| #!/bin/bash | |
| set -xe | |
| # $0 host dev remote_ip | |
| # host is 1 or 2 | |
| # on vmA | |
| # ./mk-vx.sh 1 ens3 10.10.10.9 | |
| # on vmB | |
| # ./mk-vx.sh 2 ens3 10.10.10.15 |
DB
ovs-vsctl list open_vswitch
ovs-vsctl list interface
ovs-vsctl list interface vxlan-ac000344
ovs-vsctl --columns=options list interface vxlan-ac000344
ovs-vsctl --columns=ofport,name list Interface
ovs-vsctl --columns=ofport,name --format=table list Interface
ovs-vsctl -f csv --no-heading --columns=_uuid list controller
ovs-vsctl -f csv --no-heading -d bare --columns=other_config list port
#Open vSwitch Lab
Get started with Open vSwitch, flows and OpenFlow controllers.
##Pre-reqs
Linux system with OVS installed.
##Setup
| ''' | |
| Make the output of ovs-ofctl dump-flows more readable | |
| ''' | |
| import re | |
| import sys | |
| from tabulate import tabulate | |
| PAT = re.compile("^ cookie.*table=(\d+), n_packets=(\d+).+ priority=(\d+),*(.*) actions=(.+)") | |
| if len(sys.argv) == 2: |
tested on kilo, juno and liberty. This breaks creating instances in horizon - on liberty anyway, maybe older too.
People usually want to do this because the anti-spoofing rules are dropping packets transmitted by Nova instances that do not have the source MAC or IP address that was allocated to the instance. Note: allowed-addresses-pairs or port-security extension can fix that. Also there is a performance drop using the hybrid plugging strategy (veth+linuxbridge+iptables).
But Nova needs a security groups API or it will refuse to start instances. It needs to be configured to use its own or Neutron's. Here we configure it to use the Nova security groups API, but disable nova-compute (and the Neutron L2 agent - just to be sure) from applying any iptables rules.
The following works with Neutron VLAN provider networks, and requires configuration on the physical switches. Multicast works on br-int because the ML2 OVS driver/agent uses OVS in standalone mode (no external controller). The packets on br-int hit the NORMAL flow action, and so get treated by the ovs-vswitchd code that does IGMP snooping (when enabled). All IGMP packets are sent to the slow path (userspace ovs-vswitchd).
The following will not work on Neutron tunnel backed networks (VxLAN, GRE), as the neutron-openvswitch-agent hardcodes flows on br-tun that treats multicast the same as broadcasts and the NORMAL action is not used.
+----------------------------+ +----------------------------+
| +----+ +----+ | | +----+ +----+ |
| | VM | | VM | | | | VM | | VM | |
| +-+--+ +--+-+ | | +-+--+ +--+-+ |
| #!/usr/bin/python3 | |
| import re | |
| import sys | |
| from tabulate import tabulate | |
| comments_re = re.compile(r'/\*.*\/') | |
| in_chain, eof = False, False | |
| headers, table = [], [] |
| // go test -bench=. | |
| package main | |
| import ( | |
| "sync" | |
| "testing" | |
| ) | |
| type Person struct { |
| #@ /etc/quagga/bgpd.conf (Centos & Ubuntu) | |
| hostname <Local OS hostname> | |
| password <Any random phrase> | |
| enable password <Any random phrase> | |
| ! | |
| log file /var/log/quagga/bgpd | |
| !debug bgp events | |
| !debug bgp zebra | |
| debug bgp updates |
| """ | |
| Server to answer requests from Libvirt VMs to http://169.254.169.254/ | |
| Cloud images usually don't have a preset user/password, and this is needed to add a ssh pub key to .ssh/authorized_hosts. | |
| Change SSH_PUB_KEY path below. | |
| pip install bottle | |
| sudo ip address add 169.254.169.254 dev virbr0 | |
| open firewall | |
| -A ufw-user-input -s 192.168.122.0/24 -d 169.254.169.254/32 -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT |