Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
It seems you are right … I setup quickly POX and its working … :o Oh dear … Thanks a lot!!! Have a nice weekend! Von: Volodymyr Litovka [mailto:doka...@gmx.com] Gesendet: Freitag, 2. Februar 2018 15:33 An: Mathias Strufe (DFKI) ; Benjamin Diaz ; OpenStack Mailing List Cc: doka...@gmx.com Betreff: Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough Hi Mathias, the fact that you've seen ARP request-reply says that connectivity itself is correct. I think the problem with flows configuration inside bridge, which is controlled by ODL. Unfortunately, I never had an experience with ODL and can't comment what it do and how. You can print flows config using command ovs-ofctl dump-flows and there you can try to find whether some rules block some traffic. On 2/2/18 4:14 PM, Mathias Strufe (DFKI) wrote: Dear Volodymyr, Benjamin, thanks a lot for your tipps and patience ... but still facing the same problem :/ So I need to bother you again ... I think its something totally stupid, basic I do wrong ... Let me summarize what I did so far: - Update OpenStack to pike (devstack All in Single VM using default local.conf) [following this https://docs.openstack.org/devstack/latest/index.html] - Set prevent_arp_spoofing = False in ml2_config.ini - Disable Port Security of the TestNFV +---+--+ | Field | Value | +---+--+ | admin_state_up| UP | | allowed_address_pairs | | | binding_host_id | None | | binding_profile | None | | binding_vif_details | None | | binding_vif_type | None | | binding_vnic_type | normal | | created_at| 2018-01-31T07:50:40Z | | data_plane_status | None | | description | | | device_id | 97101c9b-c5ea-47f5-aa50-4a6ffa06c2a2 | | device_owner | compute:nova | | dns_assignment| None | | dns_name | None | | extra_dhcp_opts | | | fixed_ips | ip_address='192.168.120.5', subnet_id='b88f21e0-55ce-482f-8755-87a431f43e52' | | id| 5e97ea14-2555-44fc-bbfa-61877e93ae69 | | ip_address| None | | mac_address | fa:16:3e:55:80:84 | | name | | | network_id| 67572da9-c1e1-4330-84f6-79b64225c070 | | option_name | None | | option_value | None | | port_security_enabled | False | | project_id| ec8680e914a540e59d9d84dec8101ba5 | | qos_policy_id | None | | revision_number | 56 | | security_group_ids| | | status| ACTIVE | | subnet_id | None | | tags |
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Hi Mathias,
the fact that you've seen ARP request-reply says that connectivity
itself is correct. I think the problem with flows configuration inside
bridge, which is controlled by ODL. Unfortunately, I never had an
experience with ODL and can't comment what it do and how. You can print
flows config using command
ovs-ofctl dump-flows
and there you can try to find whether some rules block some traffic.
On 2/2/18 4:14 PM, Mathias Strufe (DFKI) wrote:
Dear Volodymyr, Benjamin,
thanks a lot for your tipps and patience ... but still facing the same
problem :/
So I need to bother you again ...
I think its something totally stupid, basic I do wrong ...
Let me summarize what I did so far:
- Update OpenStack to pike (devstack All in Single VM using default
local.conf)
[following this https://docs.openstack.org/devstack/latest/index.html]
- Set prevent_arp_spoofing = False in ml2_config.ini
- Disable Port Security of the TestNFV
+---+--+
| Field | Value |
+---+--+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | None |
| binding_profile | None |
| binding_vif_details | None |
| binding_vif_type | None |
| binding_vnic_type | normal |
| created_at | 2018-01-31T07:50:40Z
|
| data_plane_status | None |
| description | |
| device_id | 97101c9b-c5ea-47f5-aa50-4a6ffa06c2a2
|
| device_owner | compute:nova |
| dns_assignment | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='192.168.120.5',
subnet_id='b88f21e0-55ce-482f-8755-87a431f43e52' |
| id | 5e97ea14-2555-44fc-bbfa-61877e93ae69
|
| ip_address | None |
| mac_address | fa:16:3e:55:80:84
|
| name | |
| network_id | 67572da9-c1e1-4330-84f6-79b64225c070
|
| option_name | None |
| option_value | None |
| port_security_enabled | False |
| project_id | ec8680e914a540e59d9d84dec8101ba5
|
| qos_policy_id | None |
| revision_number | 56 |
| security_group_ids | |
| status | ACTIVE |
| subnet_id | None |
| tags | |
| trunk_details | None |
| updated_at | 2018-02-02T13:40:26Z
|
+---+--+
In this state everything works fine and as expected ... I can ping
from VM1 (192.168.120.10) to Test NVF VM (192.168.120.5) and get a
response ... I have access to the outside world ...
