Hi Felix,

On Mon, Sep 11, 2023 at 11:49, Felix Huettner <[email protected]> wrote:
> Hi Roberto,
>
> On Mon, Sep 11, 2023 at 09:32:11AM -0300, Roberto Bartzen Acosta via discuss wrote:
> > Hello everyone,
> >
> > I noticed a problem with DGP feature when configured by OpenStack Neutron
> > using multiple external (provider) subnets.
> >
> > For example, the OpenStack external provider network has multiple subnets,
> > such as:
> >
> > subnet1: 172.16.10.0/24
> > subnet2: 172.16.20.0/24
> >
> > When the Logical Router attaches the external gateway port to this network,
> > only one subnet is configured (static or dynamically), e.g. IP address =
> > 172.16.10.1/24.
> >
> > If the Floating IP assigned for some VM uses the same subnet range as the
> > router's IP network, the dnat_and_snat rule will be created correctly and
> > inbound/outbound traffic will work. However, when the Floating IP uses the
> > other one subnet (not on the same network of the external router port), the
> > dnat_and_snat is not created and we can see the warning message in the log
> > as below:
> >
> > 2023-09-08T13:29:40.721Z|00202|northd|WARN|Unable to determine gateway_port for NAT with external_ip: 172.16.20.157 configured on logical router: neutron-477cf920-21e3-46e5-8c8f-7b8caef7f549 with multiple distributed gateway ports
> >
> > This problem occurs because Neutron has not configured the "gateway-port"
> > param in the OVN NAT rule. In this case, the northd [1] automatically
> > obtains the gateway port using the external IP from the NAT rule and the
> > external network configured on the OVN logical router. If Neutron
> > configured the gateway-port parameter it would work, but the issue is that
> > Neutron never configured this before and gateway port discovery was always
> > done by OVN northd.
> >
> > Note: Neutron does not configure more than one gateway port on the Logical
> > Router, so this second port comes from the OVN-IC.
> >
>
> Wouldn't it be easiest to let neutron configure the "gateway-port"?
> In the neutron ovn client wrapper there is `_create_or_update_floatingip`
> which could simply determine the "gateway-port" from the router, since
> the code already has the router id [1].

Yes, it would be easiest to change in Neutron but I have my concerns about this because what would it look like for the cases when the OVN backend is not OpenStack/Neutron? and we are talking, for example, about ovn-kube, LXD, etc...

maybe it's better to skip gw ports related to interconnect switches on northd code... I don't know, it could be complex and not meet other use cases...

Changing Neutron to set the gw_port seems like a more viable solution...

Thanks for the feedback.

> Regards
> Felix
>
> [1]: https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py#L825
>
> > 1 - I have a question for Han/Abhiram here, what is the usage scenario for
> > these multiple DGPs? Would it just be the case of OVN-IC?
> >
> > 2 - Would a warning message be a desirable behavior without configuring the
> > NAT rule? or could we try to infer the gw port in some other way to avoid
> > misconfiguration?
> >
> > I changed the behavior by modifying the code [1] to not only return but
> > apply l3dgw_ports port "0" as default (same case when we only have one
> > port):
> > *nat_l3dgw_port = od->l3dgw_ports[0];
> >
> > Although it seems to work for the OVN-IC case, there may be cases where
> > this is not desirable, so I would like your opinion.
> >
> > Best regards,
> > Roberto
> >
> > [1] https://github.com/ovn-org/ovn/blob/b6939c165bcd781b1be91f2280de3d3a2026ee98/northd/northd.c#L15107
_______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
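
The gateway-port inference discussed in this thread, as an added example that is not part of the original messages and is not OVN or Neutron code. It is a simplified Python model of the behaviour the thread describes; the port names, the OVN-IC transit address and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data modelled on the thread: the Neutron external gateway
# port plus a second DGP that comes from OVN-IC (names and transit CIDR assumed).
ROUTER_DGPS = {
    "lrp-neutron-ext-gw": ["172.16.10.1/24"],
    "lrp-ovn-ic-transit": ["169.254.100.1/24"],
}


def infer_gateway_port(dgps, external_ip):
    """Model of the inference used when a NAT rule carries no gateway port.

    Returns the chosen port name, or None for the case where northd logs
    "Unable to determine gateway_port ..." and the NAT rule is not applied.
    """
    if len(dgps) == 1:
        # A router with a single DGP uses it unconditionally.
        return next(iter(dgps))
    ip = ipaddress.ip_address(external_ip)
    for port, cidrs in dgps.items():
        # With several DGPs, pick the one whose network contains the external IP.
        if any(ip in ipaddress.ip_interface(c).network for c in cidrs):
            return port
    return None


def resolve_nat_gateway_port(dgps, nat):
    """Prefer an explicitly configured gateway port; otherwise infer it."""
    explicit = nat.get("gateway_port")
    if explicit is not None:
        if explicit not in dgps:
            raise ValueError(f"{explicit} is not a DGP of this router")
        return explicit
    return infer_gateway_port(dgps, nat["external_ip"])


# Floating IPs from the two provider subnets named in the thread.
FIP_SAME_SUBNET = {"external_ip": "172.16.10.50"}
FIP_OTHER_SUBNET = {"external_ip": "172.16.20.157"}
# The same floating IP once the CMS sets the gateway port itself.
FIP_OTHER_SUBNET_EXPLICIT = {
    "external_ip": "172.16.20.157",
    "gateway_port": "lrp-neutron-ext-gw",
}
```

The second floating IP resolves to no port only because the OVN-IC port makes the router multi-DGP; with the Neutron port alone, the same address resolves through the single-DGP branch.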
