Introduction
VNRP is a prototype of an appliance platform based on OpenSolaris/Indiana that enables deployment of an edge router in a development environment.
This initial version of VNRP configures RIP or OSPF protocols across a pair of Zones that represent the internal (Intranet) and external (Internet) networking domains. The set of available network interfaces can be assigned across the Zones and are isolated specifically to the Zones they belong to.
All the functionality provided by VNRP, as well as the source code, is currently available in OpenSolaris with the exception of the Crossbow Anchor VNIC support. Anchor VNIC support that's required by VNRP is temporarily provided by a network pseudo driver named vpnet. This driver is used to communicate between Solaris Zones that are using exclusive IP stacks without the need for allocating a physical hardware NIC port.
Though all the capabilities provided by VNRP are available in OpenSolaris, VNRP is a focused effort behind the integration and initial configuration of the Solaris router facilities using Zones, Quagga and Webmin. This can be used as-is to deploy elementary edge-router appliances, or used as a base for further development.
The software that VNRP provides on top of the OpenSolaris/Indiana distribution is experimental in nature and intended to showcase some of the current capabilities of Solaris as well as foster further development of router appliances in the community.
The Crossbow project will provide unique functionality to VNRP, and integrated use of Crossbow capabilities will become available in VNRP once Crossbow integrates into OpenSolaris. We are also looking for ideas from the community on different ways by which Crossbow can provide differentiable capabilities in the VNRP effort.
The following project pages contain information related to VNRP:
Architecture:
The VNRP appliance is composed of two Solaris Zones, connected to each other by individual pseudo network driver module instances vpnet0 and vpnet1. The Internet and Intranet zones are separated to function in their specific domain so failures and security issues are isolated.
Each domain runs as an ip-type=exclusive Zone so each can utilize its own routing protocol and own specific instances of network adapters. Currently OSPF and RIP are provided as protocol options. BGP Webmin additions are in the process of being developed, but any currently supported Quagga protocol may be configured manually in any Zone by creating appropriate configuration files and enabling the service:
# svcs quagga
STATE          STIME    FMRI
disabled       Dec_12   svc:/network/routing/zebra:quagga
disabled       Dec_12   svc:/network/routing/rip:quagga
disabled       Dec_12   svc:/network/routing/ripng:quagga
disabled       Dec_12   svc:/network/routing/ospf:quagga
disabled       Dec_12   svc:/network/routing/ospf6:quagga
disabled       Dec_12   svc:/network/routing/bgp:quagga
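Because each Zone is meant to run only the routing protocol selected for it, the svcs listing can be checked against that choice. The following is an added example, not part of VNRP or its Webmin module: it parses svcs output and reports daemons that are missing or unexpectedly online. The function names and the second listing are constructed for illustration, and it assumes zebra must be online alongside the chosen protocol daemon.

```python
# Quagga SMF instances listed by `svcs quagga` on this page, keyed to a short name.
QUAGGA = {"svc:/network/routing/%s:quagga" % d: d
          for d in ("zebra", "rip", "ripng", "ospf", "ospf6", "bgp")}

def parse_svcs(text):
    """Return {fmri: state} from `svcs` output (STATE, STIME, FMRI columns)."""
    states = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2].startswith("svc:/"):
            states[fields[2]] = fields[0]
    return states

def audit_zone(svcs_text, protocol):
    """Compare a zone's Quagga daemons with the protocol selected for it."""
    wanted = {"zebra", protocol}  # assumption: zebra runs beside the protocol daemon
    online = {QUAGGA[f] for f, s in parse_svcs(svcs_text).items()
              if f in QUAGGA and s == "online"}
    return {"missing": sorted(wanted - online),
            "unexpected": sorted(online - wanted)}

# The listing shown on this page: every daemon disabled.
PAGE_OUTPUT = """\
STATE          STIME    FMRI
disabled       Dec_12   svc:/network/routing/zebra:quagga
disabled       Dec_12   svc:/network/routing/rip:quagga
disabled       Dec_12   svc:/network/routing/ripng:quagga
disabled       Dec_12   svc:/network/routing/ospf:quagga
disabled       Dec_12   svc:/network/routing/ospf6:quagga
disabled       Dec_12   svc:/network/routing/bgp:quagga
"""

# Constructed listing for a zone meant to run OSPF, with the RIP daemon left online.
SAMPLE = """\
STATE          STIME    FMRI
online         12:27:18 svc:/network/routing/zebra:quagga
online         12:27:19 svc:/network/routing/rip:quagga
disabled       Dec_12   svc:/network/routing/ripng:quagga
online         12:27:20 svc:/network/routing/ospf:quagga
disabled       Dec_12   svc:/network/routing/ospf6:quagga
disabled       Dec_12   svc:/network/routing/bgp:quagga
"""

if __name__ == "__main__":
    print(audit_zone(PAGE_OUTPUT, "rip"))
    print(audit_zone(SAMPLE, "ospf"))
```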
The Intranet/Internet Zones were derived from an OpenSolaris build 76 installation that contained only the CORE packages. These images were transplanted to the Indiana LiveCD image for use in the VNRP release.
The VNRP Webmin components are located in /usr/sfw/lib/webmin/VNRP and provide a simple GUI for basic VNRP configuration.
The VNRP initialization script, located in /sbin/VNRP.init, is normally only run once in the LiveCD environment to start up the pre-configured Zones, initialize Quagga and Webmin and set up other environmental requirements. /sbin/VNRP.config starts up the Webmin browser and /sbin/VNRP.install is run as a wrapper script around the Indiana gui-install module to set up the installation environment (Zone installation currently needs special treatment to work with the Indiana gui-install).
The remainder of the VNRP sources reside in the Webmin directory (/usr/sfw/lib/webmin/VNRP), with the vpnet driver configuration file residing in /kernel/drv/vpnet.conf. The driver is initially configured to initialize only two interfaces (vpnet0/vpnet1), but can be reconfigured with up to 10 if needed (more than 10 require a recompile of the driver).
See the Downloading section below for instructions on obtaining the vpnet driver package.
VNRP Project Prototype Requirements:
The VNRP prototype is delivered on LiveCD media that allows "test driving" of the routing facilities without over-writing any existing local storage. After the "live" instance is brought up it can be instantiated on a local system drive to provide a persistent router instance, and modified more extensively once installed there.
This prototype is a developer release. The configuration tools are available for initial configuration and installation of the router appliance on the following hardware:
The ISO image can either be burned onto a CD and used as a boot device, or booted directly as an xVM DomU instance from the ISO file (an example xVM configuration file is provided below).
Getting Started:
After burning the supplied ISO image to appropriate CD media (or DVD media if your system has a DVD player), insert the VNRP LiveCD into an x86 system and boot the system from that device.
Once booted, the LiveCD should automatically log in as user "jack" and then take you on to the Webmin login (N.B. if you're presented with a Solaris login, log in as user "jack" using the password "jack").
Webmin is used as the router configuration interface. The Webmin browser login should come up automatically (it may take a few seconds, be patient). After the Webmin browser appears, log in as user "root" with the password "opensolaris".
Within Webmin, the Virtual Network Router Appliance Project screen will show three Solaris zones (global/internet/intranet), their currently configured router protocol configuration and all the available network interfaces that were detected during boot. The interfaces will initially be attached to the global zone with routing turned off.
After selecting your routing protocol for the Internet and Intranet zones (OSPF or RIP), interfaces may be moved to their appropriate zones (i.e. interfaces attached to the local network should be placed in the intranet zone) and IP addresses can be assigned. You can select the use of DHCP for automatic IP address assignment, but only if a DHCP server is available on the attached subnet(s).
Clicking on the "Commit" button will instantiate the configuration.
Once your changes have been committed, turning back to the VNRP page will show the current state of the router configuration and allow further changes.
Installing to a local drive will provide more flexibility in adding additional software and making the configuration persistent across reboots. To proceed with installing the current configuration click on the "Install OpenSolaris" desktop icon and follow the installation instructions.
After rebooting to the locally installed version further changes can be made to the system through Webmin or any other available OpenSolaris administrative interface.
Virtualization Support
The same ISO image can be brought up as a DomU instance on a system running Solaris xVM.
This allows you to run multiple xVM "appliances" on the same physical machine. As an example, consider the case where a router and an intrusion prevention system could be run on the same physical box but each in their own guest domain. The vpnet driver could be used as a fast communication mechanism between guest domains (it also removes the need, in the absence of Crossbow Anchor VNIC support, for an external NIC device to communicate between domains).
Make the ISO image available to the Solaris xVM Dom0 either by copying it to local storage or exporting it via NFS. Create an xVM configuration file in /etc/xen/VNRP, then create a new DomU (xm create -c VNRP).
Example xVM configuration file:
name = "VNRP"
vcpus = 1
memory = "1024"
ramdisk = '/boot/x86.microroot'
#
# Path to ISO image in /export/home/in-preview-VNRP.iso
#
disk = [ 'file:/export/home/in-preview-VNRP.iso,6:cdrom,r' ]
#
# Configure up to three NIC interfaces. One (xnf0) for the
# external Webmin interface, one for the internet connection and
# one for the intranet. Example:
#
# xnf0/nge0 == public interface,
# xnf1/e1000g0 == internet connection
# xnf2/e1000g1 == local intranet.
#
vif = ['bridge=nge0', 'bridge=e1000g0', 'bridge=e1000g1' ]
on_shutdown = "destroy"
on_reboot = "destroy"
on_crash = "destroy"
Once the domain is booted, logging in as user "jack" (password "jack") will start the initialization of the router appliance components:
opensolaris console login: jack
Password:
Sun Microsystems Inc. SunOS 5.11 snv_75 October 2007
Initializing VNRP ... please wait ...
starting Zones ...
internet ...
intranet ...
initializing Quagga ...
initializing Webmin ...
Dec 19 12:27:18 localhost webmin[1359]: Webmin starting
Initialize a public network interface and connect to Webmin via:
http://(ip address):10000/VNRP/index.cgi
-bash-3.2$
In this example, if DHCP services were available on the subnet that nge0 is connected to, the interface can be configured to use DHCP with ifconfig(1m):
ifconfig xnf0 dhcp
An ifconfig -a will show the assigned address, and an external Webmin VNRP session can then be initiated from an external browser with the following URL:
http://(assigned DHCP address):10000/VNRP/index.cgi
Once you've attached to the Webmin service on the VNRP domU instance you can proceed with your virtual router appliance configuration.
Installing the configured VNRP instance
While it's possible to run the VNRP.install script to instantiate the xVM domU VNRP instance on a virtual disk and persist the configuration, there are currently issues with booting ZFS-root based domU guests under xVM that prevent the image from being used.
In the meantime, the following instructions can be used to produce an image that can be booted as an xVM guest once the xVM/ZFS-root boot issues are resolved.
In order to install the configuration on a virtual drive using the gui-install you must specify a vdisk device that exists in the xVM configuration file prior to booting the domain:
disk = [ 'file:/export/home/in-preview-VNRP.iso,6:cdrom,r',
'file:/export/home/your.disk.img,0,w' ]
You can then set an appropriate DISPLAY variable and run /sbin/VNRP.install to start the installation remotely. The resulting disk image would then be booted up directly in an xVM guest domain with a configuration file like the following:
name = "your.domain"
vcpus = 1
memory = "1024"
ramdisk = '/boot/x86.microroot'
disk = [ 'file:/export/home/your.disk.img,0,w' ]
vif = ['bridge=nge0', 'bridge=e1000g0', 'bridge=e1000g1' ]
on_shutdown = "destroy"
on_reboot = "destroy"
on_crash = "destroy"
N.B. There's currently a limit of three (3) VIF interfaces that can be configured for OpenSolaris xVM guest domains.
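The constraints described in this section (the ISO attached read-only as a cdrom, a writable vdisk declared before running the installer, and no more than three VIF entries) can be checked before running xm create. This is an added example, not part of VNRP or xVM: the function names and the "bad" variant are constructed, and it assumes the configuration consists of simple literal assignments like the ones shown above.

```python
import ast

MAX_VIFS = 3  # limit this page states for OpenSolaris xVM guest domains

def load_xm_config(text):
    """Collect the `name = literal` assignments of an xVM configuration file."""
    settings = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            settings[node.targets[0].id] = ast.literal_eval(node.value)
    return settings

def check_vnrp_config(text, installing=False):
    """Return a list of problems; `installing` means VNRP.install will be run."""
    cfg, problems, writable_vdisk = load_xm_config(text), [], False
    if len(cfg.get("vif", [])) > MAX_VIFS:
        problems.append("more than %d vif entries" % MAX_VIFS)
    for entry in cfg.get("disk", []):
        parts = entry.split(",")
        if len(parts) != 3:
            problems.append("malformed disk entry: " + entry)
            continue
        source, device, mode = parts
        if "cdrom" in device:
            if mode != "r":
                problems.append("ISO image is not attached read-only: " + source)
        elif mode == "w":
            writable_vdisk = True
    if installing and not writable_vdisk:
        problems.append("no writable vdisk for the installer to target")
    return problems

# The page's first example configuration (comments removed).
LIVE_CONFIG = """
name = "VNRP"
vcpus = 1
memory = "1024"
ramdisk = '/boot/x86.microroot'
disk = [ 'file:/export/home/in-preview-VNRP.iso,6:cdrom,r' ]
vif = ['bridge=nge0', 'bridge=e1000g0', 'bridge=e1000g1' ]
"""

# Constructed variant: a fourth vif (bridge name hypothetical) and a writable ISO.
BAD_CONFIG = LIVE_CONFIG.replace("cdrom,r", "cdrom,w").replace(
    "'bridge=e1000g1'", "'bridge=e1000g1', 'bridge=e1000g2'")

if __name__ == "__main__":
    print(check_vnrp_config(LIVE_CONFIG, installing=True))
    print(check_vnrp_config(BAD_CONFIG))
```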
Downloading
The VNRP ISO image can be downloaded from http://dlc.sun.com/osol/VNRP/downloads/current/in-preview-VNRP.iso and assumes the same licensing and distribution restrictions as specified at the Indiana Download site. This contains an image that can be booted directly from a CD, or brought up within an xVM guest domain (see the Virtualization Support instructions above).
The vpnet driver used by VNRP can be downloaded from vpnet-driver-20080108.i386.tar. These same driver binaries already exist in the VNRP ISO image, so this tarfile is only useful for installing the vpnet driver on a system running OpenSolaris. The tarfile contains an SVR4 package stream. Once it has been installed with pkgadd -d SUNWvpnet.pkg and the driver configuration file (/kernel/drv/vpnet.conf) has been modified to specify the required instances, the driver can be enabled on the system simply by running "add_drv vpnet".
Future Enhancements:
Crossbow will integrate into OpenSolaris proper at some point and will replace the need for the vpnet driver that's currently used in the VNRP appliance to route packets between the Intranet and Internet Zones. Crossbow will, in addition, present a new set of features that can be utilized in router appliance development.
Additional support for BGP and IPFilter firewall facilities.
The Newboot project will provide an environment for SPARC LiveCD media support.
Fix support for booting ZFS-root instances installed from Indiana.
The VNRP project is open for questions and suggestions ... visit the Virtual Router community page and subscribe to the VNM discussion mail list to participate in the project and track future releases ...
© 2012, Oracle Corporation and/or its affiliates.