<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jun 27, 2023 at 15:22, Gary Molenkamp <<a href="mailto:molenkam@uwo.ca">molenkam@uwo.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
    Thanks for the pointers, it looks like I'm starting to narrow it
    down. Something is still confusing me, though.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I've built a Zed cloud, since upgraded to Antelope,
using the Neutron <br>
Manual install method here: <br>
<a href="https://docs.openstack.org/neutron/latest/install/ovn/manual_install.html" rel="noreferrer" target="_blank">https://docs.openstack.org/neutron/latest/install/ovn/manual_install.html</a><br>
                I'm using a multi-tenant configuration using geneve
                and the flat <br>
                provider network is present on each hypervisor. Each
                hypervisor is <br>
                connected to the physical provider network, along with
                the tenant <br>
                network and is tagged as an external chassis under
                OVN.<br>
                br-int exists, as does br-provider<br>
                ovs-vsctl set open . external-ids:ovn-cms-options=enable-chassis-as-gw<br>
</blockquote>
<div><br>
</div>
              <div>Any specific reason to enable gateway on compute
                nodes? Generally it's recommended to use
                controller/network nodes as gateway. What's your
                env (number of controllers, network, compute nodes)?<br>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
          <div>Wouldn't it be interesting to enable-chassis-as-gw on the
            compute nodes, just in case you want to use DVR? If that's
            the case, you need to map the external bridge (<span style="background-color:rgb(244,245,247);color:rgb(23,43,77);font-family:SFMono-Medium,"SF Mono","Segoe UI Mono","Roboto Mono","Ubuntu Mono",Menlo,Consolas,Courier,monospace;font-size:14px;white-space:pre-wrap">ovs-vsctl set open . external-ids:ovn-bridge-mappings=...</span>).
            Via Ansible this is created automatically, but in the manual
            installation I didn't see any mention of it.</div>
<div> </div>
<div>The problem is basically that the port of the OVN LRP may
not be in the same chassis as the VM that failed (since the
CR-LRP will be where the first VM of that network will be
created). The suggestion is to remove the
enable-chassis-as-gw from the compute nodes to allow the VM
to forward traffic via tunneling/Geneve to the chassis where
the LRP resides.<br>
</div>
<div><br>
</div>
          <div><pre>ovs-vsctl remove open . external-ids ovn-cms-options="enable-chassis-as-gw"
ovs-vsctl remove open . external-ids ovn-bridge-mappings
ip link set br-provider-name down
ovs-vsctl del-br br-provider-name
systemctl restart ovn-controller
systemctl restart openvswitch-switch</pre></div>
<br>
</div>
</div>
</blockquote>
<br>
How does one support both use-case types?<br>
<br>
If I want to use DVR via each compute node, then I must create the
br-provider bridge, set the chassis as a gateway and map the
bridge. This seems to be breaking forwarding to the OVN LRP. The
hypervisor/VM with the working LRP works but any other hypervisor is
    not tunneling via Geneve.<br></div></blockquote>
<div><br><a href="https://docs.openstack.org/neutron/zed/ovn/faq/index.html">https://docs.openstack.org/neutron/zed/ovn/faq/index.html</a></div>
<div>The E/W traffic is "completely distributed in all cases" for the OVN driver... It is natively supported and should work via OpenFlow / tunneling / Geneve without any issues.</div>
<div><br></div>
<div>The problem is that when you set the <span style="background-color:rgb(244,245,247);color:rgb(23,43,77);font-family:SFMono-Medium,"SF Mono","Segoe UI Mono","Roboto Mono","Ubuntu Mono",Menlo,Consolas,Courier,monospace;font-size:14px;white-space:pre-wrap">enable-chassis-as-gw</span> flag you enable gateway router port scheduling for a chassis that may not have an external bridge mapped (and this breaks external traffic).</div>
<div><br></div>
<div>You can trace the traffic where the VM is and check where it is breaking via the datapath command:<br></div>
<pre>ovs-dpctl dump-flows</pre>
<div>But if you are facing problems with east/west traffic, please check your OVN settings (example):</div>
<pre>ovs-vsctl list open_vswitch
 - external_ids : {ovn-encap-ip="192.168.200.10", ovn-encap-type="geneve", ovn-remote="tcp:192.168.200.200:6642"}</pre>
<div>...and make sure geneve tunnels are established between all hypervisors (example):</div>
<pre>root@comp1:~# ovs-vsctl show
    Bridge br-int
....
        Port ovn-2e4ed2-0
            Interface ovn-2e4ed2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.200.11"}
        Port ovn-fc7744-0
            Interface ovn-fc7744-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.200.30"}</pre>
<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<br>
Thanks as always, this is very informative.<br>
<br>
Gary<br>
<br>
<br>
<pre cols="72">--
Gary Molenkamp Science Technology Services
Systems Administrator University of Western Ontario
<a href="mailto:molenkam@uwo.ca" target="_blank">molenkam@uwo.ca</a> <a href="http://sts.sci.uwo.ca" target="_blank">http://sts.sci.uwo.ca</a>
(519) 661-2111 x86882 (519) 661-3566</pre>
</div>
</blockquote></div></div>
<br>
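<div>One way to script the two checks from the reply above (a chassis flagged enable-chassis-as-gw with no ovn-bridge-mappings, and geneve tunnels missing towards other hypervisors), as an added example that is not part of the original thread. The function names, both sample outputs and the peer 192.168.200.31 are assumptions constructed for illustration.</div>

```shell
# Added example. Both samples are constructed; on a live chassis the inputs
# would come from `ovs-vsctl get open . external_ids` and `ovs-vsctl show`.
SAMPLE_IDS='{ovn-cms-options=enable-chassis-as-gw, ovn-encap-ip="192.168.200.10", ovn-encap-type=geneve, ovn-remote="tcp:192.168.200.200:6642"}'
SAMPLE_SHOW='    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port ovn-2e4ed2-0
            Interface ovn-2e4ed2-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.200.11"}
        Port ovn-fc7744-0
            Interface ovn-fc7744-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.200.30"}'

# Classify a chassis from its external_ids map (hypothetical helper name).
check_gateway_flag() {
    case "$1" in
        *enable-chassis-as-gw*)
            case "$1" in
                *ovn-bridge-mappings=*) echo "gw-with-mapping" ;;
                *) echo "gw-without-mapping" ;;   # the case the reply warns about
            esac ;;
        *) echo "not-gw" ;;
    esac
}

# Print the remote_ip of every geneve interface found in `ovs-vsctl show` output.
geneve_peers() {
    printf '%s\n' "$1" | awk '
        /Interface/    { geneve = 0 }
        /type: geneve/ { geneve = 1 }
        geneve && match($0, /remote_ip="[^"]*"/) {
            print substr($0, RSTART + 11, RLENGTH - 12); geneve = 0
        }'
}

# Print each expected peer encap IP ($1, space separated) that has no tunnel in $2.
missing_peers() {
    have=$(geneve_peers "$2")
    for ip in $1; do
        printf '%s\n' "$have" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

echo "gateway flag: $(check_gateway_flag "$SAMPLE_IDS")"
# 192.168.200.31 is a hypothetical third hypervisor with no tunnel in the sample.
echo "missing tunnels: $(missing_peers "192.168.200.11 192.168.200.30 192.168.200.31" "$SAMPLE_SHOW")"
```

<div>Run on each hypervisor with the list of all other chassis' ovn-encap-ip values as the first argument to missing_peers; an empty result means every expected geneve tunnel is present.</div>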