From Grid5000


KaVLAN architecture

The goal of KaVLAN is to let users manage VLANs on Grid'5000 nodes. The benefit is complete layer 2 isolation. It can be used together with OAR and Kadeploy to run experiments.

Installation status for all sites:

Site         Version   Status
Grenoble     1.2.7-1   OK
Lille        1.2.7-1   OK
Luxembourg   1.2.7-1   OK
Lyon         1.2.7-1   OK
Nancy        1.2.7-1   OK
Nantes       1.2.7-1   OK
Rennes       1.2.7-1   OK
Sophia       1.2.7-1   OK

3 types of VLANs are available for users on Grid'5000:

KaVLAN name in OAR   Type     First ID   Last ID
kavlan-local         local    1          3
kavlan               routed   4          9
kavlan-global        global   10         21

In the diagram on the right, you see local VLANs in green, routed VLANs in blue, and global VLANs in purple.

1: Local VLAN

A local VLAN is completely isolated from the rest of Grid'5000: no routing is configured. Therefore, you have to hop through a special host to reach your nodes inside this kind of VLAN. A DHCP server is brought up for you, so once you have put your nodes in the VLAN, they need to request a new address: you can bring the network interface down and up, or restart the networking service (with kaconsole3, or an 'at' command for instance), or reboot the node (with kareboot3).

Then you will be able to reach any of your nodes within the VLAN using hostnames such as hostname-kavlan-VLAN_ID (adding the suffix -kavlan-VLAN_ID to the regular hostname), with a hop through the VLAN gateway machine, named kavlan-VLAN_ID.

The figure below shows two jobs running with KaVLAN: each job has its nodes isolated in a local VLAN (purple and green). The other nodes are all in the default VLAN (red). The only way to reach the isolated nodes is to hop through the VLAN's SSH gateway machine (kavlan-1 and kavlan-2 in the figure). The gateway has two Ethernet interfaces: one in the default VLAN and one in the dedicated VLAN. Another way to reach an isolated node is to use the kaconsole command.

KaVLAN architecture: 2 jobs running KaVLAN
Note: The SSH gateways are NOT doing any routing: they are meant to allow an SSH hop to the machines in the local VLAN.

Note: As your nodes are isolated from the rest of Grid'5000, NFS mounts of the /home partition are not possible. Therefore, Grid'5000 environments that mount the /home partition (-nfs, -big, -prod) may fail to boot.

2: Routed VLAN

Unlike local VLANs, which are isolated, routed VLANs are not isolated at layer 3: IP packets are routed. Therefore you can reach the nodes inside a routed VLAN from the rest of Grid'5000 (e.g. from the production network, or from other routed VLANs). There is no need to hop through an SSH gateway, as is the case for local VLANs.

Nodes in the VLAN are reachable with the following hostname: hostname-kavlan-VLAN_ID (same naming scheme as for local VLANs), from the frontends for instance.

A DHCP service is provided in those VLANs; it will serve an IP address to any cabled network interface of a node that is placed in the VLAN.

3: Global VLAN

A global VLAN is a VLAN that spans all Grid'5000 sites (using IEEE 802.1ad encapsulation, also known as QinQ). Therefore you can configure nodes of different sites on the same VLAN (same layer 2 network). There will be no routing between these nodes. To reach nodes inside a VLAN, routing is configured on the router of the site where you reserved this global VLAN.


How to reserve a VLAN

KaVLAN only works with deploy reservations; to obtain nodes and a VLAN, you must reserve kavlan resources (VLAN-IDs) with the oarsub command. There are 3 kinds of resources defined in OAR: kavlan, kavlan-local, kavlan-global. For example, if you need 3 nodes and a local VLAN, you can run:

frontend:
    oarsub -t deploy -l {"type='kavlan-local'"}/vlan=1+/nodes=3 -I

Then you can get the ID of your VLAN using the kavlan command:

frontend:
    kavlan -V

If you run this command from outside the shell which is started by OAR for your reservation, you must give the OAR JOBID:

frontend:
    kavlan -V -j JOBID

You should get an integer in the <1-3> range for local VLANs, and in the <4-9> range for routed VLANs. For global VLANs, one VLAN_ID is available per site.

You can get all the options of the kavlan command using --help:

# kavlan --help
Usage: kavlan [options]
Specific options:
    -i, --vlan-id N                  set VLAN ID (integer or DEFAULT)
    -C, --ca-cert CA                 CA certificate
    -c, --client-cert CERT           client certificate
    -k, --client-key KEY             client key
    -l, --get-nodelist               Show nodenames in the given vlan
    -e, --enable-dhcp                Start DHCP server
    -d, --disable-dhcp               Stop DHCP server
    -V, --show-vlan-id               Show vlan id of job (needs -j JOBID)
    -g, --get-vlan                   Show vlan of nodes
    -s, --set-vlan                   Set vlan of nodes
    -j, --oar-jobid JOBID            OAR job id
    -m, --machine NODE               set nodename (several -m are OK)
    -f, --filename NODEFILE          read nodes from a file
    -u, --user USERNAME              username
    -v, --[no-]verbose               Run verbosely
    -q, --[no-]quiet                 Run quietly
        --[no-]debug                 Run with debug output
    -h, --help                       Show this message
        --version                    Show version

Once you have a kavlan reservation running, you can put your nodes in your VLAN (and later, back into the default VLAN) at any time during the lifetime of your job. For local VLANs, you are also allowed to connect to the VLAN gateway, which is named kavlan-<ID> where ID is your VLAN ID.
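
The ID ranges, the -kavlan-VLAN_ID naming scheme and the gateway hop described on this page can be combined into a small helper, shown here as an added example that is not part of the original Grid'5000 documentation. The function names and the node name are hypothetical, and placing the suffix before the first dot of an FQDN is an assumption.

```shell
#!/usr/bin/env bash
# Added example: derive VLAN type, in-VLAN hostname and SSH path from a KaVLAN ID.

# Print the VLAN type for an ID, using the ranges in the table on this page:
# local 1-3, routed 4-9, global 10-21. Anything else (including DEFAULT) is invalid.
kavlan_type() {
    local id="$1"
    case "$id" in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if   [ "$id" -ge 1 ]  && [ "$id" -le 3 ];  then echo local
    elif [ "$id" -ge 4 ]  && [ "$id" -le 9 ];  then echo routed
    elif [ "$id" -ge 10 ] && [ "$id" -le 21 ]; then echo global
    else echo invalid; return 1
    fi
}

# Add the -kavlan-ID suffix to the host label of a short name or an FQDN
# (assumption: for an FQDN the suffix goes before the first dot).
kavlan_hostname() {
    local node="$1" id="$2" domain=""
    case "$node" in
        *.*) domain=".${node#*.}" ;;
    esac
    echo "${node%%.*}-kavlan-${id}${domain}"
}

# Print the ssh command that reaches a node placed in VLAN ID.
# Local VLANs are not routed, so the session jumps (OpenSSH -J) through the
# kavlan-ID gateway; routed and global VLANs are reached directly.
kavlan_ssh_cmd() {
    local node="$1" id="$2" vtype target
    vtype=$(kavlan_type "$id") || { echo "VLAN ID '$id' is out of range" >&2; return 1; }
    target=$(kavlan_hostname "$node" "$id")
    if [ "$vtype" = local ]; then
        echo "ssh -J kavlan-${id} ${target}"
    else
        echo "ssh ${target}"
    fi
}

# Constructed sample: a hypothetical node name and one ID of each type.
for id in 2 5 12; do
    kavlan_ssh_cmd "mynode-1.mysite.grid5000.fr" "$id"
done
```

Rejecting IDs outside the documented ranges before building a hostname keeps a typo from silently pointing at a VLAN that belongs to another type or does not exist.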

To get more information on how to use a local VLAN, you can read the following tutorial: Network_isolation_on_Grid'5000#Change_the_VLAN_of_your_nodes_manually

If you want to learn how to use KaVLAN, you can try the tutorial on Network isolation on Grid'5000