Thanks.

You said though that classifier must be unique within a tenant. I tried creating chains in two different tenants by different users without any RBAC rules. So there are two tenants, each has 1 network, 2 vms (source, service) and an admin user. I used different openrc configs for each user yet still get the same conflict.

Info about the test is in the attachment.
31.07.2016 5:25, Farhad Sunavala wrote:
Yes, this was intentionally done.
The logical-source-port is important only at the point of classification.
All successive classifications rely only on the 5 tuple and MPLS label (chain ID).

Consider an extension of the scenario you mention below.

Sources: (similar to your case)
a
b

Port-pairs: (added ppe and ppf)
ppc
ppd
ppe
ppf

Port-pair-groups: (added ppge and ppgf)
ppgc
ppgd
ppge
ppgf

Flow-classifiers:
fc1: logical-source-port of a && tcp
fc2: logical-source-port of b && tcp

Port-chains:
pc1: fc1 && (ppgc + ppge)
pc2: fc2 && (ppgd + ppgc + ppgf)



The flow-classifier has logical-src-port and protocol=tcp
The logical-src-port has no relevance in the middle of the chain.

In the middle of the chain, the only relevant flow-classifier is protocol=tcp.

If we allow it, we cannot distinguish TCP traffic coming out of ppgc (and subsequently ppc)
as to whether to mark it with the label for pc1 or the label for pc2.

In other words, within a tenant the flow-classifiers need to be unique wrt the 5 tuples.

thanks,
Farhad.

Date: Fri, 29 Jul 2016 18:01:05 +0300
From: Artem Plakunov <art...@lvk.cs.msu.su>
To: openstack@lists.openstack.org
Subject: [Openstack] [networking-sfc] Flow classifier conflict logic
Message-ID: <579b6fb1.3030...@lvk.cs.msu.su>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hello.
We have two deployments with networking-sfc:
mirantis 8.0 (liberty) and mirantis 9.0 (mitaka).

I noticed a difference in how flow classifiers conflict with each other
which I do not understand. I'm not sure if it is a bug or not.

I did the following on mitaka:
1. Create tenant 1 and network 1
2. Launch vms A and B in network 1
3. Create tenant 2, share network 1 to it with RBAC policy, launch vm C in network 1
4. Create tenant 3, share network 1 to it with RBAC policy, launch vm D in network 1
5. Set up sfc:
    create two port pairs for vm C and vm D with a bidirectional port
    create two port pair groups with these pairs (one pair in one group)
    create flow classifier 1: logical-source-port = vm A port, protocol = tcp
    create flow classifier 2: logical-source-port = vm B port, protocol = tcp
    create chain with group 1 and classifier 1
    create chain with group 2 and classifier 2 - this step gives the following error:

Flow Classifier 7f37c1ba-abe6-44a0-9507-5b982c51028b conflicts with Flow
Classifier 4e97a8a5-cb22-4c21-8e30-65758859f501 in port chain
d1070955-fae9-4483-be9e-0e30f2859282.
Neutron server returns request_ids:
['req-9d0eecec-2724-45e8-84b4-7ccf67168b03']

The only thing neutron logs have is this from server.log:
2016-07-29 14:15:57.889 18917 INFO neutron.api.v2.resource
[req-9d0eecec-2724-45e8-84b4-7ccf67168b03
0b807c8616614b84a4b16a318248d28c 9de9dcec18424398a75a518249707a61 - - -]
create failed (client error): Flow Classifier
7f37c1ba-abe6-44a0-9507-5b982c51028b conflicts with Flow Classifier
4e97a8a5-cb22-4c21-8e30-65758859f501 in port chain
d1070955-fae9-4483-be9e-0e30f2859282.

I tried the same in liberty and it works and sfc successfully routes
traffic from both vms to their respective port groups.

Liberty setup:
neutron version 7.0.4
neutronclient version 3.1.1
networking-sfc version 1.0.0 (from pip package)

Mitaka setup:
neutron version 8.1.1
neutronclient version 5.0.0 (tried using 3.1.1 with same outcome)
networking-sfc version 1.0.1.dev74 (from master branch commit
6730b6810355761cf55f04a40cd645f065f15752)

I'll attach the output of commands neutron port-list, port-pair-list,
port-pair-group-list, flow-classifier-list and port-chain-list.

Is this an intended flow classifier behavior? If so, why? The port
chains and all their participants are different.




$ openstack project list | grep sfc
| 0dafd2d782f4445798363ba9b27e104f | sfc1
| ddf01417a9b74648a3a20c2b818a52ca | sfc2





$ nova list
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| ID                                   | Name      | Status | Task State | Power State | Networks               |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| fbf3809c-61b7-4246-a59f-80945a7cc428 | sfc1_serv | ACTIVE | -          | Running     | sfc1_net=192.168.100.4 |
| 06b6b770-2854-4906-a5b6-7ace6cb610d3 | sfc1_vm   | ACTIVE | -          | Running     | sfc1_net=192.168.100.3 |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+

$ neutron port-list | grep 100
| 429fdb89-1bfa-4dc1-bb89-25373501ebde |      | fa:16:3e:68:e8:7a | {"subnet_id": "1bb6afcc-d4bb-41ec-b6b3-aef2b4fbda7f", "ip_address": "192.168.100.4"} |
| ca7f8fdf-a1ff-4cd7-8897-9f6ca5220be6 |      | fa:16:3e:72:0f:26 | {"subnet_id": "1bb6afcc-d4bb-41ec-b6b3-aef2b4fbda7f", "ip_address": "192.168.100.3"} |
| df8ce9a2-eddd-4b86-8d1c-705f9c96ddb6 |      | fa:16:3e:32:e4:1f | {"subnet_id": "1bb6afcc-d4bb-41ec-b6b3-aef2b4fbda7f", "ip_address": "192.168.100.2"} |

$ neutron port-pair-show pair1
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| description                 |                                      |
| egress                      | 429fdb89-1bfa-4dc1-bb89-25373501ebde |
| id                          | 7a975f46-5ea3-484b-aff5-ef343d0f4ac2 |
| ingress                     | 429fdb89-1bfa-4dc1-bb89-25373501ebde |
| name                        | pair1                                |
| service_function_parameters | {"correlation": null}                |
| tenant_id                   | 0dafd2d782f4445798363ba9b27e104f     |
+-----------------------------+--------------------------------------+

$ neutron port-pair-group-show pair1
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description |                                      |
| id          | 166cd6f7-0370-4335-adda-9783b9f0a13b |
| name        | pair1                                |
| port_pairs  | 7a975f46-5ea3-484b-aff5-ef343d0f4ac2 |
| tenant_id   | 0dafd2d782f4445798363ba9b27e104f     |
+-------------+--------------------------------------+

$ neutron flow-classifier-show flow1
+----------------------------+--------------------------------------+
| Field                      | Value                                |
+----------------------------+--------------------------------------+
| description                |                                      |
| destination_ip_prefix      |                                      |
| destination_port_range_max |                                      |
| destination_port_range_min |                                      |
| ethertype                  | IPv4                                 |
| id                         | 8301ed30-1325-460b-951f-5e707ff729bd |
| l7_parameters              | {}                                   |
| logical_destination_port   |                                      |
| logical_source_port        | ca7f8fdf-a1ff-4cd7-8897-9f6ca5220be6 |
| name                       | flow1                                |
| protocol                   | tcp                                  |
| source_ip_prefix           |                                      |
| source_port_range_max      |                                      |
| source_port_range_min      |                                      |
| tenant_id                  | 0dafd2d782f4445798363ba9b27e104f     |
+----------------------------+--------------------------------------+

$ neutron port-chain-show chain1
+------------------+--------------------------------------+
| Field            | Value                                |
+------------------+--------------------------------------+
| chain_parameters | {"correlation": "mpls"}              |
| description      |                                      |
| flow_classifiers | 8301ed30-1325-460b-951f-5e707ff729bd |
| id               | 5de3a851-311a-4ac4-be43-d17630c8e13f |
| name             | chain1                               |
| port_pair_groups | 166cd6f7-0370-4335-adda-9783b9f0a13b |
| tenant_id        | 0dafd2d782f4445798363ba9b27e104f     |
+------------------+--------------------------------------+





$ source openrc2

$ nova list
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| ID                                   | Name      | Status | Task State | Power State | Networks               |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| 8e5a5312-da09-4956-8459-21373fdd165b | sfc2_serv | ACTIVE | -          | Running     | sfc2_net=192.168.200.4 |
| b6e1267c-a43d-4e35-a292-c5dccce0b754 | sfc2_vm   | ACTIVE | -          | Running     | sfc2_net=192.168.200.3 |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+

$ neutron port-list | grep 200
| 2c6f6f67-6241-4661-977c-3fe5da864c95 |      | fa:16:3e:8b:09:b8 | {"subnet_id": "7d9cf928-f554-45f5-ad78-12a40e36d788", "ip_address": "192.168.200.4"} |
| 9b20c466-f62c-4c49-a074-91a088ebb0f6 |      | fa:16:3e:f9:40:c7 | {"subnet_id": "7d9cf928-f554-45f5-ad78-12a40e36d788", "ip_address": "192.168.200.3"} |
| f95f2509-d27d-4b3a-b62a-b9bdb69085bf |      | fa:16:3e:61:de:16 | {"subnet_id": "7d9cf928-f554-45f5-ad78-12a40e36d788", "ip_address": "192.168.200.2"} |

$ neutron port-pair-show pair2
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| description                 |                                      |
| egress                      | 2c6f6f67-6241-4661-977c-3fe5da864c95 |
| id                          | 46e63fab-9afe-489f-97ed-ab17ae1bdc91 |
| ingress                     | 2c6f6f67-6241-4661-977c-3fe5da864c95 |
| name                        | pair2                                |
| service_function_parameters | {"correlation": null}                |
| tenant_id                   | ddf01417a9b74648a3a20c2b818a52ca     |
+-----------------------------+--------------------------------------+

$ neutron port-pair-group-show group2
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description |                                      |
| id          | f8dd897a-1e36-49b0-8d35-d7df0782b3c1 |
| name        | group2                               |
| port_pairs  | 46e63fab-9afe-489f-97ed-ab17ae1bdc91 |
| tenant_id   | ddf01417a9b74648a3a20c2b818a52ca     |
+-------------+--------------------------------------+

$ neutron flow-classifier-show flow2
+----------------------------+--------------------------------------+
| Field                      | Value                                |
+----------------------------+--------------------------------------+
| description                |                                      |
| destination_ip_prefix      |                                      |
| destination_port_range_max |                                      |
| destination_port_range_min |                                      |
| ethertype                  | IPv4                                 |
| id                         | 12b4afa5-c6e4-4df8-a0cc-43e8ab926110 |
| l7_parameters              | {}                                   |
| logical_destination_port   |                                      |
| logical_source_port        | 9b20c466-f62c-4c49-a074-91a088ebb0f6 |
| name                       | flow2                                |
| protocol                   | tcp                                  |
| source_ip_prefix           |                                      |
| source_port_range_max      |                                      |
| source_port_range_min      |                                      |
| tenant_id                  | ddf01417a9b74648a3a20c2b818a52ca     |
+----------------------------+--------------------------------------+

$ neutron port-chain-create --port-pair-group f8dd897a-1e36-49b0-8d35-d7df0782b3c1 --flow-classifier 12b4afa5-c6e4-4df8-a0cc-43e8ab926110 chain2
Flow Classifier 12b4afa5-c6e4-4df8-a0cc-43e8ab926110 conflicts with Flow Classifier 8301ed30-1325-460b-951f-5e707ff729bd in port chain 5de3a851-311a-4ac4-be43-d17630c8e13f.
Neutron server returns request_ids: ['req-1324eff7-8d56-4df3-9129-2480fae88762']
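
Added example, not part of the original thread and not networking-sfc code: a simplified Python model of the conflict rule described in the quoted reply (classifiers compared on their 5-tuple fields, with logical-source-port ignored), run over flow1 and flow2 from the output above. The names `mid_chain_key`, `find_conflicts`, `scope_by_tenant` and the classifier flow3 are hypothetical; matching is exact equality only, so overlapping prefixes or port ranges are not modelled.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Tuple


@dataclass(frozen=True)
class FlowClassifier:
    name: str
    tenant_id: str
    logical_source_port: str  # relevant only at the first classification
    protocol: Optional[str] = None
    ethertype: str = "IPv4"
    source_ip_prefix: Optional[str] = None
    destination_ip_prefix: Optional[str] = None
    source_ports: Optional[Tuple[int, int]] = None
    destination_ports: Optional[Tuple[int, int]] = None

    def mid_chain_key(self):
        # What can still tell flows apart after the first hop: the 5-tuple
        # fields only. logical_source_port is deliberately left out.
        return (self.ethertype, self.protocol, self.source_ip_prefix,
                self.destination_ip_prefix, self.source_ports,
                self.destination_ports)


def find_conflicts(chains, scope_by_tenant):
    """Return sorted name pairs of classifiers that sit in different chains
    but have equal mid-chain keys (assumed rule, exact equality only)."""
    tagged = [(chain, fc) for chain, fcs in chains.items() for fc in fcs]
    hits = []
    for (c1, a), (c2, b) in combinations(tagged, 2):
        if c1 == c2:
            continue
        if scope_by_tenant and a.tenant_id != b.tenant_id:
            continue  # only compare classifiers owned by the same tenant
        if a.mid_chain_key() == b.mid_chain_key():
            hits.append(tuple(sorted((a.name, b.name))))
    return sorted(hits)


# IDs copied from the command output above; flow3 is constructed.
T1, T2 = "0dafd2d782f4445798363ba9b27e104f", "ddf01417a9b74648a3a20c2b818a52ca"
flow1 = FlowClassifier("flow1", T1, "ca7f8fdf-a1ff-4cd7-8897-9f6ca5220be6", "tcp")
flow2 = FlowClassifier("flow2", T2, "9b20c466-f62c-4c49-a074-91a088ebb0f6", "tcp")
flow3 = FlowClassifier("flow3", T1, "ca7f8fdf-a1ff-4cd7-8897-9f6ca5220be6", "udp")
CHAINS = {"chain1": [flow1], "chain2": [flow2], "chain3": [flow3]}

if __name__ == "__main__":
    print("all tenants :", find_conflicts(CHAINS, scope_by_tenant=False))
    print("per tenant  :", find_conflicts(CHAINS, scope_by_tenant=True))
```

Without tenant scoping the model flags flow1 against flow2, the same pair named in the error above; with tenant scoping it flags nothing for these two tenants, while two TCP classifiers in one tenant still collide regardless of their logical source ports.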