[one-users] OpenNebula 3.8.1 ovswitch ovs-ofctl bad syntax for in_port

Ruben S. Montero rsmontero at opennebula.org
Tue Nov 13 02:05:06 PST 2012


Hi

The 3.8 version of the Openvswitch drivers uses OpenFlow rules, as there are some
incompatibility issues when using iptables and ovswitch. Note that there
are some filtering limitations (compared to iptables) regarding the
definition of TCP/UDP port ranges.

Mon Nov 12 15:17:44 2012 [VMM][D]: Message received: LOG E 216 post:
> Command "sudo /usr/bin/ovs-ofctl add-flow vlan5
> in_port=,dl_src=02:00:0a:80:05:32,priority=40000,actions=normal" failed.
>

This may be some kind of incompatibility of the ovswitch version of your
installation and the drivers. The problem here is the empty in_port. Can
you deploy the VM by hand and send the output of (executed as oneadmin):

sudo /usr/bin/ovs-ofctl dump-ports vlan5 <VM_tap_interface>




>
> The vlan5 port on this particular switch is a `fake bridge`. Linux
> bridge compatibility layer is enabled as requested by the docs [1].
>
> ```
> $ ps aux | grep openvswitch
> ```


All seems ok here


>
> The OpenFlow default rules employed by OpenNebula state on the doc
> [2] page the following:
>
>     `These rules prevent any traffic to come out of the port the MAC
>     address has changed.`
>
> Does this mean that traffic coming out of the port OpenNebula just
> created on the switch is denied/dropped? Or does it mean that traffic
> with the source MAC address of the VM should only come in on the
> specified port, the newly added port for the VM?
>

The latter: any traffic with a source MAC address different from the one assigned
to the VM is filtered out. This is to prevent a user from changing the VM MAC from the
guest...


>
> Maybe I'm wrong, but at a glance flows can improve security and thus are
> a huge improvement to OpenNebula. Do you, devs and users, think that it
> would be better to separate the flow definition from code? For now if we
> want to add flow rules we have to modify
> `/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb`. I think it would be
> wise to have separate files with rules based on the users' need.


> `ovs-ofctl` can add flows directly from a file so it wouldn't be very
> hard, I guess, to separate the flows from the code. Of course one can do
> this by himself by modifying `post`.
>

Yes, this may be a good idea. Use a filter file with some template engine
(ERB, haml...)


>
> One more thing, why does OpenNebula need the Linux bridge compatibility
> layer enabled?
>

This is basically a requirement from the hypervisor that uses brctl
addif... KVM (through libvirt) supports Openvswitch without compatibility
layer since version 0.9.11. We opted to preserve this requirement and
remove it in future versions (and add <virtualport> for NICs). Note that
the driver itself does not require the compatibility layer, as it uses
openvswitch commands.


>
> Can anybody shed some light?
>
> [1]:
> http://opennebula.org/documentation:rel3.8:openvswitch#hosts_configuration
> [2]: http://opennebula.org/documentation:rel3.8:openvswitch#openflow_rules
>
> Thanks. Cheers and Goodwill,
> v
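As an added example (not the OpenNebula driver's own code, nor anything from the original thread): the two per-NIC rules kept in an ERB template, as suggested above, and rendered only after the OpenFlow port has been parsed from `ovs-ofctl dump-ports` output, so an empty `in_port` is rejected up front instead of reaching `ovs-ofctl`. The lower-priority drop rule, the `dump-ports` output format and the helper names are assumptions for illustration.

```ruby
require 'erb'

# Per-NIC OpenFlow rules held in an ERB template instead of in the driver
# code. The drop rule is the assumed lower-priority complement of the
# "actions=normal" rule shown in the failing log line.
FLOW_TEMPLATE = <<~'ERB'
  in_port=<%= port %>,dl_src=<%= mac %>,priority=40000,actions=normal
  in_port=<%= port %>,priority=39000,actions=drop
ERB

MAC_RE = /\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/i

# Pick the OpenFlow port number out of `ovs-ofctl dump-ports <bridge> <tap>`
# output (assumed format). Returns nil when no numeric "port N:" line is
# present, which is what ends up as the empty in_port in the failing command.
def ofport_from_dump(dump)
  m = dump.match(/^\s*port\s+(\d+):/)
  m && m[1]
end

# Render the add-flow specs for one NIC. Fails closed: a missing in_port or a
# malformed MAC raises instead of producing a flow that matches nothing.
def flow_specs(port, mac, template = FLOW_TEMPLATE)
  raise ArgumentError, "empty in_port for #{mac}" if port.to_s.strip.empty?
  raise ArgumentError, "malformed MAC #{mac.inspect}" unless mac.to_s.match?(MAC_RE)
  ERB.new(template).result_with_hash(port: port, mac: mac)
     .lines.map(&:strip).reject(&:empty?)
end

# Full command lines for the driver's command runner (path as in the log).
def add_flow_commands(bridge, dump, mac, ovs_ofctl = '/usr/bin/ovs-ofctl')
  port = ofport_from_dump(dump)
  flow_specs(port, mac).map { |spec| "sudo #{ovs_ofctl} add-flow #{bridge} #{spec}" }
end

# Constructed dump-ports output, not captured from a real host.
SAMPLE_DUMP = <<~OUT
  OFPST_PORT reply (xid=0x1): 1 ports
    port  7: rx pkts=12, bytes=1032, drop=0, errs=0, frame=0, over=0, crc=0
             tx pkts=9, bytes=702, drop=0, errs=0, coll=0
OUT

if __FILE__ == $0
  puts add_flow_commands('vlan5', SAMPLE_DUMP, '02:00:0a:80:05:32')
end
```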