[Openstack] Juno, DHCP and networking not working
Andreas Scheuring
scheuran at linux.vnet.ibm.com
Mon Mar 30 08:11:46 UTC 2015
>From the first point of view your setup looks fine.
I would recommend to use tcpdump to see where packets (dhcp or arp
requests) get lost.
For example running tcpdump on the compute nodes interface used for
tunneling you can verify if encapsulated packets leave your this node
and so on. What's not working well is doing tcpdump on ovs-bridges. This
only works well on the tap* devices. You could also run tcpdump in your
dhcp networknamespace to see if, packets arrive/leave there.
One tricky thing with tunneling is always the mtu stuff. But this only
becomes important when dealing with large packages. At least default
ping and dhcp should work with the default settings
Another important thing is that your nodes firewall permit the gre
protocol. But that looks fine on your setup, as nothing is prohibiting
gre packets from going outside.
--
Andreas
(irc: scheuran)
On Fri, 2015-03-27 at 11:08 +0000, el amo Kosuke wrote:
> I've installed Juno on Ubuntu 14.04.2 LTS and instances can't get IP from DHCP. No errors in logs.
>
> If I put a static IP on one instance, I can't ping anywhere.
>
>
> Network Node
>
> root at network:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 00:50:56:b1:79:07 brd ff:ff:ff:ff:ff:ff
> inet 10.8.1.131/24 brd 10.8.1.255 scope global eth0
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 00:50:56:b1:2e:45 brd ff:ff:ff:ff:ff:ff
> inet 10.0.1.21/24 brd 10.0.1.255 scope global eth1
> valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master ovs-system state UP group default qlen 1000
> link/ether 00:50:56:b1:12:ba brd ff:ff:ff:ff:ff:ff
> 5: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
> link/ether be:0e:db:dc:3d:56 brd ff:ff:ff:ff:ff:ff
> 6: br-ex: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
> link/ether 00:50:56:b1:12:ba brd ff:ff:ff:ff:ff:ff
> 9: br-int: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
> link/ether d6:bf:05:38:7d:43 brd ff:ff:ff:ff:ff:ff
> 13: phy-br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UP group default qlen 1000
> link/ether 1a:74:47:c1:1b:1b brd ff:ff:ff:ff:ff:ff
> 14: int-br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UP group default qlen 1000
> link/ether 9e:ae:d6:8e:e3:b0 brd ff:ff:ff:ff:ff:ff
> 15: br-tun: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
> link/ether c6:7b:a3:9b:ea:4e brd ff:ff:ff:ff:ff:ff
>
> root at network:~# ip netns
> qrouter-eb218066-143d-42b4-ba90-0f719defde66
> qdhcp-38639607-391a-4622-ac0e-37d5a32ced1b
>
> root at network:~# ip netns exec qrouter-eb218066-143d-42b4-ba90-0f719defde66 ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 16: qr-3a45f5b8-01: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
> link/ether fa:16:3e:a8:55:0b brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.1/24 brd 192.168.1.255 scope global qr-3a45f5b8-01
> valid_lft forever preferred_lft forever
> inet6 fe80::f816:3eff:fea8:550b/64 scope link
> valid_lft forever preferred_lft forever
> 17: qg-cde6eff6-2e: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
> link/ether fa:16:3e:9f:45:c7 brd ff:ff:ff:ff:ff:ff
> inet 10.8.1.232/24 brd 10.8.1.255 scope global qg-cde6eff6-2e
> valid_lft forever preferred_lft forever
> inet 10.8.1.234/32 brd 10.8.1.234 scope global qg-cde6eff6-2e
> valid_lft forever preferred_lft forever
> inet6 fe80::f816:3eff:fe9f:45c7/64 scope link
> valid_lft forever preferred_lft forever
>
> root at network:~# ip netns exec qdhcp-38639607-391a-4622-ac0e-37d5a32ced1b ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 12: tapdb6455f8-8f: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
> link/ether fa:16:3e:74:46:a1 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.2/24 brd 192.168.1.255 scope global tapdb6455f8-8f
> valid_lft forever preferred_lft forever
> inet6 fe80::f816:3eff:fe74:46a1/64 scope link
> valid_lft forever preferred_lft forever
>
> root at network:~# iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N neutron-filter-top
> -N neutron-openvswi-FORWARD
> -N neutron-openvswi-INPUT
> -N neutron-openvswi-OUTPUT
> -N neutron-openvswi-local
> -N neutron-openvswi-sg-chain
> -N neutron-openvswi-sg-fallback
> -A INPUT -j neutron-openvswi-INPUT
> -A FORWARD -j neutron-filter-top
> -A FORWARD -j neutron-openvswi-FORWARD
> -A OUTPUT -j neutron-filter-top
> -A OUTPUT -j neutron-openvswi-OUTPUT
> -A neutron-filter-top -j neutron-openvswi-local
> -A neutron-openvswi-sg-fallback -j DROP
>
> root at network:~# ovs-vsctl show
> e924d305-5ad0-4240-98d9-e0df7c1725d9
> Bridge br-int
> fail_mode: secure
> Port int-br-ex
> Interface int-br-ex
> Port "qr-3a45f5b8-01"
> tag: 1
> Interface "qr-3a45f5b8-01"
> type: internal
> Port br-int
> Interface br-int
> type: internal
> Port patch-tun
> Interface patch-tun
> type: patch
> options: {peer=patch-int}
> Port "tapdb6455f8-8f"
> tag: 1
> Interface "tapdb6455f8-8f"
> type: internal
> Bridge br-tun
> Port "gre-0a00011f"
> Interface "gre-0a00011f"
> type: gre
> options: {in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.31"}
> Port br-tun
> Interface br-tun
> type: internal
> Port patch-int
> Interface patch-int
> type: patch
> options: {peer=patch-tun}
> Bridge br-ex
> Port br-ex
> Interface br-ex
> type: internal
> Port "qg-cde6eff6-2e"
> Interface "qg-cde6eff6-2e"
> type: internal
> Port "eth2"
> Interface "eth2"
> Port phy-br-ex
> Interface phy-br-ex
> ovs_version: "2.0.2"
>
> root at network:~# ovs-ofctl dump-flows br-int
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=261.782s, table=0, n_packets=3244, n_bytes=632378, idle_age=1, priority=2,in_port=2 actions=drop
> cookie=0x0, duration=262.486s, table=0, n_packets=1343, n_bytes=297728, idle_age=72, priority=1 actions=NORMAL
> cookie=0x0, duration=262.436s, table=22, n_packets=0, n_bytes=0, idle_age=262, priority=0 actions=drop
>
> root at network:~# ovs-ofctl dump-flows br-ex
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=299.613s, table=0, n_packets=964, n_bytes=167198, idle_age=117, priority=2,in_port=2 actions=drop
> cookie=0x0, duration=300.097s, table=0, n_packets=16828, n_bytes=5997710, idle_age=0, priority=1 actions=NORMAL
>
> root at network:~# ovs-ofctl dump-flows br-tun
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=2735.847s, table=0, n_packets=391, n_bytes=132042, idle_age=2547, priority=1,in_port=1 actions=resubmit(,1)
> cookie=0x0, duration=2735.051s, table=0, n_packets=949, n_bytes=165428, idle_age=2554, priority=1,in_port=2 actions=resubmit(,2)
> cookie=0x0, duration=2735.787s, table=0, n_packets=0, n_bytes=0, idle_age=2735, priority=0 actions=drop
> cookie=0x0, duration=2735.729s, table=1, n_packets=378, n_bytes=131004, idle_age=2547, priority=1,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
> cookie=0x0, duration=2735.669s, table=1, n_packets=13, n_bytes=1038, idle_age=2720, priority=1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,21)
> cookie=0x0, duration=2734.29s, table=2, n_packets=949, n_bytes=165428, idle_age=2554, priority=1,tun_id=0x1 actions=mod_vlan_vid:1,resubmit(,10)
> cookie=0x0, duration=2735.61s, table=2, n_packets=0, n_bytes=0, idle_age=2735, priority=0 actions=drop
> cookie=0x0, duration=2735.552s, table=3, n_packets=0, n_bytes=0, idle_age=2735, priority=0 actions=drop
> cookie=0x0, duration=2735.495s, table=10, n_packets=949, n_bytes=165428, idle_age=2554, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
> cookie=0x0, duration=2735.437s, table=20, n_packets=0, n_bytes=0, idle_age=2735, priority=0 actions=resubmit(,21)
> cookie=0x0, duration=2734.339s, table=21, n_packets=6, n_bytes=460, idle_age=2720, dl_vlan=1 actions=strip_vlan,set_tunnel:0x1,output:2
> cookie=0x0, duration=2735.39s, table=21, n_packets=7, n_bytes=578, idle_age=2728, priority=0 actions=drop
