[ovs-discuss] Re: OVN LSP with a unknown in address will not build arp response lflows

2021-11-04 Thread 鲁 成
Thanks, it solved my confusion.


Shawn.Lu
Software engineer of EasyStack
Sent from Mail for Windows


From: Daniel Alvarez Sanchez
Sent: Thursday, November 4, 2021 9:43 PM
To: 鲁 成; b...@openvswitch.org
Subject: Re: [ovs-discuss] OVN LSP with a unknown in address will not build arp response lflows

adding the list back

On Fri, Oct 29, 2021 at 10:04 AM 鲁 成 <lucheng0...@outlook.com> wrote:
When it comes to me, I think an LSP with address "fa:16:3e:b3:c0:e5 192.168.111.42" and unknown:
unknown means the port can send traffic with any MAC address.
But for address "fa:16:3e:b3:c0:e5", maybe we should make an ARP reply for this address, don't you think?

This used to be the former behavior but we hit use cases where a VM could send 
traffic from a particular port with that IP address (192.168.111.42 in your 
example) but a different MAC.
An example of this use case is NIC teaming where an IP fails over to a 
different port but the MAC address is different.

The patch that changed this behavior is here:

https://patchwork.ozlabs.org/patch/1258152/

Hope it helps!
daniel


Thanks
Sent from Mail for Windows

From: Daniel Alvarez Sanchez
Sent: Friday, October 29, 2021 3:58 PM
To: 鲁 成
Cc: b...@openvswitch.org
Subject: Re: [ovs-discuss] OVN LSP with a unknown in address will not build arp response lflows

Hi,

On Fri, Oct 29, 2021 at 5:50 AM 鲁 成 <lucheng0...@outlook.com> wrote:
Environment info:
OVN 21.06
OVS 2.12.0
Reproduction:
1. Create a port with neutronclient, assign it to a node and close the port security group
2. Create an OVS port and add it to br-int, and set the interface iface-id the same as the neutron port uuid
After that Neutron will create an LSP in OVN NB, and append unknown to the LSP's address field
Check it in script [1]

Port info:
()[root@ovn-tool-0 /]# ovn-nbctl find Logical_Switch_Port name=6a8064f9-f2cc-407d-b8da-345c6a216cb3
_uuid               : 88fd1a84-8695-4cef-b916-45531edaf0db
addresses           : ["fa:16:3e:b3:c0:e5 192.168.111.42", unknown]
dhcpv4_options      : 1a8ca1af-519c-4aa2-b3a3-cc74955dee1f
dhcpv6_options      : []
dynamic_addresses   : []
enabled             : true
external_ids        : {"neutron:cidrs"="192.168.111.42/24", "neutron:device_id"="", "neutron:device_owner"="", "neutron:network_name"=neutron-6ac00688-422f-4a4f-99ae-b092b2d87f7b, "neutron:port_name"=lc-tap-2, "neutron:project_id"="498e2a96e4cc4edeb0c525a081dd6830", "neutron:revision_number"="4", "neutron:security_group_ids"=""}
ha_chassis_group    : []
name                : "6a8064f9-f2cc-407d-b8da-345c6a216cb3"
options             : {mcast_flood_reports="true", requested-chassis=node-1.domain.tld}
parent_name         : []
port_security       : []
tag                 : []
tag_request         : []
type                : ""
up                  : false

Results:
OVN will not build arp responder lflows for this LSP


I believe that this is the expected behavior as you disable port security, 
meaning that the traffic from that port can come from any MAC address (it's 
unknown to OVN). Hence, it is up to the VM/container/whatever to reply to ARP 
requests and OVN should not reply on its behalf.

Hope this helps.

Thanks!
daniel



Script:
[1]:
#!/usr/bin/bash

# Create port
# neutron port-create --name lucheng-tap --binding:host_id=node-3.domain.tld share_net

HOST=""
MAC=""

# Look up the binding host and MAC of the Neutron port; fills the globals used by create_ns
get_port_info() {
    source openrc
    port_id="$1"
    HOST=$(neutron port-show -F binding:host_id -f value "$port_id")
    MAC=$(neutron port-show -F mac_address -f value "$port_id")
    ip_info=$(neutron port-show -F fixed_ips -f value "$port_id")
    echo Port "$port_id" Mac: "$MAC" HOST: "$HOST"
    echo IP Info: "$ip_info"
}

# Add an internal OVS port to br-int bound to the Neutron port via iface-id,
# then move it into a fresh network namespace that plays the role of the VM
create_ns() {
    port_id="$1"
    iface_name="lc-tap-${port_id:0:8}"
    netns_name="lc-vm-${port_id:0:8}"
    ssh "$HOST" ovs-vsctl add-port br-int "$iface_name" \
      -- set Interface "$iface_name" type=internal \
      -- set Interface "$iface_name" external_ids:iface-id="$port_id" \
      -- set Interface "$iface_name" external_ids:attached-mac="$MAC" \
      -- set Interface "$iface_name" external_ids:iface-status=active

    ssh "$HOST" ip netns add "$netns_name"
    ssh "$HOST" ip l set dev "$iface_name" address "$MAC"
    ssh "$HOST" ip l set "$iface_name" netns "$netns_name"
    ssh "$HOST" ip netns exec "$netns_name" ip l set lo up
    ssh "$HOST" ip netns exec "$netns_name" ip l set "$iface_name" up
}

main() {
    get_port_info "$1"
    create_ns "$1"
}

main "$@"

# Run afterwards to turn off port security on the port:
neutron port-update --no-security-groups [port uuid]
neutron port-update --port_security_enabled=false [port uuid]

What I found:
When trying to build_lswitch_arp_nd_responder_known_ips in ovn-northd, it will skip an LSP which has the unknown flag.
static void
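As an added example (not code from the OVN project or from anyone in this thread), the following Python script applies the rule Daniel describes to the `addresses` column exactly as `ovn-nbctl find Logical_Switch_Port` prints it: it parses the OVSDB set syntax, separates the known `MAC IP...` entries from the `unknown` keyword, and reports the ports for which ovn-northd will not install ARP/ND responder flows (so the guest behind the port must answer ARP itself), plus ports whose `port_security` column is empty. The sample records are constructed: the first copies the port shown in the thread, the second is made up. The function and field names, and the reading that any `unknown` entry disables the known-IP responder for the whole port, are this example's own interpretation of the thread rather than OVN's API; check it against the ovn-northd version you run.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Keywords OVN accepts in Logical_Switch_Port.addresses next to "MAC [IP ...]" entries.
ADDRESS_KEYWORDS = {"unknown", "dynamic", "router"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


@dataclass
class LspAddresses:
    """Parsed view of one Logical_Switch_Port (hypothetical structure for this example)."""
    name: str
    known: List[Tuple[str, List[str]]] = field(default_factory=list)  # (mac, [ip, ...])
    keywords: set = field(default_factory=set)                       # e.g. {"unknown"}
    port_security: List[str] = field(default_factory=list)


def parse_set_column(column: str) -> List[str]:
    """Split an OVSDB set as ovn-nbctl prints it: [a, "b c"], [], or a bare value."""
    text = column.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    # Quoted elements may contain spaces; unquoted ones end at a comma or whitespace.
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|[^,\s]+', text)]


def parse_lsp(name: str, addresses: str, port_security: str = "[]") -> LspAddresses:
    """Build an LspAddresses from the raw addresses and port_security column strings."""
    lsp = LspAddresses(name=name, port_security=parse_set_column(port_security))
    for element in parse_set_column(addresses):
        if element in ADDRESS_KEYWORDS:
            lsp.keywords.add(element)
            continue
        parts = element.split()
        if not parts or not MAC_RE.match(parts[0]):
            raise ValueError(f"{name}: unparseable address element {element!r}")
        # "MAC dynamic" means the IP is allocated by OVN; it is not a literal IP.
        lsp.known.append((parts[0], [p for p in parts[1:] if p != "dynamic"]))
    return lsp


def arp_responder_expected(lsp: LspAddresses) -> bool:
    """Rule taken from the thread (assumption, not OVN's code): northd builds ARP/ND
    responder flows for the port's known IPs only when the port does not also
    carry 'unknown'."""
    if "unknown" in lsp.keywords:
        return False
    return any(ips for _, ips in lsp.known)


def audit(lsps: List[LspAddresses]) -> List[str]:
    """Return one finding per issue; an empty list means nothing to flag."""
    findings = []
    for lsp in lsps:
        if lsp.known and not arp_responder_expected(lsp):
            ips = ", ".join(ip for _, ips in lsp.known for ip in ips)
            findings.append(f"{lsp.name}: OVN will not answer ARP/ND for {ips}; "
                            f"the guest must answer itself (addresses carry 'unknown')")
        if not lsp.port_security:
            findings.append(f"{lsp.name}: port_security is empty, "
                            f"any source MAC/IP is accepted from this port")
    return findings


# Constructed sample input: the first record mirrors the port in the thread,
# the second is made up to show a port that OVN will answer ARP for.
SAMPLE = [
    parse_lsp("6a8064f9-f2cc-407d-b8da-345c6a216cb3",
              '["fa:16:3e:b3:c0:e5 192.168.111.42", unknown]', "[]"),
    parse_lsp("example-secured-port",
              '"fa:16:3e:aa:bb:cc 192.168.111.50"', '"fa:16:3e:aa:bb:cc 192.168.111.50"'),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Feed `parse_lsp` the `addresses` and `port_security` strings copied from your own `ovn-nbctl find Logical_Switch_Port` output to list the ports whose guests are expected to handle ARP on their own; a port that shows up only because of the empty `port_security` column is the "port security disabled" case Daniel refers to.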

Re: [ovs-discuss] OVN LSP with a unknown in address will not build arp response lflows

2021-11-04 Thread Daniel Alvarez Sanchez
adding the list back

On Fri, Oct 29, 2021 at 10:04 AM 鲁 成 wrote:

> When it comes to me, I think an LSP with address "fa:16:3e:b3:c0:e5
> 192.168.111.42" and unknown:
> unknown means the port can send traffic with any MAC address.
>
> But for address "fa:16:3e:b3:c0:e5", maybe we should make an ARP reply for
> this address, don't you think?
>

This used to be the former behavior but we hit use cases where a VM could
send traffic from a particular port with that IP address (192.168.111.42 in
your example) but a different MAC.
An example of this use case is NIC teaming where an IP fails over to a
different port but the MAC address is different.

The patch that changed this behavior is here:

https://patchwork.ozlabs.org/patch/1258152/

Hope it helps!
daniel


>
> Thanks
>
> Sent from Mail for Windows
>
> *From: *Daniel Alvarez Sanchez
> *Sent: *Friday, October 29, 2021 3:58 PM
> *To: *鲁 成
> *Cc: *b...@openvswitch.org
> *Subject: *Re: [ovs-discuss] OVN LSP with a unknown in address will not build
> arp response lflows
>
> Hi,
>
> On Fri, Oct 29, 2021 at 5:50 AM 鲁 成 wrote:
>
> *Environment info:*
> OVN 21.06
> OVS 2.12.0
>
> *Reproduction:*
> 1. Create a port with neutronclient, assign it to a node and close the port
> security group
> 2. Create an OVS port and add it to br-int, and set the interface iface-id the
> same as the neutron port uuid
> After that Neutron will create an LSP in OVN NB, and append unknown to the
> LSP's address field
> Check it in script [1]
>
> Port info:
> ()[root@ovn-tool-0 /]# ovn-nbctl find Logical_Switch_Port
> name=6a8064f9-f2cc-407d-b8da-345c6a216cb3
> _uuid               : 88fd1a84-8695-4cef-b916-45531edaf0db
> addresses           : ["fa:16:3e:b3:c0:e5 192.168.111.42", unknown]
> dhcpv4_options      : 1a8ca1af-519c-4aa2-b3a3-cc74955dee1f
> dhcpv6_options      : []
> dynamic_addresses   : []
> enabled             : true
> external_ids        : {"neutron:cidrs"="192.168.111.42/24",
> "neutron:device_id"="", "neutron:device_owner"="",
> "neutron:network_name"=neutron-6ac00688-422f-4a4f-99ae-b092b2d87f7b,
> "neutron:port_name"=lc-tap-2,
> "neutron:project_id"="498e2a96e4cc4edeb0c525a081dd6830",
> "neutron:revision_number"="4", "neutron:security_group_ids"=""}
> ha_chassis_group    : []
> name                : "6a8064f9-f2cc-407d-b8da-345c6a216cb3"
> options             : {mcast_flood_reports="true",
> requested-chassis=node-1.domain.tld}
> parent_name         : []
> port_security       : []
> tag                 : []
> tag_request         : []
> type                : ""
> up                  : false
>
> *Results:*
> OVN will not build arp responder lflows for this LSP
>
> I believe that this is the expected behavior as you disable port security,
> meaning that the traffic from that port can come from any MAC address (it's
> unknown to OVN). Hence, it is up to the VM/container/whatever to reply to
> ARP requests and OVN should not reply on its behalf.
>
> Hope this helps.
>
> Thanks!
> daniel
>
> *Script:*
> [1]:
> #!/usr/bin/bash
>
> # Create port
> # neutron port-create --name lucheng-tap
> --binding:host_id=node-3.domain.tld share_net
>
> HOST=""
> MAC=""
>
> get_port_info() {
>     source openrc
>     port_id="$1"
>     HOST=$(neutron port-show -F binding:host_id -f value "$port_id")
>     MAC=$(neutron port-show -F mac_address -f value "$port_id")
>     ip_info=$(neutron port-show -F fixed_ips -f value "$port_id")
>     echo Port "$port_id" Mac: "$MAC" HOST: "$HOST"
>     echo IP Info: "$ip_info"
> }
>
> create_ns() {
>     port_id="$1"
>     iface_name="lc-tap-${port_id:0:8}"
>     netns_name="lc-vm-${port_id:0:8}"
>     ssh "$HOST" ovs-vsctl add-port br-int "$iface_name" \
>       -- set Interface "$iface_name" type=internal \
>       -- set Interface "$iface_name" external_ids:iface-id="$port_id" \
>       -- set Interface "$iface_name" external_ids:attached-mac="$MAC" \
>       -- set Interface "$iface_name" external_ids:iface-status=active
>
>     ssh "$HOST" ip netns add "$netns_name"
>     ssh "$HOST" ip l set dev "$iface_name" address "$MAC"
>     ssh "$HOST" ip l set "$iface_name" netns "$netns_name"
>     ssh "$HOST" ip netns exec "$netns_name" ip l set lo up
>     ssh "$HOST" ip netns exec "$netns_name" ip l set "$iface_name" up
> }
>
> main() {
>     get_port_info "$1"
>     create_ns "$1"
> }
>
> main "$@"
>
> neutron port-update --no-security-groups [port uuid]
> neutron port-update --port_security_enabled=false [port uuid]
>
> *What I found:*
> When trying to build_lswitch_arp_nd_responder_known_ips in ovn-northd, it
> will skip an LSP which has the unknown flag.
>
> static void
> build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
>                                          struct hmap *lflows,
>                                          struct hmap *ports,
>

[ovs-discuss] OVN with SSL using self-signed CA Certificate | certificate verify failed

2021-11-04 Thread nabeel.tariq
Hi,



We have implemented SSL with OVN. When using SSL with a certificate from a global CA signing
registrar it works fine. When we use a self-signed certificate with a self-signed
CA certificate it shows the error mentioned below.

2021-11-02 01:22:12.960 3124740 ERROR neutron.service OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

Kindly guide us regarding the method to implement a self-signed certificate.

___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss