On Thu, Apr 4, 2019 at 11:27 AM Gianluca Cecchi
<gianluca.cecchi(a)gmail.com> wrote:
On Sat, Mar 23, 2019 at 7:44 PM Dominik Holler <dholler(a)redhat.com> wrote:
Sorry for the late reply, Dominik... busy on other (interesting, at least ;-) things
>
>
> > I have to dig a bit more, because from first tests if I start another VM on
> > the same ovn192 network also on the same host they are not able to
> > communicate
> > Possibly an iptables misconfiguration on host?
> >
>
> Just to understand the error, would you please check if
> /var/log/openvswitch/ovn-controller.log
> or any other logfile in the same directory contains any hints?
>
It seems not
>
> Would communication using a new created ovn network without port
> security enabled work?
I confirm that if I create a new ovn with security port "Disabled" the VMs can
communicate both when running on the same host and on hosts even in different datacenters
;-)
I unplug vnic / change ovn network of vms to match the new one / plug vnics again and
they communicate.
I unplug vnic / change ovn network of vms to the old one with port security enabled / plug
vnics again and they don't communicate.
Questions:
- what is the role of the "Network port security" option for an OVN network?
It means that newly created ports under that network will inherit the
port security value from the network - e.g. if the network's port
security attribute is active, so will the newly created port's port
security.
Port security on a port means 2 things:
#1 - security group rules *will* apply to the VM having that port attached
#2 - only the specified MAC address will be allowed to send/receive
through that port. MAC spoofing protection is applied.
- what is the meaning of "Undefined" option for it other
than "Enabled" and "Disabled"?
It means that the network will inherit the value from the provider's
configuration - you can check what it translates to in
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
- it seems I cannot edit the value for "Network port
security" option of an existing OVN network, is it correct?
You cannot do it *through the UI*. You can use ansible / REST api to
update the network - or ports - port_security_enabled value.
I am working on creating a couple of playbooks for this; hopefully I
can provide those early next week. It would help to speed up this
process.
Thanks again,
Gianluca
There is a notion of a 'default' group, which ensures connectivity to all
VMs whose ports belong to that group - and all ports with active port
security belong to it by default.
I'm not sure how you reached that situation, but let's first make sure
of a couple of things; please provide the output of:
- ovn-nbctl list logical_switch_port # this shows the port security
value and which groups the port belongs to - the latter in the
'external_ids' column.
- ovn-nbctl list port_group # this is where the security groups are
stored; it holds associations to the ACLs belonging to the group and to
the ports that use it
- ovn-nbctl list address_set # this is where the IPs per group are
stored. Security groups are an L3 concept.
A pastebin with the aforementioned info is welcome.
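As an added example (not part of this thread and not ovirt-provider-ovn code), here is a small Python script that parses the `ovn-nbctl list logical_switch_port` record format and flags the two conditions the reply above describes: a port with port security on that belongs to no security group (so no group ACL admits its traffic), and a port whose `port_security` MAC does not match its `addresses` entry (so MAC spoofing protection drops its frames). The four sample records are constructed, and the `external_ids` keys `ovirt_nic_name` and `ovirt_security_groups` are assumptions about how the provider labels ports; check the real output for the actual key names before relying on them.

```python
# Audit `ovn-nbctl list logical_switch_port` output for ports that port
# security would isolate. Added example, not ovirt-provider-ovn code.
import re
from typing import Any, Dict, List

# ASSUMPTION: external_ids keys ovirt-provider-ovn uses to label ports.
NIC_NAME_KEY = "ovirt_nic_name"
SECURITY_GROUPS_KEY = "ovirt_security_groups"

# Constructed sample in the `ovn-nbctl list` record format (key : value
# lines, blank line between records). UUIDs, MACs and IPs are made up.
SAMPLE_LSP_LIST = """\
_uuid               : 11111111-1111-1111-1111-111111111111
addresses           : ["00:1a:4a:16:01:51 10.10.0.11"]
external_ids        : {ovirt_device_id="aaaa-1", ovirt_nic_name=vm1-nic1, ovirt_security_groups="Default"}
name                : "11111111-1111-1111-1111-111111111111"
port_security       : ["00:1a:4a:16:01:51 10.10.0.11"]

_uuid               : 22222222-2222-2222-2222-222222222222
addresses           : ["00:1a:4a:16:01:52 10.10.0.12"]
external_ids        : {ovirt_device_id="aaaa-2", ovirt_nic_name=vm2-nic1}
name                : "22222222-2222-2222-2222-222222222222"
port_security       : ["00:1a:4a:16:01:52 10.10.0.12"]

_uuid               : 33333333-3333-3333-3333-333333333333
addresses           : ["00:1a:4a:16:01:53"]
external_ids        : {ovirt_device_id="aaaa-3", ovirt_nic_name=vm3-nic1}
name                : "33333333-3333-3333-3333-333333333333"
port_security       : []

_uuid               : 44444444-4444-4444-4444-444444444444
addresses           : ["00:1a:4a:16:01:54 10.10.0.14"]
external_ids        : {ovirt_device_id="aaaa-4", ovirt_nic_name=vm4-nic1, ovirt_security_groups="Default"}
name                : "44444444-4444-4444-4444-444444444444"
port_security       : ["00:1a:4a:16:01:99 10.10.0.14"]
"""

_SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside quotes
_MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)

def _atom(s: str) -> str:
    """Strip surrounding double quotes from an OVSDB atom, if present."""
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def parse_value(raw: str) -> Any:
    """Turn one column value into a str, a list ([...]) or a dict ({k=v, ...})."""
    raw = raw.strip()
    if raw[:1] == "[" and raw[-1:] == "]":
        inner = raw[1:-1].strip()
        return [_atom(x) for x in _SPLIT_RE.split(inner)] if inner else []
    if raw[:1] == "{" and raw[-1:] == "}":
        inner = raw[1:-1].strip()
        items = _SPLIT_RE.split(inner) if inner else []
        return {k.strip(): _atom(v) for k, _, v in (i.partition("=") for i in items)}
    return _atom(raw)

def parse_records(text: str) -> List[Dict[str, Any]]:
    """Split `ovn-nbctl list` output into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, Any] = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")  # column names never contain ':'
            if sep:
                rec[key.strip()] = parse_value(val)
        records.append(rec)
    return records

def _macs(entries: List[str]) -> set:
    """MACs from "mac [ip ...]" entries, ignoring tokens such as unknown/router."""
    return {e.split()[0] for e in entries if e and _MAC_RE.match(e.split()[0])}

def audit_ports(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Per port: is port security on, which groups it is in, what would isolate it."""
    report = []
    for rec in records:
        ext = rec.get("external_ids", {})
        port_sec = rec.get("port_security", [])
        groups = [g.strip() for g in ext.get(SECURITY_GROUPS_KEY, "").split(",") if g.strip()]
        issues = []
        if port_sec:
            if not groups:
                issues.append("port security on but no security group: "
                              "connectivity comes from group membership")
            if _macs(rec.get("addresses", [])) - _macs(port_sec):
                issues.append("port_security MAC differs from addresses: "
                              "MAC spoofing protection will drop its frames")
        report.append({"port": ext.get(NIC_NAME_KEY, rec.get("name")),
                       "port_security": bool(port_sec), "groups": groups,
                       "issues": issues})
    return report

if __name__ == "__main__":
    for entry in audit_ports(parse_records(SAMPLE_LSP_LIST)):
        print(entry)
```

To run it against a real deployment, save `ovn-nbctl list logical_switch_port` to a file and pass its contents to `parse_records`; a port reported with port security on and an empty group list, or with a MAC mismatch, is the first thing to check when VMs on a port-security-enabled network cannot reach each other.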