[Openstack] [networking-sfc] Flow classifier conflict logic

Artem Plakunov artacc at lvk.cs.msu.su
Mon Aug 1 14:44:19 UTC 2016


Thanks.

You said though that classifier must be unique within a tenant. I tried 
creating chains in two different tenants by different users without any 
RBAC rules. So there are two tenants, each has 1 network, 2 vms (source, 
service) and an admin user. I used different openrc configs for each 
user yet still get the same conflict.

Info about the test is in the attachment
31.07.2016 5:25, Farhad Sunavala wrote:
> Yes, this was intentionally done.
> The logical-source-port is important only at the point of classification.
> All successive classifications rely only on the 5 tuple and MPLS label 
> (chain ID).
>
> Consider an extension of the scenario you mention below.
>
> Sources: (similar to your case)
> a
> b
>
> Port-pairs: (added ppe and ppf)
> ppc
> ppd
> ppe
> ppf
>
> Port-pair-groups: (added ppge and ppgf)
> ppgc
> ppgd
> ppge
> ppgf
>
> Flow-classifiers:
> fc1: logical-source-port of a && tcp
> fc2: logical-source-port of b && tcp
>
> Port-chains:
> pc1: fc1 && (ppgc + ppge)
> pc2: fc2 && (ppgd + ppgc + ppgf)
>
>
>
> The flow-classifier has logical-src-port and protocol=tcp
> The logical-src-port has no relevance in the middle of the chain.
>
> In the middle of the chain, the only relevant flow-classifier is 
> protocol=tcp.
>
> If we allow it, we cannot distinguish TCP traffic coming out of ppgc 
> (and subsequently ppc)
> as to whether to mark it with the label for pc1 or the label for pc2.
>
> In other words, within a tenant the flow-classifiers need to be unique 
> wrt the 5 tuples.
>
> thanks,
> Farhad.
>
> Date: Fri, 29 Jul 2016 18:01:05 +0300
> From: Artem Plakunov <artacc at lvk.cs.msu.su>
> To: openstack at lists.openstack.org
> Subject: [Openstack] [networking-sfc] Flow classifier conflict logic
> Message-ID: <579B6FB1.3030505 at lvk.cs.msu.su>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> Hello.
> We have two deployments with networking-sfc:
> mirantis 8.0 (liberty) and mirantis 9.0 (mitaka).
>
> I noticed a difference in how flow classifiers conflict with each other
> which I do not understand. I'm not sure if it is a bug or not.
>
> I did the following on mitaka:
> 1. Create tenant 1 and network 1
> 2. Launch vms A and B in network 1
> 3. Create tenant 2, share network 1 to it with RBAC policy, launch vm C
> in network 1
> 4. Create tenant 3, share network 1 to it with RBAC policy, launch vm D
> in network 1
> 5. Setup sfc:
>     create two port pairs for vm C and vm D with a bidirectional port
>     create two port pair groups with these pairs (one pair in one group)
>     create flow classifier 1: logical-source-port = vm A port, protocol
> = tcp
>     create flow classifier 2: logical-source-port = vm B port, protocol
> = tcp
>     create chain with group 1 and classifier 1
>     create chain with group 2 and classifier 2 - this step gives the
> following error:
>
> Flow Classifier 7f37c1ba-abe6-44a0-9507-5b982c51028b conflicts with Flow
> Classifier 4e97a8a5-cb22-4c21-8e30-65758859f501 in port chain
> d1070955-fae9-4483-be9e-0e30f2859282.
> Neutron server returns request_ids:
> ['req-9d0eecec-2724-45e8-84b4-7ccf67168b03']
>
> The only thing neutron logs have is this from server.log:
> 2016-07-29 14:15:57.889 18917 INFO neutron.api.v2.resource
> [req-9d0eecec-2724-45e8-84b4-7ccf67168b03
> 0b807c8616614b84a4b16a318248d28c 9de9dcec18424398a75a518249707a61 - - -]
> create failed (client error): Flow Classifier
> 7f37c1ba-abe6-44a0-9507-5b982c51028b conflicts with Flow Classifier
> 4e97a8a5-cb22-4c21-8e30-65758859f501 in port chain
> d1070955-fae9-4483-be9e-0e30f2859282.
>
> I tried the same in liberty and it works and sfc successfully routes
> traffic from both vms to their respective port groups
>
> Liberty setup:
> neutron version 7.0.4
> neutronclient version 3.1.1
> networking-sfc version 1.0.0 (from pip package)
>
> Mitaka setup:
> neutron version 8.1.1
> neutronclient version 5.0.0 (tried using 3.1.1 with same outcome)
> networking-sfc version 1.0.1.dev74 (from master branch commit
> 6730b6810355761cf55f04a40cd645f065f15752)
>
> I'll attach the output of commands neutron port-list, port-pair-list,
> port-pair-group-list, flow-classifier-list and port-chain-list.
>
> Is this an intended flow classifier behavior? If so, why? The port
> chains and all their participants are different.
>
>
>

-------------- next part --------------
$ openstack project list | grep sfc
| 0dafd2d782f4445798363ba9b27e104f | sfc1
| ddf01417a9b74648a3a20c2b818a52ca | sfc2





$ nova list
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| ID                                   | Name      | Status | Task State | Power State | Networks               |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| fbf3809c-61b7-4246-a59f-80945a7cc428 | sfc1_serv | ACTIVE | -          | Running     | sfc1_net=192.168.100.4 |
| 06b6b770-2854-4906-a5b6-7ace6cb610d3 | sfc1_vm   | ACTIVE | -          | Running     | sfc1_net=192.168.100.3 |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+

$ neutron port-list | grep 100
| 429fdb89-1bfa-4dc1-bb89-25373501ebde |      | fa:16:3e:68:e8:7a | {"subnet_id": "1bb6afcc-d4bb-41ec-b6b3-aef2b4fbda7f", "ip_address": "192.168.100.4"} |
| ca7f8fdf-a1ff-4cd7-8897-9f6ca5220be6 |      | fa:16:3e:72:0f:26 | {"subnet_id": "1bb6afcc-d4bb-41ec-b6b3-aef2b4fbda7f", "ip_address": "192.168.100.3"} |
| df8ce9a2-eddd-4b86-8d1c-705f9c96ddb6 |      | fa:16:3e:32:e4:1f | {"subnet_id": "1bb6afcc-d4bb-41ec-b6b3-aef2b4fbda7f", "ip_address": "192.168.100.2"} |

$ neutron port-pair-show pair1
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| description                 |                                      |
| egress                      | 429fdb89-1bfa-4dc1-bb89-25373501ebde |
| id                          | 7a975f46-5ea3-484b-aff5-ef343d0f4ac2 |
| ingress                     | 429fdb89-1bfa-4dc1-bb89-25373501ebde |
| name                        | pair1                                |
| service_function_parameters | {"correlation": null}                |
| tenant_id                   | 0dafd2d782f4445798363ba9b27e104f     |
+-----------------------------+--------------------------------------+

$ neutron port-pair-group-show pair1
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description |                                      |
| id          | 166cd6f7-0370-4335-adda-9783b9f0a13b |
| name        | pair1                                |
| port_pairs  | 7a975f46-5ea3-484b-aff5-ef343d0f4ac2 |
| tenant_id   | 0dafd2d782f4445798363ba9b27e104f     |
+-------------+--------------------------------------+

$ neutron flow-classifier-show flow1
+----------------------------+--------------------------------------+
| Field                      | Value                                |
+----------------------------+--------------------------------------+
| description                |                                      |
| destination_ip_prefix      |                                      |
| destination_port_range_max |                                      |
| destination_port_range_min |                                      |
| ethertype                  | IPv4                                 |
| id                         | 8301ed30-1325-460b-951f-5e707ff729bd |
| l7_parameters              | {}                                   |
| logical_destination_port   |                                      |
| logical_source_port        | ca7f8fdf-a1ff-4cd7-8897-9f6ca5220be6 |
| name                       | flow1                                |
| protocol                   | tcp                                  |
| source_ip_prefix           |                                      |
| source_port_range_max      |                                      |
| source_port_range_min      |                                      |
| tenant_id                  | 0dafd2d782f4445798363ba9b27e104f     |
+----------------------------+--------------------------------------+

$ neutron port-chain-show chain1
+------------------+--------------------------------------+
| Field            | Value                                |
+------------------+--------------------------------------+
| chain_parameters | {"correlation": "mpls"}              |
| description      |                                      |
| flow_classifiers | 8301ed30-1325-460b-951f-5e707ff729bd |
| id               | 5de3a851-311a-4ac4-be43-d17630c8e13f |
| name             | chain1                               |
| port_pair_groups | 166cd6f7-0370-4335-adda-9783b9f0a13b |
| tenant_id        | 0dafd2d782f4445798363ba9b27e104f     |
+------------------+--------------------------------------+





$ source openrc2

$ nova list
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| ID                                   | Name      | Status | Task State | Power State | Networks               |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| 8e5a5312-da09-4956-8459-21373fdd165b | sfc2_serv | ACTIVE | -          | Running     | sfc2_net=192.168.200.4 |
| b6e1267c-a43d-4e35-a292-c5dccce0b754 | sfc2_vm   | ACTIVE | -          | Running     | sfc2_net=192.168.200.3 |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+

$ neutron port-list | grep 200
| 2c6f6f67-6241-4661-977c-3fe5da864c95 |      | fa:16:3e:8b:09:b8 | {"subnet_id": "7d9cf928-f554-45f5-ad78-12a40e36d788", "ip_address": "192.168.200.4"} |
| 9b20c466-f62c-4c49-a074-91a088ebb0f6 |      | fa:16:3e:f9:40:c7 | {"subnet_id": "7d9cf928-f554-45f5-ad78-12a40e36d788", "ip_address": "192.168.200.3"} |
| f95f2509-d27d-4b3a-b62a-b9bdb69085bf |      | fa:16:3e:61:de:16 | {"subnet_id": "7d9cf928-f554-45f5-ad78-12a40e36d788", "ip_address": "192.168.200.2"} |

$ neutron port-pair-show pair2
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| description                 |                                      |
| egress                      | 2c6f6f67-6241-4661-977c-3fe5da864c95 |
| id                          | 46e63fab-9afe-489f-97ed-ab17ae1bdc91 |
| ingress                     | 2c6f6f67-6241-4661-977c-3fe5da864c95 |
| name                        | pair2                                |
| service_function_parameters | {"correlation": null}                |
| tenant_id                   | ddf01417a9b74648a3a20c2b818a52ca     |
+-----------------------------+--------------------------------------+

$ neutron port-pair-group-show group2
+-------------+--------------------------------------+
| Field       | Value                                |
+-------------+--------------------------------------+
| description |                                      |
| id          | f8dd897a-1e36-49b0-8d35-d7df0782b3c1 |
| name        | group2                               |
| port_pairs  | 46e63fab-9afe-489f-97ed-ab17ae1bdc91 |
| tenant_id   | ddf01417a9b74648a3a20c2b818a52ca     |
+-------------+--------------------------------------+

$ neutron flow-classifier-show flow2
+----------------------------+--------------------------------------+
| Field                      | Value                                |
+----------------------------+--------------------------------------+
| description                |                                      |
| destination_ip_prefix      |                                      |
| destination_port_range_max |                                      |
| destination_port_range_min |                                      |
| ethertype                  | IPv4                                 |
| id                         | 12b4afa5-c6e4-4df8-a0cc-43e8ab926110 |
| l7_parameters              | {}                                   |
| logical_destination_port   |                                      |
| logical_source_port        | 9b20c466-f62c-4c49-a074-91a088ebb0f6 |
| name                       | flow2                                |
| protocol                   | tcp                                  |
| source_ip_prefix           |                                      |
| source_port_range_max      |                                      |
| source_port_range_min      |                                      |
| tenant_id                  | ddf01417a9b74648a3a20c2b818a52ca     |
+----------------------------+--------------------------------------+

$ neutron port-chain-create --port-pair-group f8dd897a-1e36-49b0-8d35-d7df0782b3c1 --flow-classifier 12b4afa5-c6e4-4df8-a0cc-43e8ab926110 chain2
Flow Classifier 12b4afa5-c6e4-4df8-a0cc-43e8ab926110 conflicts with Flow Classifier 8301ed30-1325-460b-951f-5e707ff729bd in port chain 5de3a851-311a-4ac4-be43-d17630c8e13f.
Neutron server returns request_ids: ['req-1324eff7-8d56-4df3-9129-2480fae88762']
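
Added example (not part of the original thread and not networking-sfc code): a simplified model of the uniqueness rule described in the quoted reply, run against flow1 and flow2 from the attachment above. The function names, the `tenant_scoped` switch, the shortened field names, the treatment of unset fields as wildcards, and the FLOW3/FLOW4 records are assumptions made for illustration.

```python
import ipaddress

ANY_PORT = (0, 65535)  # assumption: an unset port range matches every port

def _prefixes_overlap(a, b):
    # Assumption: an unset prefix matches every address.
    if not a or not b:
        return True
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def _ranges_overlap(a, b):
    (lo_a, hi_a), (lo_b, hi_b) = a or ANY_PORT, b or ANY_PORT
    return lo_a <= hi_b and lo_b <= hi_a

def classifiers_conflict(fc1, fc2, tenant_scoped=True):
    """True if some packet could match both classifiers mid-chain.

    logical_source_port is ignored on purpose: per the quoted reply it is
    only relevant at the first point of classification.
    """
    if tenant_scoped and fc1["tenant_id"] != fc2["tenant_id"]:
        return False
    p1, p2 = fc1.get("protocol"), fc2.get("protocol")
    return (
        fc1["ethertype"] == fc2["ethertype"]
        and (p1 is None or p2 is None or p1 == p2)
        and _prefixes_overlap(fc1.get("src_prefix"), fc2.get("src_prefix"))
        and _prefixes_overlap(fc1.get("dst_prefix"), fc2.get("dst_prefix"))
        and _ranges_overlap(fc1.get("src_ports"), fc2.get("src_ports"))
        and _ranges_overlap(fc1.get("dst_ports"), fc2.get("dst_ports"))
    )

# flow1 and flow2 as shown in the attachment (unset fields omitted).
FLOW1 = {"id": "8301ed30-1325-460b-951f-5e707ff729bd", "ethertype": "IPv4",
         "tenant_id": "0dafd2d782f4445798363ba9b27e104f", "protocol": "tcp",
         "logical_source_port": "ca7f8fdf-a1ff-4cd7-8897-9f6ca5220be6"}
FLOW2 = {"id": "12b4afa5-c6e4-4df8-a0cc-43e8ab926110", "ethertype": "IPv4",
         "tenant_id": "ddf01417a9b74648a3a20c2b818a52ca", "protocol": "tcp",
         "logical_source_port": "9b20c466-f62c-4c49-a074-91a088ebb0f6"}
# Constructed records in flow1's tenant: tcp to port 80 only, and udp.
FLOW3 = dict(FLOW1, id="constructed-3", dst_ports=(80, 80))
FLOW4 = dict(FLOW1, id="constructed-4", protocol="udp")

if __name__ == "__main__":
    print("tenant-scoped:", classifiers_conflict(FLOW1, FLOW2))
    print("global       :", classifiers_conflict(FLOW1, FLOW2, tenant_scoped=False))
    print("flow1 vs tcp/80:", classifiers_conflict(FLOW1, FLOW3))
    print("flow1 vs udp   :", classifiers_conflict(FLOW1, FLOW4))
```

With `tenant_scoped=False` the model returns the conflict reported in the attachment; with the default it returns what "unique within a tenant" would imply for these two records.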

