From: Adrian Moreno
To: dev@openvswitch.org
Cc: dceara@redhat.com
Date: Tue, 27 Sep 2022 09:31:13 +0200
Subject: [ovs-dev] [PATCH ovn v3 0/3] Add ovn drop debugging
Message-Id: <20220927073116.2166024-1-amorenoz@redhat.com>
X-Patchwork-Id: 1682997

Very often when troubleshooting networking issues in an OVN cluster one
would like to know if any packet (or a specific one) is being dropped by
OVN.

Currently, this cannot be known because of two main reasons:

1 - Implicit drops: Some tables do not have a default action
(priority=0, match=1). In this case, a packet that does not match any
rule will be silently dropped.

2 - Even on explicit drops, we only know a packet was dropped. We lack
information about that packet.

In order to improve this, this series introduces a two-fold solution:

- First, create a debug-mode option. When enabled, it makes:
    - northd add a default (match = "1") "drop;" action to those tables
      that currently lack one.
    - ovn-controller add an explicit drop action on those tables that are
      not associated with logical flows (i.e: physical-to-logical mappings).

- Secondly, allow sampling of all drops. By introducing a new OVN
  action: "sample" (equivalent to OVS's), OVN can make OVS sample the
  packets as they are dropped. In order to be able to correlate those
  samples back to what exact rule generated them, the user specifies
  an 8-bit observation_domain_id. Based on that, the samples contain
  the following fields:
  - obs_domain_id:
     - 8 most significant bits = the provided observation_domain_id.
     - 24 least significant bits = the datapath's tunnel key if the drop
       comes from a lflow or zero otherwise.
  - obs_point_id: the first 32-bits of the lflow's UUID (i.e: the
    cookie) if the drop comes from an lflow or the table number otherwise.

Based on the above changes in the flows, all of which are optional,
users can collect IPFIX samples of the packets that are dropped by OVN
which contain header information useful for debugging.

* Note on observation_domain_ids:
By allowing the user to specify only the 8 most significant bits of the
obs_domain_id and having OVN combine it with the datapath's tunnel key,
OVN could be extended to support more than one "sampling" application.
For instance, ACL sampling could be developed in the future and, by
specifying a different observation_domain_id, it could co-exist with the
drop sampling mode implemented in the current series while still
allowing to uniquely identify the flow that created the sample.

* Notes on testing and usage:
Any IPFIX collector that parses ObservationPointID and
ObservationDomainID fields can be used. For instance, nfdump supports
these fields in its unicorn branch [1] (future nfdump 1.7).
Example of how to capture and analyze drops:

  # Enable debug sampling:
  $ ovn-nbctl set NB_Global . options:debug_drop_mode=true options:debug_drop_collector_set=1 options:debug_drop_domain_id=1

  # Start nfcapd:
  nfcapd -p 2055 -l nfcap &

  # Configure sampling on the OVS you want to inspect:
  $ ovs-vsctl --id=@br get Bridge br-int -- --id=@i create IPFIX targets=\"172.18.0.1:2055\" -- create Flow_Sample_Collector_Set bridge=@br id=1

  # Inspect samples and figure out what LogicalFlow caused them:
  $ nfdump -r nfcap -o fmt:'%line %odid %opid'
  Date first seen          Duration     Proto  Src IP Addr:Port    Dst IP Addr:Port      Packets  Bytes  Flows  obsDomainID  obsPointID
  1970-01-01 01:09:36.000  00:00:00.000 UDP    172.18.0.1:49230 -> 239.255.255.250:1900       12   6356      1  0x001000009  0x00d8dd23c7
  1970-01-01 01:01:34.000  00:00:00.000 UDP    172.18.0.1:5353  -> 224.0.0.251:5353          165  89257      1  0x001000009  0x00d8dd23c7
  [...]

  $ ovn-sbctl list Logical_Flow | grep -A 11 d8dd23c7
  _uuid               : d8dd23c7-1451-4ea3-add7-8d68b4be4691
  actions             : "sample(probability=65535,collector_set=1,obs_domain=1,obs_point=$cookie); /* drop */"
  controller_meter    : []
  external_ids        : {source="northd.c:12504", stage-name=lr_in_ip_input}
  logical_datapath    : []
  logical_dp_group    : 0dc1b195-c647-4277-aea0-0bad5e896f51
  match               : "ip4.mcast || ip6.mcast"
  pipeline            : ingress
  priority            : 82
  table_id            : 3
  tags                : {}
  hash                : 0

[1] https://github.com/phaag/nfdump/tree/unicorn

V2 -> V3:
- Fix rebase problem on unit test

V1 -> V2:
- Rebased and Addressed Mark's comments.
- Added NEWS section.

Adrian Moreno (3):
  actions: add sample action
  northd: add drop-debug-mode to add explicit drops
  northd: add drop sampling

 NEWS                        |   2 +
 controller/lflow.c          |   1 +
 controller/ovn-controller.c |  50 +++++++++
 controller/physical.c       |  80 ++++++++++++++-
 controller/physical.h       |   7 ++
 include/ovn/actions.h       |  16 +++
 lib/actions.c               | 120 ++++++++++++++++++++++
 northd/automake.mk          |   2 +
 northd/debug.c              | 107 +++++++++++++++++++
 northd/debug.h              |  41 ++++++++
 northd/northd.c             | 115 ++++++++++++++-------
 ovn-nb.xml                  |  32 ++++++
 tests/ovn-northd.at         |  75 ++++++++++++++
 tests/ovn.at                | 200 +++++++++++++++++++++++++++++++++++-
 tests/test-ovn.c            |   3 +
 utilities/ovn-trace.c       |   2 +
 16 files changed, 810 insertions(+), 43 deletions(-)
 create mode 100644 northd/debug.c
 create mode 100644 northd/debug.h
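
Added example, not part of the posted series: a Python decoder for the obs_domain_id / obs_point_id layout the cover letter describes, applied to nfdump rows so drops can be totalled per logical flow. The function names and the third sample row are constructed for illustration, and a zero tunnel key is taken to mean "not from an lflow", following the cover letter's description.

```python
import re
from collections import Counter

# Rows in the layout of `nfdump -o fmt:'%line %odid %opid'`. The first two are
# the rows shown in the cover letter; the third is constructed to show a drop
# that does not come from a logical flow.
SAMPLE_ROWS = """\
1970-01-01 01:09:36.000 00:00:00.000 UDP 172.18.0.1:49230 -> 239.255.255.250:1900 12 6356 1 0x001000009 0x00d8dd23c7
1970-01-01 01:01:34.000 00:00:00.000 UDP 172.18.0.1:5353 -> 224.0.0.251:5353 165 89257 1 0x001000009 0x00d8dd23c7
1970-01-01 01:02:10.000 00:00:00.000 UDP 10.0.0.5:68 -> 255.255.255.255:67 3 1026 1 0x001000000 0x0000000008
"""

# Trailing columns: packets, bytes, flows, obsDomainID, obsPointID.
ROW_RE = re.compile(
    r"\s(\d+)\s+\d+\s+\d+\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s*$")


def decode_ids(obs_domain, obs_point):
    """Split the two IPFIX IDs according to the cover letter's layout."""
    if not (0 <= obs_domain <= 0xFFFFFFFF and 0 <= obs_point <= 0xFFFFFFFF):
        raise ValueError("observation IDs are 32-bit values")
    domain_id = obs_domain >> 24         # 8 most significant bits
    tunnel_key = obs_domain & 0xFFFFFF   # 24 least significant bits
    if tunnel_key:                       # drop generated by a logical flow
        return {"domain_id": domain_id, "tunnel_key": tunnel_key,
                "lflow_uuid_prefix": f"{obs_point:08x}"}
    # Assumption from the cover letter: zero key means obs_point is a table.
    return {"domain_id": domain_id, "tunnel_key": 0, "table": obs_point}


def summarize(text):
    """Sum dropped packets per decoded source, largest total first."""
    totals = Counter()
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue                     # header or unrelated line
        ids = decode_ids(int(m.group(2), 16), int(m.group(3), 16))
        totals[tuple(sorted(ids.items()))] += int(m.group(1))
    return [(dict(key), count) for key, count in totals.most_common()]


if __name__ == "__main__":
    for source, packets in summarize(SAMPLE_ROWS):
        print(packets, source)
```

The `lflow_uuid_prefix` value is the string to search for in the `ovn-sbctl list Logical_Flow` output, as the cover letter does with `grep`.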