SlideShare ist ein Scribd-Unternehmen logo

Anatomy of neutron from the eagle eyes of troubelshoorters

Sadique Puthen
Sadique Puthen

Presentation at OpenStack summit Barcelona

Technologie
1 von 27
Downloaden Sie, um offline zu lesen
Anatomy Of OpenStack Neutron Through The Of Troubleshooters Sadique Puthen Cloud Success Architect 27/10/2016
INSERT DESIGNATOR, IF NEEDED2 Examples: 1. Security group rules are not effective 2. Newly created instances cannot get ip from dhcp. 3. Connection to floating ip randomly fails. 4. Communications through provider networks are very very slow. ○ Lessons learned. Understand: ● Will explore only the limited anatomy associated with the problems explained here. Agenda Explore troubleshooting neutron and its anatomy using real life troubleshooting examples ● Examples are real life troubleshooting examples. ● These solutions are applicable to the versions where they were hit. ○ May not be relevant with latest versions as patches may have landed to fix some of them permanently. ● The prime focus of this session is not on the problem and solution. ○ But on the anatomy of neutron and troubleshooting methods applied to solve them.
Security group rules are not effective
INSERT DESIGNATOR, IF NEEDED4 The rules say only ping and ssh should be allowed from x source, but everything is allowed from everywhere. Security Groups Are Not Working Rules are not effective, everything is allowed ● Understand how the packets flow through multiple iptables chains ● Understand where exactly Security group rules are applied. ● Try with different security groups and rules including the default one.
INSERT DESIGNATOR, IF NEEDED5 Security Group Not Working FORWARD neutron-openvswi-FORWARD neutron-openvswi-sgchain neutron-openvswitch-oxxx-x neutron-openvswitch-ixxx-x incoming outgoing No Yes Yes No Does it meet the RETURN rule? Does it meet the RETURN rule? neutron-openvswitch-sg-fallback DROP Process further rules and apply default policy for the chain ACCEPT
INSERT DESIGNATOR, IF NEEDED6 The rules say only ping and ssh should be allowed from x source, but everything is allowed from everywhere. Security Groups Are Not Working Rules are not effective, everything is allowed ● Understand how the packets flow through multiple chains ● Verify the rules are inserted to required iptables chains. ● Understand where exactly Security group rules are applied. ● Verify if the packets are going through the chain by iptables logging. ● Example Rule. iptables -A CHAIN -j LOG --log-prefix “CHAIN:SG:" --log-level <level> ● When we added the rule, we saw that packets never traverse through iptables since nothing was logged. ● This led us to fix our focus to hunt for global parameters that could bypass iptables and found: ● This was because the default kernel configuration is set not to send packets in a linux bridge through iptables. net.bridge.bridge-nf-call-iptables =1 ● Nova dynamically enables this now.
Newly created instances cannot get dhcp ip.
INSERT DESIGNATOR, IF NEEDED8 Newly Created Instances Cannot Get DHCP IP Instance dhcp discover ctrl-0 dhcp offer dhcp request c0 dhcp ACK DHCP dhcp discover ctrl-0 dhcp offer dhcp request c0 dhcp NACK dhcp discover ctrl-0 dhcp offer dhcp request c0 dhcp NACK Understand how HA for DHCP works. ● While network is created, a dhcp server is spawned on each network node depending on the value of dhcp_agents_per_network. In this case 3 ● First the instance sends DHCP discover. ● All DHCP servers respond with an offer. ● Instance replies with a DHCP request with server identifier. ● That server replies with ACK, rest of them don’t respond or does NACK DHCP DHCP Instances created previously can still get their dhcp ip address on renewal or reboot.
INSERT DESIGNATOR, IF NEEDED9 Understand the L2 flow between instance and dhcp server tapxxx-x eth0qbrxxx-x qvbxxx-x qvoxxx-x br-int patch-tun patch-int br-tun ethx ethx ethx ethx tapxxxx br-int patch-tun patch-int br-tun dnsmasq tapxxxx br-int patch-tun patch-int br-tun dnsmasq tapxxxx br-int patch-tun patch-int br-tun dnsmasq dhcp discover dhcp offer dhcp request c0 dhcp ACK dhcp discover dhcp offer dhcp request c0 dhcp NACK dhcp discover dhcp offer dhcp request c0 dhcp NACK
INSERT DESIGNATOR, IF NEEDED10 How does it work after the packet reaches dhcp-server? nobody 27219 0.0 0.0 15552 540 ? S 13:35 0:00 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/host --addn-hosts=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/opts --dhcp-leasefile=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tapd5bf1700-5c --dhcp-range=set:tag0,192.168.1.0,static,86400s --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq-neutron.conf --domain=openstacklocal ● We do not see any of the dhcp server responding with an offer to instance. ○ This requires exploring how neutron dhcp with dnsmasq works. ● Each DHCP server is a dnsmasq process bound to a tapxxx interface in its own namespace. ● The DHCP server reads mac -> ip mapping from static host file and responds to only the mac -> ip listed there. ● While exploring the host file, we found it contains mac -> ip mapping only for previous instances. ○ File never gets populated with mac -> ip mapping of any newly created instance. ● This led to further investigation on who is responsible to populate this file and how it does.
