Any update on this one?

On Mon, 14 Jul 2025, 17:22 engineer2024, <[email protected]> wrote:
> Hi,
>
> I have created SR-IOV based external ports for the VMs and tried to spin up
> the workloads in OpenStack OVN. The VM is able to reach out to the metadata
> service at http://169.254.169.254:80. But when I do an ovn-trace from the
> northd node, it is showing as
>
> ---------
> # ovn-trace --no-leader-only "inport == \"2495e603-1412-46af-bc39-8ffe1aad03ea\" && eth.src == fa:16:3e:bf:fe:24 && ip4.src == 10.116.10.8 && ip4.dst == 169.254.169.254 && ip.proto == 6 && tcp.dst == 80"
> # tcp,reg14=0x136,vlan_tci=0x0000,dl_src=fa:16:3e:bf:fe:24,dl_dst=00:00:00:00:00:00,nw_src=10.116.10.8,nw_dst=169.254.169.254,nw_tos=0,nw_ecn=0,nw_ttl=0,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0
>
> ingress(dp="testing-net1", inport="ovn-test")
> --------------------------------------------------------------
>  0. ls_in_check_port_sec (northd.c:8691): 1, priority 50, uuid 4d11484a
>     reg0[15] = check_in_port_sec();
>     next;
>  4. ls_in_pre_acl (northd.c:5997): ip, priority 100, uuid 8fb4dd09
>     reg0[0] = 1;
>     next;
>  6. ls_in_pre_stateful (northd.c:6241): reg0[0] == 1, priority 100, uuid 677c3e3a
>     ct_next;
>
> ct_next(ct_state=est|trk /* default (use --ct to customize) */)
> ---------------------------------------------------------------
>  7. ls_in_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 5b314f6b
>     reg0[8] = 1;
>     reg0[10] = 1;
>     next;
>  8. ls_in_acl_eval (northd.c:6535): reg0[8] == 1 && (inport == @pg_a9e95d02_57ff_49e8_9b90_e841853b53a8 && ip4 && ip4.dst == 0.0.0.0/0 && tcp && tcp.dst >= 1 && tcp.dst <= 65000), priority 2002, uuid a05620f1
>     reg8[16] = 1;
>     next;
>  9. ls_in_acl_action (northd.c:6686): reg8[16] == 1, priority 1000, uuid 9b276339
>     reg8[16] = 0;
>     reg8[17] = 0;
>     reg8[18] = 0;
>     next;
> 19. ls_in_acl_after_lb_action (northd.c:6714): 1, priority 0, uuid 3ea5b0c2
>     reg8[16] = 0;
>     reg8[17] = 0;
>     reg8[18] = 0;
>     next;
> 27. ls_in_l2_lkup (northd.c:5801): 1, priority 0, uuid 5c412110
>     outport = get_fdb(eth.dst);
>     next;
> 28. ls_in_l2_unknown (northd.c:8631): outport == "none", priority 50, uuid 0251c423
>     outport = "_MC_unknown";
>     output;
>
> multicast(dp="testing-net1", mcgroup="_MC_unknown")
> -----------------------------------------------------------
>
>     egress(dp="testing-net1", inport="ovn-test", outport="003747")
>     -------------------------------------------------------------------------------
>      0. ls_out_pre_acl (northd.c:6000): ip, priority 100, uuid 1dcc6f6c
>         reg0[0] = 1;
>         next;
>      2. ls_out_pre_stateful (northd.c:6245): reg0[0] == 1, priority 100, uuid 2c746c82
>         ct_next;
>
>     ct_next(ct_state=est|trk /* default (use --ct to customize) */)
>     ---------------------------------------------------------------
>      3. ls_out_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 8b561e1e
>         reg0[8] = 1;
>         reg0[10] = 1;
>         next;
>      5. ls_out_acl_action (northd.c:6714): 1, priority 0, uuid 6a0357e1
>         reg8[16] = 0;
>         reg8[17] = 0;
>         reg8[18] = 0;
>         next;
>      9. ls_out_check_port_sec (northd.c:5817): 1, priority 0, uuid 2494852b
>         reg0[15] = check_out_port_sec();
>         next;
>     10. ls_out_apply_port_sec (northd.c:5824): 1, priority 0, uuid f4ca8ef9
>         output;
>         /* output to "003747", type "" */
>
>     egress(dp="testing-net1", inport="ovn-test", outport="65dfce")
>     -------------------------------------------------------------------------------
>      0. ls_out_pre_acl (northd.c:6000): ip, priority 100, uuid 1dcc6f6c
>         reg0[0] = 1;
>         next;
>      2. ls_out_pre_stateful (northd.c:6245): reg0[0] == 1, priority 100, uuid 2c746c82
>         ct_next;
>
>     ct_next(ct_state=est|trk /* default (use --ct to customize) */)
>     ---------------------------------------------------------------
>      3. ls_out_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 8b561e1e
