xref: /illumos-gate/usr/src/man/man7/overlay.7 (revision dd72704bd9e794056c558153663c739e2012d721)
1.\"
2.\" This file and its contents are supplied under the terms of the
3.\" Common Development and Distribution License ("CDDL"), version 1.0.
4.\" You may only use this file in accordance with the terms of version
5.\" 1.0 of the CDDL.
6.\"
7.\" A full copy of the text of the CDDL should have accompanied this
8.\" source.  A copy of the CDDL is also available via the Internet at
9.\" http://www.illumos.org/license/CDDL.
10.\"
11.\"
12.\" Copyright 2015 Joyent, Inc.
13.\"
14.Dd March 30, 2022
15.Dt OVERLAY 7
16.Os
17.Sh NAME
18.Nm overlay
19.Nd Overlay Devices
20.Sh DESCRIPTION
21Overlay devices are a GLDv3 device that allows users to create overlay
22networks that can be used to form the basis of network virtualization
23and software defined networking.
24Overlay networks allow a single physical network, often called an
25.Sy underlay
26network, to provide the means for creating multiple logical, isolated,
27and discrete layer two and layer three networks on top of it.
28.Pp
29Overlay devices are administered through
30.Xr dladm 8 .
31Overlay devices themselves cannot be plumbed up with
32.Sy IP ,
33.Sy vnd ,
34or any other protocol.
35Instead, like an
36.Sy etherstub ,
37they allow for VNICs to be created on top of them.
38Like an
39.Sy etherstub ,
40an overlay device acts as a local switch; however, when it encounters a
41non-local destination address, it instead looks up where it should send
42the packet, encapsulates it, and sends it out another interface in the
43system.
44.Pp
45A single overlay device encapsulates the logic to answer two different,
46but related, questions:
47.Pp
48.Bl -enum -offset indent -compact
49.It
50How should a packet be transformed and put on the wire?
51.It
52Where should a transformed packet be sent?
53.El
54.Pp
55Each of these questions is answered by a plugin.
56The first question is answered by what's called an
57.Em encapsulation plugin .
58The second question is answered by what's called a
59.Em search plugin .
60Packets are encapsulated and decapsulated using the encapsulation plugin
61by the kernel.
62The search plugins are all user land plugins that are consumed by the
63varpd service whose FMRI is
64.Em svc:/network/varpd:default .
65This separation allows for the kernel to be responsible for the data
66path, while having the search plugins in userland allows the system to
67provide a much more expressive interface.
68.Ss Overlay Types
69Overlay devices come in two different flavors, one where all packets are
70always sent to a single address, the other, where the destination of a
71packet varies based on the target MAC address of the packet.
72This information is maintained in a
73.Em target table ,
74which is independent and unique to each overlay device.
75We call the plugins that send traffic to a single location, for example
76a single unicast or multicast IP address, a
77.Sy point to point
78overlay and the overlay devices that can send traffic to different
79locations based on the MAC address of that packet a
80.Sy dynamic
81overlay.
82The plugin type is determined based on the type of the
83.Sy search plugin .
84These are all fully listed in the section
85.Sx Plugins and their Properties .
86.Ss Overlay Destination
87Both encapsulation and search plugins define the kinds of destinations
88that they know how to support.
89An encapsulation plugin always has a single destination type that's
90determined based on how the encapsulation is defined.
91A search plugin, on the other hand, can support multiple combinations of
92destinations.
93A search plugin must support the destination type of the encapsulation
94device.
95The destination may require any of the following three pieces of
96information, depending on the encapsulation plugin:
97.Bl -hang -width Ds
98.It Sy MAC Address
99.Bd -filled -compact
100An Ethernet MAC address is required to determine the destination.
101.Ed
102.It Sy IP Address
103.Bd -filled -compact
104An IP address is required.
105Both IPv4 and IPv6 addresses are supported.
106.Ed
107.It Sy Port
108.Bd -filled -compact
109An IP protocol level (TCP, UDP, SCTP, etc.) port is required.