BUT
As soon as I bring the OVS up inside of the Test NVF ... now as
Volodymyr proposed with a "special patch port"
Database config:
59aca356-8f37-4c6f-8c9a-504c66c65648
Bridge "OVSbr2"
Controller "tcp:192.168.53.49:6633"
is_connected: true
fail_mode: secure
Port "OVSbr2-patch"
Interface "OVSbr2-patch"
type: patch
options: {peer="OVSbr1-patch"}
Port "OVSbr2"
Interface "OVSbr2"
type: internal
Port "ens5"
Interface "ens5"
Bridge "OVSbr1"
Controller "tcp:192.168.53.49:6633"
is_connected: true
fail_mode: secure
Port "OVSbr1"
Interface "OVSbr1"
type: internal
Port "OVSbr1-patch"
Interface "OVSbr1-patch"
type: patch
options: {peer="OVSbr2-patch"}
Port "ens4"
Interface "ens4"
ovs_version: "2.5.2"
the ping stops ... and again with tcpdump I can only see ARP requests
on ens4 but not on the OVSbr1 bridge ...
But I see now some LLDP packets on the ens4 and OVSbr1
Then I tried following ... I stopped the ping from source to TestNFVVM
A
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Dear Volodymyr, Benjamin, thanks a lot for your tipps and patience ... but still facing the same problem :/ So I need to bother you again ... I think its something totally stupid, basic I do wrong ... Let me summarize what I did so far: - Update OpenStack to pike (devstack All in Single VM using default local.conf) [following this https://docs.openstack.org/devstack/latest/index.html] - Set prevent_arp_spoofing = False in ml2_config.ini - Disable Port Security of the TestNFV +---+--+ | Field | Value | +---+--+ | admin_state_up| UP | | allowed_address_pairs | | | binding_host_id | None | | binding_profile | None | | binding_vif_details | None | | binding_vif_type | None | | binding_vnic_type | normal | | created_at| 2018-01-31T07:50:40Z | | data_plane_status | None | | description | | | device_id | 97101c9b-c5ea-47f5-aa50-4a6ffa06c2a2 | | device_owner | compute:nova | | dns_assignment| None | | dns_name | None | | extra_dhcp_opts | | | fixed_ips | ip_address='192.168.120.5', subnet_id='b88f21e0-55ce-482f-8755-87a431f43e52' | | id| 5e97ea14-2555-44fc-bbfa-61877e93ae69 | | ip_address| None | | mac_address | fa:16:3e:55:80:84 | | name | | | network_id| 67572da9-c1e1-4330-84f6-79b64225c070 | | option_name | None | | option_value | None | | port_security_enabled | False | | project_id| ec8680e914a540e59d9d84dec8101ba5 | | qos_policy_id | None | | revision_number | 56 | | security_group_ids| | | status| ACTIVE | | subnet_id | None | | tags | | | trunk_details | None | | updated_at| 2018-02-02T13:40:26Z | +---+--+ In this state everything works fine and as expected ... I can ping from VM1 (192.168.120.10) to Test NVF VM (192.168.120.5) and get a response ... I have access to the outside world ... BUT As soon as I bring the OVS up inside of the Test NVF ... now as Volodymyr proposed with a "special patch port" Database config: 59aca356-8f37-4c6f-8c9a-504c66c65648 Bridge "OVSbr2" Controller "tcp:192.168.53.49:6633" is_connected: true fail_mode: secure Port "OVSbr2-patch" Interface "OVSbr2-patch" type: patch
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Hi Mathias,
I'm not so fluent with OVS, but I would recommend to join bridges using
special "ports" like
Port ovsbr1-patch
Interface ovsbr1-patch
type: patch
options: {peer=ovsbr2-patch}
and vice versa, keeping "native" configuration of "port OVSbr1" and
"port OVSbr2"
And keep in mind that ARP scope is broadcast domain and, if using just
ARP (not routing), from VM1 you will be able to ping hosts, belonging to
OVSbr1, particularly - OVSbr1's IP.
On 2/1/18 4:11 PM, Mathias Strufe (DFKI) wrote:
Dear Benjamin, Volodymyr,
good question ;) ... I like to experiment with some kind of "Firewall
NFV" ... but in the first step, I want to build a Router VM between
two networks (and later extend it with some flow rules) ... OpenStack,
in my case, is more a foundation to build a "test environment" for my
"own" application ... please find attached a quick sketch of the
current network ...
I did this already before with iptables inside the middle instance ...
worked quite well ... but know I like to achieve the same with OVS ...
I didn't expect that it is so much more difficult ;) ...
I'm currently checking Volodymyrs answer ... I think first point is
now solved ... I "patched" now OVSbr1 and OVSbr2 inside the VM
together (see OVpatch file)... but I think this is important later
when I really like to ping from VM1 to VM2 ... but in the moment I
only ping from VM1 to the TestNFV ... but the arp requests only
reaches ens4 but not OVSbr1 (according to tcpdump)...
May it have to do with port security and the (for OpenStack) unknown
MAC address of the OVS bridge?
Thanks so far ...
Mathias.
On 2018-02-01 14:28, Benjamin Diaz wrote:
Dear Mathias,
Could you attach a diagram of your network configuration and of what
you are trying to achieve?
Are you trying to install OVS inside a VM? If so, why?
