[Bug 1979984] [NEW] [ovn] no traffic for VMs assigned with direct switchdev ports without security groups
Itai Levy
1979984 at bugs.launchpad.net
Mon Jun 27 11:36:48 UTC 2022
Public bug reported:
Charmed OpenStack (Yoga / Jammy)
I noticed that when creating VMs with switchdev direct ports for HW Offload testing, traffic is dropped by OVN programming OVS to drop it.
In previous OpenStack/OVN versions, as far as I remember, it was possible
to create ports without security groups and exclude the traffic from
Connection Tracking enforcement...
This is happening on both Geneve / provider VLAN networks.
To reproduce:
openstack network create vlan_data --provider-physical-network tenantvlan --provider-network-type vlan --provider-segment 101 --share
openstack subnet create vlan_data_subnet --dhcp --network vlan_data --subnet-range 11.11.11.0/24 --allocation-pool start=11.11.11.100,end=11.11.11.200
openstack port create direct_overlay111 --vnic-type=direct --network vlan_data --binding-profile '{"capabilities":["switchdev"]}' --no-security-group
openstack port create direct_overlay112 --vnic-type=direct --network vlan_data --binding-profile '{"capabilities":["switchdev"]}' --no-security-group
openstack server create --key-name bastion --flavor d2.demo --image perf --port direct_overlay111 vm111 --availability-zone nova:node3.maas
openstack server create --key-name bastion --flavor d2.demo --image perf --port direct_overlay112 vm112 --availability-zone nova:node4.maas
Spawned VMs are not able to get an IP using DHCP.
Manually configuring IPs and trying to ping between the VMs is not working, as the OVS flows are blocking the traffic:
# ovs-appctl dpctl/dump-flows -m | grep "0x84e"
ufid:4ae6331b-bcc9-4e11-899b-18d844ac5ae3, skb_priority(0/0),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),recirc_id(0),dp_hash(0/0),in_port(ens1f1npf1vf7),packet_type(ns=0/0,id=0/0),eth(src=fa:16:3e:5b:14:47,dst=fa:16:3e:6d:ec:db),eth_type(0x0800),ipv4(src=11.11.11.141,dst=11.11.11.64/255.255.255.192,proto=1,tos=0/0,ttl=0/0,frag=no),icmp(type=0/0,code=0/0), packets:30, bytes:2520, used:0.950s, offloaded:yes, dp:tc, actions:ct(zone=5),recirc(0x84e)
ufid:5849a72a-2b05-4789-8ed2-b795d59adb30, skb_priority(0/0),skb_mark(0/0),ct_state(0x21/0x3f),ct_zone(0/0),ct_mark(0/0),ct_label(0/0x1),recirc_id(0x84e),dp_hash(0/0),in_port(ens1f1npf1vf7),packet_type(ns=0/0,id=0/0),eth(src=00:00:00:00:00:00/00:00:00:00:00:00,dst=fa:16:3e:6d:ec:db),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=0.0.0.0/0.0.0.0,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:30, bytes:2520, used:0.950s, dp:tc, actions:drop
** Affects: neutron (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- [ovn] no traffic for VMs assigned with direct ports without security groups
+ [ovn] no traffic for VMs assigned with direct switchdev ports without security groups
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/1979984
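An added example, not part of the original report: a small Python parser for `ovs-appctl dpctl/dump-flows -m` output that pairs each datapath drop flow with the ct()/recirc flow feeding its recirc_id and decodes the ct_state value/mask into conntrack flags. The sample input is the report's two flows trimmed to the parsed fields; the function names are illustrative, and the flag bits are the kernel datapath's OVS_CS_F_* values.

```python
import re

# Datapath ct_state bits (OVS_CS_F_* in the Linux openvswitch uapi header).
CT_BITS = {0x01: "new", 0x02: "est", 0x04: "rel", 0x08: "rpl",
           0x10: "inv", 0x20: "trk", 0x40: "snat", 0x80: "dnat"}

# Constructed sample: the report's two flows, trimmed to the fields parsed below.
SAMPLE = """\
ufid:4ae6331b-bcc9-4e11-899b-18d844ac5ae3, ct_state(0/0),ct_label(0/0),recirc_id(0),in_port(ens1f1npf1vf7),eth_type(0x0800), packets:30, bytes:2520, used:0.950s, offloaded:yes, dp:tc, actions:ct(zone=5),recirc(0x84e)
ufid:5849a72a-2b05-4789-8ed2-b795d59adb30, ct_state(0x21/0x3f),ct_label(0/0x1),recirc_id(0x84e),in_port(ens1f1npf1vf7),eth_type(0x0800), packets:30, bytes:2520, used:0.950s, dp:tc, actions:drop
"""

def decode_ct_state(field):
    """'value/mask' -> +flag/-flag list, covering only the bits the mask tests."""
    value, _, mask = field.partition("/")
    value, mask = int(value, 0), int(mask or "0xff", 0)
    return [("+" if value & bit else "-") + name
            for bit, name in CT_BITS.items() if mask & bit]

def parse_flow(line):
    """Extract the match fields and actions needed to follow a recirculation."""
    match, _, actions = line.rpartition("actions:")
    def grab(pat, text=match):
        m = re.search(pat, text)
        return m.group(1) if m else None
    to = grab(r"recirc\((\w+)\)", actions)
    return {"recirc_id": int(grab(r"recirc_id\((\w+)") or "0", 0),
            "ct_state": decode_ct_state(grab(r"ct_state\(([^)]*)\)") or "0/0"),
            "in_port": grab(r"in_port\(([^)]*)\)"),
            "packets": int(grab(r"packets:(\d+)") or 0),
            "ct": grab(r"\b(ct\([^)]*\))", actions),
            "recirc_to": int(to, 0) if to else None,
            "actions": actions.strip()}

def trace_drops(dump):
    """Pair every drop flow with the ct()/recirc flow that fed its recirc_id."""
    flows = [parse_flow(l) for l in dump.splitlines() if "actions:" in l]
    feeders = {f["recirc_to"]: f for f in flows if f["recirc_to"] is not None}
    return [{"in_port": f["in_port"], "packets": f["packets"],
             "ct_state": f["ct_state"],
             "via": (feeders.get(f["recirc_id"]) or {}).get("ct")}
            for f in flows if f["actions"] == "drop"]

if __name__ == "__main__":
    for d in trace_drops(SAMPLE):
        print(d)
```

For the flows in this report it shows the dropped packets were sent through ct(zone=5) and then matched as tracked, new connections (+new+trk) before hitting the drop action.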