INSERT DESIGNATOR, IF NEEDED11 Who is responsible to update this file? ● dhcp-agent dynamically updates this file during changes to a port through message bus. ● This led us to explore the dhcp-agent logs and found. 2015-07-29 02:12:14.204 36387 TRACE root NotFound: Basic.consume: (404) NOT_FOUND - no queue 'dhcp_agent' in vhost '/' The solution! ● We saw this error more than 5k times in each dhcp-agent.log ● Upon further digging, it was found the rpc/oslo.messaging code was missing the patch to reconnect to message bus in case it loses access to it. ● The immediate problem was solved by restarting dhcp-agent. ● A permanent fix was added by backporting the patch to always reconnect.
Connection to Floating IP randomly fails
INSERT DESIGNATOR, IF NEEDED13 Communication to instance through floating ip randomly fails Random failure. ● 10 ping to floating ip works. Then drops some pings. Then works and starts dropping. ○ It’s purely random and there is no pattern. ● Layer 3 HA is used. Configured with. max_l3_agents_per_router=3 l3_ha=True ● This creates three instances of the routers instances in active/passive mode. Like 10 ping works, then stops and loses another 20, then starts working and fails ● Vxlan tunneling is used for communication between compute node and network node. ● Floating ip network is a vlan provider external network. ● Let us try to explore the anatomy of l3 HA configuration before going very deep into our problem.
INSERT DESIGNATOR, IF NEEDED14 Anatomy of L3 HA for floating ips tapxxx-x eth0 qbrxx-x qvbxxx-x qvoxxx-x br-int patch-tun patch-int br-tun ethx ethx ethx ethx qg-xxx br-int patch-tun patch-int br-tun br-int patch-tun patch-int br-tun br-int patch-tun patch-int br-tun qr-yyy ha-zzz qg-xxx qr-yyy ha-zzz qrouter-xxx qrouter-xxx qg-xxx qr-yyy ha-zzz qrouter-xxx
INSERT DESIGNATOR, IF NEEDED15 Troubleshooting steps. tapxxx-x eth0 qbrxxx-x qvbxxx-x qvoxxx-x br-int patch-tun patch-int br-tun ethx ethx qg-xxx br-int patch-tun patch-int br-tun qr-yyy ha-zzz qrouter-xxx int-br-ex phy-br-ex br-ex ethx External network Only the anatomy master network node for the router is shown in the diagram. ● Ping to the default gateway of the private network from instance. ○ That is the ip of qr-yyy. 100% successful. ● Ping the base ip of qg-xxx from instance. Every router has a base ip. ○ 100% successful. ● From qrouter-xxx namespace, ping the default gateway of external network. ○ This reproduces it! ip netns exec qrouter-xxx ping <ip>
INSERT DESIGNATOR, IF NEEDED16 Troubleshooting steps. Only the anatomy master network node for the router is shown in the diagram. ● From an external system connected to the same floating ip network, we tried to ping the base ip of qg-xxx. ○ This reproduces it. ○ This helped us to focus on br-ex for rest of troubleshooting. ● Constantly monitored mac learning of ovs on br-ex bridge. The mac -> port mapping was flapping randomly for the mac address of the instance. # ovs-appctl fdb/show br-ex port VLAN MAC Age 1 0 00:2a:6a:8c:d6:c4 37 2 0 00:17:a4:77:10:2c 1 # ovs-appctl fdb/show br-ex port VLAN MAC Age 1 0 00:2a:6a:8c:d6:c4 37 1 0 00:17:a4:77:10:2c 1 tapxxx-x eth0 qbrxxx-x qvbxxx-x qvoxxx-x br-int patch-tun patch-int br-tun ethx ethx qg-xxx br-int patch-tun patch-int br-tun qr-yyy ha-zzz qrouter-xxx int-br-ex phy-br-ex br-ex ethx External network
INSERT DESIGNATOR, IF NEEDED17 Solution: Fix the loop from switch/enclosure # tcpdump -i eth0 15:20:03.050558 ARP, Request who-has 12.1.1.1 tell 12.1.1.2, length 28 15:20:03.050583 ARP, Request who-has 12.1.1.1 tell 12.1.1.2, length 28 15:20:03.050835 ARP, Reply 12.1.1.1 is-at 00:17:a4:77:10:2c, length 38 15:20:03.050558 ARP, Request who-has 12.1.1.1 tell 12.1.1.2, length 28 15:20:03.050583 ARP, Request who-has 12.1.1.1 tell 12.1.1.2, length 28 15:20:03.050835 ARP, Reply 12.1.1.1 is-at 00:17:a4:77:10:2c, length 38 # ovs-ofctl show br-ex 1 (eth0): addr:00:17:a4:77:10:14 … 2 (phy-br-ex): addr:5e:b6:f8:49:06:41 ….. ● Below command will give port number associated with the port in the ovs bridge. ● The instance mac address should always be mapped to port phy-br-ex to reach the packet to instance. ● We did tcpdump on physical interface to understand why the flapping happens. ● This clearly indicated that there is loop from switch that confuses ovs and understands the mac of instances is outside of the system and flips mac - ip mapping to the mac of physical interface. ● The loop on the hardware/switch was fixed to resolve this. ○ Beware some bonding mode or a misconfigured bonding configuration can exhibit the same problem. # ovs-appctl vlog/set ofproto_dpif_xlate dbg 2016-06-14T05:02:13.155Z|10769|ofproto_dpif_xlate(x)|DBG|bridge br-ex: learned that 00:17:a4:77:10:2c is on port eth1 in VLAN 13 2016-06-14T05:02:13.155Z|10770|ofproto_dpif_xlate(x)|DBG|bridge br-ex: learned that 00:17:a4:77:10:2c is on port phy-br-ex in VLAN 13 ● Enabled DBG level logging in ofproto_dpif_xlate to see what OVS is learning when the loop happens.
Communication through provider network is very slow
