
Hello,
I have an environment with oVirt 4.3.8. All seems ok from a configuration point of view, but if I use OVN based interfaces on two VMs, they are not able to ping, both if I put them on the same host and if I put them on different hosts. At this point they are both running on the same host and their only vnic is on ovn172 network (defined as 192.168.172.0/24).

I have this

manager # ovn-nbctl show
switch fc2fc4e8-ff71-4ec3-ba03-536a870cd483 (ovirt-ovn192-1e252228-ade7-47c8-acda-5209be358fcf)
switch 87012fa6-ffaa-4fb0-bd91-b3eb7c0a2fc1 (ovirt-ovn193-d43a7928-0dc8-49d3-8755-5d766dff821a)
    port 8141047d-10c0-41f6-bedc-130552a115ef
        addresses: ["00:1a:4a:17:01:54 dynamic"]
    port 90559419-cb8e-45ae-ad61-6c16c4aff598
        addresses: ["00:1a:4a:17:01:52 dynamic"]
    port b3db190f-086a-4c79-99a0-77f811f66c80
        addresses: ["00:1a:4a:17:01:53 dynamic"]
switch 9e77163a-c4e4-4abf-a554-0388e6b5e4ce (ovirt-ovn172-4ac7ba24-aad5-432d-b1d2-672eaeea7d63)
    port 3641cae4-18df-4fba-a2bd-7b0c60a87162
        addresses: ["00:1a:4a:19:01:59 dynamic"]
    port aaddc425-3a38-49bf-bfc7-9eaeab82906e
        addresses: ["00:1a:4a:19:01:58 dynamic"]

The two MACs correspond to what I see for VMs in web admin GUI and at OS level of the two VMs.

On the host where VMs are running I have:

# ovs-vsctl show
f1a41e9c-16fb-4aa2-a386-2f366ade4d3c
    Bridge br-int
        fail_mode: secure
        Port "ovn-b8872a-0"
            Interface "ovn-b8872a-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.4.192.34"}
        Port br-int
            Interface br-int
                type: internal
        Port "vnet0"
            Interface "vnet0"
        Port "ovn-1dce5b-0"
            Interface "ovn-1dce5b-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="10.4.192.32"}
        Port "vnet1"
            Interface "vnet1"
    ovs_version: "2.11.0"

So apparently I see the vnet0 and vnet1 ports associated with the two VMs. How can I check more in depth the reason why they don't ping?

Both VMs are CentOS 8.1 but I don't know if it is relevant.

Thanks,
Gianluca

On Wed, Feb 26, 2020 at 10:16 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> Hello, I have an environment with oVirt 4.3.8. All seems ok from a configuration point of view, but if I use OVN based interfaces on two VMs, they are not able to ping, both if I put them on the same host and if I put them on different hosts. At this point they are both running on the same host and their only vnic is on ovn172 network (defined as 192.168.172.0/24).

Did the VMs get an IP address via DHCP from OVN? Can you please create a new OVN network with port security disabled and try again? Was the openvswitch or ovn package upgraded during the update?

> I have this
>
> manager # ovn-nbctl show
> switch fc2fc4e8-ff71-4ec3-ba03-536a870cd483 (ovirt-ovn192-1e252228-ade7-47c8-acda-5209be358fcf)
> switch 87012fa6-ffaa-4fb0-bd91-b3eb7c0a2fc1 (ovirt-ovn193-d43a7928-0dc8-49d3-8755-5d766dff821a)
>     port 8141047d-10c0-41f6-bedc-130552a115ef
>         addresses: ["00:1a:4a:17:01:54 dynamic"]
>     port 90559419-cb8e-45ae-ad61-6c16c4aff598
>         addresses: ["00:1a:4a:17:01:52 dynamic"]
>     port b3db190f-086a-4c79-99a0-77f811f66c80
>         addresses: ["00:1a:4a:17:01:53 dynamic"]
> switch 9e77163a-c4e4-4abf-a554-0388e6b5e4ce (ovirt-ovn172-4ac7ba24-aad5-432d-b1d2-672eaeea7d63)
>     port 3641cae4-18df-4fba-a2bd-7b0c60a87162
>         addresses: ["00:1a:4a:19:01:59 dynamic"]
>     port aaddc425-3a38-49bf-bfc7-9eaeab82906e
>         addresses: ["00:1a:4a:19:01:58 dynamic"]
>
> The two MACs correspond to what I see for VMs in web admin GUI and at OS level of the two VMs.
>
> On the host where VMs are running I have:
>
> # ovs-vsctl show
> f1a41e9c-16fb-4aa2-a386-2f366ade4d3c
>     Bridge br-int
>         fail_mode: secure
>         Port "ovn-b8872a-0"
>             Interface "ovn-b8872a-0"
>                 type: geneve
>                 options: {csum="true", key=flow, remote_ip="10.4.192.34"}
>         Port br-int
>             Interface br-int
>                 type: internal
>         Port "vnet0"
>             Interface "vnet0"
>         Port "ovn-1dce5b-0"
>             Interface "ovn-1dce5b-0"
>                 type: geneve
>                 options: {csum="true", key=flow, remote_ip="10.4.192.32"}
>         Port "vnet1"
>             Interface "vnet1"
>     ovs_version: "2.11.0"
>
> So apparently I see the vnet0 and vnet1 ports associated with the two VMs. How can I check more in depth the reason why they don't ping?

If OVN would be unhappy, there would be a hint in /var/log/openvswitch/*.log. If the VMs get an IP address via DHCP, OVN should be fine. In this case we have to check if we blocked traffic in an unintended way.

> Both VMs are CentOS 8.1 but I don't know if it is relevant.
>
> Thanks, Gianluca

On Wed, Feb 26, 2020 at 6:01 PM Dominik Holler <dholler@redhat.com> wrote:
> On Wed, Feb 26, 2020 at 10:16 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>> Hello, I have an environment with oVirt 4.3.8. All seems ok from a configuration point of view, but if I use OVN based interfaces on two VMs, they are not able to ping, both if I put them on the same host and if I put them on different hosts. At this point they are both running on the same host and their only vnic is on ovn172 network (defined as 192.168.172.0/24).
>
> Did the VMs get an IP address via DHCP from OVN?

No, both VMs are static IP

> Can you please create a new OVN network with port security disabled and try again?

Ah ah! I forgot this thing of the port security again.... Putting the VMs on a port security disabled OVN network they are able to ping each other both when on same host and on hosts sitting in different physical datacenters....

Is it possible to change to disabled an existing OVN network with port security enabled? It seems all is greyed out when editing.

Thanks. You already told me this in the past....

Gianluca

On Wed, Feb 26, 2020 at 7:02 PM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> On Wed, Feb 26, 2020 at 6:01 PM Dominik Holler <dholler@redhat.com> wrote:
>> On Wed, Feb 26, 2020 at 10:16 AM Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
>>> Hello, I have an environment with oVirt 4.3.8. All seems ok from a configuration point of view, but if I use OVN based interfaces on two VMs, they are not able to ping, both if I put them on the same host and if I put them on different hosts. At this point they are both running on the same host and their only vnic is on ovn172 network (defined as 192.168.172.0/24).
>>
>> Did the VMs get an IP address via DHCP from OVN?
>
> No, both VMs are static IP
>
>> Can you please create a new OVN network with port security disabled and try again?
>
> Ah ah! I forgot this thing of the port security again.... Putting the VMs on a port security disabled OVN network they are able to ping each other both when on same host and on hosts sitting in different physical datacenters....
>
> Is it possible to change to disabled an existing OVN network with port security enabled? It seems all is greyed out when editing.

Yes, you have to disable directly via OpenStack API. Please note that the attribute of the network applies only to ports that are created after the attribute is changed on the network. So if you want to disable port security for an existing port, you have to disable this on the port via the OpenStack API.

> Thanks. You already told me this in the past....

I am always happy to hear your feedback!

> Gianluca
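
The procedure from the last reply, as an added example that is not part of the original thread or of oVirt's own code: it plans the network-level update plus one update per existing port, using the OpenStack Networking API v2.0 attribute port_security_enabled. The endpoint host, the token and the sample port records are assumptions (placeholders and constructed data).

```python
import json
import urllib.request

# Assumption: base URL of the provider's Networking API (placeholder host).
API = "https://provider.example:9696/v2.0"


def plan_updates(network_id, ports):
    """Return the (method, url, body) calls that turn port security off.

    The network-level attribute only affects ports created afterwards, so
    every existing port on that network gets its own update as well.
    """
    off = {"port_security_enabled": False}
    calls = [("PUT", f"{API}/networks/{network_id}", {"network": off})]
    for port in ports:
        if port.get("network_id") != network_id:
            continue  # port belongs to another logical network
        if port.get("port_security_enabled") is False:
            continue  # already disabled, nothing to change
        calls.append(("PUT", f"{API}/ports/{port['id']}", {"port": off}))
    return calls


def send(call, token):
    """Issue one planned call; token is an X-Auth-Token value (assumed valid)."""
    method, url, body = call
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", "X-Auth-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of the "ports" list from GET /v2.0/ports (ids are made up).
SAMPLE_PORTS = [
    {"id": "port-a", "network_id": "net-172", "port_security_enabled": True},
    {"id": "port-b", "network_id": "net-172", "port_security_enabled": True},
    {"id": "port-c", "network_id": "net-193", "port_security_enabled": True},
    {"id": "port-d", "network_id": "net-172", "port_security_enabled": False},
]

if __name__ == "__main__":
    # Dry run: print the planned calls instead of sending them.
    for method, url, body in plan_updates("net-172", SAMPLE_PORTS):
        print(method, url, json.dumps(body))
```

Only ports on the named network that still have port security enabled are touched, so ports on other logical networks keep their filtering.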