Greetings,
Benjamin
On Thu, Feb 1, 2018 at 8:30 AM, Volodymyr Litovka
wrote:
Dear Mathias,
if I correctly understand your configuration, you're using bridges
inside VM and it configuration looks a bit strange:
1) you use two different bridges (OVSbr1/192.168.120.x and
OVSbr2/192.168.110.x) and there is no patch between them so they're
separate
2) while ARP requests for address in OVSbr1 arrives from OVSbr2:
18:50:58.080478 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
but on the OVS bridge nothing arrives ...
listening on OVSBR2, link-type EN10MB (Ethernet), capture size
262144 bytes
while these bridges are separate, ARP requests and answers will not
be passed between them.
Regarding your devstack configuration - unfortunately, I don't have
experience with devstack, so don't know, where it stores configs. In
Openstack, ml2_conf.ini points to openvswitch in ml2's
mechanism_drivers parameter, in my case it looks as the following:
[ml2]
mechanism_drivers = l2population,openvswitch
and rest of openvswitch config described in
/etc/neutron/plugins/ml2/openvswitch_agent.ini
Second - I see an ambiguity in your br-tun configuration, where
patch_int is the same as patch-int without corresponding remote peer
config, probably you should check this issue.
And third is - note that Mitaka is quite old release and probably
you can give a chance for the latest release of devstack? :-)
On 1/31/18 10:49 PM, Mathias Strufe (DFKI) wrote:
Dear Volodymyr, all,
thanks for your fast answer ...
but I'm still facing the same problem, still can't ping the
instance with configured and up OVS bridge ... may because I'm quite
new to OpenStack and OpenVswitch and didn't see the problem ;)
My setup is devstack Mitaka in single machine config ... first of
all I didn't find there the openvswitch_agent.ini anymore, I
remember in previous version it was in the neutron/plugin folder ...
Is this config now done in the ml2 config file in the [OVS]
section
I'm really wondering ...
so I can ping between the 2 instances without any problem. But as
soon I bring up the OVS bridge inside the vm the ARP requests only
visible at the ens interface but not reaching the OVSbr ...
please find attached two files which may help for troubleshooting.
One are some network information from inside the Instance that runs
the OVS and one ovs-vsctl info of the OpenStack Host.
If you need more info/logs please let me know! Thanks for your
help!
BR Mathias.
On 2018-01-27 22:44, Volodymyr Litovka wrote:
Hi Mathias,
whether you have all corresponding bridges and patches between
them
as described in openvswitch_agent.ini using
integration_bridge
tunnel_bridge
int_peer_patch_port
tun_peer_patch_port
bridge_mappings
parameters? And make sure, that service "neutron-ovs-cleanup" is
in
use during system boot. You can check these bridges and patches
using
"ovs-vsctl show" command.
On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote:
Dear all,
I'm quite new to openstack and like to install openVSwtich inside
one Instance of our Mitika openstack Lab Enviornment ...
But it seems that ARP packets got
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Mathias, Just to clarify: Which interface in which VM are you pinging from, and which interface in which VM are you pinging to? Also, if i recall correctly, in Mitaka, besides disabling port security, you had to disable ARP spoofing prevention for a scenario like this to work. In ml2_conf.ini: [AGENT] prevent_arp_spoofing = False I would also sincerely recommend though that you update your dev environment to use the latest version of Openstack (Pike). Greetings, Benjamin On Thu, Feb 1, 2018 at 11:11 AM, Mathias Strufe (DFKI) < mathias.str...@dfki.de> wrote: > Dear Benjamin, Volodymyr, > > good question ;) ... I like to experiment with some kind of "Firewall NFV" > ... but in the first step, I want to build a Router VM between two networks > (and later extend it with some flow rules) ... OpenStack, in my case, is > more a foundation to build a "test environment" for my "own" application > ... please find attached a quick sketch of the current network ... > I did this already before with iptables inside the middle instance ... > worked quite well ... but know I like to achieve the same with OVS ... > I didn't expect that it is so much more difficult ;) ... > > I'm currently checking Volodymyrs answer ... I think first point is now > solved ... I "patched" now OVSbr1 and OVSbr2 inside the VM together (see > OVpatch file)... but I think this is important later when I really like to > ping from VM1 to VM2 ... but in the moment I only ping from VM1 to the > TestNFV ... but the arp requests only reaches ens4 but not OVSbr1 > (according to tcpdump)... > > May it have to do with port security and the (for OpenStack) unknown MAC > address of the OVS bridge? > > Thanks so far ... > > Mathias. > > > > > > On 2018-02-01 14:28, Benjamin Diaz wrote: > >> Dear Mathias, >> >> Could you attach a diagram of your network configuration and of what >> you are trying to achieve? >> Are you trying to install OVS inside a VM? If so, why? >> >> Greetings, >> Benjamin >> >> On Thu, Feb 1, 2018 at 8:30 AM, Volodymyr Litovka >> wrote: >> >> Dear Mathias, >>> >>> if I correctly understand your configuration, you're using bridges >>> inside VM and it configuration looks a bit strange: >>> >>> 1) you use two different bridges (OVSbr1/192.168.120.x and >>> OVSbr2/192.168.110.x) and there is no patch between them so they're >>> separate >>> 2) while ARP requests for address in OVSbr1 arrives from OVSbr2: >>> >>> 18:50:58.080478 ARP, Request who-has 192.168.120.10 tell >>> 192.168.120.6, length 28 >>> but on the OVS bridge nothing arrives ... listening on OVSBR2, link-type EN10MB (Ethernet), capture size 262144 bytes >>> >>> while these bridges are separate, ARP requests and answers will not >>> be passed between them. >>> >>> Regarding your devstack configuration - unfortunately, I don't have >>> experience with devstack, so don't know, where it stores configs. In >>> Openstack, ml2_conf.ini points to openvswitch in ml2's >>> mechanism_drivers parameter, in my case it looks as the following: >>> >>> [ml2] >>> mechanism_drivers = l2population,openvswitch >>> >>> and rest of openvswitch config described in >>> /etc/neutron/plugins/ml2/openvswitch_agent.ini >>> >>> Second - I see an ambiguity in your br-tun configuration, where >>> patch_int is the same as patch-int without corresponding remote peer >>> config, probably you should check this issue. >>> >>> And third is - note that Mitaka is quite old release and probably >>> you can give a chance for the latest release of devstack? :-) >>> >>> On 1/31/18 10:49 PM, Mathias Strufe (DFKI) wrote: >>> Dear Volodymyr, all, >>> >>> thanks for your fast answer ... >>> but I'm still facing the same problem, still can't ping the >>> instance with configured and up OVS bridge ... may because I'm quite >>> new to OpenStack and OpenVswitch and didn't see the problem ;) >>> >>> My setup is devstack Mitaka in single machine config ... first of >>> all I didn't find there the openvswitch_agent.ini anymore, I >>> remember in previous version it was in the neutron/plugin folder ... >>> >>> Is this config now done in the ml2 config file in the [OVS] >>> section >>> >>> I'm really wondering ... >>> so I can ping between the 2 instances without any problem. But as >>> soon I bring up the OVS bridge inside the vm the ARP requests only >>> visible at the ens interface but not reaching the OVSbr ... >>> >>> please find attached two files which may help for troubleshooting. >>> One are some network information from inside the Instance that runs >>> the OVS and one ovs-vsctl info of the OpenStack Host. >>> >>> If you need more info/logs please let me know! Thanks for your >>> help! >>> >>> BR Mathias. >>> >>> On 2018-01-27 22:44, Volodymyr Litovka wrote: >>> Hi Mathias, >>> >>> whether you have all corresponding bridges and patches between >>> them >>> as described in openvswitch_agent.ini using >>> >>> integration_bridge >>> tunnel_bridge >>> int_peer_patch_port >>>
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Dear Benjamin, Volodymyr, good question ;) ... I like to experiment with some kind of "Firewall NFV" ... but in the first step, I want to build a Router VM between two networks (and later extend it with some flow rules) ... OpenStack, in my case, is more a foundation to build a "test environment" for my "own" application ... please find attached a quick sketch of the current network ... I did this already before with iptables inside the middle instance ... worked quite well ... but know I like to achieve the same with OVS ... I didn't expect that it is so much more difficult ;) ... I'm currently checking Volodymyrs answer ... I think first point is now solved ... I "patched" now OVSbr1 and OVSbr2 inside the VM together (see OVpatch file)... but I think this is important later when I really like to ping from VM1 to VM2 ... but in the moment I only ping from VM1 to the TestNFV ... but the arp requests only reaches ens4 but not OVSbr1 (according to tcpdump)... May it have to do with port security and the (for OpenStack) unknown MAC address of the OVS bridge? Thanks so far ... Mathias. On 2018-02-01 14:28, Benjamin Diaz wrote: Dear Mathias, Could you attach a diagram of your network configuration and of what you are trying to achieve? Are you trying to install OVS inside a VM? If so, why? Greetings, Benjamin On Thu, Feb 1, 2018 at 8:30 AM, Volodymyr Litovka wrote: Dear Mathias, if I correctly understand your configuration, you're using bridges inside VM and it configuration looks a bit strange: 1) you use two different bridges (OVSbr1/192.168.120.x and OVSbr2/192.168.110.x) and there is no patch between them so they're separate 2) while ARP requests for address in OVSbr1 arrives from OVSbr2: 18:50:58.080478 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28 but on the OVS bridge nothing arrives ... listening on OVSBR2, link-type EN10MB (Ethernet), capture size 262144 bytes while these bridges are separate, ARP requests and answers will not be passed between them. Regarding your devstack configuration - unfortunately, I don't have experience with devstack, so don't know, where it stores configs. In Openstack, ml2_conf.ini points to openvswitch in ml2's mechanism_drivers parameter, in my case it looks as the following: [ml2] mechanism_drivers = l2population,openvswitch and rest of openvswitch config described in /etc/neutron/plugins/ml2/openvswitch_agent.ini Second - I see an ambiguity in your br-tun configuration, where patch_int is the same as patch-int without corresponding remote peer config, probably you should check this issue. And third is - note that Mitaka is quite old release and probably you can give a chance for the latest release of devstack? :-) On 1/31/18 10:49 PM, Mathias Strufe (DFKI) wrote: Dear Volodymyr, all, thanks for your fast answer ... but I'm still facing the same problem, still can't ping the instance with configured and up OVS bridge ... may because I'm quite new to OpenStack and OpenVswitch and