From patchwork Thu Aug 8 02:11:38 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Flaviof X-Patchwork-Id: 1143768 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=openvswitch.org (client-ip=140.211.169.12; helo=mail.linuxfoundation.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=flaviof.com Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 463sLt3tkdz9s00 for ; Thu, 8 Aug 2019 12:11:49 +1000 (AEST) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id B221ACC9; Thu, 8 Aug 2019 02:11:46 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id AE02BCC4 for ; Thu, 8 Aug 2019 02:11:44 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-qk1-f181.google.com (mail-qk1-f181.google.com [209.85.222.181]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A37BC829 for ; Thu, 8 Aug 2019 02:11:43 +0000 (UTC) Received: by mail-qk1-f181.google.com with SMTP id r6so67599773qkc.0 for ; Wed, 07 Aug 2019 19:11:43 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :senderwebaddress:content-transfer-encoding; bh=5yW8MAj0YtsLBCPWY6fZAYwDlpNVE5IYfKZKCtKE9r0=; b=S3M8fxaE7R163slkfF1C6DDFCRp+jmq4n+5YBKdoFGwq+Any7fkNc8O/fZnJWDnnE6 k1ae98/LwPEBJUwLZnIN7asRx0H8ckM4ht6wHdl+f1gO9NSFsP56l4DoYtqedzf6Y8s6 a4CHR3NXp1ak90IrQoa+VIVXqBTPyXcUH2kSEcuq8ow+8ZBQbHkmyLBHIQk5QjVhPWtv UEXNkNMBsgMaBOa+4iMuxNT6Gz5Np/nLL2uqt52QSQtrbDrF+VfZ1alwWIiNPhb0uuXm 2sfmq4y1ll0AL761ReEmMpULRnvehprYQgjdX55nE5OpwBpnG00SzZN6/ZxUW+S8HGLc NOZQ== X-Gm-Message-State: APjAAAVYvNEsBcuPuYLJiKa+nTgZV7NNykaApDVYAM7i1/Dn/qIvg+Yh UMjgBf0GkKQPRxUO9JCgzDCh3DVYZII= X-Google-Smtp-Source: APXvYqyXIA1pDL09tjeprEWLLPreYJaGBdvxbtRm8ZvI9cMsQIKppaEHvDzz52eMzZpYhthCd1/jwA== X-Received: by 2002:a05:620a:1411:: with SMTP id d17mr7262668qkj.81.1565230302440; Wed, 07 Aug 2019 19:11:42 -0700 (PDT) Received: from localhost.localdomain (pool-74-104-177-190.bstnma.fios.verizon.net. [74.104.177.190]) by smtp.gmail.com with ESMTPSA id m8sm40539429qti.97.2019.08.07.19.11.40 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Wed, 07 Aug 2019 19:11:41 -0700 (PDT) From: Flavio Fernandes To: dev@openvswitch.org Date: Wed, 7 Aug 2019 22:11:38 -0400 Message-Id: <20190808021138.13728-1-flavio@flaviof.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 SenderWebAddress: http://flaviof.com/ X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [PATCH v3] ovn-openstack.rst: Miscelaneous fixes. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Added a few clarifications to improve the tutorial: - VM needs to be at least 6 Gb on latest openstack (ouch!); - VM must support nesting; - local.conf may require HOST_IP depending on device name; - Omit --project from network create to be consistent with OS_PROJECT_NAME; - Use a temporary file to ensure datapath flow for recirc(0) is obtained; - Reword what to expect when tracing packet before logical router creation; - Fix minor mistake on the usage of netcat command; - Use MAC of logical router's IPv4 interface to make ACL example more realistic. Signed-off-by: Flavio Fernandes --- v1->v2: Fix [most] issues found by 0-day robot. Bleep bloop. :) The one lingering issue I don't know how to fix, bc I rather not break up url. v2->v3: Fix backslash mistake introduced on v2. Open issues that I will look into in parallel: - With OVN moving to its own repo, this patch may need to move as well. - I was not able to see NAT entries in a logical flow when following the Gateway