Hi Sridhar It’s very helpful to understand the background.
1. pure openstack environment 2. the VM booted fails, then the status is still DOWN, now I know is not the DOWN causes the VM boot failure… 3. ext-net is properly configured. I am working with the installer team to debug this, it maybe some error caused from the installer. Can you have a look at this link https://git.opnfv.org/cgit/ipv6/tree/docs/configurationguide/featureconfig.rst I follow this. Maybe there is something need to amend with Mitaka, such as line 293 “--port_security_enabled=False” doesn’t supported with Mitaka. Also Section “Disable Security Groups in OpenStack ML2 Setup” line 155- line 177. It can reduce many debug time if you feel it pleasure to do that ☺ /MatthewLi 发件人: Sridhar Gaddam [mailto:[email protected]] 发送时间: 2016年8月18日 17:59 收件人: Lijun (Matthew) 抄送: HU, BIN; Gaoliang (kubi); [email protected] 主题: Re: 答复: [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka Hello Matthew, Some background: Neutron supported "Port Security" extension in releases prior to Mitaka. But there was a Bug [1] in Nova, due to which, we were disabling the Security Groups completely for IPv6 Service VM use-case. Nova bug[1] was fixed recently and is back-ported to stable/mitaka. So, if you are using the stable/Mitaka branch (which includes the fix [2]), then there is no need to disable Security Groups completely. We can have Security Groups enabled in the setup and while creating the networks we can disable port_security on the individual networks (like we are doing in [3]). The following blog [4] explains about Neutron ML2 port security very well. I had a look at the logs [5], it only says that ping6 is failing. I'm not able to figure out any issue in port-creation. Am I missing something? I just tried the IPv6 ServiceVM use-case on my laptop with latest stable/mitaka branch and its working fine (Security Groups are enabled, but port_security is disabled on the networks) A small note: When a port is updated with "--no-security-groups", Neutron does not remove the Anti-Spoofing rules on the ports. It simply disables any ACL rules that were applied to the port. I have few questions. 1. Are you running the tests in a pure OpenStack environment or OpenStack+ODL environment? 2. The port status would be DOWN when the port is initially created. But after the VM is spawned (using this port), the port status would be made as ACTIVE. You mentioned that you are seeing the port status as DOWN, is it after the VM is booted? Can you also check if VM boots fine (i.e., vRouter, VM1 and VM2) - you can use nova console-log vRouter) 3. As you know ext-net should be properly configured in the setup. This is because vRouter VM would download and install certain packages like radvd. In case there is an issue with external connectivity, vRouter will not be able to act as an IPv6 Router. Please take a look at this. [1] https://bugs.launchpad.net/nova/+bug/1175464 [2] https://review.openstack.org/#/c/306470/ [3] https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash#n27 [4] http://kimizhang.com/neutron-ml2-port-security/ [5] https://build.opnfv.org/ci/view/yardstick/job/yardstick-compass-baremetal-daily-master/190/consoleFull Thanks, --Sridhar. On Fri, Aug 12, 2016 at 1:32 PM, Lijun (Matthew) <[email protected]<mailto:[email protected]>> wrote: Hi Bin Thanks for your suggestion. All those I have tried and they fails, port status is still DOWN Yep In Mitaka - Line 27 and 28: the parameter “--port_security_enabled=False” should be moved /MatthewLi 发件人: HU, BIN [mailto:[email protected]<mailto:[email protected]>] 发送时间: 2016年8月12日 14:31 收件人: Lijun (Matthew); [email protected]<mailto:[email protected]>; Gaoliang (kubi) 抄送: [email protected]<mailto:[email protected]> 主题: RE: [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka BTW, Matthew, I checked Mitaka’s docs, and it seems that they deprecated “security_group_api” in nova.conf in Mitaka (should still work though until Newton where it will be removed). So another way is to change: - Line 27 and 28: remove the parameter “--port_security_enabled=False” - Line 54 and 55: add one more parameter “--no-security-groups” Can you also try this? Thanks Bin From: HU, BIN Sent: Thursday, August 11, 2016 11:02 PM To: 'Lijun (Matthew)' <[email protected]<mailto:[email protected]>>; [email protected]<mailto:[email protected]>; Gaoliang (kubi) <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]> Subject: RE: [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka Matthew, Thank you for letting us know. The failure of Line 27 (and 28) result in the failure of Line 54 (and 55). We need to disable Security Groups in ML2 Setup first. See http://artifacts.opnfv.org/opnfvdocs/brahmaputra/docs/configguide/featureconfig-ipv6.html#id2, OPNFV-SEC-1, OPNFV-SEC-2 and OPNFV-SEC-3. Can you double check the above settings in Mitaka deployment? Thanks Bin From: Lijun (Matthew) [mailto:[email protected]] Sent: Thursday, August 11, 2016 6:59 PM To: HU, BIN <[email protected]<mailto:[email protected]>>; [email protected]<mailto:[email protected]>; Gaoliang (kubi) <[email protected]<mailto:[email protected]>> Cc: [email protected]<mailto:[email protected]> Subject: [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka Hi Recently, I am running the test case in compass(Mitaka version), by running https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash it fails, Also in the CI logs, if fails https://build.opnfv.org/ci/view/yardstick/job/yardstick-compass-baremetal-daily-master/190/consoleFull (although vm ssh timeoout, it is caused by port creation error) It worked with Liberity version, with Mitaka it has some problems, https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash#n27 line 27 --port_security_enabled=False doesn’t support now https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash#n54 line 54 the port creation status is DOWN, so the VM can’t be created after this procedure. @sridhar, do you have any ideas? /MatthewLi
_______________________________________________ opnfv-tech-discuss mailing list [email protected] https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
