[ovs-discuss] openvswitch-kmod: on uninstall, get depmod: ERROR: fstatat

2018-06-18 Thread Paul Greenberg
Build Fedora RPM from 2.9.90.

On "yum remove", get the following errors:

  Erasing: openvswitch-kmod-2.9.90-1.el7.x86_64   3/6
depmod: ERROR: fstatat(4, vport-gre.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-stt.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-geneve.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-lisp.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-vxlan.ko): No such file or directory
depmod: ERROR: fstatat(4, openvswitch.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-gre.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-stt.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-geneve.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-lisp.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-vxlan.ko): No such file or directory
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss


Re: [ovs-discuss] [OVN] egress ACLs on Port Groups seem broken

2018-06-18 Thread Han Zhou
On Mon, Jun 18, 2018 at 1:43 PM, Daniel Alvarez Sanchez wrote:
>
> Hi all,
>
> I'm writing the code to implement the port groups in networking-ovn (the
> OpenStack integration project with OVN). I found out that when I boot a VM,
> it looks like the egress traffic (from the VM) is not working properly. The VM
> port belongs to 3 Port Groups:
>
> 1. Default drop port group with the following ACLs:
>
> _uuid   : 0b092bb2-e97b-463b-a678-8a28085e3d68
> action  : drop
> direction   : from-lport
> external_ids: {}
> log : false
> match   : "inport == @neutron_pg_drop && ip"
> name: []
> priority: 1001
> severity: []
>
> _uuid   : 849ee2e0-f86e-4715-a949-cb5d93437847
> action  : drop
> direction   : to-lport
> external_ids: {}
> log : false
> match   : "outport == @neutron_pg_drop && ip"
> name: []
> priority: 1001
> severity: []
>
>
> 2. Subnet port group to allow DHCP traffic on that subnet:
>
> _uuid   : 8360a415-b7e1-412b-95ff-15cc95059ef0
> action  : allow
> direction   : from-lport
> external_ids: {}
> log : false
> match   : "inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c
&& ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68
&& udp.dst == 67"
> name: []
> priority: 1002
> severity: []
>
>
> 3. Security group port group with the following rules:
>
> 3.1 Allow ICMP traffic:
>
> _uuid   : d12a749f-0f75-4634-aa20-6116e1d5d26d
> action  : allow-related
> direction   : to-lport
> external_ids:
> {"neutron:security_group_rule_id"="9675d6df-56a1-4640-9a0f-1f88e49ed2b5"}
> log : false
> match   : "outport ==
@pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == 0.0.0.0/0 &&
icmp4"
> name: []
> priority: 1002
> severity: []
>
> 3.2 Allow SSH traffic:
>
> _uuid   : 05100729-816f-4a09-b15c-4759128019d4
> action  : allow-related
> direction   : to-lport
> external_ids:
> {"neutron:security_group_rule_id"="2a48979f-8209-4fb7-b24b-fff8d82a2ae9"}
> log : false
> match   : "outport ==
@pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == 0.0.0.0/0 &&
tcp && tcp.dst == 22"
> name: []
> priority: 1002
> severity: []
>
>
> 3.3 Allow IPv4/IPv6 traffic from this same port group
>
>
> _uuid   : b56ce66e-da6b-48be-a66e-77c8cfd6ab92
> action  : allow-related
> direction   : to-lport
> external_ids:
> {"neutron:security_group_rule_id"="5b0a47ee-8114-4b13-8d5b-b16d31586b3b"}
> log : false
> match   : "outport ==
@pg_d237185f_733f_4a09_8832_bcee773722ef && ip6 && ip6.src ==
$pg_d237185f_733f_4a09_8832_bcee773722ef_ip6"
> name: []
> priority: 1002
> severity: []
>
>
> _uuid   : 7b68f430-41b5-414d-a2ed-6c548be53dce
> action  : allow-related
> direction   : to-lport
> external_ids:
> {"neutron:security_group_rule_id"="299bd9ca-89fb-4767-8ae9-a738e98603fb"}
> log : false
> match   : "outport ==
@pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src ==
$pg_d237185f_733f_4a09_8832_bcee773722ef_ip4"
> name: []
> priority: 1002
> severity: []
>
>
> 3.4 Allow all egress (VM point of view) IPv4 traffic
>
> _uuid   : c5fbf0b7-6461-4f27-802e-b0d743be59e5
> action  : allow-related
> direction   : from-lport
> external_ids:
> {"neutron:security_group_rule_id"="a4ffe40a-f773-41d6-bc04-40500d158f51"}
> log : false
> match   : "inport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4"
> name: []
> priority: 1002
> severity: []
>
>
>
> So, I boot a VM using this port and I can verify that ICMP and SSH
> traffic works well while the egress traffic doesn't work. From the VM I
> curl to an IP living in a network namespace and this is what I see with
> tcpdump there:
>
> On the VM:
> $ ip r get 169.254.254.169
> 169.254.254.169 via 10.0.0.1 dev eth0  src 10.0.0.6
> $ curl 169.254.169.254
>
> On the hypervisor (haproxy listening on 169.254.169.254:80):
>
> $ sudo ip net e ovnmeta-0cf12eb0-fdb3-4087-98b0-9c52cafd0bdf tcpdump -i any port 80 -vvn
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture
> size 262144 bytes
> 21:59:47.106883 IP (tos 0x0, ttl 64, id 61543, offset 0, flags [DF],
> proto TCP (6), length 60)
> 10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x851c
> (correct), seq 2571046510, win 14020, options [mss 1402,sackOK,TS val
> 22740490 ecr 

Re: [ovs-discuss] [OVN] egress ACLs on Port Groups seem broken

2018-06-18 Thread Ben Pfaff
On Mon, Jun 18, 2018 at 10:43:22PM +0200, Daniel Alvarez Sanchez wrote:
> I'm writing the code to implement the port groups in networking-ovn (the
> OpenStack integration project with OVN). I found out that when I boot a VM,
> it looks like the egress traffic (from the VM) is not working properly. The VM
> port belongs to 3 Port Groups:

There's a lot of information here but I don't see any output from
ovn-trace.  Have you tried that?  Usually it's the first thing I reach
for.
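Ben's suggestion is to let ovn-trace walk the real flows. As an added example, and not code from OVN or from the networking-ovn project, the Python model below resolves the IPv4 port-group ACLs from Daniel's post against the SYN he captured, the way OVN's two ACL stages do: per direction the highest-priority matching ACL wins, no match means the packet passes, and a reply to a connection that an allow-related ACL committed to conntrack is admitted on connection state before the user ACLs are consulted. The logical port names, the port-group membership and the contents of the $pg_..._ip4 address set are assumptions; the ACL matches and priorities are copied from the post.

```python
# Added example (not OVN or networking-ovn code): a small model of how OVN
# resolves the port-group ACLs from the thread, covering only the subset of
# the match language those ACLs use.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed logical port names and group membership: the VM port is in all three
# port groups from the post; the router port it sends to is in none of them.
VM_PORT = "vm-port"
ROUTER_PORT = "router-port"
PORT_GROUPS: Dict[str, Set[str]] = {
    "neutron_pg_drop": {VM_PORT},
    "pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c": {VM_PORT},
    "pg_d237185f_733f_4a09_8832_bcee773722ef": {VM_PORT},
}
# Assumed address-set contents: the VM's own address from the post.
ADDRESS_SETS: Dict[str, List[str]] = {
    "pg_d237185f_733f_4a09_8832_bcee773722ef_ip4": ["10.0.0.6"],
}
# (priority, direction, action, match) for the IPv4 ACLs listed in the post.
PG = "@pg_d237185f_733f_4a09_8832_bcee773722ef"
ACLS: List[Tuple[int, str, str, str]] = [
    (1001, "from-lport", "drop", "inport == @neutron_pg_drop && ip"),
    (1001, "to-lport", "drop", "outport == @neutron_pg_drop && ip"),
    (1002, "from-lport", "allow", "inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c"
     " && ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68 && udp.dst == 67"),
    (1002, "to-lport", "allow-related", f"outport == {PG} && ip4 && ip4.src == 0.0.0.0/0 && icmp4"),
    (1002, "to-lport", "allow-related", f"outport == {PG} && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"),
    (1002, "to-lport", "allow-related", f"outport == {PG} && ip4 && ip4.src == ${PG[1:]}_ip4"),
    (1002, "from-lport", "allow-related", f"inport == {PG} && ip4"),
]


@dataclass
class Packet:
    inport: str
    outport: str
    proto: str        # "tcp", "udp" or "icmp4"
    ip4_src: str
    ip4_dst: str
    l4_src: int = 0
    l4_dst: int = 0


_PORT_RE = re.compile(r"(inport|outport) == @(\w+)")
_IP4_RE = re.compile(r"ip4\.(src|dst) == (.+)")
_L4_RE = re.compile(r"(tcp|udp)\.(src|dst) == (\d+)")


def in_ip_set(addr: str, spec: str) -> bool:
    """True if addr is in a literal set {a, b/26}, a single CIDR, or a $address_set."""
    spec = spec.strip()
    if spec.startswith("$"):
        members = ADDRESS_SETS[spec[1:]]
    else:
        members = [s.strip() for s in spec.strip("{}").split(",")]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(m, strict=False) for m in members)


def term_matches(term: str, pkt: Packet) -> bool:
    """Evaluate one '&&'-separated term of an ACL match against a packet."""
    term = term.strip()
    if term in ("ip", "ip4"):
        return True                      # every modelled packet is IPv4
    if term.startswith("ip6"):
        return False                     # IPv6 ACLs never match in this model
    if term in ("tcp", "udp", "icmp4"):
        return pkt.proto == term
    m = _PORT_RE.fullmatch(term)
    if m:
        return getattr(pkt, m.group(1)) in PORT_GROUPS[m.group(2)]
    m = _IP4_RE.fullmatch(term)
    if m:
        return in_ip_set(getattr(pkt, "ip4_" + m.group(1)), m.group(2))
    m = _L4_RE.fullmatch(term)
    if m:
        return pkt.proto == m.group(1) and getattr(pkt, "l4_" + m.group(2)) == int(m.group(3))
    raise ValueError("unsupported match term: " + term)


def decide(pkt: Packet, direction: str, ct_reply: bool = False) -> Tuple[Optional[int], str]:
    """Winning (priority, action) for one ACL stage ("from-lport" or "to-lport").

    Highest-priority matching ACL wins; with no match OVN lets the packet
    through.  ct_reply=True models a reply to a connection that an
    allow-related ACL committed to conntrack: OVN admits it on connection
    state before the user ACLs are consulted."""
    if ct_reply:
        return (None, "allow (established reply)")
    hits = [(prio, action) for prio, d, action, match in ACLS
            if d == direction and all(term_matches(t, pkt) for t in match.split("&&"))]
    if not hits:
        return (None, "allow (no ACL matched)")
    return max(hits, key=lambda h: h[0])   # equal-priority overlaps are undefined in OVN


def trace_curl(vm_ip: str = "10.0.0.6", dst: str = "169.254.169.254",
               sport: int = 34553) -> Dict[str, Tuple[Optional[int], str]]:
    """Resolve the SYN captured in the post, and its SYN-ACK, through both stages."""
    syn = Packet(VM_PORT, ROUTER_PORT, "tcp", vm_ip, dst, sport, 80)
    egress = decide(syn, "from-lport")        # the VM's outbound leg
    syn_ack = Packet(ROUTER_PORT, VM_PORT, "tcp", dst, vm_ip, 80, sport)
    return {
        "syn_from_lport": egress,
        "syn_to_lport": decide(syn, "to-lport"),
        "synack_to_lport_acls_only": decide(syn_ack, "to-lport"),
        "synack_to_lport": decide(syn_ack, "to-lport", ct_reply=egress[1] == "allow-related"),
    }


if __name__ == "__main__":
    for stage, (prio, action) in trace_curl().items():
        print(f"{stage:28s} -> priority {prio} {action}")
```

Run stand-alone, the block shows that under the northbound configuration the SYN is admitted on the VM's from-lport stage by the priority-1002 allow-related rule over the priority-1001 drop, passes the to-lport stage at the router port with no ACL matching, and that the SYN-ACK back to the VM matches only the 1001 drop on its own and is admitted solely because the outbound rule was allow-related rather than allow; that stateless-versus-stateful distinction is the one to check first when egress "works" on the wire but the connection never completes. The authoritative version of this check is `ovn-trace --detailed <logical-switch> '<microflow>'`, with inport, eth.src, eth.dst, ip4.src, ip4.dst, tcp and tcp.dst set to the captured values, which walks the southbound flows ovn-northd actually generated instead of this model.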


[ovs-discuss] [OVN] egress ACLs on Port Groups seem broken

2018-06-18 Thread Daniel Alvarez Sanchez
Hi all,

I'm writing the code to implement the port groups in networking-ovn (the
OpenStack integration project with OVN). I found out that when I boot a VM,
it looks like the egress traffic (from the VM) is not working properly. The VM
port belongs to 3 Port Groups:

1. Default drop port group with the following ACLs:

_uuid   : 0b092bb2-e97b-463b-a678-8a28085e3d68
action  : drop
direction   : from-lport
external_ids: {}
log : false
match   : "inport == @neutron_pg_drop && ip"
name: []
priority: 1001
severity: []

_uuid   : 849ee2e0-f86e-4715-a949-cb5d93437847
action  : drop
direction   : to-lport
external_ids: {}
log : false
match   : "outport == @neutron_pg_drop && ip"
name: []
priority: 1001
severity: []


2. Subnet port group to allow DHCP traffic on that subnet:

_uuid   : 8360a415-b7e1-412b-95ff-15cc95059ef0
action  : allow
direction   : from-lport
external_ids: {}
log : false
match   : "inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c
&& ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68
&& udp.dst == 67"
name: []
priority: 1002
severity: []


3. Security group port group with the following rules:

3.1 Allow ICMP traffic:

_uuid   : d12a749f-0f75-4634-aa20-6116e1d5d26d
action  : allow-related
direction   : to-lport
external_ids:
{"neutron:security_group_rule_id"="9675d6df-56a1-4640-9a0f-1f88e49ed2b5"}
log : false
match   : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4 && ip4.src == 0.0.0.0/0 && icmp4"
name: []
priority: 1002
severity: []

3.2 Allow SSH traffic:

_uuid   : 05100729-816f-4a09-b15c-4759128019d4
action  : allow-related
direction   : to-lport
external_ids:
{"neutron:security_group_rule_id"="2a48979f-8209-4fb7-b24b-fff8d82a2ae9"}
log : false
match   : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
name: []
priority: 1002
severity: []


3.3 Allow IPv4/IPv6 traffic from this same port group


_uuid   : b56ce66e-da6b-48be-a66e-77c8cfd6ab92
action  : allow-related
direction   : to-lport
external_ids:
{"neutron:security_group_rule_id"="5b0a47ee-8114-4b13-8d5b-b16d31586b3b"}
log : false
match   : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip6 && ip6.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip6"
name: []
priority: 1002
severity: []


_uuid   : 7b68f430-41b5-414d-a2ed-6c548be53dce
action  : allow-related
direction   : to-lport
external_ids:
{"neutron:security_group_rule_id"="299bd9ca-89fb-4767-8ae9-a738e98603fb"}
log : false
match   : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4 && ip4.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip4"
name: []
priority: 1002
severity: []


3.4 Allow all egress (VM point of view) IPv4 traffic

_uuid   : c5fbf0b7-6461-4f27-802e-b0d743be59e5
action  : allow-related
direction   : from-lport
external_ids:
{"neutron:security_group_rule_id"="a4ffe40a-f773-41d6-bc04-40500d158f51"}
log : false
match   : "inport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4"
name: []
priority: 1002
severity: []



So, I boot a VM using this port and I can verify that ICMP and SSH traffic
works well while the egress traffic doesn't work. From the VM I curl to an
IP living in a network namespace and this is what I see with tcpdump there:

On the VM:
$ ip r get 169.254.254.169
169.254.254.169 via 10.0.0.1 dev eth0  src 10.0.0.6
$ curl 169.254.169.254

On the hypervisor (haproxy listening on 169.254.169.254:80):

$ sudo ip net e ovnmeta-0cf12eb0-fdb3-4087-98b0-9c52cafd0bdf tcpdump -i any port 80 -vvn
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
262144 bytes
21:59:47.106883 IP (tos 0x0, ttl 64, id 61543, offset 0, flags [DF], proto
TCP (6), length 60)
10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x851c
(correct), seq 2571046510, win 14020, options [mss 1402,sackOK,TS val
22740490 ecr 0,nop,wscale 2], length 0
21:59:47.106935 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
(6), length 60)
169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31
(incorrect -> 0x34c0), seq 3215869181, ack 2571046511, win 28960, options
[mss 1460,sackOK,TS val