section. --- Documentation/tutorials/ovn-openstack.rst | 64 +++++++++++++++++++---- 1 file changed, 53 insertions(+), 11 deletions(-) diff --git a/Documentation/tutorials/ovn-openstack.rst b/Documentation/tutorials/ovn-openstack.rst index c6dff5e55..353ef209e 100644 --- a/Documentation/tutorials/ovn-openstack.rst +++ b/Documentation/tutorials/ovn-openstack.rst @@ -62,12 +62,16 @@ with the tutorial in full. Unless you have a spare computer laying about, it's easiest to install DevStacck in a virtual machine. This tutorial was built using a VM implemented by KVM and managed by virt-manager. I recommend -configuring the VM configured for the x86-64 architecture, 4 GB RAM, 2 +configuring the VM configured for the x86-64 architecture, 6 GB RAM, 2 VCPUs, and a 20 GB virtual disk. .. note:: + Since we will be creating VMs inside this VM, it is important to have + nesting configured properly. See + https://github.com/openstack/devstack/blob/master/doc/source/guides/devstack-with-nested-kvm.rst + for details on that. - If you happen to run your Linux-based host with 32-bit userspace, + Also, if you happen to run your Linux-based host with 32-bit userspace, then you will have some special issues, even if you use a 64-bit kernel: @@ -174,6 +178,12 @@ Here are step-by-step instructions to get started: .. note:: + Depending on the name of the network device used by the VM, devstack + may be unable to automatically obtain its IP address. If that happens, + edit ``local.conf`` and explicitly provide it (X marks the spot):: + + HOST_IP=X + If you installed a 32-bit i386 guest (against the advice above), at this point edit ``local.conf`` to add the following line:: @@ -430,7 +440,7 @@ Creating network ``n1`` Let's start by creating the network:: - $ openstack network create --project admin --provider-network-type geneve n1 + $ openstack network create --provider-network-type geneve n1 OpenStack needs to know the subnets that a network serves. We inform it by creating subnet objects. To keep it simple, let's give our @@ -997,6 +1007,22 @@ this:: recirc_id(0),in_port(3),eth(src=fa:16:3e:f5:2a:90),eth_type(0x0800),ipv4(src=10.1.1.5,frag=no), packets:388, bytes:38024, used:0.977s, actions:ct(zone=8),recirc(0x18) +.. note:: + + Flows in the datapath can expire quickly and the ``watch`` command + mentioned above may be too slow to catch it. If that is your + case, stop the ``ping 10.1.1.6`` session and re-start it a few + seconds after this command:: + + $ sudo conntrack -F ; rm -f /tmp/flows.txt ; \ + for _ in $(seq 100) ; do \ + sudo ovs-dpctl dump-flows >> /tmp/flows.txt ; \ + sleep 0.1 ; done + + Then, look for ``recirc_id(0)`` in flows.txt after ping command was issued:: + + $ sort --uniq /tmp/flows.txt | grep zone + We can hand the first part of this (everything up to the first space) to ``ofproto/trace``, and it will tell us what happens:: @@ -1064,7 +1090,7 @@ tracing with ``recirc_id(0xc)``:: ... Datapath actions: 4 -It was took multiple hops, but we finally came to the end of the line +It took multiple hops, but we finally came to the end of the line where the packet was output to ``b`` after passing through both firewalls. The port number here is a datapath port number, which is usually different from an OpenFlow port number. To check that it is @@ -1114,15 +1140,16 @@ works in OVN. There's nothing really new for the network and the VM so let's just go ahead and create them:: - $ openstack network create --project admin --provider-network-type geneve n2 + $ openstack network create --provider-network-type geneve n2 $ openstack subnet create --subnet-range 10.1.2.0/24 --network n2 n2subnet $ openstack server create --nic net-id=n2,v4-fixed-ip=10.1.2.7 --flavor m1.nano --image $IMAGE_ID --key-name demo c $ openstack port set --name cp $(openstack port list --server c -f value -c ID) $ CP_MAC=$(openstack port show -f value -c mac_address cp) The new network ``n2`` is not yet connected to ``n1`` in any way. You -can try tracing a broadcast packet from ``a`` to see, for example, -that it doesn't make it to ``c``:: +can try tracing a packet from ``a`` to see, for example, that it doesn’t +make it to ``c``. Instead, it will end up as ``multicast unknown`` +in ``n1``:: $ ovn-trace n1 'inport == "ap" && eth.src == '$AP_MAC' && eth.dst == '$CP_MAC ... @@ -1698,7 +1725,7 @@ Now we can do some experiments to test security groups. From the console on ``a`` or ``b``, it should now be possible to "ping" ``c`` or to SSH to it, but attempts to initiate connections on other ports should be blocked. (You can try to connect on another port with -``ssh -p PORT IP`` or ``nc PORT IP``.) Connection attempts should +``ssh -p PORT IP`` or ``nc IP PORT -vv``.) Connection attempts should time out rather than receive the "connection refused" or "connection reset" error that you would see between ``a`` and ``b``. @@ -1739,9 +1766,18 @@ so ``--minimal`` works fine and the output is easier to read. Try a few traces. For example: +First, obtain the mac address of logical router's IPv4 interface +on ``n1``:: + + $ N1SUBNET4_MAC=$(ovn-nbctl --bare --columns=mac \ + find logical_router_port networks=\"10.1.1.1/24\") + * VM ``a`` initiates a new SSH connection to ``c``:: - $ ovn-trace --ct new --ct new --minimal n1 'inport == "ap" && eth.src == '$AP_MAC' && eth.dst == '$N1SUBNET6_MAC' && ip4.src == 10.1.1.5 && ip4.dst == 10.1.2.7 && ip.ttl == 64 && tcp.dst == 22' + $ ovn-trace --ct new --ct new --minimal n1 'inport == "ap" && + eth.src == '$AP_MAC' && eth.dst == '$N1SUBNET4_MAC' && + ip4.src == 10.1.1.5 && ip4.dst == 10.1.2.7 && ip.ttl == 64 && + tcp.dst == 22' ... ct_next(ct_state=new|trk) { ip.ttl--; @@ -1756,7 +1792,10 @@ Try a few traces. For example: * VM ``a`` initiates a new Telnet connection to ``c``:: - $ ovn-trace --ct new --ct new --minimal n1 'inport == "ap" && eth.src == '$AP_MAC' && eth.dst == '$N1SUBNET6_MAC' && ip4.src == 10.1.1.5 && ip4.dst == 10.1.2.7 && ip.ttl == 64 && tcp.dst == 23' + $ ovn-trace --ct new --ct new --minimal n1 'inport == "ap" && + eth.src == '$AP_MAC' && eth.dst == '$N1SUBNET4_MAC' && + ip4.src == 10.1.1.5 && ip4.dst == 10.1.2.7 && ip.ttl == 64 && + tcp.dst == 23' ct_next(ct_state=new|trk) { ip.ttl--; eth.src = fa:16:3e:19:9f:46; @@ -1769,7 +1808,10 @@ Try a few traces. For example: * VM ``a`` replies to a packet that is part of a Telnet connection originally initiated by ``c``:: - $ ovn-trace --ct est,rpl --ct est,rpl --minimal n1 'inport == "ap" && eth.src == '$AP_MAC' && eth.dst == '$N1SUBNET6_MAC' && ip4.src == 10.1.1.5 && ip4.dst == 10.1.2.7 && ip.ttl == 64 && tcp.dst == 23' + $ ovn-trace --ct est,rpl --ct est,rpl --minimal n1 'inport == "ap" && + eth.src == '$AP_MAC' && eth.dst == '$N1SUBNET4_MAC' && + ip4.src == 10.1.1.5 && ip4.dst == 10.1.2.7 && ip.ttl == 64 && + tcp.dst == 23' ... ct_next(ct_state=est|rpl|trk) { ip.ttl--;