<div dir="ltr"><pre>Hi,

One suggestion from my side is checking nova security groups against
iptables rules for each VM. Doing this will ensure that there are no unwanted holes in security
(for example, accidental messing up of iptables rules).

Thanks
-Vikas Choudhary
____________________________________________________
Hi,
It's interesting! I have three points for you here.
a. Support packet tracking which shows the path a packet traveled on the
host, even on the source/destination host.
b. Given a communication type and packet characteristics, find out the
fault point. For example, if you want VM1 to talk with VM2 via DVR but it failed,
the tool should tell you that the packet is sent to the snat router and the
DVR router on the host where VM1 resides is created with a wrong
route [dest=xx,nexthop=yy], and the right route should be dest=xx,nexthop=zz.
c. As a tool, I think it should be simple. The best is no installation:
copy and use it. Can you simplify it? One possible method may be to
implement it using C/C++ and publish an executable file.
BR,
Germy
On Fri, Aug 28, 2015 at 6:05 PM, Baohua Yang <<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">yangbaohua at gmail.com</a>> wrote:
><i> Hi, all
</i>><i>
</i>><i> When using neutron (especially with DVR), I find it difficult to debug
</i>><i> problems with lots of ovs rules, complicated iptables rules, network
</i>><i> namespaces, routing tables, ...
</i>><i>
</i>><i> So I created easyOVS <<a href="https://github.com/yeasy/easyOVS">https://github.com/yeasy/easyOVS</a>>, in summary, it can
</i>><i>
</i>><i>
</i>><i> - Format the output and use color to make it clear and easy to compare.
</i>><i> - Associate the OpenStack information (e.g., vm ip) on the virtual
</i>><i> port or rule
</i>><i> - Query openvswitch, iptables, namespace information in a smart way.
</i>><i> - Check if the DVR configuration is correct.
</i>><i> - Smart command completion, try tab everywhere.
</i>><i> - Support running local system commands.
</i>><i>
</i>><i> In the latest 0.5 version, it supports checking your dvr configuration and
</i>><i> running states, e.g., on a compute node, I run the 'dvr check' command, then it
</i>><i> will automatically check the configuration files, bridges, ports, network
</i>><i> spaces, iptables rules, ... like
</i>><i>
</i>><i> No type given, guessing...compute node
</i>><i> === Checking DVR on compute node ===
</i>><i> >>> Checking config files...
</i>><i> # Checking file = /etc/sysctl.conf...
</i>><i> # Checking file = /etc/neutron/neutron.conf...
</i>><i> # Checking file = /etc/neutron/plugins/ml2/ml2_conf.ini...
</i>><i> file /etc/neutron/plugins/ml2/ml2_conf.ini Not has [agent]
</i>><i> file /etc/neutron/plugins/ml2/ml2_conf.ini Not has l2_population = True
</i>><i> file /etc/neutron/plugins/ml2/ml2_conf.ini Not has
</i>><i> enable_distributed_routing = True
</i>><i> file /etc/neutron/plugins/ml2/ml2_conf.ini Not has arp_responder = True
</i>><i> # Checking file = /etc/neutron/l3_agent.ini...
</i>><i> <<< Checking config files has warnings
</i>><i>
</i>><i> >>> Checking bridges...
</i>><i> # Existing bridges are br-tun, br-int, br-eno1, br-ex
</i>><i> # Vlan bridge is at br-tun, br-int, br-eno1, br-ex
</i>><i> <<< Checking bridges passed
</i>><i>
</i>><i> >>> Checking vports ...
</i>><i> ## Checking router port = qr-b0142af2-12
</i>><i> ### Checking rfp port rfp-f046c591-7
</i>><i> Found associated floating ips : <a href="http://172.29.161.127/32">172.29.161.127/32</a>, <a href="http://172.29.161.126/32">172.29.161.126/32</a>
</i>><i> ### Checking associated fpr port fpr-f046c591-7
</i>><i> ### Check related fip_ns=fip-9e1c850d-e424-4379-8ebd-278ae995d5c3
</i>><i> Bridging in the same subnet
</i>><i> fg port is attached to br-ex
</i>><i> floating ip 172.29.161.127 match fg subnet
</i>><i> floating ip 172.29.161.126 match fg subnet
</i>><i> Checking chain rule number: neutron-postrouting-bottom...Passed
</i>><i> Checking chain rule number: OUTPUT...Passed
</i>><i> Checking chain rule number: neutron-l3-agent-snat...Passed
</i>><i> Checking chain rules: neutron-postrouting-bottom...Passed
</i>><i> Checking chain rules: PREROUTING...Passed
</i>><i> Checking chain rules: OUTPUT...Passed
</i>><i> Checking chain rules: POSTROUTING...Passed
</i>><i> Checking chain rules: POSTROUTING...Passed
</i>><i> Checking chain rules: neutron-l3-agent-POSTROUTING...Passed
</i>><i> Checking chain rules: neutron-l3-agent-PREROUTING...Passed
</i>><i> Checking chain rules: neutron-l3-agent-OUTPUT...Passed
</i>><i> DNAT for incoming: 172.29.161.127 --> 10.0.0.3 passed
</i>><i> Checking chain rules: neutron-l3-agent-float-snat...Passed
</i>><i> SNAT for outgoing: 10.0.0.3 --> 172.29.161.127 passed
</i>><i> Checking chain rules: neutron-l3-agent-OUTPUT...Passed
</i>><i> DNAT for incoming: 172.29.161.126 --> 10.0.0.216 passed
</i>><i> Checking chain rules: neutron-l3-agent-float-snat...Passed
</i>><i> SNAT for outgoing: 10.0.0.216 --> 172.29.161.126 passed
</i>><i> ## Checking router port = qr-8c41bfc7-56
</i>><i> Checking passed already
</i>><i> <<< Checking vports passed
</i>><i>
</i>><i>
</i>><i> Any feedback is welcome, and any contribution is welcome!
</i>><i>
</i>><i> I am trying to put this project into stackforge to let more people use
</i>><i> and improve it; any thoughts on whether it is suitable?
</i>><i>
</i>><i> <a href="https://review.openstack.org/#/c/212396/">https://review.openstack.org/#/c/212396/</a>
</i>><i>
</i>><i> Thanks for any help or suggestion!
</i>><i>
</i>><i>
</i>><i> --
</i>><i> Best wishes!
</i>><i> Baohua
</i>></pre></div>
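As an added illustration of what the quoted 'dvr check' output verifies (example code written for this thread, not easyOVS's own implementation): a small Python checker that reads an ml2_conf.ini for the [agent] DVR settings the tool warns about, and scans an iptables-save dump for the DNAT/SNAT pair that should exist behind each floating-ip to fixed-ip mapping. The ini text and rule lines below are constructed; the rule shapes are assumed to match what neutron's l3 agent installs in the nat table.

```python
import configparser
import re

# DVR settings the quoted 'dvr check' output warns about in ml2_conf.ini [agent]
REQUIRED_AGENT = {"l2_population": "True",
                  "enable_distributed_routing": "True",
                  "arp_responder": "True"}

# Assumed rule shapes (iptables-save format, nat table) for one floating IP
DNAT_RE = re.compile(r"-A neutron-l3-agent-(?:PREROUTING|OUTPUT) -d ([\d.]+)/32"
                     r" -j DNAT --to-destination ([\d.]+)")
SNAT_RE = re.compile(r"-A neutron-l3-agent-float-snat -s ([\d.]+)/32"
                     r" -j SNAT --to-source ([\d.]+)")

def check_ml2_agent(ini_text):
    """Return warning strings for missing or wrong DVR keys in [agent]."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section("agent"):
        return ["Not has [agent]"] + [f"Not has {k} = {v}" for k, v in REQUIRED_AGENT.items()]
    return [f"Not has {k} = {v}" for k, v in REQUIRED_AGENT.items()
            if cp.get("agent", k, fallback="").lower() != v.lower()]

def check_floating_nat(iptables_save, mappings):
    """mappings: {floating_ip: fixed_ip}. Return failures for missing DNAT/SNAT pairs."""
    dnat = {m.group(1): m.group(2) for m in DNAT_RE.finditer(iptables_save)}
    snat = {m.group(1): m.group(2) for m in SNAT_RE.finditer(iptables_save)}
    failures = []
    for fip, fixed in mappings.items():
        if dnat.get(fip) != fixed:          # incoming traffic to the floating IP
            failures.append(f"DNAT for incoming: {fip} --> {fixed} missing")
        if snat.get(fixed) != fip:          # outgoing traffic from the fixed IP
            failures.append(f"SNAT for outgoing: {fixed} --> {fip} missing")
    return failures

# Constructed sample inputs for the example (not taken from a real node).
SAMPLE_INI = """[ml2]
type_drivers = flat,vlan,vxlan
[agent]
l2_population = True
arp_responder = True
"""
SAMPLE_IPTABLES = """*nat
-A neutron-l3-agent-PREROUTING -d 172.29.161.127/32 -j DNAT --to-destination 10.0.0.3
-A neutron-l3-agent-OUTPUT -d 172.29.161.127/32 -j DNAT --to-destination 10.0.0.3
-A neutron-l3-agent-float-snat -s 10.0.0.3/32 -j SNAT --to-source 172.29.161.127
-A neutron-l3-agent-PREROUTING -d 172.29.161.126/32 -j DNAT --to-destination 10.0.0.216
COMMIT
"""
```

On the sample data the ini check reports the missing enable_distributed_routing key and the NAT check reports the absent SNAT rule for 10.0.0.216, the kind of gap a stray iptables edit would leave behind.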