>         reg0[8] = 1;
>         reg0[10] = 1;
>         next;
>      5. ls_out_acl_action (northd.c:6714): 1, priority 0, uuid 6a0357e1
>         reg8[16] = 0;
>         reg8[17] = 0;
>         reg8[18] = 0;
>         next;
>      9. ls_out_check_port_sec (northd.c:5817): 1, priority 0, uuid 2494852b
>         reg0[15] = check_out_port_sec();
>         next;
>     10. ls_out_apply_port_sec (northd.c:5824): 1, priority 0, uuid f4ca8ef9
>         output;
>         /* output to "65dfce", type "" */
>
>     egress(dp="testing-net1", inport="ovn-test", outport="a99815")
>     -------------------------------------------------------------------------------
>      0. ls_out_pre_acl (northd.c:6000): ip, priority 100, uuid 1dcc6f6c
>         reg0[0] = 1;
>         next;
>      2. ls_out_pre_stateful (northd.c:6245): reg0[0] == 1, priority 100, uuid 2c746c82
>         ct_next;
>
>     ct_next(ct_state=est|trk /* default (use --ct to customize) */)
>     ---------------------------------------------------------------
>      3. ls_out_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 8b561e1e
>         reg0[8] = 1;
>         reg0[10] = 1;
>         next;
>      5. ls_out_acl_action (northd.c:6714): 1, priority 0, uuid 6a0357e1
>         reg8[16] = 0;
>         reg8[17] = 0;
>         reg8[18] = 0;
>         next;
>      9. ls_out_check_port_sec (northd.c:5817): 1, priority 0, uuid 2494852b
>         reg0[15] = check_out_port_sec();
>         next;
>     10. ls_out_apply_port_sec (northd.c:5824): 1, priority 0, uuid f4ca8ef9
>         output;
>         /* output to "a99815", type "" */
>
>     egress(dp="testing-net1", inport="ovn-test", outport="provnet-a05407")
>     ---------------------------------------------------------------------------------------
>      0. ls_out_pre_acl (northd.c:5856): ip && outport == "provnet-a05407", priority 110, uuid 19541619
>         next;
>      1. ls_out_pre_lb (northd.c:5856): ip && outport == "provnet-a05407", priority 110, uuid 99fa8e8e
>         next;
>      2. ls_out_pre_stateful (northd.c:6245): reg0[0] == 1, priority 100, uuid 2c746c82
>         ct_next;
>
>     ct_next(ct_state=est|trk /* default (use --ct to customize) */)
>     ---------------------------------------------------------------
>      3. ls_out_acl_hint (northd.c:6335): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 8b561e1e
>         reg0[8] = 1;
>         reg0[10] = 1;
>         next;
>      5. ls_out_acl_action (northd.c:6714): 1, priority 0, uuid 6a0357e1
>         reg8[16] = 0;
>         reg8[17] = 0;
>         reg8[18] = 0;
>         next;
>      9. ls_out_check_port_sec (northd.c:5817): 1, priority 0, uuid 2494852b
>         reg0[15] = check_out_port_sec();
>         next;
>     10. ls_out_apply_port_sec (northd.c:5824): 1, priority 0, uuid f4ca8ef9
>         output;
>         /* output to "provnet-a05407", type "localnet" */
> -------
>
> Also on the compute chassis, I don't find any link local IP related rules:
> ----
> # ovs-appctl ofproto/trace br-int "in_port=2,tcp,nw_src=10.116.10.8,nw_dst=169.254.169.254,tcp_dst=80"
> Flow: tcp,in_port=2,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,nw_src=10.36.162.195,nw_dst=169.254.169.254,nw_tos=0,nw_ecn=0,nw_ttl=0,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0
>
> bridge("br-int")
> ----------------
>  0. priority 0
>     drop
>
> Final flow: unchanged
> Megaflow: recirc_id=0,eth,ip,in_port=2,nw_frag=no
> Datapath actions: drop
> ----------
>
> But the VM is able to reach the service.
> -----
> :~$ ping 169.254.169.254
> PING 169.254.169.254 (169.254.169.254) 56(84) bytes of data.
> 64 bytes from 169.254.169.254: icmp_seq=1 ttl=64 time=0.150 ms
> 64 bytes from 169.254.169.254: icmp_seq=2 ttl=64 time=0.195 ms
> 64 bytes from 169.254.169.254: icmp_seq=3 ttl=64 time=0.200 ms
> -----
>
> Why is the trace showing as failing, but in the VM it is working? The OVS
> version on the chassis is
> -----
> # ovn-appctl --version
> ovn-appctl 24.03.2
> Open vSwitch Library 3.3.0
> ---------
>
> Thanks
> elinux
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