didn't see the problem ;) My setup is devstack Mitaka in single machine config ... first of all I didn't find there the openvswitch_agent.ini anymore, I remember in previous version it was in the neutron/plugin folder ... Is this config now done in the ml2 config file in the [OVS] section I'm really wondering ... so I can ping between the 2 instances without any problem. But as soon I bring up the OVS bridge inside the vm the ARP requests only visible at the ens interface but not reaching the OVSbr ... please find attached two files which may help for troubleshooting. One are some network information from inside the Instance that runs the OVS and one ovs-vsctl info of the OpenStack Host. If you need more info/logs please let me know! Thanks for your help! BR Mathias. On 2018-01-27 22:44, Volodymyr Litovka wrote: Hi Mathias, whether you have all corresponding bridges and patches between them as described in openvswitch_agent.ini using integration_bridge tunnel_bridge int_peer_patch_port tun_peer_patch_port bridge_mappings parameters? And make sure, that service "neutron-ovs-cleanup" is in use during system boot. You can check these bridges and patches using "ovs-vsctl show" command. On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote: Dear all, I'm quite new to openstack and like to install openVSwtich inside one Instance of our Mitika openstack Lab Enviornment ... But it seems that ARP packets got lost between the network interface of the instance and the OVS bridge ... With tcpdump on the interface I see the APR packets ... tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens6, link-type EN10MB (Ethernet), capture size 262144 bytes 18:50:58.080478 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28 18:50:58.125009 ARP, Request who-has 192.168.120.1 tell 192.168.120.6, length 28 18:50:59.077315 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28 1
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Dear Mathias,
Could you attach a diagram of your network configuration and of what you
are trying to achieve?
Are you trying to install OVS inside a VM? If so, why?
Greetings,
Benjamin
On Thu, Feb 1, 2018 at 8:30 AM, Volodymyr Litovka wrote:
> Dear Mathias,
>
> if I correctly understand your configuration, you're using bridges inside
> VM and it configuration looks a bit strange:
>
> 1) you use two different bridges (OVSbr1/192.168.120.x and
> OVSbr2/192.168.110.x) and there is no patch between them so they're separate
> 2) while ARP requests for address in OVSbr1 arrives from OVSbr2:
>
> > 18:50:58.080478 ARP, Request who-has *192.168.120.10* tell
> 192.168.120.6, length 28
> >
> > but on the OVS bridge nothing arrives ...
> >
> > listening on *OVSbr2*, link-type EN10MB (Ethernet), capture size
> > 262144 bytes
>
> while these bridges are separate, ARP requests and answers will not be
> passed between them.
>
> Regarding your devstack configuration - unfortunately, I don't have
> experience with devstack, so don't know, where it stores configs. In
> Openstack, ml2_conf.ini points to openvswitch in ml2's mechanism_drivers
> parameter, in my case it looks as the following:
>
> [ml2]
> mechanism_drivers = l2population,openvswitch
>
> and rest of openvswitch config described in /etc/neutron/plugins/ml2/
> openvswitch_agent.ini
>
> Second - I see an ambiguity in your br-tun configuration, where patch_int
> is the same as patch-int without corresponding remote peer config, probably
> you should check this issue.
>
> And third is - note that Mitaka is quite old release and probably you can
> give a chance for the latest release of devstack? :-)
>
>
> On 1/31/18 10:49 PM, Mathias Strufe (DFKI) wrote:
>
> Dear Volodymyr, all,
>
> thanks for your fast answer ...
> but I'm still facing the same problem, still can't ping the instance with
> configured and up OVS bridge ... may because I'm quite new to OpenStack and
> OpenVswitch and didn't see the problem ;)
>
> My setup is devstack Mitaka in single machine config ... first of all I
> didn't find there the openvswitch_agent.ini anymore, I remember in previous
> version it was in the neutron/plugin folder ...
> Is this config now done in the ml2 config file in the [OVS] section
>
>
> I'm really wondering ...
> so I can ping between the 2 instances without any problem. But as soon I
> bring up the OVS bridge inside the vm the ARP requests only visible at the
> ens interface but not reaching the OVSbr ...
>
> please find attached two files which may help for troubleshooting. One are
> some network information from inside the Instance that runs the OVS and one
> ovs-vsctl info of the OpenStack Host.
>
> If you need more info/logs please let me know! Thanks for your help!
>
> BR Mathias.
>
>
> On 2018-01-27 22:44, Volodymyr Litovka wrote:
>
> Hi Mathias,
>
> whether you have all corresponding bridges and patches between them
> as described in openvswitch_agent.ini using
>
> integration_bridge
> tunnel_bridge
> int_peer_patch_port
> tun_peer_patch_port
> bridge_mappings
>
> parameters? And make sure, that service "neutron-ovs-cleanup" is in
> use during system boot. You can check these bridges and patches using
> "ovs-vsctl show" command.
>
> On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote:
>
> Dear all,
>
> I'm quite new to openstack and like to install openVSwtich inside
> one Instance of our Mitika openstack Lab Enviornment ...
> But it seems that ARP packets got lost between the network
> interface of the instance and the OVS bridge ...
>
> With tcpdump on the interface I see the APR packets ...