>
> root at network:~# ps -fea | grep dnsmasq
> nobody 1903 1 0 15:46 ? 00:00:00 dnsmasq --no-hosts --no-resolv --strict-order --bind-interfaces --interface=tapdb6455f8-8f \
> --except-interface=lo --pid-file=/var/lib/neutron/dhcp/38639607-391a-4622-ac0e-37d5a32ced1b/pid \
> --dhcp-hostsfile=/var/lib/neutron/dhcp/38639607-391a-4622-ac0e-37d5a32ced1b/host \
> --addn-hosts=/var/lib/neutron/dhcp/38639607-391a-4622-ac0e-37d5a32ced1b/addn_hosts \
> --dhcp-optsfile=/var/lib/neutron/dhcp/38639607-391a-4622-ac0e-37d5a32ced1b/opts --leasefile-ro \
> --dhcp-range=set:tag0,192.168.1.0,static,86400s --dhcp-lease-max=256 \
> --conf-file=/etc/neutron/dnsmasq-neutron.conf --domain=openstacklocal
>
> root at network:~#tail -f /var/log/dnsmasq.log
>
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 available DHCP subnet: 192.168.1.0/255.255.255.0
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 vendor class: udhcp 1.20.1
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 client provides name: cirros
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 DHCPDISCOVER(tapdb6455f8-8f)fa:16:3e:74:46:a1
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 tags: tag0, known,tapdb6455f8-8fMar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 DHCPOFFER(tapdb6455f8-8f) 192.168.1.100 fa:16:3e:74:46:a1
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 requested options: 1:netmask, 3:router, 6:dns-server, 12:hostname,
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 requested options: 15:domain-name, 26:mtu, 28:broadcast, 42:ntp-server,
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 requested options: 121:classless-static-route
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 next server: 192.168.1.2
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 1 option: 53 message-type 2
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 4 option: 54 server-identifier 192.168.1.2
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 4 option: 51 lease-time 1d
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 4 option: 58 T1 12h
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 4 option: 59 T2 21h
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 4 option: 1 netmask 255.255.255.0
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 4 option: 28 broadcast 192.168.1.255
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 4 option: 6 dns-server 192.168.1.2
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 14 option: 15 domain-name openstacklocal
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 4 option: 3 router 192.168.1.1
> Mar 27 08:22:16 network dnsmasq-dhcp[28676]: 950476819 sent size: 2 option: 26 mtu 1454
>
> root at network:~# neutron agent-list
> +--------------------------------------+--------------------+----------+-------+----------------+
> | id | agent_type | host | alive | admin_state_up |
> +--------------------------------------+--------------------+----------+-------+----------------+
> | 0296b969-85cb-40d9-9fa6-86e58cfe8910 | DHCP agent | network | :-) | True |
> | 41efdb7a-4538-43f3-8d22-07582afcae04 | L3 agent | network | :-) | True |
> | 8705b820-696c-4070-9c6e-74bde5481e72 | Open vSwitch agent | compute1 | :-) | True |
> | c88cbe43-ad0a-4712-955a-232f73a44379 | Open vSwitch agent | network | :-) | True |
> | ea63f9aa-b7ef-4bae-a7d7-7d910d93bb64 | Metadata agent | network | :-) | True |
> +--------------------------------------+--------------------+----------+-------+----------------+
>
> root at network:~# cat /etc/neutron/plugins/ml2/ml2_conf.ini
> [ml2]
> type_drivers = flat,gre
> tenant_network_types = gre
> mechanism_drivers = openvswitch
> [ml2_type_flat]
> flat_networks = external
> [ml2_type_gre]
> tunnel_id_ranges = 1:1000
> [securitygroup]
> enable_security_group = True
> enable_ipset = True