110.Ed
111.El
112.Pp
113The list of destination types that are supported by both the search and
114encapsulation plugins is listed in the section
115.Sx Plugins and their Properties .
116.Ss varpd
117The varpd service, mentioned above, is responsible for providing the
118virtual ARP daemon.
119Its responsibility is conceptually similar to ARP.
120It runs all instances of search plugins in the system and is responsible
121for answering the kernel's ARP-like questions for where packets should
122be sent.
123.Pp
124The varpd service, svc:/network/varpd:default, must be enabled for
125overlay devices to function.
126If it is disabled while there are active devices, then most overlay
127devices will not function correctly and likely will end up dropping
128traffic.
129.Sh PLUGINS AND PROPERTIES
130Properties fall into three categories in the system:
131.Bl -enum -offset indent -compact
132.It
133Generic properties all overlay devices have
134.It
135Properties specific to the encapsulation plugin
136.It
137Properties specific to the search plugin
138.El
139.Pp
140Each property in the system has the following attributes, which mirror
141the traditional
142.Xr dladm 8
143link properties:
144.Bl -hang -width Ds
145.It Sy Name
146.Bd -filled -compact
147The name of a property is namespaced by its module and always structured
148and referred to as as module/property.
149This allows for both an encapsulation and search plugin to have a
150property with the same name.
151Properties that are valid for all overlay devices and not specific to a
152module do not generally use a module prefix.
153.Pp
154For example, the property
155.Sy vxlan/listen_ip
156is associated with the
157.Sy vxlan
158encapsulation module.
159.Ed
160.It Sy Type
161.Bd -filled -compact
162Each property in the system has a type.
163.Xr dladm 8
164takes care of converting between the internal representation and a
165value, but the type influences the acceptable input range.
166The types are:
167.Bl -hang -width Ds
168.It Sy INT
169A signed integer that is up to eight bytes long
170.Pq Sy int64_t .
171.It Sy UINT
172An unsigned integer that is up to eight bytes long
173.Pq Sy uint64_t .
174.It Sy IP
175Either an IPv4 or IPv6 address in traditional string form.
176For example, 192.168.128.23 or 2001:470:8af4::1:1.
177IPv4 addresses may also be encoded as IPv4-mapped IPv6 addresses.
178.It Sy STRING
179A string of ASCII or UTF-8 encoded characters terminated with a
180.Sy NUL
181byte.
182The maximum string length, including the terminator, is currently
183256 bytes.
184.El
185.Ed
186.It Sy Permissions
187.Bd -filled -compact
188Each property has permissions associated with it, which indicate whether
189the system considers them read-only properties or read-write properties.
190A read-only property can never be updated once the device is created.
191This generally includes things like the overlay's encapsulation module.
192.Ed
193.It Sy Required
194.Bd -filled -compact
195This property indicates whether the property is required for the given
196plugin.
197If it is not specified during a call to
198.Sy dladm create-overlay ,
199then the overlay cannot be successfully created.
200Properties which have a
201.Sy default
202will use that value if one is not specified rather than cause the
203overlay creation to fail.
204.Ed
205.It Sy Current Value
206.Bd -filled -compact
207The current value of a property, if the property has a value set.
208Required properties always have a value set.
209.Ed
210.It Sy Default Value
211.Bd -filled -compact
212The default value is an optional part of a given property.
213If a property does define a default value, then it will be used when an
214overlay is created and no other value is given.
215.Ed
216.It Sy Value ranges
217.Bd -filled -compact
218Value ranges are an optional part of a given property.
219They indicate a range or set of values that are valid and may be set for
220a property.
221A property may not declare such a range as it may be impractical or
222unknown.
223For example, most properties based on IP addresses will not
224declare a range.
225.Ed
226.El
227.Pp
228The following sections describe both the modules and the properties that
229exist for each module, noting their name, type, permissions, whether or
230not they are required, and if there is a default value.
231In addition, the effects of each property will be described.
