Hi,
I have created SR-IOV based external ports for the VMs and tried to spin up
the workloads in OpenStack with OVN. The VM is able to reach the metadata
service at http://169.254.169.254:80. But when I run an ovn-trace from the
northd node, it shows the following:
---------
# ovn-trace --no-leader-only "inport ==
\"2495e603-1412-46af-bc39-8ffe1aad03ea\" && eth.src == fa:16:3e:bf:fe:24 &&
ip4.src == 10.116.10.8 && ip4.dst == 169.254.169.254 && ip.proto == 6 &&
tcp.dst == 80"
#
tcp,reg14=0x136,vlan_tci=0x0000,dl_src=fa:16:3e:bf:fe:24,dl_dst=00:00:00:00:00:00,nw_src=10.116.10.8,nw_dst=169.254.169.254,nw_tos=0,nw_ecn=0,nw_ttl=0,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0
ingress(dp="testing-net1", inport="ovn-test")
--------------------------------------------------------------
0. ls_in_check_port_sec (northd.c:8691): 1, priority 50, uuid 4d11484a
reg0[15] = check_in_port_sec();
next;
4. ls_in_pre_acl (northd.c:5997): ip, priority 100, uuid 8fb4dd09
reg0[0] = 1;
next;
6. ls_in_pre_stateful (northd.c:6241): reg0[0] == 1, priority 100, uuid
677c3e3a
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
7. ls_in_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl &&
ct_mark.blocked == 0, priority 4, uuid 5b314f6b
reg0[8] = 1;
reg0[10] = 1;
next;
8. ls_in_acl_eval (northd.c:6535): reg0[8] == 1 && (inport ==
@pg_a9e95d02_57ff_49e8_9b90_e841853b53a8 && ip4 && ip4.dst == 0.0.0.0/0 &&
tcp && tcp.dst >= 1 && tcp.dst <= 65000), priority 2002, uuid a05620f1
reg8[16] = 1;
next;
9. ls_in_acl_action (northd.c:6686): reg8[16] == 1, priority 1000, uuid
9b276339
reg8[16] = 0;
reg8[17] = 0;
reg8[18] = 0;
next;
19. ls_in_acl_after_lb_action (northd.c:6714): 1, priority 0, uuid 3ea5b0c2
reg8[16] = 0;
reg8[17] = 0;
reg8[18] = 0;
next;
27. ls_in_l2_lkup (northd.c:5801): 1, priority 0, uuid 5c412110
outport = get_fdb(eth.dst);
next;
28. ls_in_l2_unknown (northd.c:8631): outport == "none", priority 50, uuid
0251c423
outport = "_MC_unknown";
output;
multicast(dp="testing-net1", mcgroup="_MC_unknown")
-----------------------------------------------------------
egress(dp="testing-net1", inport="ovn-test", outport="003747")
-------------------------------------------------------------------------------
0. ls_out_pre_acl (northd.c:6000): ip, priority 100, uuid 1dcc6f6c
reg0[0] = 1;
next;
2. ls_out_pre_stateful (northd.c:6245): reg0[0] == 1, priority
100, uuid 2c746c82
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
3. ls_out_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl
&& ct_mark.blocked == 0, priority 4, uuid 8b561e1e
reg0[8] = 1;
reg0[10] = 1;
next;
5. ls_out_acl_action (northd.c:6714): 1, priority 0, uuid 6a0357e1
reg8[16] = 0;
reg8[17] = 0;
reg8[18] = 0;
next;
9. ls_out_check_port_sec (northd.c:5817): 1, priority 0, uuid
2494852b
reg0[15] = check_out_port_sec();
next;
10. ls_out_apply_port_sec (northd.c:5824): 1, priority 0, uuid
f4ca8ef9
output;
/* output to "003747", type "" */
egress(dp="testing-net1", inport="ovn-test", outport="65dfce")
-------------------------------------------------------------------------------
0. ls_out_pre_acl (northd.c:6000): ip, priority 100, uuid 1dcc6f6c
reg0[0] = 1;
next;
2. ls_out_pre_stateful (northd.c:6245): reg0[0] == 1, priority
100, uuid 2c746c82
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
3. ls_out_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl
&& ct_mark.blocked == 0, priority 4, uuid 8b561e1e
reg0[8] = 1;
reg0[10] = 1;
next;
5. ls_out_acl_action (northd.c:6714): 1, priority 0, uuid 6a0357e1
reg8[16] = 0;
reg8[17] = 0;
reg8[18] = 0;
next;
9. ls_out_check_port_sec (northd.c:5817): 1, priority 0, uuid
2494852b
reg0[15] = check_out_port_sec();
next;
10. ls_out_apply_port_sec (northd.c:5824): 1, priority 0, uuid
f4ca8ef9
output;
/* output to "65dfce", type "" */
egress(dp="testing-net1", inport="ovn-test", outport="a99815")
-------------------------------------------------------------------------------
0. ls_out_pre_acl (northd.c:6000): ip, priority 100, uuid 1dcc6f6c
reg0[0] = 1;
next;
2. ls_out_pre_stateful (northd.c:6245): reg0[0] == 1, priority
100, uuid 2c746c82
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
3. ls_out_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl
&& ct_mark.blocked == 0, priority 4, uuid 8b561e1e
reg0[8] = 1;
reg0[10] = 1;
next;
5. ls_out_acl_action (northd.c:6714): 1, priority 0, uuid 6a0357e1
reg8[16] = 0;
reg8[17] = 0;
reg8[18] = 0;
next;
9. ls_out_check_port_sec (northd.c:5817): 1, priority 0, uuid
2494852b
reg0[15] = check_out_port_sec();
next;
10. ls_out_apply_port_sec (northd.c:5824): 1, priority 0, uuid
f4ca8ef9
output;
/* output to "a99815", type "" */
egress(dp="testing-net1", inport="ovn-test", outport="provnet-a05407")
---------------------------------------------------------------------------------------
0. ls_out_pre_acl (northd.c:5856): ip && outport ==
"provnet-a05407", priority 110, uuid 19541619
next;
1. ls_out_pre_lb (northd.c:5856): ip && outport ==
"provnet-a05407", priority 110, uuid 99fa8e8e
next;
2. ls_out_pre_stateful (northd.c:6245): reg0[0] == 1, priority
100, uuid 2c746c82
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
3. ls_out_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl
&& ct_mark.blocked == 0, priority 4, uuid 8b561e1e
reg0[8] = 1;
reg0[10] = 1;
next;
5. ls_out_acl_action (northd.c:6714): 1, priority 0, uuid 6a0357e1
reg8[16] = 0;
reg8[17] = 0;
reg8[18] = 0;
next;
9. ls_out_check_port_sec (northd.c:5817): 1, priority 0, uuid
2494852b
reg0[15] = check_out_port_sec();
next;
10. ls_out_apply_port_sec (northd.c:5824): 1, priority 0, uuid
f4ca8ef9
output;
/* output to "provnet-a05407", type "localnet" */
-------
Also, on the compute chassis, I don't find any rules related to the link-local IP:
----
# ovs-appctl ofproto/trace br-int
"in_port=2,tcp,nw_src=10.116.10.8,nw_dst=169.254.169.254,tcp_dst=80"
Flow:
tcp,in_port=2,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,nw_src=10.36.162.195,nw_dst=169.254.169.254,nw_tos=0,nw_ecn=0,nw_ttl=0,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0
bridge("br-int")
----------------
0. priority 0
drop
Final flow: unchanged
Megaflow: recirc_id=0,eth,ip,in_port=2,nw_frag=no
Datapath actions: drop
----------
But the VM is able to reach the service:
-----
:~$ ping 169.254.169.254
PING 169.254.169.254 (169.254.169.254) 56(84) bytes of data.
64 bytes from 169.254.169.254: icmp_seq=1 ttl=64 time=0.150 ms
64 bytes from 169.254.169.254: icmp_seq=2 ttl=64 time=0.195 ms
64 bytes from 169.254.169.254: icmp_seq=3 ttl=64 time=0.200 ms
-----
Why does the trace show the traffic as failing, while from the VM it is
working? The OVS version on the chassis is:
-----
# ovn-appctl --version
ovn-appctl 24.03.2
Open vSwitch Library 3.3.0
---------
Thanks
elinux