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> [ovs]
> local_ip = 10.0.1.21
> enable_tunneling = True
> bridge_mappings = external:br-ex
> [agent]
> tunnel_types = gre
>
> Compute Node
>
> root at compute1:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 00:21:5e:54:ba:70 brd ff:ff:ff:ff:ff:ff
> inet 10.8.1.132/24 brd 10.8.1.255 scope global eth0
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 00:21:5e:54:ba:72 brd ff:ff:ff:ff:ff:ff
> inet 10.0.1.31/24 brd 10.0.1.255 scope global eth1
> valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
> link/ether 00:1b:21:9b:d4:90 brd ff:ff:ff:ff:ff:ff
> inet 10.0.2.31/24 brd 10.0.2.255 scope global eth2
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
> link/ether 00:1b:21:9b:d4:91 brd ff:ff:ff:ff:ff:ff
> 6: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
> link/ether 2a:00:1d:f1:f4:37 brd ff:ff:ff:ff:ff:ff
> 7: br-int: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
> link/ether b6:83:1c:98:52:44 brd ff:ff:ff:ff:ff:ff
> 10: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
> link/ether 42:cc:fb:4e:d0:dc brd ff:ff:ff:ff:ff:ff
> inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
> valid_lft forever preferred_lft forever
> 11: qbrc98a4b17-a8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
> link/ether 62:90:52:ba:58:2c brd ff:ff:ff:ff:ff:ff
> 12: qvoc98a4b17-a8: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UP group default qlen 1000
> link/ether b6:88:3d:f2:4e:0b brd ff:ff:ff:ff:ff:ff
> 13: qvbc98a4b17-a8: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master qbrc98a4b17-a8 state UP group default qlen 1000
> link/ether 62:90:52:ba:58:2c brd ff:ff:ff:ff:ff:ff
> 16: tapc98a4b17-a8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master qbrc98a4b17-a8 state UNKNOWN group default qlen 500
> link/ether fe:16:3e:cf:df:e2 brd ff:ff:ff:ff:ff:ff
> 21: br-tun: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
> link/ether 7a:56:3b:28:a9:45 brd ff:ff:ff:ff:ff:ff
>
> root at compute1:~# iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N neutron-filter-top
> -N neutron-openvswi-FORWARD
> -N neutron-openvswi-INPUT
> -N neutron-openvswi-OUTPUT
> -N neutron-openvswi-ic98a4b17-a
> -N neutron-openvswi-local
> -N neutron-openvswi-oc98a4b17-a
> -N neutron-openvswi-sc98a4b17-a
> -N neutron-openvswi-sg-chain
> -N neutron-openvswi-sg-fallback
> -A INPUT -j neutron-openvswi-INPUT
> -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A FORWARD -j neutron-filter-top
> -A FORWARD -j neutron-openvswi-FORWARD
> -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
> -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -j neutron-filter-top
> -A OUTPUT -j neutron-openvswi-OUTPUT
> -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> -A neutron-filter-top -j neutron-openvswi-local
> -A neutron-openvswi-FORWARD -m physdev --physdev-out tapc98a4b17-a8 --physdev-is-bridged -j neutron-openvswi-sg-chain
> -A neutron-openvswi-FORWARD -m physdev --physdev-in tapc98a4b17-a8 --physdev-is-bridged -j neutron-openvswi-sg-chain
> -A neutron-openvswi-INPUT -m physdev --physdev-in tapc98a4b17-a8 --physdev-is-bridged -j neutron-openvswi-oc98a4b17-a
> -A neutron-openvswi-ic98a4b17-a -m state --state INVALID -j DROP
> -A neutron-openvswi-ic98a4b17-a -m state --state RELATED,ESTABLISHED -j RETURN
> -A neutron-openvswi-ic98a4b17-a -s 192.168.1.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
> -A neutron-openvswi-ic98a4b17-a -m set --match-set IPv47245734a-b4aa-4d22-9 src -j RETURN
> -A neutron-openvswi-ic98a4b17-a -j neutron-openvswi-sg-fallback
> -A neutron-openvswi-oc98a4b17-a -p udp -m udp --sport 68 --dport 67 -j RETURN
> -A neutron-openvswi-oc98a4b17-a -j neutron-openvswi-sc98a4b17-a
> -A neutron-openvswi-oc98a4b17-a -p udp -m udp --sport 67 --dport 68 -j DROP
> -A neutron-openvswi-oc98a4b17-a -m state --state INVALID -j DROP
> -A neutron-openvswi-oc98a4b17-a -m state --state RELATED,ESTABLISHED -j RETURN
> -A neutron-openvswi-oc98a4b17-a -j RETURN
> -A neutron-openvswi-oc98a4b17-a -j neutron-openvswi-sg-fallback
> -A neutron-openvswi-sc98a4b17-a -s 192.168.1.100/32 -m mac --mac-source FA:16:3E:74:46:A1 -j RETURN
> -A neutron-openvswi-sc98a4b17-a -j DROP
> -A neutron-openvswi-sg-chain -m physdev --physdev-out tapc98a4b17-a8 --physdev-is-bridged -j neutron-openvswi-ic98a4b17-a
> -A neutron-openvswi-sg-chain -m physdev --physdev-in tapc98a4b17-a8 --physdev-is-bridged -j neutron-openvswi-oc98a4b17-a
> -A neutron-openvswi-sg-chain -j ACCEPT
> -A neutron-openvswi-sg-fallback -j DROP
>
> root at compute1:~# ovs-vsctl show
> 1eaa30fc-a71c-4a51-9b51-94e3ee98ad85
> Bridge br-tun
> Port patch-int
> Interface patch-int
> type: patch
> options: {peer=patch-tun}
> Port "gre-0a000115"
> Interface "gre-0a000115"
> type: gre
> options: {df_default="true", in_key=flow, local_ip="10.0.1.31", out_key=flow, remote_ip="10.0.1.21"}
> Port br-tun
> Interface br-tun
> type: internal
> Bridge br-int
> fail_mode: secure
> Port int-br-int
> Interface int-br-int
> type: patch
> options: {peer=phy-br-int}
> Port br-int
> Interface br-int
> type: internal
> Port "qvoc98a4b17-a8"
> tag: 2
> Interface "qvoc98a4b17-a8"
> Port patch-tun
> Interface patch-tun
> type: patch
> options: {peer=patch-int}
> Port phy-br-int
> Interface phy-br-int
> type: patch
> options: {peer=int-br-int}
> ovs_version: "2.0.2"
>
> root at compute1:~# ovs-ofctl dump-flows br-tun
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=9597.189s, table=0, n_packets=27341, n_bytes=2058220, idle_age=918, priority=1,in_port=1 actions=resubmit(,2)
> cookie=0x0, duration=1099.119s, table=0, n_packets=383, n_bytes=131374, idle_age=911, priority=1,in_port=2 actions=resubmit(,3)
> cookie=0x0, duration=9597.124s, table=0, n_packets=0, n_bytes=0, idle_age=9597, priority=0 actions=drop
> cookie=0x0, duration=9597.054s, table=2, n_packets=0, n_bytes=0, idle_age=9597, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
> cookie=0x0, duration=9596.987s, table=2, n_packets=26909, n_bytes=2025720, idle_age=918, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
> cookie=0x0, duration=9594.391s, table=3, n_packets=24113, n_bytes=1827490, idle_age=911, priority=1,tun_id=0x1 actions=mod_vlan_vid:2,resubmit(,10)
> cookie=0x0, duration=9596.921s, table=3, n_packets=0, n_bytes=0, idle_age=9596, priority=0 actions=drop
> cookie=0x0, duration=9596.853s, table=4, n_packets=0, n_bytes=0, idle_age=9596, priority=0 actions=drop
> cookie=0x0, duration=9596.788s, table=10, n_packets=24239, n_bytes=1871158, idle_age=911, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
> cookie=0x0, duration=9596.717s, table=20, n_packets=0, n_bytes=0, idle_age=9596, priority=0 actions=resubmit(,22)
> cookie=0x0, duration=9594.459s, table=22, n_packets=26354, n_bytes=1952384, idle_age=918, hard_age=1099, dl_vlan=2 actions=strip_vlan,set_tunnel:0x1,output:2
> cookie=0x0, duration=9596.652s, table=22, n_packets=0, n_bytes=0, idle_age=9596, priority=0 actions=drop
>
> root at compute1:~# ovs-ofctl dump-flows br-int
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=9625.566s, table=0, n_packets=1578548, n_bytes=120134586, idle_age=939, priority=1 actions=NORMAL
> cookie=0x0, duration=9625.499s, table=23, n_packets=0, n_bytes=0, idle_age=9625, priority=0 actions=drop
>
> root at compute1:~# cat /etc/neutron/plugins/ml2/ml2_conf.ini
> [ml2]
> type_drivers = flat,gre
> tenant_network_types = gre
> mechanism_drivers = openvswitch
> [ml2_type_gre]
> tunnel_id_ranges = 1:1000
> [securitygroup]
> enable_security_group = True
> enable_ipset = True
> firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
> [ovs]
> local_ip = 10.0.1.31
> enable_tunneling = True
> [agent]
> tunnel_types = gre
>
>
> Thanks.
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
More information about the Openstack
mailing list