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on ens6, link-type EN10MB (Ethernet), capture size 262144
> bytes
> 18:50:58.080478 ARP, Request who-has 192.168.120.10 tell
> 192.168.120.6, length 28
> 18:50:58.125009 ARP, Request who-has 192.168.120.1 tell
> 192.168.120.6, length 28
> 18:50:59.077315 ARP, Request who-has 192.168.120.10 tell
> 192.168.120.6, length 28
> 18:50:59.121369 ARP, Request who-has 192.168.120.1 tell
> 192.168.120.6, length 28
> 18:51:00.077327 ARP, Request who-has 192.168.120.10 tell
> 192.168.120.6, length 28
> 18:51:00.121343 ARP, Request who-has 192.168.120.1 tell
> 192.168.120.6, length 28
>
> but on the OVS bridge nothing arrives ...
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on OVSbr2, link-type EN10MB (Ethernet), capture size
> 262144 bytes
>
> I disabled port_security and removed the security group but nothing
> changed
>
>
> +---+---
> +
>
>
> | Field | Value
> |
>
> +---+---
> +
>
>
> | admin_state_up | True
> |
> | allowed_address_pairs |
> |
> | binding:host_id | node11
> |
> | binding:profile | {}
> |
> | binding:vif_details |
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Dear Mathias,
if I correctly understand your configuration, you're using bridges
inside VM and it configuration looks a bit strange:
1) you use two different bridges (OVSbr1/192.168.120.x and
OVSbr2/192.168.110.x) and there is no patch between them so they're separate
2) while ARP requests for address in OVSbr1 arrives from OVSbr2:
> 18:50:58.080478 ARP, Request who-has *192.168.120.10* tell
192.168.120.6, length 28
>
> but on the OVS bridge nothing arrives ...
>
> listening on *OVSbr2*, link-type EN10MB (Ethernet), capture size
> 262144 bytes
while these bridges are separate, ARP requests and answers will not be
passed between them.
Regarding your devstack configuration - unfortunately, I don't have
experience with devstack, so don't know, where it stores configs. In
Openstack, ml2_conf.ini points to openvswitch in ml2's mechanism_drivers
parameter, in my case it looks as the following:
[ml2]
mechanism_drivers = l2population,openvswitch
and rest of openvswitch config described in
/etc/neutron/plugins/ml2/openvswitch_agent.ini
Second - I see an ambiguity in your br-tun configuration, where
patch_int is the same as patch-int without corresponding remote peer
config, probably you should check this issue.
And third is - note that Mitaka is quite old release and probably you
can give a chance for the latest release of devstack? :-)
On 1/31/18 10:49 PM, Mathias Strufe (DFKI) wrote:
Dear Volodymyr, all,
thanks for your fast answer ...
but I'm still facing the same problem, still can't ping the instance
with configured and up OVS bridge ... may because I'm quite new to
OpenStack and OpenVswitch and didn't see the problem ;)
My setup is devstack Mitaka in single machine config ... first of all
I didn't find there the openvswitch_agent.ini anymore, I remember in
previous version it was in the neutron/plugin folder ...
Is this config now done in the ml2 config file in the [OVS] section
I'm really wondering ...
so I can ping between the 2 instances without any problem. But as soon
I bring up the OVS bridge inside the vm the ARP requests only visible
at the ens interface but not reaching the OVSbr ...
please find attached two files which may help for troubleshooting. One
are some network information from inside the Instance that runs the
OVS and one ovs-vsctl info of the OpenStack Host.
If you need more info/logs please let me know! Thanks for your help!
BR Mathias.
On 2018-01-27 22:44, Volodymyr Litovka wrote:
Hi Mathias,
whether you have all corresponding bridges and patches between them
as described in openvswitch_agent.ini using
integration_bridge
tunnel_bridge
int_peer_patch_port
tun_peer_patch_port
bridge_mappings
parameters? And make sure, that service "neutron-ovs-cleanup" is in
use during system boot. You can check these bridges and patches using
"ovs-vsctl show" command.
On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote:
Dear all,
I'm quite new to openstack and like to install openVSwtich inside
one Instance of our Mitika openstack Lab Enviornment ...
But it seems that ARP packets got lost between the network
interface of the instance and the OVS bridge ...
With tcpdump on the interface I see the APR packets ...
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on ens6, link-type EN10MB (Ethernet), capture size 262144
bytes
18:50:58.080478 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:50:58.125009 ARP, Request who-has 192.168.120.1 tell
192.168.120.6, length 28
18:50:59.077315 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:50:59.121369 ARP, Request who-has 192.168.120.1 tell
192.168.120.6, length 28
18:51:00.077327 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:51:00.121343 ARP, Request who-has 192.168.120.1 tell
192.168.120.6, length 28
but on the OVS bridge nothing arrives ...
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on OVSbr2, link-type EN10MB (Ethernet), capture size
262144 bytes
I disabled port_security and removed the security group but nothing
changed
+---+---+
| Field | Value
|
+---+---+
| admin_state_up | True
|
| allowed_address_pairs |
|
| binding:host_id | node11
|
| binding:profile | {}
|
| binding:vif_details | {"port_filter": true, "ovs_hybrid_plug":
true} |
| binding:vif_type | ovs
|
| binding:vnic_type | normal
|
| created_at | 2018-01-27T16:45:48Z
|
| description |
|
| device_id | 74916967-984c-4617-ae33-b847de73de13
|
| device_owner | compute:nova
|
| extra_dhcp_opts |
|
| fixed_ips | {"subnet_id":
"525db7ff-2bf2-4c64-b41e-1e41570ec358", "ip_address":
"192.168.120.10"} |
| id | 74b754d6--4c2e-bfd1-87f640154ac9
|
| mac_address | fa:16:3e:af:90:0c
|
| name
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Dear Volodymyr, all,
thanks for your fast answer ...
but I'm still facing the same problem, still can't ping the instance
with configured and up OVS bridge ... may because I'm quite new to
OpenStack and OpenVswitch and didn't see the problem ;)
My setup is devstack Mitaka in single machine config ... first of all I
didn't find there the openvswitch_agent.ini anymore, I remember in
previous version it was in the neutron/plugin folder ...
Is this config now done in the ml2 config file in the [OVS] section
I'm really wondering ...
so I can ping between the 2 instances without any problem. But as soon I
bring up the OVS bridge inside the vm the ARP requests only visible at
the ens interface but not reaching the OVSbr ...
please find attached two files which may help for troubleshooting. One
are some network information from inside the Instance that runs the OVS
and one ovs-vsctl info of the OpenStack Host.
If you need more info/logs please let me know! Thanks for your help!
BR Mathias.
On 2018-01-27 22:44, Volodymyr Litovka wrote:
Hi Mathias,
whether you have all corresponding bridges and patches between them
as described in openvswitch_agent.ini using
integration_bridge
tunnel_bridge
int_peer_patch_port
tun_peer_patch_port
bridge_mappings
parameters? And make sure, that service "neutron-ovs-cleanup" is in
use during system boot. You can check these bridges and patches using
"ovs-vsctl show" command.
On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote:
Dear all,
I'm quite new to openstack and like to install openVSwtich inside
one Instance of our Mitika openstack Lab Enviornment ...
But it seems that ARP packets got lost between the network
interface of the instance and the OVS bridge ...
With tcpdump on the interface I see the APR packets ...
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on ens6, link-type EN10MB (Ethernet), capture size 262144
bytes
18:50:58.080478 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:50:58.125009 ARP, Request who-has 192.168.120.1 tell
192.168.120.6, length 28
18:50:59.077315 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:50:59.121369 ARP, Request who-has 192.168.120.1 tell
192.168.120.6, length 28
18:51:00.077327 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:51:00.121343 ARP, Request who-has 192.168.120.1 tell
192.168.120.6, length 28
but on the OVS bridge nothing arrives ...
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on OVSbr2, link-type EN10MB (Ethernet), capture size
262144 bytes
I disabled port_security and removed the security group but nothing
changed
+---+---+
| Field | Value
|
+---+---+
| admin_state_up | True
|
| allowed_address_pairs |
|
| binding:host_id | node11
|
| binding:profile | {}
|
| binding:vif_details | {"port_filter": true, "ovs_hybrid_plug":
true} |
| binding:vif_type | ovs
|
| binding:vnic_type | normal
|
| created_at | 2018-01-27T16:45:48Z
|
| description |
|
| device_id | 74916967-984c-4617-ae33-b847de73de13
|
| device_owner | compute:nova
|
| extra_dhcp_opts |
|
| fixed_ips | {"subnet_id":
"525db7ff-2bf2-4c64-b41e-1e41570ec358", "ip_address":
"192.168.120.10"} |
| id | 74b754d6--4c2e-bfd1-87f640154ac9
|
| mac_address | fa:16:3e:af:90:0c
|
| name |
|
| network_id | 917254cb-9721-4207-99c5-8ead9f95d186
|
| port_security_enabled | False
|
| project_id | c48457e73b664147a3d2d36d75dcd155
|
| revision_number | 27
|
| security_groups |
|
| status | ACTIVE
|
| tenant_id | c48457e73b664147a3d2d36d75dcd155
|
| updated_at | 2018-01-27T18:54:24Z
|
+---+---+
maybe the port_filter causes still the problem? But how to disable
it?
Any other idea?
Thanks and BR Mathias.
___
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [1]
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [1]
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
Links:
--
[1] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
--
Vielen Dank und Gruß Mathias.
Many Thanks and kind regards, Mathias.
--
Dipl.-Ing. (FH) Mathias Strufe
Wissenschaftlicher Mitarbeiter / Researcher
Intelligente Netze / Intelligent Networks
Phone: +49 (0) 631 205 75 - 1826
Fax: +49 (0) 631 205 75 – 4400
E-Mail: mathias.str...@dfki.de
WWW: http://www.dfki.de/web/forschung/in
WWW: https://selfnet-5g.eu/
--
Deutsches Forschungszentrum fuer Kuenstliche Intelligenz Gmb
Re: [Openstack] OpenVSwitch inside Instance no ARP passthrough
Hi Mathias,
whether you have all corresponding bridges and patches between them as
described in openvswitch_agent.ini using
integration_bridge
tunnel_bridge
int_peer_patch_port
tun_peer_patch_port
bridge_mappings
parameters? And make sure, that service "neutron-ovs-cleanup" is in use
during system boot. You can check these bridges and patches using
"ovs-vsctl show" command.
