[Openstack] [Kuryr] nested containers - using Linux bridge for iptables rather than Openvswitch firewall

Agmon, Gideon (Nokia - IL) gideon.agmon at nokia.com
Tue Jan 24 10:00:39 UTC 2017


 - CentOS 7.3, kernel 3.10 (!)
 - devstack mid-Jan 2017 master
 - kuryr-libnetwork
 - NOT using the openvswitch firewall as shown e.g. in https://github.com/openstack/kuryr-libnetwork#how-to-try-out-nested-containers-locally
   because Linux kernel 3.10 doesn't support it, so Linux bridge is used instead!

Question: Must I use the Openvswitch firewall instead of Linux bridge for proper operation of the trunk bridge?

The phenomenon:
When ARP is sent from ContainerA to ContainerB, both nested within a VM, the ping fails:
 - The ARP request (broadcast) succeeds in passing via the Linux bridge to the OVS and back to the VM via the Linux bridge.
 - The ARP reply (unicast) succeeds in passing via the Linux bridge to the OVS (it learned the MAC from the request coming back from the OVS).
 - This ARP reply is not forwarded by the Linux bridge to the VM! Note that it learned this MAC from the OVS side (although with a different VLAN).

I suspect:
The Linux bridge works in SVL mode (Shared-VLAN-Learning).

Thanks in advance
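The following is an added illustration, not part of the original post or of kuryr-libnetwork: a small Python parser for the text output of iproute2's `bridge fdb show` that reports whether the bridge is learning per VLAN or shared across VLANs (the SVL suspicion above) and which container MACs the bridge has learned on a port other than the one they are actually behind. The bridge name `br-trunk`, the port names `tap-vm1` and `vlan-to-ovs`, the MAC addresses and the FDB lines are all constructed for the example; on a real host the input would come from `bridge fdb show` on the trunk bridge.

```python
"""Parse `bridge fdb show` output and flag MACs a Linux bridge learned on an unexpected port.

Added illustration for the symptom in the post above: a unicast ARP reply is not
forwarded to the VM because the bridge learned the destination MAC on the
OVS-facing port, and without vlan_filtering the FDB is shared across VLANs.
Bridge name, port names, MACs and FDB lines are constructed for this example.
"""
import re

# iproute2 `bridge fdb show` line format, e.g.
#   fa:16:3e:aa:bb:cc dev tap-vm1 vlan 100 master br-trunk
#   33:33:00:00:00:01 dev br-trunk self permanent
FDB_LINE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+vlan\s+(?P<vlan>\d+))?"
    r"(?:\s+master\s+(?P<master>\S+))?"
    r"(?P<flags>.*)$"
)

# Constructed sample: the VM's tap port, the port towards OVS, one learned MAC per side.
SAMPLE_FDB = """\
fa:16:3e:11:22:33 dev tap-vm1 master br-trunk permanent
fa:16:3e:dd:ee:ff dev tap-vm1 master br-trunk
fa:16:3e:aa:bb:cc dev vlan-to-ovs master br-trunk
33:33:00:00:00:01 dev br-trunk self permanent
"""

# Where each container MAC is really attached (constructed for the example).
EXPECTED_PORT = {
    "fa:16:3e:dd:ee:ff": "tap-vm1",
    "fa:16:3e:aa:bb:cc": "tap-vm1",
}


def parse_fdb(text):
    """Return one dict per FDB line; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FDB_LINE.match(raw.strip())
        if not m:
            continue
        flags = m.group("flags").split()
        entries.append({
            "mac": m.group("mac"),
            "dev": m.group("dev"),
            "vlan": int(m.group("vlan")) if m.group("vlan") else None,
            "master": m.group("master"),
            "permanent": "permanent" in flags,
        })
    return entries


def learned_entries(entries, bridge):
    """Dynamically learned entries on `bridge`; permanent/static entries are not learning."""
    return [e for e in entries if e["master"] == bridge and not e["permanent"]]


def learning_mode(entries, bridge):
    """'per-vlan' if learned entries carry a VLAN id (vlan_filtering on), else 'shared'.

    Without vlan_filtering the bridge keeps one FDB entry per MAC regardless of the
    VLAN tag, which is the shared-VLAN-learning behaviour the post suspects.
    """
    learned = learned_entries(entries, bridge)
    if learned and all(e["vlan"] is not None for e in learned):
        return "per-vlan"
    return "shared"


def misplaced_macs(entries, bridge, expected_port):
    """Map MAC -> port the bridge learned it on, for MACs not learned where expected.

    Frames to such a MAC are sent towards the learned port, or dropped when that
    is also the ingress port, so a reply arriving from OVS never reaches the VM.
    """
    result = {}
    for e in learned_entries(entries, bridge):
        want = expected_port.get(e["mac"])
        if want is not None and e["dev"] != want:
            result[e["mac"]] = e["dev"]
    return result


if __name__ == "__main__":
    fdb = parse_fdb(SAMPLE_FDB)
    print("learning mode:", learning_mode(fdb, "br-trunk"))
    for mac, dev in misplaced_macs(fdb, "br-trunk", EXPECTED_PORT).items():
        print(f"{mac} learned on {dev}, expected {EXPECTED_PORT[mac]}")
```

Run against the constructed table, the script reports `shared` learning and the container MAC `fa:16:3e:aa:bb:cc` learned on `vlan-to-ovs` instead of `tap-vm1`, which is exactly the state in which the bridge will not hand the unicast ARP reply back to the VM. With vlan_filtering enabled, the same MAC can be held per VLAN and the tool reports `per-vlan`.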
