[mos 9.x][ovsfw] no vm connectivity with ovs firewall

Bug #1619983 reported by Inessa Vasilevskaya
Affects             Status   Importance  Assigned to          Milestone
Mirantis OpenStack  Invalid  High        Inessa Vasilevskaya
9.x                 Invalid  High        Inessa Vasilevskaya

Bug Description

https://bugs.launchpad.net/neutron/+bug/1609090 - same bug wrongly filed for upstream neutron.

Steps to reproduce:

* install ovs-2.5 (openvswitch-switch, openvswitch-common) from http://mirror.fuel-infra.org/feature-nfv-repos/ubuntu/9.0/

add-apt-repository 'deb http://mirror.fuel-infra.org/feature-nfv-repos/ubuntu/9.0/ mos9.0 main'
wget -qO - http://mirror.fuel-infra.org/feature-nfv-repos/ubuntu/9.0/archive-feature-nfv9.0.key | apt-key add -
stop openvswitch-switch
apt-get update && apt-get install --upgrade-only openvswitch-switch openvswitch-common

Verify that all is OK: restart neutron-l3-agent and neutron-openvswitch-agent, check connectivity to a vm.

* /etc/neutron/plugins/ml2/openvswitch_agent.ini
[securitygroup]
firewall_driver = openvswitch

* restart neutron-openvswitch-agent on all nodes

OSTF connectivity test (as well as any other test that boots a vm, assigns a floating and pings it) will fail.

UPDATE: as per https://github.com/openvswitch/ovs/blob/branch-2.5/FAQ.md#q-are-all-features-available-with-all-datapaths, conntrack support is natively available in the 4.3 kernel.

Inessa Vasilevskaya (ivasilevskaya) wrote:

Weird things observed so far (unfortunately I don't have any other environment save mos9.x, so I take devstack as the reference one):

* zero mac-addresses in ovs-ofctl show br-int output:
(devstack, OK) http://paste.openstack.org/show/566417/
(mos9) http://paste.openstack.org/show/566418/

* ovs-appctl ofproto/trace and dump-flows differ substantially

(devstack, OK) http://paste.openstack.org/show/566433/
(mos9) http://paste.openstack.org/show/566436/

devstack flows br-int: http://paste.openstack.org/show/566435/
mos 9 flows br-int: http://paste.openstack.org/show/566434/

Those two are undoubtedly connected; let's figure out why it's broken.

Inessa Vasilevskaya (ivasilevskaya) wrote:

neutron-sanity-check --ovs_conntrack
Guru mediation now registers SIGUSR1 and SIGUSR2 by default for backward compatibility. SIGUSR1 will no longer be registered in a future release, so please use SIGUSR2 to generate reports.
2016-09-05 14:51:28.374 18977 INFO neutron.common.config [-] Logging enabled!
2016-09-05 14:51:28.375 18977 INFO neutron.common.config [-] /usr/bin/neutron-sanity-check version 8.1.2
2016-09-05 14:51:29.052 18977 ERROR neutron.agent.linux.utils [-] Exit code: 1; Stdin: ; Stdout: ; Stderr: OFPT_ERROR (xid=0x4): OFPBMC_BAD_MASK
NXT_FLOW_MOD (xid=0x4): ADD priority=1,ct_state=+trk actions=drop

2016-09-05 14:51:29.147 18977 ERROR neutron.cmd.sanity_check [-] Check for Open vSwitch support of conntrack support failed. OVS/CT firewall will not work. A newer version of OVS (2.5+) and linux kernel (4.3+) are required. See https://github.com/openvswitch/ovs/blob/master/FAQ.mdfor more information.

Need to compile the OVS kernel module to utilize ovsfw.
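Both the reproduction steps in the description (switching firewall_driver to openvswitch) and the sanity-check failure above come down to one question: does the OVS datapath on the node accept a match on ct_state? The script below is an added example, not code from this bug report, from Neutron or from Open vSwitch. It reproduces the probe that neutron-sanity-check --ovs_conntrack performs (add a ct_state=+trk flow to a throw-away bridge) and turns the outcome into operator guidance. The OFPBMC_BAD_MASK string and the 4.3 kernel threshold come from this page; the bridge naming, the injectable `run` parameter and the function names are assumptions of the example.

```python
"""Pre-flight check for Neutron's OVS conntrack firewall driver (ovsfw).

Added example, not code from this bug report, Neutron or Open vSwitch.  It
reproduces the probe behind `neutron-sanity-check --ovs_conntrack`: add a
flow matching on ct_state to a throw-away bridge and see whether the
datapath rejects it with OFPBMC_BAD_MASK, as in the report.
"""
import os
import re
import shutil
import subprocess
import uuid

# OVS FAQ (linked in the bug): conntrack is in the in-tree openvswitch
# module from kernel 4.3; older kernels need the out-of-tree OVS 2.5+ module.
MIN_NATIVE_CT_KERNEL = (4, 3)

# stderr copied from the sanity-check run in the bug report, used for the
# offline demonstration below.
SAMPLE_BAD_MASK_STDERR = (
    "OFPT_ERROR (xid=0x4): OFPBMC_BAD_MASK\n"
    "NXT_FLOW_MOD (xid=0x4): ADD priority=1,ct_state=+trk actions=drop\n"
)


def kernel_supports_native_ct(release):
    """True if a `uname -r` string such as '4.4.0-31-generic' is >= 4.3."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % (release,))
    return (int(m.group(1)), int(m.group(2))) >= MIN_NATIVE_CT_KERNEL


def classify_probe(returncode, stderr):
    """Interpret `ovs-ofctl add-flow BR priority=1,ct_state=+trk,actions=drop`.

    'supported'   - flow accepted, the datapath can match on ct_state
    'unsupported' - OFPBMC_BAD_MASK: ovs-vswitchd knows ct_state but the
                    kernel datapath cannot match it (this bug's situation)
    'error'       - anything else (bridge missing, OVS too old, ...)
    """
    if returncode == 0:
        return "supported"
    if "OFPBMC_BAD_MASK" in stderr:
        return "unsupported"
    return "error"


def probe_ovs_conntrack(run=subprocess.run):
    """Run the real probe.  Needs root and a running ovs-vswitchd.

    `run` is injectable (an assumption of this example) so the logic can be
    exercised without OVS; it must return an object with .returncode/.stderr.
    """
    bridge = "brct-" + uuid.uuid4().hex[:8]  # temporary, deleted in finally
    run(["ovs-vsctl", "--may-exist", "add-br", bridge], check=True)
    try:
        res = run(["ovs-ofctl", "add-flow", bridge,
                   "priority=1,ct_state=+trk,actions=drop"],
                  stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                  universal_newlines=True)
        return classify_probe(res.returncode, res.stderr)
    finally:
        run(["ovs-vsctl", "--if-exists", "del-br", bridge], check=False)


def report(release, probe_result):
    """Turn the probe result into operator guidance."""
    if probe_result == "supported":
        return ("OK: datapath accepts ct_state matches; "
                "firewall_driver = openvswitch is usable on kernel %s" % release)
    if probe_result == "unsupported":
        if kernel_supports_native_ct(release):
            return ("datapath rejects ct_state although kernel %s is >= 4.3: "
                    "check which openvswitch module is loaded (modinfo openvswitch)"
                    % release)
        return ("datapath rejects ct_state on kernel %s (< 4.3): build the OVS "
                "2.5+ kernel module or keep firewall_driver = iptables_hybrid"
                % release)
    return "probe failed for another reason; check ovs-vswitchd.log"


if __name__ == "__main__":
    release = os.uname().release
    if shutil.which("ovs-vsctl") and os.geteuid() == 0:
        result = probe_ovs_conntrack()
    else:
        # No OVS here: demonstrate with the stderr captured in the bug.
        result = classify_probe(1, SAMPLE_BAD_MASK_STDERR)
    print(report(release, result))
```

Run it as root on every compute node before changing firewall_driver in openvswitch_agent.ini and restarting neutron-openvswitch-agent; an "unsupported" result means the ovsfw flows would be installed on a datapath that cannot evaluate them, which is exactly the no-connectivity state described in this report.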
