[ovs-discuss] openvswitch-kmod: on uninstall, get depmod: ERROR: fstatat
Build Fedora RPM from 2.9.90. On "yum remove", get the following errors:

  Erasing: openvswitch-kmod-2.9.90-1.el7.x86_64 3/6
depmod: ERROR: fstatat(4, vport-gre.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-stt.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-geneve.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-lisp.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-vxlan.ko): No such file or directory
depmod: ERROR: fstatat(4, openvswitch.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-gre.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-stt.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-geneve.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-lisp.ko): No such file or directory
depmod: ERROR: fstatat(4, vport-vxlan.ko): No such file or directory
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument
rmdir: failed to remove '.': Invalid argument

___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss

Re: [ovs-discuss] [OVN] egress ACLs on Port Groups seem broken
On Mon, Jun 18, 2018 at 1:43 PM, Daniel Alvarez Sanchez wrote:
>
> Hi all,
>
> I'm writing the code to implement the port groups in networking-ovn (the OpenStack integration project with OVN). I found out that when I boot a VM, looks like the egress traffic (from VM) is not working properly. The VM port belongs to 3 Port Groups:
>
> 1. Default drop port group with the following ACLs:
>
> _uuid       : 0b092bb2-e97b-463b-a678-8a28085e3d68
> action      : drop
> direction   : from-lport
> external_ids: {}
> log         : false
> match       : "inport == @neutron_pg_drop && ip"
> name        : []
> priority    : 1001
> severity    : []
>
> _uuid       : 849ee2e0-f86e-4715-a949-cb5d93437847
> action      : drop
> direction   : to-lport
> external_ids: {}
> log         : false
> match       : "outport == @neutron_pg_drop && ip"
> name        : []
> priority    : 1001
> severity    : []
>
>
> 2. Subnet port group to allow DHCP traffic on that subnet:
>
> _uuid       : 8360a415-b7e1-412b-95ff-15cc95059ef0
> action      : allow
> direction   : from-lport
> external_ids: {}
> log         : false
> match       : "inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c && ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68 && udp.dst == 67"
> name        : []
> priority    : 1002
> severity    : []
>
>
> 3. Security group port group with the following rules:
>
> 3.1 Allow ICMP traffic:
>
> _uuid       : d12a749f-0f75-4634-aa20-6116e1d5d26d
> action      : allow-related
> direction   : to-lport
> external_ids: {"neutron:security_group_rule_id"="9675d6df-56a1-4640-9a0f-1f88e49ed2b5"}
> log         : false
> match       : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
> name        : []
> priority    : 1002
> severity    : []
>
> 3.2 Allow SSH traffic:
>
> _uuid       : 05100729-816f-4a09-b15c-4759128019d4
> action      : allow-related
> direction   : to-lport
> external_ids: {"neutron:security_group_rule_id"="2a48979f-8209-4fb7-b24b-fff8d82a2ae9"}
> log         : false
> match       : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
> name        : []
> priority    : 1002
> severity    : []
>
>
> 3.3 Allow IPv4/IPv6 traffic from this same port group
>
>
> _uuid       : b56ce66e-da6b-48be-a66e-77c8cfd6ab92
> action      : allow-related
> direction   : to-lport
> external_ids: {"neutron:security_group_rule_id"="5b0a47ee-8114-4b13-8d5b-b16d31586b3b"}
> log         : false
> match       : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip6 && ip6.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip6"
> name        : []
> priority    : 1002
> severity    : []
>
>
> _uuid       : 7b68f430-41b5-414d-a2ed-6c548be53dce
> action      : allow-related
> direction   : to-lport
> external_ids: {"neutron:security_group_rule_id"="299bd9ca-89fb-4767-8ae9-a738e98603fb"}
> log         : false
> match       : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip4"
> name        : []
> priority    : 1002
> severity    : []
>
>
> 3.4 Allow all egress (VM point of view) IPv4 traffic
>
> _uuid       : c5fbf0b7-6461-4f27-802e-b0d743be59e5
> action      : allow-related
> direction   : from-lport
> external_ids: {"neutron:security_group_rule_id"="a4ffe40a-f773-41d6-bc04-40500d158f51"}
> log         : false
> match       : "inport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4"
> name        : []
> priority    : 1002
> severity    : []
>
>
>
> So, I boot a VM using this port and I can verify that ICMP and SSH traffic works good while the egress traffic doesn't work. From the VM I curl to an IP living in a network namespace and this is what I see with tcpdump there:
>
> On the VM:
> $ ip r get 169.254.254.169
> 169.254.254.169 via 10.0.0.1 dev eth0 src 10.0.0.6
> $ curl 169.254.169.254
>
> On the hypervisor (haproxy listening on 169.254.169.254:80):
>
> $ sudo ip net e ovnmeta-0cf12eb0-fdb3-4087-98b0-9c52cafd0bdf tcpdump -i any port 80 -vvn
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> 21:59:47.106883 IP (tos 0x0, ttl 64, id 61543, offset 0, flags [DF], proto TCP (6), length 60)
>     10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x851c (correct), seq 2571046510, win 14020, options [mss 1402,sackOK,TS val 22740490 ecr

Re: [ovs-discuss] [OVN] egress ACLs on Port Groups seem broken
On Mon, Jun 18, 2018 at 10:43:22PM +0200, Daniel Alvarez Sanchez wrote:
> I'm writing the code to implement the port groups in networking-ovn (the
> OpenStack integration project with OVN). I found out that when I boot a VM,
> looks like the egress traffic (from VM) is not working properly. The VM
> port belongs to 3 Port Groups:

There's a lot of information here but I don't see any output from ovn-trace. Have you tried that? Usually it's the first thing I reach for.

[ovs-discuss] [OVN] egress ACLs on Port Groups seem broken
Hi all,

I'm writing the code to implement the port groups in networking-ovn (the OpenStack integration project with OVN). I found out that when I boot a VM, looks like the egress traffic (from VM) is not working properly. The VM port belongs to 3 Port Groups:

1. Default drop port group with the following ACLs:

_uuid       : 0b092bb2-e97b-463b-a678-8a28085e3d68
action      : drop
direction   : from-lport
external_ids: {}
log         : false
match       : "inport == @neutron_pg_drop && ip"
name        : []
priority    : 1001
severity    : []

_uuid       : 849ee2e0-f86e-4715-a949-cb5d93437847
action      : drop
direction   : to-lport
external_ids: {}
log         : false
match       : "outport == @neutron_pg_drop && ip"
name        : []
priority    : 1001
severity    : []

2. Subnet port group to allow DHCP traffic on that subnet:

_uuid       : 8360a415-b7e1-412b-95ff-15cc95059ef0
action      : allow
direction   : from-lport
external_ids: {}
log         : false
match       : "inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c && ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68 && udp.dst == 67"
name        : []
priority    : 1002
severity    : []

3. Security group port group with the following rules:

3.1 Allow ICMP traffic:

_uuid       : d12a749f-0f75-4634-aa20-6116e1d5d26d
action      : allow-related
direction   : to-lport
external_ids: {"neutron:security_group_rule_id"="9675d6df-56a1-4640-9a0f-1f88e49ed2b5"}
log         : false
match       : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
name        : []
priority    : 1002
severity    : []

3.2 Allow SSH traffic:

_uuid       : 05100729-816f-4a09-b15c-4759128019d4
action      : allow-related
direction   : to-lport
external_ids: {"neutron:security_group_rule_id"="2a48979f-8209-4fb7-b24b-fff8d82a2ae9"}
log         : false
match       : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
name        : []
priority    : 1002
severity    : []

3.3 Allow IPv4/IPv6 traffic from this same port group

_uuid       : b56ce66e-da6b-48be-a66e-77c8cfd6ab92
action      : allow-related
direction   : to-lport
external_ids: {"neutron:security_group_rule_id"="5b0a47ee-8114-4b13-8d5b-b16d31586b3b"}
log         : false
match       : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip6 && ip6.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip6"
name        : []
priority    : 1002
severity    : []

_uuid       : 7b68f430-41b5-414d-a2ed-6c548be53dce
action      : allow-related
direction   : to-lport
external_ids: {"neutron:security_group_rule_id"="299bd9ca-89fb-4767-8ae9-a738e98603fb"}
log         : false
match       : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip4"
name        : []
priority    : 1002
severity    : []

3.4 Allow all egress (VM point of view) IPv4 traffic

_uuid       : c5fbf0b7-6461-4f27-802e-b0d743be59e5
action      : allow-related
direction   : from-lport
external_ids: {"neutron:security_group_rule_id"="a4ffe40a-f773-41d6-bc04-40500d158f51"}
log         : false
match       : "inport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4"
name        : []
priority    : 1002
severity    : []

So, I boot a VM using this port and I can verify that ICMP and SSH traffic works good while the egress traffic doesn't work. From the VM I curl to an IP living in a network namespace and this is what I see with tcpdump there:

On the VM:
$ ip r get 169.254.254.169
169.254.254.169 via 10.0.0.1 dev eth0 src 10.0.0.6
$ curl 169.254.169.254

On the hypervisor (haproxy listening on 169.254.169.254:80):

$ sudo ip net e ovnmeta-0cf12eb0-fdb3-4087-98b0-9c52cafd0bdf tcpdump -i any port 80 -vvn
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:59:47.106883 IP (tos 0x0, ttl 64, id 61543, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x851c (correct), seq 2571046510, win 14020, options [mss 1402,sackOK,TS val 22740490 ecr 0,nop,wscale 2], length 0
21:59:47.106935 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31 (incorrect -> 0x34c0), seq 3215869181, ack 2571046511, win 28960, options [mss 1460,sackOK,TS val
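
Added example (not part of the original thread and not OVN's own code): a simplified Python model of how OVN picks an ACL per direction, where the highest-priority match wins and unmatched traffic is allowed, applied to the ACLs listed in the post above. The names pg_subnet and pg_sg are abbreviations, the port name vm1 and both packets are constructed, the two address-set rules are omitted, and connection tracking is not modelled.

```python
import ipaddress

# Port-group membership; "vm1" is a constructed port name, and pg_subnet / pg_sg
# abbreviate the pg_b1a572c6_... and pg_d237185f_... groups from the post.
PORT_GROUPS = {"neutron_pg_drop": {"vm1"}, "pg_subnet": {"vm1"}, "pg_sg": {"vm1"}}

# (direction, priority, action, match) transcribed from the post's ACL records.
ACLS = [
    ("from-lport", 1001, "drop", "inport == @neutron_pg_drop && ip"),
    ("to-lport", 1001, "drop", "outport == @neutron_pg_drop && ip"),
    ("from-lport", 1002, "allow", "inport == @pg_subnet && ip4 && ip4.dst == "
     "{255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68 && udp.dst == 67"),
    ("to-lport", 1002, "allow-related",
     "outport == @pg_sg && ip4 && ip4.src == 0.0.0.0/0 && icmp4"),
    ("to-lport", 1002, "allow-related",
     "outport == @pg_sg && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"),
    ("from-lport", 1002, "allow-related", "inport == @pg_sg && ip4"),
]

def term_matches(term, pkt):
    """Evaluate one '&&'-separated term of the match subset used above."""
    if " == " not in term:                    # bare protocol test: ip, ip4, tcp, ...
        return term in pkt["protos"]
    field, value = term.split(" == ", 1)
    actual = pkt.get(field)
    if actual is None:
        return False
    if value.startswith("@"):                 # port-group reference
        return actual in PORT_GROUPS[value[1:]]
    if field.startswith("ip4."):              # address, CIDR, or {set} of either
        nets = [n.strip() for n in value.strip("{}").split(",")]
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(n) for n in nets)
    return str(actual) == value               # L4 port number

def verdict(direction, pkt):
    """Return (action, priority) of the highest-priority matching ACL."""
    hits = [(prio, action) for d, prio, action, match in ACLS
            if d == direction and all(term_matches(t, pkt) for t in match.split(" && "))]
    prio, action = max(hits, default=(None, "allow"))  # no match: OVN default is allow
    return (action, prio)

# Constructed packets modelled on the tcpdump in the post.
SYN = {"inport": "vm1", "protos": {"ip", "ip4", "tcp"},
       "ip4.src": "10.0.0.6", "ip4.dst": "169.254.169.254", "tcp.dst": 80}
SYN_ACK = {"outport": "vm1", "protos": {"ip", "ip4", "tcp"},
           "ip4.src": "169.254.169.254", "ip4.dst": "10.0.0.6", "tcp.dst": 34553}

if __name__ == "__main__":
    print("VM -> metadata SYN    :", verdict("from-lport", SYN))
    print("metadata -> VM SYN-ACK:", verdict("to-lport", SYN_ACK))
```

In this model the VM's SYN selects the priority-1002 allow-related rule over the priority-1001 drop, while the returning SYN-ACK matches only the to-lport drop. Under these ACLs the reply can therefore pass only through the connection state that allow-related creates.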