https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/NETVIRT-488 netvirt <p>My setup is 2 compute nodes, and 1 control node. The compute nodes both have dpdk ports, with a patch port from br-int to br-phy, using vxlan as the tenant network type. The control node has no dpdk port, and is using a regular ethernet interface to egress vxlan traffic.</p> <p>The issue is when an instance is created, the flows that should be in table 40 on the controller to allow dhcp are missing. The flows however are installed on the compute node, and vxlan tunnel is created. The instance comes up fine with a vhostuser port and tries to dhcp.</p> <p>I do not see any errors in the log indicating failure to install flows, so I'm not sure if nevirt ever tried to even install them.</p> <p>This is with OVS 2.6 and dpdk 16.11.</p> <p>Will attach karaf log and ovs outputs.</p> <p>Operating System: All<br/> Platform: All</p> NETVIRT-488

Openflow DHCP rules not installed with OVS DPDK on controller node

Bug Resolved Cannot Reproduce Unassigned Tim Rozet Tue, 21 Feb 2017 14:55:46 +0000 Tue, 29 May 2018 14:58:55 +0000 Fri, 24 Mar 2017 19:00:26 +0000 Boron General 0 2 <p>Attachment logs_output_repro_steps.zip has been added with description: Contains ovs outputs, karaf log, and steps to reproduce</p> <p>It looks like the problem is the tap port from the DHCP NS is down:</p> <p><span class="error">&#91;root@overcloud-controller-0 hieradata&#93;</span># ovs-ofctl -O openflow13 show br-int<br/> OFPT_FEATURES_REPLY (OF1.3) (xid=0x2): dpid:0000dc5cf7654e1b<br/> n_tables:254, n_buffers:256<br/> capabilities: FLOW_STATS TABLE_STATS PORT_STATS GROUP_STATS QUEUE_STATS<br/> OFPST_PORT_DESC reply (OF1.3) (xid=0x3):<br/> 1(br-ex-patch): addr:1e:23:b7:d3:55:c6<br/> config: 0<br/> state: 0<br/> speed: 0 Mbps now, 0 Mbps max<br/> 2(tapc61135c5-ba): addr:00:00:00:00:70:bb<br/> config: PORT_DOWN<br/> state: LINK_DOWN<br/> speed: 0 Mbps now, 0 Mbps max<br/> 3(tund547d93ae28): addr:8a:80:0d:a0:46:98<br/> config: 0<br/> state: 0<br/> speed: 0 Mbps now, 0 Mbps max<br/> LOCAL(br-int): addr:dc:5c:f7:65:4e:1b<br/> config: PORT_DOWN<br/> state: LINK_DOWN<br/> speed: 0 Mbps now, 0 Mbps max<br/> OFPT_GET_CONFIG_REPLY (OF1.3) (xid=0x5): frags=normal miss_send_len=0</p> <p>2017-02-21T09:23:16.607Z|00035|bridge|INFO|bridge br-int: added interface tapc61135c5-ba on port 2<br/> 2017-02-21T09:23:16.765Z|00036|netdev_linux|INFO|ioctl(SIOCGIFHWADDR) on tapc61135c5-ba device failed: No such device<br/> 2017-02-21T09:23:16.773Z|00037|netdev_linux|WARN|ioctl(SIOCGIFINDEX) on tapc61135c5-ba device failed: No such device<br/> 2017-02-21T09:23:16.774Z|00038|netdev_linux|WARN|tapc61135c5-ba: removing policing failed: No such device</p> <p>I'm not sure why it is trying to add it as a netdev device.</p> <p>Looking at the DHCP agent Neutron code and OVS driver there, it does not add any config to put the bridge into netdev mode. It simply uses vsctl and adds a port to the bridge, which is by default being added as netdev. Therefore my theory is that ODL is putting the bridge into netdev mode, which it shouldn't when DPDK is not enabled on that openvswitch instance. Can an ODL dev confirm that ODL puts the switches into netdev mode?</p> <p>Table 40 is the INGRESS_ACL_TABLE</p> <p>I'm not certain it's related to the dhcp port being down as you indicate below. For e.g., it's always down in my dev environments and it works just fine:<br/> 2(tap2278122f-1e): addr:7f:74:00:00:00:00<br/> config: PORT_DOWN<br/> state: LINK_DOWN<br/> speed: 0 Mbps now, 0 Mbps max</p> <p>I did notice that aside from the patch to br-ex br-int also has the auto-configured tun interfaces. There was a problem with this recently where it interfered with DHCP. Can you try this with a version that has the following two patches merged? </p> <p><a href="https://code.engineering.redhat.com/gerrit/#/c/97855/" class="external-link" target="_blank" rel="nofollow noopener">https://code.engineering.redhat.com/gerrit/#/c/97855/</a><br/> <a href="https://code.engineering.redhat.com/gerrit/#/c/97729" class="external-link" target="_blank" rel="nofollow noopener">https://code.engineering.redhat.com/gerrit/#/c/97729</a></p> <p>Also, it does not look like the bridge is in netdev:</p> <p><span class="error">&#91;heat-admin@overcloud-controller-0 ~&#93;</span>$ sudo ovs-vsctl get Bridge d7199e75-edcb-484a-ab77-4695e233100b name <br/> br-int<br/> <span class="error">&#91;heat-admin@overcloud-controller-0 ~&#93;</span>$ sudo ovs-vsctl get Bridge d7199e75-edcb-484a-ab77-4695e233100b datapath_type <br/> ""</p> <p>Which is weird. Plus:<br/> <span class="error">&#91;heat-admin@overcloud-controller-0 ~&#93;</span>$ sudo ovs-appctl dpctl/dump-dps<br/> system@ovs-system</p> <p>Whereas on the compute you'd get:<br/> <span class="error">&#91;heat-admin@overcloud-novacompute-1 ~&#93;</span>$ sudo ovs-appctl dpctl/dump-dps<br/> netdev@ovs-netdev<br/> system@ovs-system</p> <p>So it really looks like netdev is not active on the controller</p> <p>OK I saw netdev logging msgs and assumed it was in netdev, but you're right it is not. So I manually tried to create a tap port and attach to the namespace and it attaches but link state will not come up in OVS. I think the issue is the 2.6 OVS I have is using the wrong kmod, let me figure that out and then will report back here.</p> <p>Nevermind, it looks like even on other setups that work the port state is always down in OVS:</p> <p>13(tap738a631a-f4): addr:00:00:00:00:f0:02<br/> config: PORT_DOWN<br/> state: LINK_DOWN<br/> speed: 0 Mbps now, 0 Mbps max</p> <p>and DHCP works in that setup. Must be something broken with the flows.</p> <p>It looks like neutron port on controller node is created with port_security_enabled=false.</p> <p>To debug further, please provide below details:</p> <p>From openstack:</p> <p>a. Neutron ports detail<br/> b. neutron security-group-list<br/> c. neutron security-rule-list<br/> d. neutron security-group-show default</p> <p>From ODL(Rest call outputs):</p> <p>a. http://&lt;controller_ip&gt;:8181/restconf/config/neutron:neutron/security-groups/<br/> b. http://&lt;controller_ip&gt;:8181/restconf/config/neutron:neutron/security-rules/<br/> c. http://&lt;controller_ip&gt;:8181/restconf/config/neutron:neutron/ports/<br/> d. http://<tt>controllerHost</tt>:8181/restconf/config/ietf-interfaces:interfaces/<br/> e. http://<tt>controllerHost</tt>:8181/restconf/operational/ietf-interfaces:interfaces-state/</p> <p>(In reply to Shashidhar R from comment #9)<br/> Attached the requested info as port_security_info.txt.</p> <p>From what I can see the port security in neutron is set to false for a dhcp port, but is set to true for the nova instance. This looks normal when comparing it to another setup.</p> <p>However, in Neutron northbound the port security is set to true for some reason:<br/> neutron-binding:vif-type":"ovs","device-id":"dhcp827da361-9c56-50f7-913f-5a01f7bfed2c-b6a4a0c3-2ec0-45da-954b-05ae44d6c782","tenant-id":"91a9b66d-c9cf-46a4-ae15-34abff12e786","mac-address":"fa:16:3e:60:b7:e9","neutron-portsecurity:port-security-enabled":true}</p> <p>Also, I see in the oper:<br/> "tapc61135c5-ba","odl-interface:l2vlan-mode":"trunk","type":"iana-if-type:l2vlan","enabled":true}]</p> <p>Is it supposed to be a type l2vlan in trunk mode?</p> <p>Note, this setup has been up for some time now, and I think I restarted ODL a few times. It should resync with neutron, but just a caveat the setup may not be 100% in the same original state anymore.</p> <p>Attachment port_security_info.txt has been added with description: Requested outputs for security groups</p> <p>Neutron north bound issue related to port_security_enabled=false issue is resolved by <a href="https://git.opendaylight.org/gerrit/#/c/52267/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/52267/</a>.</p> <p>Also, I observed that of port connected to VM is down in control node. Is this being done intentionally to verify some usecase? If not, can you verify this again by making this port UP? </p> <p>Along with above fix, few other fixes are in netvirt and genius projects. Please verify this usecase again with latest build.</p> <p>(In reply to Shashidhar R from comment #12)<br/> &gt; Neutron north bound issue related to port_security_enabled=false issue is<br/> &gt; resolved by <a href="https://git.opendaylight.org/gerrit/#/c/52267/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/52267/</a>.<br/> &gt; <br/> &gt; Also, I observed that of port connected to VM is down in control node. Is<br/> &gt; this being done intentionally to verify some usecase? If not, can you verify<br/> &gt; this again by making this port UP? <br/> &gt; <br/> &gt; Along with above fix, few other fixes are in netvirt and genius projects.<br/> &gt; Please verify this usecase again with latest build.</p> <p>Which port are you referring to? There is no VM on the control node, only namespaces. I will retry with newer build.</p> <p>I was referring to below o/p from "ovs-ofctl -O openflow13 show br-int" command on CONTROL NODE</p> <p>2(tapc61135c5-ba): addr:00:00:00:00:70:bb<br/> config: PORT_DOWN<br/> state: LINK_DOWN</p> <p>But, this should not have any problems configuring flows in table 40 as it's been discussed here.</p> <p>Is this issue still been observed in the latest build?</p> <p>This was not a bug and was a problem with iptables blocking the dhcp request to the controller. After fixing that everything works fine.</p> Development External issue ID 7835 External issue URL Rank 0|i01s3z: