neutron

Bug #1734320
Comment #43

Comment 43 for bug 1734320

Revision history for this message

sean mooney (sean-k-mooney) wrote on 2018-02-01:

#43

reading through the recommendations i am not sure that using a drop rule and null vlan(4095) is the correct approch.

refering to http://openvswitch.org/support/dist-docs/ovs-ofctl.8.txt
using
ovs-ofctl mod-port down|up
would appear to be more correct as it disables the tx and rx quese in the interface.

a drop rule would only prevent the vm from transmitting packet it would not prevent the vm from reciving traffic as openflow does not allow you to match on output port.

my only concern with ovs-ofctl mod-port down is that odl/ovn and any other ml2 driver that uses vif_ovs would also need this change to ovs-ofctl mod-port up when they are finished.
granted they would likely also need to be modifed to fix the 4095 vlan and remove the drop rule too.

so to resolve Issue #1 Initially creating a trunk port
i would suggest that when we create teh port we initially set it down and have the ovs agent set up as part of wiring up the port.

Issue #2 Order of creation should be resolved by the multiple port binding spec i believe.

Issue #3 Not closing the port when it is down.

I think this can be resolved by updating neutron to use ovs-ofctl mod-port down|up to actually disable the port in ovs instead of using the null vlan.

Issue #4 Putting the port administratively down actually puts the port on a compute node shared vlan
issue 4 will be resulve by moving to ovs-ofctl mod-port down|up
however if you are currently able to transmit/recive packet in a vm that is attached to vlan 4095 i think you have a ovs bug. vlan 4095 is reserved as the null/dead vlan and ovs is drop all packet to/from interfaes with a tag of 4095.

my main concern though is that solving this isuue in os-vif in this way will not solve it for all usecase. when the neutron vif_type is ovs but hybrid_plug is set to false os-vif is not used to plug the port. this configuration is used when kernel ovs is installed on the has and neutron is configured to use either the noop security group driver or the openvsiwtch conntrack driver is used.

when vif_type=ovs and hybird_plug=false then libvirt is used to plug the vif into ovs directly.
libvirt does not set the state of the port or the mtu(that's a different bug) i we want to cover all edgecase we need to finally convert this codepath to use os-vif to handel the vif plugging when vif_type=ovs and hybird_plug=false.

reading through the recommendations i am not sure that using a drop rule and null vlan(4095) is the correct approch.

refering to http://openvswitch.org/support/dist-docs/ovs-ofctl.8.txt
using 
ovs-ofctl mod-port down|up
would appear to be more correct as it disables the tx and rx quese in the interface.

a drop rule would only prevent the vm from transmitting packet it would not prevent the vm from reciving traffic as openflow does not allow you to match on output port.

so to resolve Issue #1 Initially creating a trunk port
i would suggest that when we create teh port we initially set it down and have the ovs agent set up as part of wiring up the port.

Issue #2 Order of creation should be resolved by the multiple port binding spec i believe.

Issue #3 Not closing the port when it is down.

I think this can be resolved by updating neutron to use ovs-ofctl mod-port down|up to actually disable the port in ovs instead of using the null vlan.

Issue #4 Putting the port administratively down actually puts the port on a compute node shared vlan
issue 4 will be resulve by moving to ovs-ofctl mod-port down|up 
however if you are currently able to transmit/recive packet in a vm that is attached to vlan 4095 i think you have a ovs bug. vlan 4095 is reserved as the null/dead vlan and ovs is drop all packet to/from interfaes with a tag of 4095.

my main concern though is that solving this isuue in os-vif in this way will not solve it for all usecase. when the neutron vif_type is ovs but hybrid_plug is set to false os-vif is not used to plug the port. this configuration is used when kernel ovs is installed  on the has and neutron is configured to use either the noop security group driver or the openvsiwtch conntrack driver is used.