:00:00:00:03
+
+ovn-nbctl lport-set-port-security sw0-port1 00:00:00:00:00:01
+ovn-nbctl lport-set-port-security sw0-port2 00:00:00:00:00:02
+ovn-nbctl lport-set-port-security sw0-port3 00:00:00:00:00:03
+
+ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1
+ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2
+ovs-vsctl add-port br-int lport3 -- set Interface lport3 external_ids:iface-id=sw0-port3