[Openstack] [Kuryr] nested containers - using Linux bridge for iptables rather than Openvswitch firewall
Agmon, Gideon (Nokia - IL)
gideon.agmon at nokia.com
Tue Jan 24 10:00:39 UTC 2017
Hi,
Environment:
- CentOS 7.3, kernel 3.10 (!)
- devstack mid Jan 2017 master
- kuryr-libnetworks
- NOT using the openvswitch firewall as shown e.g. in https://github.com/openstack/kuryr-libnetwork#how-to-try-out-nested-containers-locally
because Linux kernel 3.10 doesn't support it, so the Linux bridge is used instead!
Question: Must I use the Openvswitch firewall instead of the Linux bridge for proper operation of the trunk bridge?

The phenomenon:
===============
When container A sends an ARP to container B, both nested within a VM, the ping fails:
- ARP request (broadcast) succeeds to pass via the Linux bridge to the OVS and back to the VM via the Linux bridge.
- ARP reply (unicast) succeeds to pass via the Linux bridge to the OVS (it learned the MAC from the request coming back from the OVS).
- This ARP reply is not forwarded by the Linux bridge to the VM! Note that it learned this MAC from the OVS side (although with a different VLAN).
I suspect:
==========
The Linux bridge works in SVL mode (Shared-Vlan-Learning).
Thanks in advance
Gideon
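To make the shared-VLAN-learning hypothesis concrete, here is a small model of the bridge's MAC learning, added as an illustration and not code from the post or from Kuryr. Port names, MAC addresses and VLAN ids are constructed; it replays the four bridge traversals described above once with an FDB keyed by MAC only (SVL) and once keyed by (VLAN, MAC) (IVL).

```python
"""Toy model of MAC learning on a Linux bridge sitting between a VM's
trunk tap and OVS, for the nested-container ARP exchange in the post.
Port names, MACs and VLAN ids are constructed for illustration only."""
from dataclasses import dataclass, field

VM_TAP, OVS_PORT = "tap-vm", "qvb-ovs"          # constructed port names
MAC_A, MAC_B = "0a:00:00:00:00:0a", "0a:00:00:00:00:0b"
VLAN_A, VLAN_B = 101, 102                         # constructed subport VLANs
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Bridge:
    """FDB keyed by MAC only (shared VLAN learning, ivl=False) or by
    (vlan, mac) (independent VLAN learning, ivl=True)."""
    ivl: bool
    fdb: dict = field(default_factory=dict)

    def _key(self, vlan, mac):
        return (vlan, mac) if self.ivl else mac

    def handle(self, ingress, src, dst, vlan):
        """Learn src on the ingress port, then decide where dst goes.
        Returns the egress port, "flood" for broadcast/unknown, or
        "drop" when the FDB points back at the ingress port."""
        self.fdb[self._key(vlan, src)] = ingress
        if dst == BCAST:
            return "flood"
        out = self.fdb.get(self._key(vlan, dst))
        if out is None:
            return "flood"
        return "drop" if out == ingress else out


def arp_exchange(bridge):
    """Replay the traversals from the post: request out (VLAN_A), request
    back in from OVS (VLAN_B), reply out (VLAN_B), reply back in (VLAN_A).
    Returns the fate of the final ARP reply on its way to the VM."""
    bridge.handle(VM_TAP, MAC_A, BCAST, VLAN_A)    # request, container A -> OVS
    bridge.handle(OVS_PORT, MAC_A, BCAST, VLAN_B)  # request, OVS -> container B
    bridge.handle(VM_TAP, MAC_B, MAC_A, VLAN_B)    # reply, container B -> OVS
    return bridge.handle(OVS_PORT, MAC_B, MAC_A, VLAN_A)  # reply, OVS -> A


if __name__ == "__main__":
    print("SVL:", arp_exchange(Bridge(ivl=False)))  # drop
    print("IVL:", arp_exchange(Bridge(ivl=True)))   # tap-vm
```

Under SVL the second traversal overwrites MAC_A's entry with the OVS-side port, so the reply arriving from OVS for MAC_A resolves to its own ingress port and is dropped; with per-VLAN learning the same frame is forwarded to the tap.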