[one-users] OpenNebula 3.8.1 ovswitch ovs-ofctl bad syntax for in_port

Valentin Bud valentin.bud at gmail.com
Mon Nov 12 07:18:55 PST 2012


Hello World,

I have updated OpenNebula to 3.8.1 from source on CentOS 6.3. I have
noticed that ovswitch vnm now adds flows. That's very nice. I have never
worked with flows from OpenvSwitch but I have read a little bit about it
and they seem to bring a lot of (security) benefits.

However, the `post` ovswitch vnm script fails.

```
/var/log/one/oned.log

Mon Nov 12 15:17:44 2012 [VMM][D]: Message received: LOG I 216 post:
Executed "sudo /usr/bin/ovs-vsctl set Port vnet0 tag=5".

Mon Nov 12 15:17:44 2012 [VMM][D]: Message received: LOG I 216
ovs-ofctl: vlan5 is not a bridge or a socket

Mon Nov 12 15:17:44 2012 [VMM][D]: Message received: LOG E 216 post:
Command "sudo /usr/bin/ovs-ofctl add-flow vlan5
in_port=,dl_src=02:00:0a:80:05:32,priority=40000,actions=normal" failed.

Mon Nov 12 15:17:44 2012 [VMM][D]: Message received: LOG E 216 post:
ovs-ofctl: dl_src=02:00:0a:80:05:32: bad syntax for in_port

Mon Nov 12 15:17:44 2012 [VMM][D]: Message received: LOG E 216
ovs-ofctl: dl_src=02:00:0a:80:05:32: bad syntax for in_port
```

The vlan5 port on this particular switch is a `fake bridge`. The Linux
bridge compatibility layer is enabled as requested by the docs [1].

```
$ ps aux | grep openvswitch
root      1247  0.0  0.0  39768  2112 ?        S<s  10:13   0:02
ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err ...

root      1259  0.0  0.0  40924  7812 ?        S<Ls 10:13   0:10
ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer ...

root      1280  0.0  0.0  39728  1088 ?        S<s  10:13   0:00
ovs-brcompatd -vconsole:emer -vsyslog:err -vfile:info --no-chdir ...

$ _ ovs-vsctl show
Port "vlan5"
   tag: 5
   Interface "vlan5"
   type: internal
```

sudo rules are in place for `oneadmin` to be able to execute ovs-*
commands without a tty and password.

The OpenFlow default rules employed by OpenNebula are described on the doc
page [2] as follows:

> These rules prevent any traffic to come out of the port the MAC
> address has changed.

Does this mean that traffic coming out of the port OpenNebula just
created on the switch is denied/dropped? Or does it mean that traffic
with the source MAC address of the VM should only come in on the
specified port, the newly added port for the VM?

Maybe I'm wrong, but at a glance flows can improve security and thus are
a huge improvement to OpenNebula. Do you, devs and users, think that it
would be better to separate the flow definition from the code? For now, if we
want to add flow rules we have to modify
`/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. I think it would be
wise to have separate files with rules based on the users' needs.

`ovs-ofctl` can add flows directly from a file, so it wouldn't be very
hard, I guess, to separate the flows from the code. Of course, one can do
this by himself by modifying `post`.

One more thing: why does OpenNebula need the Linux bridge compatibility
layer enabled?

Can anybody shed some light?

[1]: http://opennebula.org/documentation:rel3.8:openvswitch#hosts_configuration
[2]: http://opennebula.org/documentation:rel3.8:openvswitch#openflow_rules

Thanks. Cheers and Goodwill,
v
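As an added illustration of the failure shown in the log (this is editor-supplied Python, not OpenNebula's `OpenvSwitch.rb` or any code from the list), the block below does the checks a `post` hook could perform before handing a flow to `ovs-ofctl`: it parses a flow string in the same `key=value,...,actions=...` form as the logged one, rejects the empty `in_port` that produced "bad syntax for in_port", resolves a tap interface to its OpenFlow port number with `ovs-vsctl get Interface <iface> ofport` (the `run` argument is injectable so the lookup can be exercised offline with a constructed reply), and builds a MAC-to-port pinning pair. The allow rule mirrors the logged `priority=40000 ... actions=normal` flow; the lower-priority `drop` rule, the `39000` value, the bridge name `br0` and the function names are assumptions made for the example, not OpenNebula's documented rules.

```python
import re
import subprocess

# Flow exactly as it appeared in the oned.log excerpt: in_port is empty.
LOGGED_FLOW = "in_port=,dl_src=02:00:0a:80:05:32,priority=40000,actions=normal"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_flow(flow):
    """Split an ovs-ofctl flow string into a dict of match fields plus 'actions'.

    Everything before 'actions=' is a comma-separated list of key=value
    matches; everything after it is the action list, which may itself
    contain commas and is therefore kept whole.
    """
    fields = {}
    match_part, sep, actions = flow.partition("actions=")
    for part in filter(None, match_part.split(",")):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if sep:
        fields["actions"] = actions.strip()
    return fields


def validate_flow(flow):
    """Return a list of problems; an empty list means the syntax is well formed."""
    fields = parse_flow(flow)
    problems = []
    in_port = fields.get("in_port")
    if in_port is not None and (not in_port.isdigit() or int(in_port) < 1):
        problems.append("in_port must be a positive OpenFlow port number")
    dl_src = fields.get("dl_src")
    if dl_src is not None and not MAC_RE.match(dl_src.lower()):
        problems.append("dl_src is not a MAC address")
    if "actions" not in fields:
        problems.append("flow has no actions")
    return problems


def lookup_ofport(iface, run=subprocess.check_output):
    """Resolve a tap interface (e.g. vnet0) to its OpenFlow port number.

    `run` is injectable so the function can be tested without a switch.
    ovs-vsctl prints -1 (or []) when the interface is not attached to a
    bridge; an empty in_port in the flow is the symptom of using that
    value unchecked, so refuse to continue instead.
    """
    text = run(["ovs-vsctl", "get", "Interface", iface, "ofport"]).decode().strip()
    if not text.isdigit() or int(text) < 1:
        raise RuntimeError(f"{iface} has no OpenFlow port ({text!r}); not building a flow")
    return int(text)


def build_mac_pin_flows(in_port, mac):
    """Build an allow/drop pair for one VM port (assumed anti-spoofing pattern):
    frames with the VM's MAC are switched normally only when they arrive on
    the VM's own port; the same MAC arriving on any other port is dropped.
    Every flow is validated before it is returned, so an empty in_port is
    caught here rather than by ovs-ofctl."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC {mac!r}")
    flows = [
        f"in_port={in_port},dl_src={mac},priority=40000,actions=normal",
        f"dl_src={mac},priority=39000,actions=drop",  # 39000 is an assumed value
    ]
    for flow in flows:
        problems = validate_flow(flow)
        if problems:
            raise ValueError(f"{flow}: {'; '.join(problems)}")
    return flows


def ovs_ofctl_commands(bridge, flows):
    """Command lines a post hook would run. The target must be a real bridge;
    a fake bridge such as vlan5 has no OpenFlow socket, as the log reports."""
    return [["sudo", "/usr/bin/ovs-ofctl", "add-flow", bridge, flow] for flow in flows]


if __name__ == "__main__":
    print("logged flow problems:", validate_flow(LOGGED_FLOW))
    # Constructed ovs-vsctl reply standing in for a live switch.
    port = lookup_ofport("vnet0", run=lambda cmd: b"7\n")
    for cmd in ovs_ofctl_commands("br0", build_mac_pin_flows(port, "02:00:0a:80:05:32")):
        print(" ".join(cmd))
```

Run against the logged flow, `validate_flow` reports only the empty `in_port`, which matches the `ovs-ofctl` error; with a resolved port number the same builder yields a syntactically valid pair. Keeping the port lookup and the validation separate from the flow text is also what makes it practical to load the rules from a file, as suggested above, since the file then only needs placeholders for the port and MAC.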