232.Ss Encapsulation Plugins
233.Bl -hang -width Ds
234.It Sy vxlan
235The
236.Sy vxlan
237module is a UDP based encapsulation method.
238It takes a frame that would be put on the wire, wraps it up in a VXLAN
239header and places it in a UDP packet that gets sent out on the
240underlying network.
241For more details about the specific format of the VXLAN header, see
242.Xr vxlan 4P .
243.Pp
244The
245.Sy vxlan
246module requires both an
247.Sy IP address
248and
249.Sy port
250to address it.
251It has a 24-bit virtual network ID space, allowing for
252virtual network identifiers that range from
253.Sy 0
254-
255.Sy 16777215 .
256.Pp
257The
258.Sy vxlan
259module has the following properties:
260.Bl -hang -width Ds
261.It Sy vxlan/listen_ip
262.Bd -filled -compact
263Type:
264.Sy IP |
265Permissions:
266.Sy Read/Write |
267.Sy Required
268.Ed
269.Bd -filled
270The
271.Sy vxlan/listen_ip
272property determines the IP address that the system will accept VXLAN
273encapsulated packets on for this overlay.
274.Ed
275.It Sy vxlan/listen_port
276.Bd -filled -compact
277Type:
278.Sy UINT |
279Permissions:
280.Sy Read/Write |
281.Sy Required
282.Ed
283.Bd -filled -compact
284Default Value:
285.Sy 4789 |
286Range:
287.Sy 0 - 65535
288.Ed
289.Bd -filled
290The
291.Sy vxlan/listen_port
292property determines the UDP port that the system will listen on for
293VXLAN traffic for this overlay.
294The default value is
295.Sy 4789 ,
296the IANA assigned port for VXLAN.
297.Ed
298.El
299.Pp
300The
301.Sy vxlan/listen_ip
302and
303.Sy vxlan/listen_port
304properties determine how the system will accept VXLAN encapsulated
305packets for this interface.
306It does not determine the interface that packets will be sent out over.
307Multiple overlays that all use VXLAN can share the same IP and port
308combination, as the virtual network identifier can be used to tell the
309different overlays apart.
310.El
311.Ss Search Plugins
312Because search plugins may support multiple destinations, they may have
313more properties listed than necessarily show up for a given overlay.
314For example, the
315.Sy direct
316plugin supports destinations that are identified by both an IP address
317and a port, or just an IP address.
318In cases where the device is created over an overlay that only uses an
319IP address for its destination, then it will not have the
320.Sy direct/dest_port
321property.
322.Bl -hang -width Ds
323.It Sy direct
324The
325.Sy direct
326plugin is a point to point module that can be used to create an overlay
327that forwards all non-local traffic to a single destination.
328It supports destinations that are a combination of an
329.Sy IP Address
330and a
331.Sy port .
332.Pp
333The
334.Sy direct
335plugin has the following properties:
336.Bl -hang -width Ds
337.It Sy direct/dest_ip
338.Bd -filled -compact
339Type:
340.Sy IP |
341Permissions:
342.Sy Read/Write |
343.Sy Required
344.Ed
345.Bd -filled
346The
347.Sy direct/dest_ip
348property indicates the IP address that all traffic will be sent out.
349Traffic will be sent out the corresponding interface based on
350traditional IP routing rules and the configuration of the networking
351stack of the global zone.
352.Ed
353.It Sy direct/dest_port
354.Bd -filled -compact
355Type:
356.Sy UINT |
357Permissions:
358.Sy Read/Write |
359.Sy Required
360.Ed
361.Bd -filled -compact
362Default Value:
363.Sy - |
364Range:
365.Sy 0 - 65535
366.Ed
367.Bd -filled
368The
369.Sy direct/dest_port
370property indicates the TCP or UDP port that all traffic will be directed
371to.
372.Ed
373.El
374.It Sy files
375The
376.Sy files
377plugin implements a
378.Sy dynamic
379plugin that specifies where traffic should be sent based on a file.
