
On Thu, Apr 4, 2019 at 11:27 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Sat, Mar 23, 2019 at 7:44 PM Dominik Holler <dholler@redhat.com> wrote:
Sorry for the late reply, Dominik... busy on other (interesting at least ;-) things.
I have to dig a bit more, because from first tests, if I start another VM on the same ovn192 network, also on the same host, they are not able to communicate. Possibly an iptables misconfiguration on the host?
Just to understand the error, would you please check if /var/log/openvswitch/ovn-controller.log or any other logfile in the same directory contains any hints?
It seems not
Would communication using a new created ovn network without port security enabled work?
I confirm that if I create a new OVN network with port security "Disabled", the VMs can communicate both when running on the same host and on hosts even in different datacenters ;-) I unplug the vNICs / change the OVN network of the VMs to match the new one / plug the vNICs again, and they communicate. I unplug the vNICs / change the OVN network of the VMs to the old one with port security enabled / plug the vNICs again, and they don't communicate.
Questions:
- what is the role of the "Network port security" option for an OVN network?
It means that newly created ports under that network will inherit the port security value from the network - e.g. if the network's port security attribute is active, so will the newly created port's port security. Port security on a port means 2 things:
#1 - security group rules *will* apply to the VM having that port attached
#2 - only the specified MAC address will be allowed to send/receive through that port. MAC spoofing protection is applied.
- what is the meaning of "Undefined" option for it other than "Enabled" and "Disabled"?
It means that the network will inherit the value from the provider's configuration - you can check what it translates to in /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
- it seems I cannot edit the value for "Network port security" option of an existing OVN network, is it correct?
You cannot do it *through the UI*. You can use Ansible / the REST API to update the network's - or the ports' - port_security_enabled value. I am working on creating a couple of playbooks for this; hopefully I can provide those early next week. It would be helpful to agilize this process.
Thanks again, Gianluca
There is a notion of a 'default' group, that ensures connectivity to all VMs whose ports belong to that group - and all ports with active port security, by default, do. I'm not sure how you reached that situation, but let's first make sure of a couple of things; please provide the output of:
- ovn-nbctl list logical_switch_port # this will feature info of the port security value, and of which groups the port belongs to - the latter in the 'external_ids' column.
- ovn-nbctl list port_group # this is where the security groups are stored; it has associations to the ACLs belonging to the group, and of the ports that are using it
- ovn-nbctl list address_set # this is where the IPs per group are stored. Security groups are an L3 concept.
A pastebin with the aforementioned info is welcome.
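As an added example (not from the thread or from oVirt's own tooling), the following script reads the record format printed by `ovn-nbctl list logical_switch_port` and lists every port whose port security is active but which is not in the 'default' group the reply above says normally guarantees connectivity. The sample output is constructed, and the external_ids key that names the groups (`ovirt_security_groups`) is an assumption; check the real column on your host and adjust the key.

```python
import re

# Constructed sample in the record format printed by `ovn-nbctl list logical_switch_port`
# (not a capture from the thread); the external_ids key naming the groups is an assumption.
SAMPLE = """\
name                : "vm1-nic1"
external_ids        : {"ovirt_nic_name"="nic1", "ovirt_security_groups"="default"}
port_security       : ["00:1a:4a:16:01:51 10.10.0.11"]

name                : "vm2-nic1"
external_ids        : {"ovirt_nic_name"="nic1"}
port_security       : []

name                : "vm3-nic1"
external_ids        : {"ovirt_nic_name"="nic1", "ovirt_security_groups"="web"}
port_security       : ["00:1a:4a:16:01:53 10.10.0.13"]
"""


def parse_records(text):
    """Split `ovn-nbctl list` output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")  # first ':' only; MAC addresses keep theirs
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_map(value):
    """Parse an OVSDB map column such as {"k"="v", k2=v2} into a dict."""
    return dict(re.findall(r'"?([^",={}\s]+)"?="?([^",}]*)"?', value))


def port_security_report(text, group_key="ovirt_security_groups"):
    """Map port name -> (port security active?, [group names]) for every record."""
    report = {}
    for rec in parse_records(text):
        active = rec.get("port_security", "[]") != "[]"
        groups = parse_map(rec.get("external_ids", "{}")).get(group_key, "")
        report[rec.get("name", "").strip('"')] = (active, [g for g in groups.split(",") if g])
    return report


def isolated_ports(text):
    """Ports that enforce port security but are not in the 'default' group."""
    return sorted(n for n, (on, groups) in port_security_report(text).items()
                  if on and "default" not in groups)
```

Run it against `ovn-nbctl list logical_switch_port | python3 script.py` style input by replacing `SAMPLE` with `sys.stdin.read()`; any name printed by `isolated_ports` is a port worth comparing against the `port_group` and `address_set` output.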