On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote:
Dear all,
I'm quite new to openstack and like to install openVSwtich inside one
Instance of our Mitika openstack Lab Enviornment ...
But it seems that ARP packets got lost between the network interface
of the instance and the OVS bridge ...
With tcpdump on the interface I see the APR packets ...
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on ens6, link-type EN10MB (Ethernet), capture size 262144 bytes
18:50:58.080478 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:50:58.125009 ARP, Request who-has 192.168.120.1 tell 192.168.120.6,
length 28
18:50:59.077315 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:50:59.121369 ARP, Request who-has 192.168.120.1 tell 192.168.120.6,
length 28
18:51:00.077327 ARP, Request who-has 192.168.120.10 tell
192.168.120.6, length 28
18:51:00.121343 ARP, Request who-has 192.168.120.1 tell 192.168.120.6,
length 28
but on the OVS bridge nothing arrives ...
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on OVSbr2, link-type EN10MB (Ethernet), capture size 262144
bytes
I disabled port_security and removed the security group but nothing
changed
+---+---+
| Field | Value |
+---+---+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | node11 |
| binding:profile | {} |
| binding:vif_details | {"port_filter": true, "ovs_hybrid_plug":
true} |
| binding:vif_type | ovs |
| binding:vnic_type | normal |
| created_at | 2018-01-27T16:45:48Z
|
| description | |
| device_id | 74916967-984c-4617-ae33-b847de73de13
|
| device_owner | compute:nova
|
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id":
"525db7ff-2bf2-4c64-b41e-1e41570ec358", "ip_address": "192.168.120.10"} |
| id | 74b754d6--4c2e-bfd1-87f640154ac9
|
| mac_address | fa:16:3e:af:90:0c
|
| name | |
| network_id | 917254cb-9721-4207-99c5-8ead9f95d186
|
| port_security_enabled | False |
| project_id | c48457e73b664147a3d2d36d75dcd155
|
| revision_number | 27 |
| security_groups | |
| status | ACTIVE |
| tenant_id | c48457e73b664147a3d2d36d75dcd155
|
| updated_at | 2018-01-27T18:54:24Z
|
+---+---+
maybe the port_filter causes still the problem? But how to disable it?
Any other idea?
Thanks and BR Mathias.
___
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
[Openstack] OpenVSwitch inside Instance no ARP passthrough
Dear all,
I'm quite new to openstack and like to install openVSwtich inside one
Instance of our Mitika openstack Lab Enviornment ...
But it seems that ARP packets got lost between the network interface of
the instance and the OVS bridge ...
With tcpdump on the interface I see the APR packets ...
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on ens6, link-type EN10MB (Ethernet), capture size 262144
bytes
18:50:58.080478 ARP, Request who-has 192.168.120.10 tell 192.168.120.6,
length 28
18:50:58.125009 ARP, Request who-has 192.168.120.1 tell 192.168.120.6,
length 28
18:50:59.077315 ARP, Request who-has 192.168.120.10 tell 192.168.120.6,
length 28
18:50:59.121369 ARP, Request who-has 192.168.120.1 tell 192.168.120.6,
length 28
18:51:00.077327 ARP, Request who-has 192.168.120.10 tell 192.168.120.6,
length 28
18:51:00.121343 ARP, Request who-has 192.168.120.1 tell 192.168.120.6,
length 28
but on the OVS bridge nothing arrives ...
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on OVSbr2, link-type EN10MB (Ethernet), capture size 262144
bytes
I disabled port_security and removed the security group but nothing
changed
+---+---+
| Field | Value
|
+---+---+
| admin_state_up| True
|
| allowed_address_pairs |
|
| binding:host_id | node11
|
| binding:profile | {}
|
| binding:vif_details | {"port_filter": true, "ovs_hybrid_plug": true}
|
| binding:vif_type | ovs
|
| binding:vnic_type | normal
|
| created_at| 2018-01-27T16:45:48Z
|
| description |
|
| device_id | 74916967-984c-4617-ae33-b847de73de13
|
| device_owner | compute:nova
|
| extra_dhcp_opts |
|
| fixed_ips | {"subnet_id":
"525db7ff-2bf2-4c64-b41e-1e41570ec358", "ip_address": "192.168.120.10"}
|
| id| 74b754d6--4c2e-bfd1-87f640154ac9
|
| mac_address | fa:16:3e:af:90:0c
|
| name |
|
| network_id| 917254cb-9721-4207-99c5-8ead9f95d186
|
| port_security_enabled | False
|
| project_id| c48457e73b664147a3d2d36d75dcd155
|
| revision_number | 27
|
| security_groups |
|
| status| ACTIVE
|
| tenant_id | c48457e73b664147a3d2d36d75dcd155
|
| updated_at| 2018-01-27T18:54:24Z
|
+---+---+
maybe the port_filter causes still the problem? But how to disable it?
Any other idea?
Thanks and BR Mathias.
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
