Re: [openstack-dev] [Neutron] [DVR] easyOVS -- Smart tool to use/debug Neutron/DVR

2015-08-31 Thread Germy Lure
Hi,

It's interesting! I have three points for you here.
a. Support packet tracking which shows the path a packet traveled on the
host, even on the source/destination host.
b. Given a communication type and packet characteristic, find out the
fault point. For example, if you want VM1 to talk with VM2 via DVR but it
failed, the tool should tell you that the packet is sent to the snat router
and the DVR router on the host where VM1 resides is created with a wrong
route[dest=xx,nexthop=yy], and the right route should be dest=xx,nexthop=zz.
c. As a tool, I think it should be simple. The best is no installation.
Copy and use it. Can you simplify it? One possible method may be to
implement it using C/C++ and publish an executable file.

BR,
Germy

On Fri, Aug 28, 2015 at 6:05 PM, Baohua Yang wrote:

> Hi , all
>
> When using neutron (especially with DVR), I find it difficult to debug
> problems with lots of ovs rules, complicated iptables rules, network
> namespaces, routing tables, ...
>
> So I create easyOVS, in summary, it can
>
>    - Format the output and use color to make it clear and easy to compare.
>    - Associate the OpenStack information (e.g., vm ip) on the virtual port
>    or rule
>    - Query openvswitch,iptables,namespace information in smart way.
>    - Check if the DVR configuration is correct.
>    - Smart command completion, try tab everywhere.
>    - Support running local system commands.
>
> In latest 0.5 version, it supports checking your dvr configuration and
> running states, e.g., on a compute node, I run 'dvr check' command, then it
> will automatically check the configuration files, bridges, ports, network
> spaces, iptables rules,... like
>
>  No type given, guessing...compute node
> === Checking DVR on compute node ===
> >>> Checking config files...
> # Checking file = /etc/sysctl.conf...
> # Checking file = /etc/neutron/neutron.conf...
> # Checking file = /etc/neutron/plugins/ml2/ml2_conf.ini...
> file /etc/neutron/plugins/ml2/ml2_conf.ini Not has [agent]
> file /etc/neutron/plugins/ml2/ml2_conf.ini Not has l2_population = True
> file /etc/neutron/plugins/ml2/ml2_conf.ini Not has enable_distributed_routing = True
> file /etc/neutron/plugins/ml2/ml2_conf.ini Not has arp_responder = True
> # Checking file = /etc/neutron/l3_agent.ini...
> <<< Checking config files has warnings
>
> >>> Checking bridges...
> # Existing bridges are br-tun, br-int, br-eno1, br-ex
> # Vlan bridge is at br-tun, br-int, br-eno1, br-ex
> <<< Checking bridges passed
>
> >>> Checking vports ...
> ## Checking router port = qr-b0142af2-12
> ### Checking rfp port rfp-f046c591-7
> Found associated floating ips : 172.29.161.127/32, 172.29.161.126/32
> ### Checking associated fpr port fpr-f046c591-7
> ### Check related fip_ns=fip-9e1c850d-e424-4379-8ebd-278ae995d5c3
> Bridging in the same subnet
> fg port is attached to br-ex
> floating ip 172.29.161.127 match fg subnet
> floating ip 172.29.161.126 match fg subnet
> Checking chain rule number: neutron-postrouting-bottom...Passed
> Checking chain rule number: OUTPUT...Passed
> Checking chain rule number: neutron-l3-agent-snat...Passed
> Checking chain rules: neutron-postrouting-bottom...Passed
> Checking chain rules: PREROUTING...Passed
> Checking chain rules: OUTPUT...Passed
> Checking chain rules: POSTROUTING...Passed
> Checking chain rules: POSTROUTING...Passed
> Checking chain rules: neutron-l3-agent-POSTROUTING...Passed
> Checking chain rules: neutron-l3-agent-PREROUTING...Passed
> Checking chain rules: neutron-l3-agent-OUTPUT...Passed
> DNAT for incoming: 172.29.161.127 --> 10.0.0.3 passed
> Checking chain rules: neutron-l3-agent-float-snat...Passed
> SNAT for outgoing: 10.0.0.3 --> 172.29.161.127 passed
> Checking chain rules: neutron-l3-agent-OUTPUT...Passed
> DNAT for incoming: 172.29.161.126 --> 10.0.0.216 passed
> Checking chain rules: neutron-l3-agent-float-snat...Passed
> SNAT for outgoing: 10.0.0.216 --> 172.29.161.126 passed
> ## Checking router port = qr-8c41bfc7-56
> Checking passed already
> <<< Checking vports passed
>
>
> Welcome for any feedback, and welcome for any contribution!
>
> I am trying to put this project into stackforge so that more people can use
> and improve it, any thoughts if it is suitable?
>
> https://review.openstack.org/#/c/212396/
>
> Thanks for any help or suggestion!
>
>
> --
> Best wishes!
> Baohua
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>

[openstack-dev] [Neutron] [DVR] easyOVS -- Smart tool to use/debug Neutron/DVR

2015-08-31 Thread Vikas Choudhary
Hi,

One suggestion from my side is checking nova security groups against
iptable rules for each vm. Doing this will ensure that there are no
unwanted holes in security (for example, accidental messing up of iptable
rules).


Thanks

-Vikas Choudhary
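
The check suggested in this message, sketched as an added example (it is not part of the thread and not easyOVS code): compare the ingress openings a security group is meant to allow with what a port's iptables chain actually lets through. The chain name, the RETURN allow target and all sample rules are constructed assumptions.

```python
# Constructed sample: ingress openings the security group is meant to allow
# for one port, as (protocol, destination port, source CIDR).
INTENDED = {("tcp", "22", "10.0.0.0/24"), ("tcp", "443", "0.0.0.0/0")}

# Constructed iptables-save style lines. The per-port chain name and the use
# of RETURN as the "allow" target are assumptions made for this example.
CHAIN = "neutron-openvswi-i0a1b2c3d-4"
IPTABLES_SAVE = """\
-A neutron-openvswi-i0a1b2c3d-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i0a1b2c3d-4 -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-i0a1b2c3d-4 -p tcp -m tcp --dport 3306 -j RETURN
-A neutron-openvswi-i0a1b2c3d-4 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o0a1b2c3d-4 -p tcp -m tcp --dport 80 -j RETURN
"""


def _opt(tokens, flag, default):
    """Value following `flag` in a tokenized rule, or `default` if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default


def parse_allows(dump, chain, allow_target="RETURN"):
    """Collect (proto, dport, source) openings that `chain` lets through."""
    allows = set()
    for line in dump.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", chain] or tokens[-2:] != ["-j", allow_target]:
            continue  # other chain, or a drop/jump rule
        if "--state" in tokens:
            continue  # connection-tracking rule, not a new opening
        # A missing match means "anything", which is itself worth reporting.
        allows.add((_opt(tokens, "-p", "any"),
                    _opt(tokens, "--dport", "any"),
                    _opt(tokens, "-s", "0.0.0.0/0")))
    return allows


def audit(intended, dump, chain):
    """Return (unexpected, missing): holes with no rule behind them, and
    intended rules that never reached iptables."""
    actual = parse_allows(dump, chain)
    return sorted(actual - intended), sorted(intended - actual)


if __name__ == "__main__":
    unexpected, missing = audit(INTENDED, IPTABLES_SAVE, CHAIN)
    print("unexpected openings:", unexpected)
    print("missing rules:", missing)
```

Port ranges such as 8000:8100 are compared as text, so the intended set has to spell them the same way the dump does.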



[openstack-dev] [Neutron] [DVR] easyOVS -- Smart tool to use/debug Neutron/DVR

2015-08-28 Thread Baohua Yang
Hi , all

When using neutron (especially with DVR), I find it difficult to debug
problems with lots of ovs rules, complicated iptables rules, network
namespaces, routing tables, ...

So I create easyOVS (https://github.com/yeasy/easyOVS), in summary, it can


   - Format the output and use color to make it clear and easy to compare.
   - Associate the OpenStack information (e.g., vm ip) on the virtual port
   or rule
   - Query openvswitch,iptables,namespace information in smart way.
   - Check if the DVR configuration is correct.
   - Smart command completion, try tab everywhere.
   - Support running local system commands.

In latest 0.5 version, it supports checking your dvr configuration and
running states, e.g., on a compute node, I run 'dvr check' command, then it
will automatically check the configuration files, bridges, ports, network
spaces, iptables rules,... like

 No type given, guessing...compute node
=== Checking DVR on compute node ===
>>> Checking config files...
# Checking file = /etc/sysctl.conf...
# Checking file = /etc/neutron/neutron.conf...
# Checking file = /etc/neutron/plugins/ml2/ml2_conf.ini...
file /etc/neutron/plugins/ml2/ml2_conf.ini Not has [agent]
file /etc/neutron/plugins/ml2/ml2_conf.ini Not has l2_population = True
file /etc/neutron/plugins/ml2/ml2_conf.ini Not has enable_distributed_routing = True
file /etc/neutron/plugins/ml2/ml2_conf.ini Not has arp_responder = True
# Checking file = /etc/neutron/l3_agent.ini...
<<< Checking config files has warnings

>>> Checking bridges...
# Existing bridges are br-tun, br-int, br-eno1, br-ex
# Vlan bridge is at br-tun, br-int, br-eno1, br-ex
<<< Checking bridges passed

>>> Checking vports ...
## Checking router port = qr-b0142af2-12
### Checking rfp port rfp-f046c591-7
Found associated floating ips : 172.29.161.127/32, 172.29.161.126/32
### Checking associated fpr port fpr-f046c591-7
### Check related fip_ns=fip-9e1c850d-e424-4379-8ebd-278ae995d5c3
Bridging in the same subnet
fg port is attached to br-ex
floating ip 172.29.161.127 match fg subnet
floating ip 172.29.161.126 match fg subnet
Checking chain rule number: neutron-postrouting-bottom...Passed
Checking chain rule number: OUTPUT...Passed
Checking chain rule number: neutron-l3-agent-snat...Passed
Checking chain rules: neutron-postrouting-bottom...Passed
Checking chain rules: PREROUTING...Passed
Checking chain rules: OUTPUT...Passed
Checking chain rules: POSTROUTING...Passed
Checking chain rules: POSTROUTING...Passed
Checking chain rules: neutron-l3-agent-POSTROUTING...Passed
Checking chain rules: neutron-l3-agent-PREROUTING...Passed
Checking chain rules: neutron-l3-agent-OUTPUT...Passed
DNAT for incoming: 172.29.161.127 --> 10.0.0.3 passed
Checking chain rules: neutron-l3-agent-float-snat...Passed
SNAT for outgoing: 10.0.0.3 --> 172.29.161.127 passed
Checking chain rules: neutron-l3-agent-OUTPUT...Passed
DNAT for incoming: 172.29.161.126 --> 10.0.0.216 passed
Checking chain rules: neutron-l3-agent-float-snat...Passed
SNAT for outgoing: 10.0.0.216 --> 172.29.161.126 passed
## Checking router port = qr-8c41bfc7-56
Checking passed already
<<< Checking vports passed


Welcome for any feedback, and welcome for any contribution!

I am trying to put this project into stackforge so that more people can use
and improve it, any thoughts if it is suitable?

https://review.openstack.org/#/c/212396/

Thanks for any help or suggestion!


-- 
Best wishes!
Baohua
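
The config-file stage of the 'dvr check' run quoted above, reproduced as an added example (not code from easyOVS or from this post): it parses ml2_conf.ini text and emits the same "Not has" warnings for the three agent options the output names. Placing those options under [agent] and the sample file contents are assumptions of the example.

```python
import configparser

# Options the 'dvr check' output above reports as missing on a compute node.
# Treating them as booleans under [agent] is an assumption of this example.
REQUIRED_AGENT_OPTS = {
    "l2_population": True,
    "enable_distributed_routing": True,
    "arp_responder": True,
}

# Constructed sample: one option absent, one present but disabled.
SAMPLE_ML2_CONF = """
[ml2]
mechanism_drivers = openvswitch,l2population

[agent]
l2_population = True
arp_responder = false
"""


def check_dvr_agent_config(text, path="ml2_conf.ini"):
    """Return warning strings; an empty list means the file passed."""
    # strict=False tolerates repeated options, interpolation=None tolerates
    # literal '%' characters in values.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    if not parser.has_section("agent"):
        return ["file %s Not has [agent]" % path]
    warnings = []
    for opt, wanted in REQUIRED_AGENT_OPTS.items():
        try:
            actual = parser.getboolean("agent", opt)
        except (configparser.NoOptionError, ValueError):
            actual = None  # absent, or not a recognizable boolean
        if actual != wanted:
            warnings.append("file %s Not has %s = %s" % (path, opt, wanted))
    return warnings


if __name__ == "__main__":
    for line in check_dvr_agent_config(SAMPLE_ML2_CONF):
        print(line)
```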