380It is a glorified version of /etc/ethers.
381The
382.Sy dynamic
383plugin does not support broadcast or multicast traffic, but it has
384support for proxy ARP, NDP, and DHCPv4.
385For the full details of the file format, see
386.Xr overlay_files 5 .
387.Pp
388The
389.Sy files
390plugin has the following property:
391.Bl -hang -width Ds
392.It Sy files/config
393.Bd -filled -compact
394Type:
395.Sy String |
396Permissions:
397.Sy Read/Write |
398.Sy Required
399.Ed
400.Bd -filled
401The
402.Sy files/config
403property specifies an absolute path to a file to read.
404The file is a JSON file that is formatted according to
405.Xr overlay_files 5 .
406.Ed
407.El
408.El
409.Ss General Properties
410Each overlay has the following properties which are used to give
411additional information about the system.
412None of these properties may be specified as part of a
413.Sy dladm create-overlay ,
414instead they come from other arguments or from internal parts of the
415system.
416.Bl -hang -width Ds
417.It Sy encap
418.Bd -filled -compact
419.Sy String |
420Permissions:
421.Sy Read Only
422.Ed
423.Bd -filled
424The
425.Sy encap
426property contains the name of the encapsulation module that's in use.
427.Ed
428.It Sy mtu
429.Bd -filled -compact
430.Sy UINT |
431Permissions:
432.Sy Read/Write
433.Ed
434.Bd -filled -compact
435Default Value:
436.Sy 1400 |
437Range:
438.Sy 576 - 9000
439.Ed
440.Bd -filled
441The
442.Sy mtu
443property describes the maximum transmission unit of the overlay.
444The default value is
445.Sy 1400
446bytes, which ensures that in a traditional deployment with an MTU of
4471500 bytes, the overhead that is added from encapsulation is all
448accounted for.
449It is the administrator's responsibility to ensure that
450the device's MTU and the encapsulation overhead does not exceed that of
451the interfaces that the encapsulated traffic will be sent out of.
452.Pp
453To modify the
454.Sy mtu
455property, use
456.Sy dladm set-linkprop .
457.Ed
458.It Sy search
459.Bd -filled -compact
460.Sy String |
461Permissions:
462.Sy Read Only
463.Ed
464.Bd -filled
465The
466.Sy search
467property contains the name of the search plugin that's in use.
468.Ed
469.It Sy varpd/id
470.Bd -filled -compact
471.Sy String |
472Permissions:
473.Sy Read Only
474.Ed
475.Bd -filled
476The
477.Sy varpd/id
478property indicates the identifier which the
479.Sy varpd
480service uses for this overlay.
481.Ed
482.It Sy vnetid
483.Bd -filled -compact
484.Sy UINT |
485Permissions:
486.Sy Read/Write
487.Ed
488.Bd -filled
489The
490.Sy vnetid
491property has the virtual network identifier that belongs to this overlay.
492The valid range for the virtual network identifier depends on the
493encapsulation engine.
494.Ed
495.El
496.Sh FMA INTEGRATION
497Overlay devices are wired into FMA, the illumos fault management
498architecture, and generates error reports depending on the
499.Sy search
500plugin in use.
501Due to limitations in FMA today, when a single overlay
502enters a degraded state, meaning that it cannot properly perform look
503ups or another error occurred, then it degrades the overall
504.Sy overlay
505pseudo-device driver.
506.Pp
507For more fine-grained information about which overlay is actually in a
508.Em degraded
509state, one should run
510.Sy dladm show-overlay -f .
511In addition, for each overlay in a degraded state a more useful
512diagnostic message is provided which describes the reason that caused
513this overlay to enter into a degraded state.
514.Pp
515The overlay driver is self-healing.
516If the problem corrects itself on its own, it will clear the fault on
517the corresponding device.
518.Sh SEE ALSO
519.Xr vxlan 4P ,
520.Xr overlay_files 5 ,
521.Xr dladm 8
522