2

How to configure a flat network with OpenVswitch on Openstack mitaka [closed]

asked 2016-07-08 09:18:02 -0500

jbabel

updated 2016-07-25 07:52:45 -0500

Hi everybody,

I am trying to manually set up OpenStack Mitaka on CentOS 7.2.

The test platform is composed of two nodes:

  1. One Controller (Keystone, Glance, Nova api, Neutron)
  2. One Compute (Nova-compute)

I followed the official guide http://docs.openstack.org/mitaka/install-guide-rdo/ in order to install OpenStack, and everything works fine until the Neutron configuration.

I would like to use Networking Option 1 (Provider Networks) with Open vSwitch. However, I don't need VLANs or a router; the instances must get an IP (static or DHCP) on the LAN. I tried many configurations following this http://docs.openstack.org/mitaka/networking-guide/scenario-provider-ovs.html , but I can't make it work properly.

I wanted to have some advice on this setup. Is it possible? And how to make it work?

Here are my configuration files:

Tell me if you need more configuration files or command output.

Controller

/etc/neutron/plugins/ml2/ml2_conf.ini

[DEFAULT]
[ml2]
type_drivers = flat
tenant_network_types =
mechanism_drivers = openvswitch
extension_drivers = port_security
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

/etc/neutron/plugins/ml2/openvswitch_agent.ini

[DEFAULT]
[agent]
[ovs]
bridge_mappings = provider:br-enp0s8
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

ovs-vsctl show

Bridge "br-enp0s8"
        Port "enp0s8"
            Interface "enp0s8"
        Port "br-enp0s8"
            Interface "br-enp0s8"
                type: internal
        Port "phy-br-enp0s8"
            Interface "phy-br-enp0s8"
                type: patch
                options: {peer="int-br-enp0s8"}
    Bridge br-int
        fail_mode: secure
        Port "int-br-enp0s8"
            Interface "int-br-enp0s8"
                type: patch
                options: {peer="phy-br-enp0s8"}
        Port "tapd2c4eaad-31"
            tag: 1
            Interface "tapd2c4eaad-31"
                type: internal
        Port br-int
            Interface br-int
                type: internal

Compute

/etc/neutron/plugins/ml2/openvswitch_agent.ini

[DEFAULT]
[agent]
[ovs]
bridge_mappings = provider:br-enp0s8
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

ovs-vsctl show

Bridge br-int
        fail_mode: secure
        Port "qvo22d7cc0b-a0"
            tag: 1
            Interface "qvo22d7cc0b-a0"
        Port br-int
            Interface br-int
                type: internal
        Port "qvo8115b057-cd"
            tag: 1
            Interface "qvo8115b057-cd"
        Port "int-br-enp0s8"
            Interface "int-br-enp0s8"
                type: patch
                options: {peer="phy-br-enp0s8"}
    Bridge "br-enp0s8"
        Port "enp0s8"
            Interface "enp0s8"
        Port "br-enp0s8"
            Interface "br-enp0s8"
                type: internal
        Port "phy-br-enp0s8"
            Interface "phy-br-enp0s8"
                type: patch
                options: {peer="int-br-enp0s8"}

Update 1: The real problem in my setup is that Neutron seems to work (instances correctly get an IP) but I can't join them from the LAN. If I try to ping, there is no result. However, broadcast flow works, because instances are able to update their MAC table according to equipment on the LAN (gateway, computer). By the way, security groups are configured to let ICMP and SSH pass.

Update 2 : I did the captures that you asked for

On compute host

tcpdump -ne -i enp0s8 ether host 0c:8b:fd:0a:f3:e8 (MAC address of the computer where the ping comes from)

10:35:36.252660 0c:8b:fd:0a:f3:e8 > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.112 tell 192.168.0.34, length 46
10:35:36.255043 fa:16:3e:38:a3:a6 > 0c:8b:fd:0a:f3:e8, ethertype ARP (0x0806), length 42: Reply 192.168.0.112 is-at fa:16:3e:38:a3:a6, length 28
10:36:06.248391 0c:8b:fd:0a:f3:e8 > Broadcast, ethertype ARP (0x0806), length ...

Closed for the following reason: the question is answered, right answer was accepted by jbabel
close date 2016-09-19 04:50:41.710794
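
The flat provider setup in the question depends on three things agreeing: flat_networks in ml2_conf.ini, bridge_mappings in openvswitch_agent.ini, and the bridges Open vSwitch actually has. The following check is an added example, not part of the original post or of Neutron; the function names and sample strings are constructed, and the firewall_driver rule is an assumption noted in the code.

```python
import configparser
import re

# Constructed inputs modelled on the files and `ovs-vsctl show` output in the question.
ML2 = """[ml2]
type_drivers = flat
tenant_network_types =
mechanism_drivers = openvswitch
[ml2_type_flat]
flat_networks = provider
"""
AGENT = """[ovs]
bridge_mappings = provider:br-enp0s8
[securitygroup]
firewall_driver = iptables_hybrid
"""
OVS_SHOW = 'Bridge "br-enp0s8"\n    Port "enp0s8"\nBridge br-int\n    Port br-int\n'

def _items(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)  # raises on a header typed as "DEFAULT]"
    return parser

def check_flat(ml2_text, agent_text, ovs_show):
    """Return findings; an empty list means the flat provider settings agree."""
    try:
        ml2, agent = _parse(ml2_text), _parse(agent_text)
    except configparser.Error as exc:
        return ["unparseable file: " + type(exc).__name__]
    findings = []
    if "flat" not in _items(ml2.get("ml2", "type_drivers", fallback="")):
        findings.append("flat not in type_drivers")
    pairs = _items(agent.get("ovs", "bridge_mappings", fallback=""))
    maps = dict(p.split(":", 1) for p in pairs if ":" in p)
    bridges = set(re.findall(r'Bridge\s+"?([^"\s]+)', ovs_show))
    for net in _items(ml2.get("ml2_type_flat", "flat_networks", fallback="")):
        if net == "*":  # wildcard: any physical network name is accepted
            continue
        if net not in maps:
            findings.append(f"{net}: no bridge_mappings entry")
        elif maps[net] not in bridges:
            findings.append(f"{net}: bridge {maps[net]} missing from OVS")
    driver = agent.get("securitygroup", "firewall_driver", fallback="")
    # Assumption: an unset or noop driver means security groups are not enforced.
    if driver in ("", "noop") or driver.endswith("NoopFirewallDriver"):
        findings.append("firewall_driver unset or noop")
    return findings
```

Run it on each node with that node's agent file and its own `ovs-vsctl show` output, since the bridge mapping must resolve on the controller and on the compute node.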

Comments

Can you add network_vlan_ranges = provider in ml2_type_vlan section?

kaustubh (2016-07-09 15:59:29 -0500)

Hi, I already tested some configurations with this section filled but no result. Nevertheless I tried again and still no result. Furthermore, if I do not add vlan to type_drivers, should I still complete this section? I edited the post to explain more the network problem.

jbabel (2016-07-10 10:35:14 -0500)

3 answers

2

answered 2016-07-20 11:41:18 -0500

Mohit

Set the following on

 /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0

/etc/neutron/plugins/ml2/ml2_conf.ini
tenant_network_types = local,flat

Reboot the server and set the following on cli

ifconfig enp0s8 0
ifconfig br-int up
ifconfig  br-enp0s8 {your-ip-address} netmask {your-netmask} up
route add default gw {your-network-default-gateway} dev br-enp0s8 metric 100

Restart the neutron services and paste the output of neutron agent-list


Comments

Thanks for the answer Mohit. Sorry for the delay but the post was considered spam... I tried the above configuration but it didn't work. Though the agents on both nodes are up and fine. I'll retry today just in case I missed something.

jbabel (2016-07-25 04:54:05 -0500)

I tested again without success, I also added the neutron agent-list to the post but it is normal.

jbabel (2016-07-25 07:55:37 -0500)
1

answered 2016-07-11 17:35:11 -0500

kaustubh

Let's try to trace the packets. While pinging the instance, can you capture the packets at the following places:

  1. Your compute node's enp0s8 interface.
  2. The qvb-xxx interface. On your compute node, do brctl show to list the bridge that will contain qvb-xxx corresponding to qvo-xxx seen in br-int.
  3. Inside your VM.

We should be able to see where the packets are lost.

As an aside, shouldn't the firewall driver be iptables_hybrid?

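
The comparison this answer asks for, as an added example that is not part of the original answer: given `tcpdump -ne` text captured at the three points, it reports where ICMP echo requests or replies stop. The point names, function names and capture lines are constructed; the ARP line follows the format shown in the question.

```python
import re

# Matches the link-level header that `tcpdump -ne` prints before the payload.
FRAME = re.compile(r"ethertype (\w+) \(0x[0-9a-f]{4}\), length \d+: (.*)")

def summarize(capture):
    """Count ARP frames and ICMP echo requests/replies in one capture."""
    seen = {"arp": 0, "request": 0, "reply": 0}
    for line in capture.splitlines():
        m = FRAME.search(line)
        if not m:
            continue
        etype, payload = m.groups()
        if etype == "ARP":
            seen["arp"] += 1
        elif "ICMP echo request" in payload:
            seen["request"] += 1
        elif "ICMP echo reply" in payload:
            seen["reply"] += 1
    return seen

def locate_loss(points):
    """points: [(name, capture_text), ...] ordered from the LAN towards the VM."""
    stats = [(name, summarize(text)) for name, text in points]
    # Echo requests travel inwards: report the first point that never sees one.
    for i, (name, seen) in enumerate(stats):
        if seen["request"] == 0:
            if i == 0:
                return f"request never reaches {name}"
            return f"request lost between {stats[i - 1][0]} and {name}"
    # Echo replies travel outwards: walk back from the VM.
    for i in range(len(stats) - 1, -1, -1):
        name, seen = stats[i]
        if seen["reply"] == 0:
            if i == len(stats) - 1:
                return f"{name} receives requests but sends no reply"
            return f"reply lost between {stats[i + 1][0]} and {name}"
    return "requests and replies seen at every point"

# Constructed captures.
ARP = ("10:35:36.252660 0c:8b:fd:0a:f3:e8 > Broadcast, ethertype ARP (0x0806), "
       "length 60: Request who-has 192.168.0.112 tell 192.168.0.34, length 46\n")
REQ = ("10:35:37.000100 0c:8b:fd:0a:f3:e8 > fa:16:3e:38:a3:a6, ethertype IPv4 (0x0800), "
       "length 98: 192.168.0.34 > 192.168.0.112: ICMP echo request, id 7, seq 1, length 64\n")
REP = ("10:35:37.000900 fa:16:3e:38:a3:a6 > 0c:8b:fd:0a:f3:e8, ethertype IPv4 (0x0800), "
       "length 98: 192.168.0.112 > 192.168.0.34: ICMP echo reply, id 7, seq 1, length 64\n")
ARP_ONLY = [("enp0s8", ARP), ("qvb", ARP), ("vm", ARP)]
REPLY_DROPPED = [("enp0s8", ARP + REQ), ("qvb", ARP + REQ + REP), ("vm", ARP + REQ + REP)]
```

`locate_loss(ARP_ONLY)` models ARP visible at all three points with no ICMP at any of them, and points upstream of the compute node's NIC; `locate_loss(REPLY_DROPPED)` models a reply that leaves the VM but never appears on the physical interface.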

Comments

Thanks for answering kaustubh, I already tried to trace packets but I can't see where the traffic is lost. It seems normal to me. I added the captures to the post. For the firewall, in order to comply with the docs I changed it but I can't see any difference between iptables_hybrid and OVS firewall.

jbabel (2016-07-12 04:01:52 -0500)

Okay, it indeed looks like your VM is able to get ARP requests. I think the ICMP echo requests should be reaching the VM. Can you please verify this? If so, can you have a look at where the ICMP reply packets are lost while capturing at those three points?

kaustubh (2016-07-12 14:30:54 -0500)

Also, could you check if your VM has the correct routing table with ip r or route -n?

kaustubh (2016-07-12 14:32:03 -0500)

I agree with you, ICMP should reach the VM but it doesn't. In fact I see no ICMP traffic while capturing at the three points. The computer sends frames but the others get nothing. It's really weird. I'll add the routing table to the post but it seems correct to me.

jbabel (2016-07-12 16:38:33 -0500)

After looking closely at the routing table with route -n (I have always used the ip route command before), the problem could be at this level, with the network 192.168.0.0 with no valid gateway. Should I change it manually or is there a way for OpenStack to do it automatically?

jbabel (2016-07-12 16:53:34 -0500)
0

answered 2016-09-18 17:11:14 -0500

updated 2016-09-18 17:13:54 -0500

After looking closely at the routing table with route -n (I have always used the ip route command before), the problem could be at this level, with the network 192.168.0.0 with no valid gateway. Should I change it manually or is there a way for OpenStack to do it automatically?

neutron subnet-update --gateway GATEWAY_IP SUBNET

If it's physical: edit whichever interface holds this IP address and add GATEWAY= to the file. If it is configured for DHCP, make sure DEFROUTE=yes is set for only 1 of your interfaces and DEFROUTE=no on the others.


Comments

Thanks for the answer but I resolved this problem and forgot to close the question. I was in a virtual environment and the flat network didn't want to work. I tried on physical servers and it worked. By the way there was also DHCP snooping on the network to simplify the troubleshooting.

jbabel (2016-09-19 04:49:38 -0500)
