<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Mathias,<br>
<br>
I'm not so fluent with OVS, but I would recommend joining the bridges
using special "ports" like<br>
<pre wrap="">Port ovsbr1-patch
    Interface ovsbr1-patch
        type: patch
        options: {peer=ovsbr2-patch}</pre>
and vice versa, keeping "native" configuration of "port OVSbr1" and
"port OVSbr2"<br>
<br>
And keep in mind that the ARP scope is the broadcast domain and, if using
just ARP (not routing), from VM1 you will be able to ping hosts
belonging to OVSbr1, in particular OVSbr1's IP.<br>
<br>
<div class="moz-cite-prefix">On 2/1/18 4:11 PM, Mathias Strufe
(DFKI) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1b307fff14ee05267a5dad10216c3d04@projects.dfki.uni-kl.de">Dear
Benjamin, Volodymyr,
<br>
<br>
good question ;) ... I like to experiment with some kind of
"Firewall NFV" ... but in the first step, I want to build a Router
VM between two networks (and later extend it with some flow rules)
... OpenStack, in my case, is more a foundation to build a "test
environment" for my "own" application ... please find attached a
quick sketch of the current network ...
<br>
I did this already before with iptables inside the middle instance
... worked quite well ... but now I like to achieve the same with
OVS ...
<br>
I didn't expect that it is so much more difficult ;) ...
<br>
<br>
I'm currently checking Volodymyr's answer ... I think first point
is now solved ... I "patched" now OVSbr1 and OVSbr2 inside the VM
together (see OVpatch file)... but I think this is important later
when I really like to ping from VM1 to VM2 ... but in the moment I
only ping from VM1 to the TestNFV ... but the ARP requests only
reach ens4 but not OVSbr1 (according to tcpdump)...
<br>
<br>
May it have to do with port security and the (for OpenStack)
unknown MAC address of the OVS bridge?
<br>
<br>
Thanks so far ...
<br>
<br>
Mathias.
<br>
<br>
<br>
<br>
<br>
<br>
On 2018-02-01 14:28, Benjamin Diaz wrote:
<br>
<blockquote type="cite">Dear Mathias,
<br>
<br>
Could you attach a diagram of your network configuration and of
what
<br>
you are trying to achieve?
<br>
Are you trying to install OVS inside a VM? If so, why?
<br>
<br>
Greetings,
<br>
Benjamin
<br>
<br>
On Thu, Feb 1, 2018 at 8:30 AM, Volodymyr Litovka
<a class="moz-txt-link-rfc2396E" href="mailto:doka.ua@gmx.com">&lt;doka.ua@gmx.com&gt;</a>
<br>
wrote:
<br>
<br>
<blockquote type="cite">Dear Mathias,
<br>
<br>
if I correctly understand your configuration, you're using
bridges
<br>
inside the VM and its configuration looks a bit strange:
<br>
<br>
1) you use two different bridges (OVSbr1/192.168.120.x and
<br>
OVSbr2/192.168.110.x) and there is no patch between them so
they're
<br>
separate
<br>
2) while ARP requests for an address in OVSbr1 arrive from
OVSbr2:
<br>
<br>
<blockquote type="cite">18:50:58.080478 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28
<br>
<br>
but on the OVS bridge nothing arrives ...
<br>
<br>
listening on OVSBR2, link-type EN10MB (Ethernet), capture size 262144 bytes
<br>
</blockquote>
<br>
while these bridges are separate, ARP requests and answers
will not
<br>
be passed between them.
<br>
<br>
Regarding your devstack configuration - unfortunately, I don't
have
<br>
experience with devstack, so don't know, where it stores
configs. In
<br>
Openstack, ml2_conf.ini points to openvswitch in ml2's
<br>
mechanism_drivers parameter, in my case it looks as the
following:
<br>
<br>
[ml2]
<br>
mechanism_drivers = l2population,openvswitch
<br>
<br>
and rest of openvswitch config described in
<br>
/etc/neutron/plugins/ml2/openvswitch_agent.ini
<br>
<br>
Second - I see an ambiguity in your br-tun configuration,
where
<br>
patch_int is the same as patch-int without corresponding
remote peer
<br>
config, probably you should check this issue.
<br>
<br>
And third is - note that Mitaka is quite an old release and
probably
<br>
you can give a chance for the latest release of devstack? :-)
<br>
<br>
On 1/31/18 10:49 PM, Mathias Strufe (DFKI) wrote:
<br>
Dear Volodymyr, all,
<br>
<br>
thanks for your fast answer ...
<br>
but I'm still facing the same problem, still can't ping the
<br>
instance with configured and up OVS bridge ... may because I'm
quite
<br>
new to OpenStack and OpenVswitch and didn't see the problem ;)
<br>
<br>
My setup is devstack Mitaka in single machine config ... first
of
<br>
all I didn't find there the openvswitch_agent.ini anymore, I
<br>
remember in previous version it was in the neutron/plugin
folder ...
<br>
<br>
Is this config now done in the ml2 config file in the [OVS]
<br>
section????
<br>
<br>
I'm really wondering ...
<br>
so I can ping between the 2 instances without any problem. But
as
<br>
soon as I bring up the OVS bridge inside the VM the ARP requests
are only
<br>
visible at the ens interface but do not reach the OVSbr ...
<br>
<br>
please find attached two files which may help for
troubleshooting.
<br>
One are some network information from inside the Instance that
runs
<br>
the OVS and one ovs-vsctl info of the OpenStack Host.
<br>
<br>
If you need more info/logs please let me know! Thanks for your
<br>
help!
<br>
<br>
BR Mathias.
<br>
<br>
On 2018-01-27 22:44, Volodymyr Litovka wrote:
<br>
Hi Mathias,
<br>
<br>
whether you have all corresponding bridges and patches between
<br>
them
<br>
as described in openvswitch_agent.ini using
<br>
<br>
integration_bridge
<br>
tunnel_bridge
<br>
int_peer_patch_port
<br>
tun_peer_patch_port
<br>
bridge_mappings
<br>
<br>
parameters? And make sure, that service "neutron-ovs-cleanup"
is
<br>
in
<br>
use during system boot. You can check these bridges and
patches
<br>
using
<br>
"ovs-vsctl show" command.
<br>
<br>
On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote:
<br>
<br>
Dear all,
<br>
<br>
I'm quite new to OpenStack and like to install openVSwitch
inside
<br>
one Instance of our Mitaka OpenStack Lab Environment ...
<br>
But it seems that ARP packets got lost between the network
<br>
interface of the instance and the OVS bridge ...
<br>
<br>
With tcpdump on the interface I see the ARP packets ...
<br>
<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
<br>
listening on ens6, link-type EN10MB (Ethernet), capture size 262144 bytes
<br>
18:50:58.080478 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28
<br>
18:50:58.125009 ARP, Request who-has 192.168.120.1 tell 192.168.120.6, length 28
<br>
18:50:59.077315 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28
<br>
18:50:59.121369 ARP, Request who-has 192.168.120.1 tell 192.168.120.6, length 28
<br>
18:51:00.077327 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28
<br>
18:51:00.121343 ARP, Request who-has 192.168.120.1 tell 192.168.120.6, length 28
<br>
<br>
but on the OVS bridge nothing arrives ...
<br>
<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
<br>
listening on OVSbr2, link-type EN10MB (Ethernet), capture size 262144 bytes
<br>
<br>
I disabled port_security and removed the security group but
nothing
<br>
<br>
changed
<br>
<br>
<br>
</blockquote>
<blockquote type="cite">
<pre wrap="">+-----------------------+---------------------------------------------------------------------------------------+
| Field                 | Value                                                                                 |
+-----------------------+---------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                  |
| allowed_address_pairs |                                                                                       |
| binding:host_id       | node11                                                                                |
| binding:profile       | {}                                                                                    |
| binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                        |
| binding:vif_type      | ovs                                                                                   |
| binding:vnic_type     | normal                                                                                |
| created_at            | 2018-01-27T16:45:48Z                                                                  |
| description           |                                                                                       |
| device_id             | 74916967-984c-4617-ae33-b847de73de13                                                  |
| device_owner          | compute:nova                                                                          |
| extra_dhcp_opts       |                                                                                       |
| fixed_ips             | {"subnet_id": "525db7ff-2bf2-4c64-b41e-1e41570ec358", "ip_address": "192.168.120.10"} |
| id                    | 74b754d6-0000-4c2e-bfd1-87f640154ac9                                                  |
| mac_address           | fa:16:3e:af:90:0c                                                                     |
| name                  |                                                                                       |
| network_id            | 917254cb-9721-4207-99c5-8ead9f95d186                                                  |
| port_security_enabled | False                                                                                 |
| project_id            | c48457e73b664147a3d2d36d75dcd155                                                      |
| revision_number       | 27                                                                                    |
| security_groups       |                                                                                       |
| status                | ACTIVE                                                                                |
| tenant_id             | c48457e73b664147a3d2d36d75dcd155                                                      |
| updated_at            | 2018-01-27T18:54:24Z                                                                  |
+-----------------------+---------------------------------------------------------------------------------------+</pre>
</blockquote>
<br>
<blockquote type="cite">
<br>
<br>
maybe the port_filter causes still the problem? But how to
disable
<br>
it?
<br>
<br>
Any other idea?
<br>
<br>
Thanks and BR Mathias.
<br>
<br>
_______________________________________________
<br>
Mailing list:
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
[1]
<br>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
<br>
Unsubscribe :
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
[1]
<br>
<br>
--
<br>
Volodymyr Litovka
<br>
"Vision without Execution is Hallucination." -- Thomas Edison
<br>
<br>
Links:
<br>
------
<br>
[1]
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
<br>
</blockquote>
<br>
--
<br>
Volodymyr Litovka
<br>
"Vision without Execution is Hallucination." -- Thomas Edison
<br>
<br>
<br>
--
<br>
<br>
BENJAMÍN DÍAZ
<br>
Cloud Computing Engineer
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:bdiaz@whitestack.com">bdiaz@whitestack.com</a>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</body>
</html>