[Openstack] [Kuryr] [Neutron] nested containers - using Linux bridge for iptables rather than Openvswitch firewall
Liping Mao (limao)
limao at cisco.com
Tue Jan 24 15:01:12 UTC 2017
Hi Agmon,
Thanks for trying this feature first.
We discussed this with Jakub Libosvar from the Neutron team and confirmed that
VM-nested trunk can't work with iptables_hybrid in Neutron. More detail is in the IRC log [1].
Part of the log:
limao jlibosva: trunk port do not work with iptables_hybrid , Do we have any bug about this or it is by design? 15:27
jlibosva limao: that's by design 15:27
jlibosva limao: "Obviously this solution is not compliant with iptables firewall." from https://github.com/openstack/neutron/blob/master/doc/source/devref/openvswitch_agent.rst#tackling-the-network-trunking-use-case 15:29
jlibosva limao: at "To summarize:" section, B solution 15:29
[1]http://eavesdrop.openstack.org/irclogs/%23openstack-neutron/%23openstack-neutron.2016-11-22.log.html
Looping in jlibosva and adding the [Neutron] tag to the mail title.
Thanks.
Regards,
Liping Mao
On 17/1/24 18:00, "Agmon, Gideon (Nokia - IL)" <gideon.agmon at nokia.com> wrote:
Hi,
Environment:
- CentOS 7.3, kernel 3.10 (!)
- devstack mid-Jan 2017 master
- kuryr-libnetwork
- NOT using the openvswitch firewall as shown e.g. in https://github.com/openstack/kuryr-libnetwork#how-to-try-out-nested-containers-locally
because Linux kernel 3.10 doesn't support it, so the Linux bridge is used instead!
Question: Must I use the Openvswitch firewall instead of the Linux bridge for proper operation of the trunk bridge?
========
The phenomenon:
===============
When ContainerA sends an ARP request to containerB, both nested within a VM, the ping fails:
- The ARP request (broadcast) successfully passes via the Linux bridge to the OVS and back to the VM via the Linux bridge.
- The ARP reply (unicast) successfully passes via the Linux bridge to the OVS (it learned the MAC from the request coming back from the OVS).
- This ARP reply is not forwarded by the Linux bridge to the VM! Note that it learned this MAC from the OVS side (although with a different VLAN).
I suspect:
========
The Linux bridge works in SVL mode (Shared VLAN Learning).
Thanks in advance
Gideon
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
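The failure Gideon describes can be reproduced with a small model of a learning bridge. The following is an added example, not code from kuryr, Neutron or this thread: it assumes a Linux bridge with two ports (a VM-facing tap and an OVS-facing port, names "tap" and "qvb" are assumed), and models OVS plus the trunk bridge as a reflector that returns a frame sent on one subport VLAN on the other subport's VLAN. The MACs and VLAN IDs are constructed sample values. Run with "svl" (one forwarding table shared by all VLANs, the poster's hypothesis) and "ivl" (a table keyed on VLAN and MAC) to see why the unicast ARP reply is dropped in the first case and delivered in the second.

```python
"""Simplified learning-bridge model of the nested-container ARP failure.

Added example (not project code). Assumed topology:

    containerA (VLAN 101) \\                     Linux bridge
    containerB (VLAN 102) / -- VM trunk tap ----[ "tap" | "qvb" ]---- OVS

OVS is modelled as a reflector: a frame arriving from the trunk on
VLAN 101 comes back on VLAN 102 and vice versa (assumption: both
subports belong to the same Neutron network, so OVS relays between them).
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B = "fa:16:3e:00:00:0a", "fa:16:3e:00:00:0b"   # constructed
VLAN_A, VLAN_B = 101, 102                                  # constructed
TRUNK_MAP = {VLAN_A: VLAN_B, VLAN_B: VLAN_A}               # OVS reflection


class Frame:
    def __init__(self, src, dst, vlan):
        self.src, self.dst, self.vlan = src, dst, vlan


class LearningBridge:
    """Learning bridge; mode is 'svl' (shared) or 'ivl' (per-VLAN) learning."""

    def __init__(self, ports, mode):
        if mode not in ("svl", "ivl"):
            raise ValueError("mode must be 'svl' or 'ivl'")
        self.ports, self.mode, self.fdb = list(ports), mode, {}

    def _key(self, mac, vlan):
        # SVL: one entry per MAC regardless of VLAN; IVL: entry per (VLAN, MAC)
        return mac if self.mode == "svl" else (vlan, mac)

    def forward(self, frame, ingress):
        """Learn the source, then return the list of egress ports."""
        self.fdb[self._key(frame.src, frame.vlan)] = ingress
        if frame.dst == BROADCAST:
            return [p for p in self.ports if p != ingress]
        learned = self.fdb.get(self._key(frame.dst, frame.vlan))
        if learned is None:
            return [p for p in self.ports if p != ingress]   # unknown: flood
        if learned == ingress:
            return []   # destination believed behind the ingress port: dropped
        return [learned]


def ovs_reflect(frame):
    """Model OVS + trunk bridge relaying between the two subport VLANs."""
    return Frame(frame.src, frame.dst, TRUNK_MAP[frame.vlan])


def run_arp_exchange(mode):
    """Replay the ARP request/reply between the two containers."""
    br = LearningBridge(ports=("tap", "qvb"), mode=mode)

    # 1. containerA broadcasts an ARP request on its subport VLAN.
    req = Frame(MAC_A, BROADCAST, VLAN_A)
    br.forward(req, ingress="tap")                    # flooded towards OVS
    back = br.forward(ovs_reflect(req), ingress="qvb")  # comes back on VLAN_B
    request_reached_b = "tap" in back

    # 2. containerB answers with a unicast reply to MAC_A.
    rep = Frame(MAC_B, MAC_A, VLAN_B)
    out = br.forward(rep, ingress="tap")
    reply_reached_ovs = "qvb" in out
    out = br.forward(ovs_reflect(rep), ingress="qvb")   # comes back on VLAN_A
    reply_reached_a = "tap" in out

    return {
        "request_reached_b": request_reached_b,
        "reply_reached_ovs": reply_reached_ovs,
        "reply_reached_a": reply_reached_a,
        "fdb": dict(br.fdb),
    }


if __name__ == "__main__":
    for mode in ("svl", "ivl"):
        print(mode, run_arp_exchange(mode))
```

In SVL mode the reflected ARP request re-learns MAC_A on the OVS-facing port, so when the reflected reply arrives from that same port the bridge believes the destination is behind the ingress port and discards it; that is exactly the "learned this MAC from the OVS side (although with a different VLAN)" observation. With per-VLAN learning the (VLAN 101, MAC_A) entry still points at the tap and the reply is delivered.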