Steps to reproduce
* Use a Python client to connect to the Southbound Database.
* Once it is connected, add an iptables rule that rejects that traffic with a TCP reset.
* Restart the application after installing the rule above; it fails with the following call stack:
File "/usr/lib/python3/dist-packages/ovs/db/idl.py", line 398, in run
self._session.run()
File "/usr/lib/python3/dist-packages/ovs/jsonrpc.py", line 532, in run
self.__connect()
File "/usr/lib/python3/dist-packages/ovs/jsonrpc.py", line 467, in __connect
error, self.stream = ovs.stream.Stream.open(name)
File "/usr/lib/python3/dist-packages/ovs/stream.py", line 196, in open
err = cls.check_connection_completion(sock)
File "/usr/lib/python3/dist-packages/ovs/stream.py", line 777, in check_connection_completion
return Stream.check_connection_completion(sock)
File "/usr/lib/python3/dist-packages/ovs/stream.py", line 137, in check_connection_completion
return ovs.socket_util.check_connection_completion(sock)
File "/usr/lib/python3/dist-packages/ovs/socket_util.py", line 181, in check_connection_completion
sock.send("\0".encode(), socket.MSG_DONTWAIT)
File "/usr/lib/python3/dist-packages/eventlet/green/ssl.py", line 193, in send
return self._call_trampolining(
File "/usr/lib/python3/dist-packages/eventlet/green/ssl.py", line 157, in _call_trampolining
return func(*a, **kw)
File "/usr/lib/python3.8/ssl.py", line 1170, in send
raise ValueError(
ValueError: non-zero flags not allowed in calls to send() on <class 'eventlet.green.ssl.GreenSSLSocket'>
Example using OpenStack + neutron-ovn-metadata-agent (ovsdbapp):
* On a compute node where neutron-ovn-metadata-agent is connected to the SB DB, list the connections on port 6642:
$ sudo netstat -tuapn | grep 6642
tcp 0 0 10.230.57.99:38834 10.230.62.255:6642 ESTABLISHED 2209992/ovn-control
tcp 0 0 10.230.57.99:59670 10.230.58.204:6642 ESTABLISHED 3687447/neutron-ovn
tcp 0 0 10.230.57.99:45296 10.230.58.185:6642 ESTABLISHED 3687446/neutron-ovn
tcp 0 0 10.230.57.99:59668 10.230.58.204:6642 ESTABLISHED 3687426/neutron-ovn
* Add an iptables rule that rejects that traffic with a TCP reset:
$ sudo iptables -A OUTPUT -p tcp --destination-port 6642 -j REJECT --reject-with tcp-reset
* Restart the neutron-ovn-metadata-agent:
$ sudo systemctl restart neutron-ovn-metadata-agent.service
* Check the log at /var/log/neutron/neutron-ovn-metadata-agent.log for the traceback above.
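The bottom frame of the traceback is the standard library's ssl.SSLSocket.send(), which refuses any non-zero flags, while ovs.socket_util.check_connection_completion() probes the connection with sock.send(b"\0", socket.MSG_DONTWAIT). The following script is an added example, not code from the bug report, from python-ovs or from eventlet: it reproduces the ValueError offline on a loopback socket wrapped in a stdlib SSLSocket (the same ssl.py frame, without eventlet or OVN), emits a TCP RST from the peer the way the iptables rule does, and contrasts the flagged send with a probe based on getsockopt(SO_ERROR). The SO_ERROR probe is an alternative chosen for this example, not the upstream fix; the fixture, the function names and the result keys are assumptions of this example.

```python
import errno
import select
import socket
import ssl
import struct


def make_tls_client_pair():
    """Constructed fixture (not from the report): a loopback TCP connection
    whose client end is wrapped in ssl.SSLSocket with the handshake deferred.
    Wrapping an already connected socket creates the SSL object, so send()
    takes the same path as ssl.py line 1170 in the reported traceback.
    Returns (tls_client, server_peer)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    peer, _ = listener.accept()
    listener.close()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # no certificate is involved; the handshake never runs
    ctx.verify_mode = ssl.CERT_NONE
    tls_client = ctx.wrap_socket(client, do_handshake_on_connect=False)
    return tls_client, peer


def probe_flagged_send(sock):
    """The probe pattern used by ovs.socket_util.check_connection_completion:
    send one byte with MSG_DONTWAIT and turn the failure into an errno.
    Returns 0 on success, the errno on a socket error, or the string
    'ValueError' when the SSL layer rejects the flags (the reported failure)."""
    try:
        sock.send(b"\0", socket.MSG_DONTWAIT)
        return 0
    except ValueError:
        return "ValueError"
    except OSError as e:
        return e.errno


def probe_so_error(sock):
    """Alternative probe (an assumption of this example, not the upstream fix):
    read the pending socket error with SO_ERROR. No flags are involved, so a
    plain socket and an SSLSocket behave the same, and after the peer sent a
    TCP RST the kernel reports ECONNRESET."""
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)


def reset_from_peer(peer, client, timeout=2.0):
    """Close the server side with SO_LINGER=0 so the kernel emits a TCP RST,
    the same effect the iptables --reject-with tcp-reset rule has on the
    agent's connection, then wait until the client socket reports it."""
    peer.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    peer.close()
    readable, _, _ = select.select([client], [], [], timeout)
    return bool(readable)


def demo():
    """Run both probes on a healthy connection, then after the RST.
    Returns a dict of results so the outcome can be checked, not just printed."""
    tls_client, peer = make_tls_client_pair()
    results = {
        "healthy_so_error": probe_so_error(tls_client),       # 0: nothing pending
        "flagged_send_on_ssl": probe_flagged_send(tls_client), # 'ValueError': the bug
    }
    reset_from_peer(peer, tls_client)
    results["reset_so_error"] = probe_so_error(tls_client)   # errno.ECONNRESET
    tls_client.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script shows the two halves of the report side by side: the flagged send never reaches the network because the SSL layer raises before any I/O, so the connection check cannot even report the reset, whereas SO_ERROR returns 0 while the session is healthy and ECONNRESET once the peer's RST has arrived.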