Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Reproduce an OVN ICMP issue on a CentOS 7 host
#!/bin/bash
cleanup() {
if ! which ovn-nbctl 2>&1 > /dev/null ; then
# OVN not yet installed, nothing to cleanup
return
fi
sudo ovs-vsctl del-port ns1
sudo ovs-vsctl del-port ns2
sudo ovs-vsctl del-port ns3
sudo ip netns delete ns1
sudo ip netns delete ns2
sudo ip netns delete ns3
sudo ovn-nbctl lsp-del sw0-port1
sudo ovn-nbctl lsp-del sw0-port2
sudo ovn-nbctl lsp-del sw1-port1
sudo ovn-nbctl lsp-del lrp0-attachment
sudo ovn-nbctl lsp-del lrp1-attachment
sudo ovn-nbctl lr-del lr0
sudo ovn-nbctl ls-del sw0
sudo ovn-nbctl ls-del sw1
}
if [ "$1" = "cleanup" ] ; then
cleanup
exit 0
fi
# Add a repo for where we can get OVS 2.6 packages
if [ ! -f /etc/yum.repos.d/delorean-deps.repo ] ; then
curl http://trunk.rdoproject.org/centos7/delorean-deps.repo | sudo tee /etc/yum.repos.d/delorean-deps.repo
fi
sudo yum install -y openvswitch openvswitch-ovn-central openvswitch-ovn-host
for n in openvswitch ovn-northd ovn-controller ; do
sudo systemctl enable $n
sudo systemctl start $n
systemctl status $n
done
sudo ovs-vsctl set open . external-ids:ovn-remote=unix:/var/run/openvswitch/ovnsb_db.sock
sudo ovs-vsctl set open . external-ids:ovn-encap-type=geneve
sudo ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1
sudo setenforce 0
sudo ovn-nbctl ls-add sw0
sudo ovn-nbctl lsp-add sw0 sw0-port1
sudo ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 192.168.0.2"
sudo ovn-nbctl lsp-add sw0 sw0-port2
sudo ovn-nbctl lsp-set-addresses sw0-port2 "50:54:00:00:00:02 192.168.0.3"
sudo ovn-nbctl ls-add sw1
sudo ovn-nbctl lsp-add sw1 sw1-port1
sudo ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 11.0.0.2"
sudo ovn-nbctl lr-add lr0
sudo ovn-nbctl show
sudo ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 192.168.0.1/24
sudo ovn-nbctl lsp-add sw0 lrp0-attachment
sudo ovn-nbctl lsp-set-type lrp0-attachment router
sudo ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01
sudo ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0
sudo ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 11.0.0.1/24
sudo ovn-nbctl lsp-add sw1 lrp1-attachment
sudo ovn-nbctl lsp-set-type lrp1-attachment router
sudo ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02
sudo ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1
add_phys_port() {
name=$1
mac=$2
ip=$3
mask=$4
gw=$5
iface_id=$6
sudo ip netns add $name
sudo ovs-vsctl add-port br-int $name -- set interface $name type=internal
sudo ip link set $name netns $name
sudo ip netns exec $name ip link set $name address $mac
sudo ip netns exec $name ip addr add $ip/$mask dev $name
sudo ip netns exec $name ip link set $name up
sudo ip netns exec $name ip route add default via $gw
sudo ovs-vsctl set Interface $name external_ids:iface-id=$iface_id
}
add_phys_port ns1 50:54:00:00:00:01 192.168.0.2 24 192.168.0.1 sw0-port1
add_phys_port ns2 50:54:00:00:00:02 192.168.0.3 24 192.168.0.1 sw0-port2
add_phys_port ns3 50:54:00:00:00:03 11.0.0.2 24 11.0.0.1 sw1-port1
msg() {
echo
echo "***"
echo "*** $1"
echo "***"
echo
}
msg "Starting with no ACLs"
msg "sw0-port1 (192.168.0.2) can ping sw0-port2 (192.168.0.3)"
sudo ip netns exec ns1 ping -c 5 192.168.0.3
msg "sw0-port1 (192.168.0.2) can ping sw1-port1 (11.0.0.2)"
sudo ip netns exec ns1 ping -c 5 11.0.0.2
msg "sw0-port2 (192.168.0.3) can ping logical router IP (192.168.0.1)"
sudo ip netns exec ns2 ping -c 5 192.168.0.1
msg "sw0-port1 (192.168.0.2) can ping logical router IP (192.168.0.1)"
sudo ip netns exec ns1 ping -c 5 192.168.0.1
msg "Adding ACLs for sw0-port1 (192.168.0.2) "
# ACLs for sw0-port1
# - allow all outgoing traffic and related reply traffic
# - deny all incoming traffic not a part of an existing connection
sudo ovn-nbctl --wait=hv acl-add sw0 from-lport 1001 'inport == "sw0-port1" && ip' allow-related
sudo ovn-nbctl --wait=hv acl-add sw0 to-lport 1001 'outport == "sw0-port1" && ip' drop
sudo ovn-nbctl acl-list sw0
msg "sw0-port1 (192.168.0.2) can ping sw0-port2 (192.168.0.3)"
sudo ip netns exec ns1 ping -c 5 192.168.0.3
msg "sw0-port1 (192.168.0.2) can ping sw1-port1 (11.0.0.2)"
sudo ip netns exec ns1 ping -c 5 11.0.0.2
msg "sw0-port2 (192.168.0.3) can ping logical router IP (192.168.0.1)"
sudo ip netns exec ns2 ping -c 5 192.168.0.1
msg "BUG: sw0-port1 (192.168.0.2) can NOT ping logical router IP (192.168.0.1)"
sudo ip netns exec ns1 ping -c 5 192.168.0.1
@sundafa

This comment has been minimized.

Copy link

sundafa commented Jan 17, 2018

Blogger, I now have this problem

Will bloggers have been resolved

The solution can teach me, Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.