Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Reproduce an OVN ICMP issue on a CentOS 7 host
#!/bin/bash
cleanup() {
if ! which ovn-nbctl 2>&1 > /dev/null ; then
# OVN not yet installed, nothing to cleanup
return
fi
sudo ovs-vsctl del-port ns1
sudo ovs-vsctl del-port ns2
sudo ovs-vsctl del-port ns3
sudo ip netns delete ns1
sudo ip netns delete ns2
sudo ip netns delete ns3
sudo ovn-nbctl lsp-del sw0-port1
sudo ovn-nbctl lsp-del sw0-port2
sudo ovn-nbctl lsp-del sw1-port1
sudo ovn-nbctl lsp-del lrp0-attachment
sudo ovn-nbctl lsp-del lrp1-attachment
sudo ovn-nbctl lr-del lr0
sudo ovn-nbctl ls-del sw0
sudo ovn-nbctl ls-del sw1
}
if [ "$1" = "cleanup" ] ; then
cleanup
exit 0
fi
# Add a repo for where we can get OVS 2.6 packages
if [ ! -f /etc/yum.repos.d/delorean-deps.repo ] ; then
curl http://trunk.rdoproject.org/centos7/delorean-deps.repo | sudo tee /etc/yum.repos.d/delorean-deps.repo
fi
sudo yum install -y openvswitch openvswitch-ovn-central openvswitch-ovn-host
for n in openvswitch ovn-northd ovn-controller ; do
sudo systemctl enable $n
sudo systemctl start $n
systemctl status $n
done
sudo ovs-vsctl set open . external-ids:ovn-remote=unix:/var/run/openvswitch/ovnsb_db.sock
sudo ovs-vsctl set open . external-ids:ovn-encap-type=geneve
sudo ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1
sudo setenforce 0
sudo ovn-nbctl ls-add sw0
sudo ovn-nbctl lsp-add sw0 sw0-port1
sudo ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 192.168.0.2"
sudo ovn-nbctl lsp-add sw0 sw0-port2
sudo ovn-nbctl lsp-set-addresses sw0-port2 "50:54:00:00:00:02 192.168.0.3"
sudo ovn-nbctl ls-add sw1
sudo ovn-nbctl lsp-add sw1 sw1-port1
sudo ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 11.0.0.2"
sudo ovn-nbctl lr-add lr0
sudo ovn-nbctl show
sudo ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 192.168.0.1/24
sudo ovn-nbctl lsp-add sw0 lrp0-attachment
sudo ovn-nbctl lsp-set-type lrp0-attachment router
sudo ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01
sudo ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0
sudo ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 11.0.0.1/24
sudo ovn-nbctl lsp-add sw1 lrp1-attachment
sudo ovn-nbctl lsp-set-type lrp1-attachment router
sudo ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02
sudo ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1
add_phys_port() {
name=$1
mac=$2
ip=$3
mask=$4
gw=$5
iface_id=$6
sudo ip netns add $name
sudo ovs-vsctl add-port br-int $name -- set interface $name type=internal
sudo ip link set $name netns $name
sudo ip netns exec $name ip link set $name address $mac
sudo ip netns exec $name ip addr add $ip/$mask dev $name
sudo ip netns exec $name ip link set $name up
sudo ip netns exec $name ip route add default via $gw
sudo ovs-vsctl set Interface $name external_ids:iface-id=$iface_id
}
add_phys_port ns1 50:54:00:00:00:01 192.168.0.2 24 192.168.0.1 sw0-port1
add_phys_port ns2 50:54:00:00:00:02 192.168.0.3 24 192.168.0.1 sw0-port2
add_phys_port ns3 50:54:00:00:00:03 11.0.0.2 24 11.0.0.1 sw1-port1
msg() {
echo
echo "***"
echo "*** $1"
echo "***"
echo
}
msg "Starting with no ACLs"
msg "sw0-port1 (192.168.0.2) can ping sw0-port2 (192.168.0.3)"
sudo ip netns exec ns1 ping -c 5 192.168.0.3
msg "sw0-port1 (192.168.0.2) can ping sw1-port1 (11.0.0.2)"
sudo ip netns exec ns1 ping -c 5 11.0.0.2
msg "sw0-port2 (192.168.0.3) can ping logical router IP (192.168.0.1)"
sudo ip netns exec ns2 ping -c 5 192.168.0.1
msg "sw0-port1 (192.168.0.2) can ping logical router IP (192.168.0.1)"
sudo ip netns exec ns1 ping -c 5 192.168.0.1
msg "Adding ACLs for sw0-port1 (192.168.0.2) "
# ACLs for sw0-port1
# - allow all outgoing traffic and related reply traffic
# - deny all incoming traffic not a part of an existing connection
sudo ovn-nbctl --wait=hv acl-add sw0 from-lport 1001 'inport == "sw0-port1" && ip' allow-related
sudo ovn-nbctl --wait=hv acl-add sw0 to-lport 1001 'outport == "sw0-port1" && ip' drop
sudo ovn-nbctl acl-list sw0
msg "sw0-port1 (192.168.0.2) can ping sw0-port2 (192.168.0.3)"
sudo ip netns exec ns1 ping -c 5 192.168.0.3
msg "sw0-port1 (192.168.0.2) can ping sw1-port1 (11.0.0.2)"
sudo ip netns exec ns1 ping -c 5 11.0.0.2
msg "sw0-port2 (192.168.0.3) can ping logical router IP (192.168.0.1)"
sudo ip netns exec ns2 ping -c 5 192.168.0.1
msg "BUG: sw0-port1 (192.168.0.2) can NOT ping logical router IP (192.168.0.1)"
sudo ip netns exec ns1 ping -c 5 192.168.0.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment