PSB inline. On Mon, Aug 22, 2016 at 2:18 PM, Lijun (Matthew) <[email protected]> wrote:
> Hi Sridhar > > > > It’s very helpful to understand the background. > > 1. pure openstack environment > > 2. the VM booted fails, then the status is still DOWN, now I know > is not the DOWN causes the VM boot failure… > > 3. ext-net is properly configured. > > > > I am working with the installer team to debug this, it maybe some error > caused from the installer. > Thanks for the details Matthew. > > > Can you have a look at this link https://git.opnfv.org/cgit/ > ipv6/tree/docs/configurationguide/featureconfig.rst I follow this. > > > > Maybe there is something need to amend with Mitaka, such as line 293 > “--port_security_enabled=False” doesn’t supported with Mitaka. > > AFAIU, port_security extension is supported in Mitaka. JFYI, If you are seeing an error when you issue the command [*] then it is likely that port-security is disabled in your setup. One way to check if port_security is enabled or not is by looking at the file " /etc/neutron/plugins/ml2/ml2_conf.ini " In this file, please look for the following config under the section "[ml2]" - " extension_drivers = port_security " [*] neutron net-create --port_security_enabled=False ipv4-int-network1 If you do not have access to this file, then you can try the following command to see if port_security is enabled in the setup. [vagrant@localhost devstack]$ neutron ext-list | grep port-security | port-security | Port Security In case, you see that port-security is enabled in your build, but the command [*] is failing, can you please share the error trace and the q-svc.log (i.e., neutron server log) when the error happens. Also Section “Disable Security Groups in OpenStack ML2 Setup” line 155- line 177. It can reduce many debug time if you feel it pleasure to do that J > > Sure, depending on your observations we shall update the contents accordingly. I'll discuss this with Bin. Thank you. > > > /MatthewLi > > > > *发件人:* Sridhar Gaddam [mailto:[email protected]] > *发送时间:* 2016年8月18日 17:59 > *收件人:* Lijun (Matthew) > *抄送:* HU, BIN; Gaoliang (kubi); [email protected] > *主题:* Re: 答复: [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka > > > > Hello Matthew, > > > > *Some background:* > > Neutron supported "Port Security" extension in releases prior to Mitaka. > But there was a Bug [1] in Nova, due to which, we were disabling the > Security Groups completely for IPv6 Service VM use-case. > > Nova bug[1] was fixed recently and is back-ported to stable/mitaka. So, if > you are using the stable/Mitaka branch (which includes the fix [2]), then > there is no need to disable Security Groups completely. > > We can have Security Groups enabled in the setup and while creating the > networks we can disable port_security on the individual networks (like we > are doing in [3]). > > > > The following blog [4] explains about Neutron ML2 port security very well. > > > > I had a look at the logs [5], it only says that ping6 is failing. I'm not > able to figure out any issue in port-creation. Am I missing something? > > I just tried the IPv6 ServiceVM use-case on my laptop with latest > stable/mitaka branch and its working fine (Security Groups are enabled, but > port_security is disabled on the networks) > > > > A small note: When a port is updated with "--no-security-groups", Neutron > does not remove the Anti-Spoofing rules on the ports. It simply disables > any ACL rules that were applied to the port. > > > > I have few questions. > > 1. Are you running the tests in a pure OpenStack environment or > OpenStack+ODL environment? > > 2. The port status would be DOWN when the port is initially created. But > after the VM is spawned (using this port), the port status would be made as > ACTIVE. > > You mentioned that you are seeing the port status as DOWN, is it after > the VM is booted? Can you also check if VM boots fine (i.e., vRouter, VM1 > and VM2) - you can use nova console-log vRouter) > > 3. As you know ext-net should be properly configured in the setup. This is > because vRouter VM would download and install certain packages like radvd. > In case there is an issue with external connectivity, vRouter will not be > able to act as an IPv6 Router. Please take a look at this. > > > > [1] https://bugs.launchpad.net/nova/+bug/1175464 > > [2] https://review.openstack.org/#/c/306470/ > > [3] https://git.opnfv.org/cgit/yardstick/tree/yardstick/ > benchmark/scenarios/networking/ping6_setup.bash#n27 > > [4] http://kimizhang.com/neutron-ml2-port-security/ > > [5] https://build.opnfv.org/ci/view/yardstick/job/yardstick- > compass-baremetal-daily-master/190/consoleFull > > > > Thanks, > > --Sridhar. > > > > > > On Fri, Aug 12, 2016 at 1:32 PM, Lijun (Matthew) <[email protected]> > wrote: > > Hi Bin > > > > Thanks for your suggestion. > > > > All those I have tried and they fails, port status is still DOWN > > > > Yep In Mitaka > > - Line 27 and 28: the parameter “--port_security_enabled=False” > should be moved > > > > /MatthewLi > > > > *发件人:* HU, BIN [mailto:[email protected]] > *发送时间:* 2016年8月12日 14:31 > *收件人:* Lijun (Matthew); [email protected]; Gaoliang (kubi) > *抄送:* [email protected] > *主题:* RE: [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka > > > > BTW, Matthew, > > > > I checked Mitaka’s docs, and it seems that they deprecated > “security_group_api” in nova.conf in Mitaka (should still work though until > Newton where it will be removed). > > > > So another way is to change: > > > > - Line 27 and 28: remove the parameter “ > --port_security_enabled=False” > > - Line 54 and 55: add one more parameter “--no-security-groups” > > > > Can you also try this? > > > > Thanks > > Bin > > > > *From:* HU, BIN > *Sent:* Thursday, August 11, 2016 11:02 PM > *To:* 'Lijun (Matthew)' <[email protected]>; > [email protected]; Gaoliang (kubi) <[email protected]> > *Cc:* [email protected] > *Subject:* RE: [ipv6][yardstick][mitaka] ipv6 test case failure with > Mitaka > > > > Matthew, > > > > Thank you for letting us know. The failure of Line 27 (and 28) result in > the failure of Line 54 (and 55). > > > > We need to disable Security Groups in ML2 Setup first. See > http://artifacts.opnfv.org/opnfvdocs/brahmaputra/docs/ > configguide/featureconfig-ipv6.html#id2, *OPNFV-SEC-1*, *OPNFV-SEC-2* and > *OPNFV-SEC-3.* > > > > Can you double check the above settings in Mitaka deployment? > > > > Thanks > > Bin > > *From:* Lijun (Matthew) [mailto:[email protected] > <[email protected]>] > *Sent:* Thursday, August 11, 2016 6:59 PM > *To:* HU, BIN <[email protected]>; [email protected]; Gaoliang > (kubi) <[email protected]> > *Cc:* [email protected] > *Subject:* [ipv6][yardstick][mitaka] ipv6 test case failure with Mitaka > > > > Hi > > > > Recently, I am running the test case in compass(Mitaka version), by > running https://git.opnfv.org/cgit/yardstick/tree/yardstick/ > benchmark/scenarios/networking/ping6_setup.bash it fails, > > > > Also in the CI logs, if fails https://build.opnfv.org/ci/ > view/yardstick/job/yardstick-compass-baremetal-daily- > master/190/consoleFull (although vm ssh timeoout, it is caused by port > creation error) > > > > It worked with Liberity version, with Mitaka it has some problems, > https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash#n27 > > line 27 --port_security_enabled=False doesn’t support now > > > > https://git.opnfv.org/cgit/yardstick/tree/yardstick/benchmark/scenarios/networking/ping6_setup.bash#n54 > line 54 the port creation status is DOWN, so the VM can’t be created after > this procedure. > > > > @sridhar, do you have any ideas? > > > > > > /MatthewLi > > >
_______________________________________________ opnfv-tech-discuss mailing list [email protected] https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
