[Openstack] port on openvswitch not tagged upon VM launch

DeadManMoving sequel at neofreak.org
Thu Feb 6 14:50:01 UTC 2014


Hi list,

in case it can be of any help to someone who stumbles upon my post, i
finally was able to fix my problem.

It was an iptables problem that was preventing the neutron ovs agent from
completing its configuration tasks on my compute node. Thus, the
iptables-restore error messages in the neutron agent log were
meaningful.

It was not clear, at first, how to find which piece of
iptables was disrupting but, i finally came up with an idea.

In the neutron ovs agent, in the
file /neutron/agent/linux/iptables_manager.py,
at line 378, i did replace :

args = ['%s-restore' % (cmd,), '-c']

by :

args = ['tee', '/tmp/neutron_debug']

and then, i had a copy of the iptables rules that were supposed to be
applied to my compute node by neutron ovs agent.

From there, i was able to identify the rules that were causing problems;
rules with "-m physdev" in them.

Finally, looks like i was missing CONFIG_NETFILTER_XT_MATCH_PHYSDEV in
my kernel.

Adding support for it in my kernel and restarting the neutron ovs agent
finally fixed my problem!

Thanks to Ageeleshwar who gave me some tips on how to solve this.

Tony
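
The check the post arrives at by hand, as an added example that is not part of the original message or of neutron: it scans a saved copy of the rules (such as the /tmp/neutron_debug dump) for `-m` match extensions and reports the ones whose kernel option is not enabled. Only the physdev mapping comes from the post; the other table entries, the function names, the sample ruleset and the sample kernel config are constructed for illustration.

```python
import re
import shlex

# Match extension -> kernel option. Only "physdev" comes from the post; the
# other entries are standard xtables options added here for illustration.
MATCH_TO_KCONFIG = {
    "physdev": "CONFIG_NETFILTER_XT_MATCH_PHYSDEV",
    "state": "CONFIG_NETFILTER_XT_MATCH_STATE",
    "conntrack": "CONFIG_NETFILTER_XT_MATCH_CONNTRACK",
}

# Constructed sample in iptables-restore format, not the poster's ruleset.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:neutron-openvswi-sg-chain - [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A neutron-openvswi-sg-chain -m physdev --physdev-out tap1234-ab --physdev-is-bridged -j ACCEPT
COMMIT
"""

# Constructed kernel .config excerpt with the option from the post disabled.
SAMPLE_KCONFIG = """\
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
"""

def match_modules(rule):
    """Return the extensions a rule loads with -m / --match."""
    tokens = shlex.split(rule)
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in ("-m", "--match")]

def enabled_options(kconfig_text):
    """Options set to y or m in a kernel .config style listing."""
    return set(re.findall(r"^(CONFIG_\w+)=[ym]$", kconfig_text, re.M))

def rules_blocked_by_kernel(dump, kconfig_text):
    """Map each needed but disabled kernel option to the dump lines that use it."""
    enabled, blocked = enabled_options(kconfig_text), {}
    for lineno, line in enumerate(dump.splitlines(), 1):
        if not re.match(r"(\[\d+:\d+\] )?-A ", line):
            continue  # table headers, chain declarations, COMMIT, comments
        for mod in match_modules(line):
            option = MATCH_TO_KCONFIG.get(mod)
            if option and option not in enabled:
                blocked.setdefault(option, []).append(lineno)
    return blocked
```

While the `tee` substitution is in place the agent writes the rules to the file instead of applying them, so the original `iptables-restore` line has to be put back once the dump is captured.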

On Mon, 2014-02-03 at 14:00 -0500, DeadManMoving wrote:
> Hi,
> 
> thanks for the info, it helped me go a bit further with this.
> 
> I did not have anything configured regarding vif in my nova.conf file on
> my compute node.
> 
> So i tried putting the following :
> 
> libvirt_vif_driver=nova.virt.libvirt.vif.LibvirtGenericVIFDriver
> libvirt_ovs_bridge=br-int
> libvirt_use_virtio_for_bridges=true
> 
> in my nova.conf config file on my compute node but it did not help.
> 
> So i wanted to have a better look at the neutron logs but, they were
> full of : 'iptables-restore: line 62 failed\n'
> messages so, it was a bit hard to figure something out.
> 
> So i tried to disable the firewall driver, by changing :
> 
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> 
> to :
> 
> firewall_driver = neutron.agent.firewall.NoopFirewallDriver
> 
> in my ovs_neutron_plugin.ini config file and surprisingly, it started
> working, the port is tagged automatically.
> 
> That brings me to my next question, why would the port be tagged
> correctly with firewall_driver set to
> neutron.agent.firewall.NoopFirewallDriver but not with
> neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> ?!
> 
> @Ageeleshwar Kandavelu
> 
> I don't have physical interfaces on my integration bridge, just on my
> normal (first) bridge (in my case br0).
> 
> 
> Thank you so much!
> 
> Tony
> 
> On Mon, 2014-02-03 at 09:27 +0000, Darragh O'Reilly wrote:
> > Hi,
> > 
> > the ovs-agent is responsible for tagging the port. It's strange
> > that it can tag the dhcp port ok but not the nova port. What VIF
> > driver are you using - libvirt_vif_driver in nova.conf?
> > 
> > Check the syslog - all the ovs-vsctl commands are logged there.
> > Look for messages about this port. Are there any errors in the
> > ovs-agent log?
> > 
> > Re, Darragh.
> > 
> > >i have a nearly working neutron + openvswitch + VLAN setup but, i have a
> > >small problem however...
> > >
> > >I am running neutron-server on a node controller and
> > >neutron-openvswitch-agent and neutron-dhcp-agent running on a compute
> > >node.
> > >
> > >On the compute node, i have an initial bridge, with two physical
> > >interfaces in bonding, with some VLANs trunked on the bond.
> > >
> > >On the controller node, i created a network with --provider:network_type
> > >vlan and --provider:segmentation_id xxx (xxx being one of the VLANs
> > >trunked on the bond inside my initial bridge). Then, i created a subnet
> > >on that network.
> > >
> > >When i launch neutron-dhcp-agent on the compute node, everything seems
> > >fine : the namespace is being created, there is a port with tag 1 on the
> > >integration bridge for the dnsmasq process and, i can ping the IP of the
> > >dnsmasq process from a device on the xxx vlan. I can also see the
> > >openflow flows for vlan modification on both bridges (vlan xxx to vlan 1,
> > >vlan 1 to vlan xxx).
> > >
> > >However, my problem is that when i launch a VM using the network i
> > >created in neutron, a port is being created in the integration bridge
> > >but, it is not tagged with vlan 1 so, the VM is unable to communicate on
> > >the network. As soon as i tag the port with vlan 1, with a command
> > >like : 
> > >
> > >ovs-vsctl set Port tap1234-ab tag=1 
> > >
> > >the VM is able to communicate on the network.
> > >
> > >
> > >So, am i missing something obvious? Or maybe that i have something
> > >misconfigured in my neutron setup?
> > >
> > >
> > >Any help would be greatly appreciated.
> > >
> > >Regards,
> > >
> > >Tony
> > 
> > _______________________________________________
> > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to     : openstack at lists.openstack.org
> > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> 




