I think I've fixed SecGrps and SecGrpRules


Edward Warnicke <hagbard@...>
 

So... I went and tried 

from OpenStack (many thanks Kyle Mestery :) ).

In digging into why that wasn't working I found a bug in Neutron NB and fixed it here:


In my basic checks it appears to work when I test it against dummy-provider in the
neutron project and:

1)  I see the SecGrp messages in the dummy provider in the logs, 
2)  I see successful responses to the SecGrp calls in the pcap I took

So I'm feeling good about it.

Could folks try it out in more complex scenarios?

Ed


Suryanarayanan, Aswin <aswin.suryanarayanan@...>
 

Hi Ed,

 

Ravi and I tried with the devstack kilo with the latest code from networking-odl (a few changes in neutron as well) along with the latest ODL. We observed that when we created a network from horizon we received a call to NeutronSecurityRulesNorthbound createSecurityRules with an empty list. But when we created a VM, the call didn't seem to reach Neutron northbound in ODL and no flows were inserted in Table 40 or Table 90. Shouldn't we have the default rules to be added? Could you please clarify? Also when we tried to create an SG from the horizon UI, none of the calls hit the Neutron Security Groups in ODL. Does that require any further changes in networking-odl/neutron?

 

Aswin


Edward Warnicke <hagbard@...>
 

Looping in other interested parties.

Ravi,

Let's start debugging at the top :)

1)  When you create a VM, what call are you expecting to see to ODL, and how are you verifying you don't see it (wireshark, etc.)?

The reason I ask, is because the issue could be in any of the following components:

1) Neutron
2) ML2
3) ODL ML2 Driver (in Stackforge)
4) ODL Neutron Northbound (in ODL)
5) The provider

Usually, the simplest way to start debugging for me is to answer the question:

On the wire, do I see the REST calls I expected?

Once we know the answer to that, we can drill further down :)

Ed

 



_______________________________________________
ovsdb-dev mailing list
ovsdb-dev@...
https://lists.opendaylight.org/mailman/listinfo/ovsdb-dev



Suryanarayanan, Aswin <aswin.suryanarayanan@...>
 

Hi Ed,

 

We checked with breakpoints in NeutronSecurityRulesNorthbound and NeutronSecurityGroupsNorthbound in neutron ODL. We will analyze with wireshark and get back.

 

Aswin

 


 


Edward Warnicke <hagbard@...>
 

Aswin,

If you could stick the pcap files somewhere like google drive or dropbox and share them that would also be mega useful :)

Ed


 



Anil Vishnoi
 

I would say just enable the debug log in odl mechanism driver and you will get all the rest call details that it's sending to odl controller. 





--
Thanks
Anil


Suryanarayanan, Aswin <aswin.suryanarayanan@...>
 

Thanks Anil for the suggestions.

 

Hi Ed,

 

The logs and pcap are attached in the below link. There are some logs for security groups in the neutron server log. But I was not able to confirm whether the request reached ODL correctly. I am trying to understand the same. But no flows related to security groups were inserted. Let me know if any further logs are required.

 

The log is for the use case  Create Network -> Create Subnet -> Spawn VM.

 

https://drive.google.com/folderview?id=0BzO1nVcl7PumfmczY1lsWjJXSGc0SHVkYlNaYTh6TjdkZk1HazRqdzdCWUpjcFI4UzVIUW8&usp=sharing

 

Thanks and Regards

Aswin

 



Vishal Thapar <vishal.thapar@...>
 

Looks like rest calls are going from ODL Mech driver to ODL for security group as well as VM Port [IP .

 

Neutron log: 3389 and 3402

pcap: Frame 406 and 555.

 

Found this entry in karaf.log:

Line 569: 2015-06-18 01:51:59,928 | INFO  | ntDispatcherImpl | OF13Provider                     | 272 - org.opendaylight.ovsdb.openstack.net-virt-providers - 1.1.0.SNAPSHOT | programLocalRules: could not find ofPort for Port tap1220d276-15 on Node Uri [_value=ovsdb://uuid/b45dcd8f-5e20-42a0-abc0-f1373dc18f6c/bridge/br-int]

 

Relevant entries are line 567 to 570. This is where someone more familiar with OVSDB would be able to help.

 

Regards,

Vishal.

 

 



Edward Warnicke <hagbard@...>
 

Vishal,

Good job narrowing it down :)

You've cleared the ML2 driver (messages are getting to ODL)

If you would try it with the neutron northbound dummy-provider which gives good logging of messages received and correctly unmarshalled, we can clear the neutron northbound
and narrow it down to just the provider.

To test with the neutron northbound,

cd neutron
cd karaf/
mvn clean install
cd target/assembly/bin
./karaf

This will bring up the dummy-provider, which just logs messages received.  If you see your messages in the logs there, we know the
neutron northbound has correct behavior :)

Ed





Suryanarayanan, Aswin <aswin.suryanarayanan@...>
 

Hi Ed,

 

Thanks for the inputs :)

 

Yes, as per the pcap and the logs the request is reaching OpenDaylight. The default security groups which need to be associated with the port when a VM is spawned come as a part of the port create/update request. This will invoke programLocalRules in OF13Provider.java when the port is created and updated. I see the error “could not find the ofport” being thrown only in the case of port create; for port update I didn’t see this error (in debug mode I saw the OFport associated with the interface retrieved). But the code for adding the SG flows is currently commented out in OF13Provider. I tried uncommenting it but it is still not adding the default security group rule flows, since the SecurityRuleRemoteIpPrefix being passed from networking-odl is null while ODL expects 0.0.0.0/0. In the horizon UI it is set to 0.0.0.0/0; I think it may require a fix in networking-odl.

 

The default security groups expected when a VM is spawned, to have parity with openstack, are as follows (correct me if I have missed any):

Ingress

1) Allow traffic from the DHCP server.

2) Allow traffic from any other VM in the same network.

Egress

1) Allow DHCP traffic.

2) Disallow DHCP spoofing by the client.

3) Allow all other traffic.

Source

1) Allow the traffic from the IP/MAC pair of the VM as source.

2) Disallow all the other traffic.

 

 

The Ingress/EgressAclService currently supports only security rules related to TCP and with no protocol selected. In my opinion we need to enhance the code related to default securityGroups rules in ODL to match openstack. Ravi and I are planning to sign up for the trello card related to default SecurityGroups. Please let us know if you have any comments/suggestions/concerns.

Btw, for adding a new security group (which when created is not associated with a port), I hope the call should come directly to NeutronSecurityGroupsNorthbound, or will neutron send ODL info about these SecurityGroup rules only when it is associated with a port? Currently when I captured the packets in wireshark, the REST call for creating a security group is going to port 9696 only, not to the ODL port.

Thanks and Regards

Aswin
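
The null-prefix mismatch described in the message above, as an added example (not code from networking-odl or OpenDaylight): a normalizer that makes the wildcard explicit before a security group rule is turned into a flow match, and refuses to widen a rule that points at a remote group. It assumes Neutron API field names and that a rule with neither remote_ip_prefix nor remote_group_id means "any address"; the function names and sample rules are constructed for illustration.

```python
import ipaddress

# Wildcard CIDR per ethertype. Assumption: a rule with neither a remote prefix
# nor a remote group means "any address" of that ethertype.
ANY_PREFIX = {"IPv4": "0.0.0.0/0", "IPv6": "::/0"}
IP_VERSION = {"IPv4": 4, "IPv6": 6}


class RuleError(ValueError):
    """The rule cannot be turned into a flow match without guessing."""


def normalize_rule(rule):
    """Return a copy of a security group rule with an explicit remote.

    null prefix, no remote group -> wildcard CIDR for the rule's ethertype
    remote group set             -> prefix stays None (never widened to "any")
    prefix set                   -> validated and canonicalised
    """
    ethertype = rule.get("ethertype")
    if ethertype not in ANY_PREFIX:
        raise RuleError("unknown ethertype: %r" % (ethertype,))
    if rule.get("direction") not in ("ingress", "egress"):
        raise RuleError("unknown direction: %r" % (rule.get("direction"),))

    prefix = rule.get("remote_ip_prefix")
    group = rule.get("remote_group_id")
    out = dict(rule)

    if prefix and group:
        raise RuleError("remote_ip_prefix and remote_group_id are both set")
    if group:
        # The remote is a set of ports, not a CIDR. Filling in 0.0.0.0/0 here
        # would silently turn "members of this group" into "anyone".
        out["remote_ip_prefix"] = None
        return out
    if not prefix:
        out["remote_ip_prefix"] = ANY_PREFIX[ethertype]
        return out

    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError as exc:
        raise RuleError("bad remote_ip_prefix %r: %s" % (prefix, exc)) from exc
    if net.version != IP_VERSION[ethertype]:
        raise RuleError("%s rule carries an IPv%d prefix" % (ethertype, net.version))
    out["remote_ip_prefix"] = str(net)
    return out


def plan_flows(rules):
    """Split rules into (programmable, rejected) so that a bad rule is
    reported instead of being dropped without any flow or log entry."""
    programmable, rejected = [], []
    for rule in rules:
        try:
            norm = normalize_rule(rule)
        except RuleError as exc:
            rejected.append((rule.get("id"), str(exc)))
            continue
        remote = norm["remote_ip_prefix"] or "group:" + norm["remote_group_id"]
        programmable.append((norm.get("id"), norm["direction"], remote))
    return programmable, rejected


# Constructed sample rules (ids and group name are made up for this example).
SAMPLE_RULES = [
    {"id": "r1", "direction": "egress", "ethertype": "IPv4",
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r2", "direction": "egress", "ethertype": "IPv6",
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r3", "direction": "ingress", "ethertype": "IPv4",
     "remote_ip_prefix": None, "remote_group_id": "sg-default"},
    {"id": "r4", "direction": "ingress", "ethertype": "IPv4",
     "remote_ip_prefix": "10.0.0.5/24", "remote_group_id": None},
    {"id": "r5", "direction": "ingress", "ethertype": "IPv4",
     "remote_ip_prefix": "2001:db8::/32", "remote_group_id": None},
]

if __name__ == "__main__":
    ok, bad = plan_flows(SAMPLE_RULES)
    for entry in ok:
        print("program", entry)
    for entry in bad:
        print("reject ", entry)
```
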

 

 