INSERT DESIGNATOR, IF NEEDED19 Communication to instance is very slow on provider network What are provider networks? ● Allows you to directly add an instance to external network. ○ Instance has gatway ip of the external gateway ● Compute node should be directly connected to external network. ● The infra was setup to route packets to external network via br-ex -> bond0.301 -> bond0 - > slaves ● Then a vlan provider network was created using below Provider networks enable direct communication from instance to external network. # neutron net-create provider-vlan171 --provider:network_type vlan --router:external true --provider:physical_network physnet1 --provider:segmentation_id 171 --shared ● Did tcpdump on physical interface and found packets are getting fragmented. ● lowered the mtu to 1450 and fixed the problem. ● This is not vxlan network, but vlan. Is lowering mtu the ultimate solution. Of course no! ● Let us try to explore the anatomy of provider network to get to the bottom of it.
INSERT DESIGNATOR, IF NEEDED20 Communication to instance is very slow on provider network Let us see how provider network works. ● The diagram is packet flow on a compute node. ● When an outgoing packet reaches qvoxxx-x, ovs adds internal vlan tag associated with provider network to the packet. ● When it reaches phy-br-ex, ovs strips internal tag and adds vlan tag associated with provider network to the packet. ● When the packet reaches bond0.301, it again gets vlan tag added to packet header Provider networks enable direct communication from instance to external network. tapxxx-x eth0 qbrxxx-x qvbxxx-x qvoxxx-x br-int int-br-ex br-ex phy-br-ex bond0.301 bond0 External network Compute eth0 eth1 10 301 301x2
INSERT DESIGNATOR, IF NEEDED21 Solution: Add plain interface to ovs bridge, not tagged interface ● This obviously causes double vlan tag on the packet when it goes out and exceeds the MTU. ● The solution is simple, Add bond0 to ovs bridge br-ex instead of bond0.301. ● This was an admin error who was confused on how provider network works and mixed with a doc that explains about flat provider network while configuring. ● But troubleshooting was not that simple. Avoid double vlan tagging tapxxx-x eth0 qbrxxx-x qvbxxx-x qvoxxx-x br-int int-br-ex br-ex phy-br-ex bond0 External network Compute eth0 eth1 10 301 301
Lessons learned
INSERT DESIGNATOR, IF NEEDED23 ● Collecting prerequisite information to start troubleshooting is time consuming and confusing. ○ Compute node the instance runs, instance name, port details, internal vlan tag on each node, etc. ● Too many hops to run tcpdumps for troubleshooting. ○ Not easy to dump patch-peer . Need to mirror to another port. ● Understanding ovs topology is time confusing. ○ Can be mitigated significantly by using ● Do not assume, neutron is always wrong. ○ It can be user error, OS issues, issues with supporting services and Neutron layer as well. ● Hunting for expertise in each of them is challenging. ● You may have to tread a lot of wrong paths before you get into the right track. Lessons learned. Some of the lessons learned while troubleshooting
BREAKOUT SESSIONS - Thursday October 27th Anatomy Of OpenStack Neutron Through The Eagle Eyes Of Troubleshooters The Ceph Power Show :: Hands-on Lab to learn Ceph "The most popular Cinder backend" Building self-healing applications with Aodh, Zaqar and Mistral Writing A New Puppet OpenStack Module Like A Rockstar Ambassador Community Report VPP: the ultimate NFV vSwitch (and more!)? Sadique Puthen Brent Compton, Karan Singh Zane Bitter, Lingxian Kong (Catalyst IT), Fei Long Wang (Catalyst IT) Emilien Macchi Erwan Gallen, Kavit Munshi (Aptira), Jaesuk Ahn (SKT), Marton Kiss (Aptira), Akihiro Hasegawa (Bit-isle Equinix, Inc) Franck Baudin, Uri Elzur (Intel) 9:00am-9:40am 9:00am-10:30am 9:00am-9:40am 9:50am-10:30am 9:50am-10:30am 9:50am-10:30am
BREAKOUT SESSIONS - Thursday October 27th Zuul v3: OpenStack and Ansible Native CI/CD Container Defense in Depth Analyzing Performance in the Cloud : solving an elastic problem with a scientific approach One-stop-shop for OpenStack tools OpenStack troubleshooting: So simple even your kids can do it Solving Distributed NFV Puzzle with OpenStack and SDN Ceph, now and later: our plan for open unified cloud storage James Blair Thomas Cameron, Scott McCarty Alex Krzos, Nicholas Wakou (Dell) Ruchika Kharwar Vinny Valdez, Jonathan Jozwiak Rimma Iontel, Fernando Oliveira (VZ), Rajneesh Bajpai (BigSwitch) Sage Weil 11:00am-11:40am 11:50am-12:30pm 11:50pm-12:30pm 1:50pm-2:30pm 1:50pm-2:30pm 2:40pm-3:20pm 2:40pm-3:20pm
BREAKOUT SESSIONS - Thursday October 27th How to configure your cloud to be able to charge your users using official OpenStack components! A dice with several faces: Coordinators, mentors and interns on OpenStack Outreach internships Yo dawg I herd you like Containers, so we put OpenStack and Ceph in Containers Picking an OpenStack Networking solution Forget everything you knew about Swift Rings - here's everything you need to know about Swift Rings Julien Danjou, Stephane Albert (Objectif Libre), Christophe Sauthier (Objectif Libre) Victoria Martinez de la Cruz, Nisha Yadav (Delhi Tech University), Samuel de Medeiros Queiroz (HPE) Sean Cohen, Sebastien Han, Federico Lucifredi Russell Bryant, Gal Sagie (Huawei), Kyle Mestery (IBM) Christian Schwede, Clay Gerrard (Swiftstack) 2:40pm-4:10pm 2:40pm-4:10pm 3:30pm-4:10pm 4:40pm-5:20pm 5:30pm-6:10pm
Questions? sputhenp@redhat.com @sadiquepp plus.google.com/+RedHat linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHatNews

Empfohlen

How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentSadique Puthen
 
Multi tier-app-network-topology-neutron-final
Multi tier-app-network-topology-neutron-finalMulti tier-app-network-topology-neutron-final
Multi tier-app-network-topology-neutron-finalSadique Puthen
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Diverajdeep
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch어형 이
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATThomas Graf
 

Empfohlen

How to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepHow to Troubleshoot OpenStack Without Losing Sleep
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
 
Troubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentTroubleshooting containerized triple o deployment
Troubleshooting containerized triple o deploymentSadique Puthen
 
Multi tier-app-network-topology-neutron-final
Multi tier-app-network-topology-neutron-finalMulti tier-app-network-topology-neutron-final
Multi tier-app-network-topology-neutron-finalSadique Puthen
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Diverajdeep
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
debugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitchdebugging openstack neutron /w openvswitch
debugging openstack neutron /w openvswitch어형 이
 
Docker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversDocker Networking with New Ipvlan and Macvlan Drivers
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATThomas Graf
 
Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveMirantis
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch YongKi Kim
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
OVN - Basics and deep dive
OVN - Basics and deep diveOVN - Basics and deep dive
OVN - Basics and deep diveTrinath Somanchi
 
Openstack Networking Internals - first part
Openstack Networking Internals - first partOpenstack Networking Internals - first part
Openstack Networking Internals - first partlilliput12
 
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSOpenstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSSadique Puthen
 
OpenStack networking juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvrOpenStack networking juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvrSim Janghoon
 
How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science HungWei Chiu
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStackSean Chang
 
rtnetlink
rtnetlinkrtnetlink
rtnetlinkTaku Fukushima
 
Control Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsControl Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsHungWei Chiu
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchTe-Yen Liu
 
LF_OVS_17_LXC Linux Containers over Open vSwitch
LF_OVS_17_LXC Linux Containers over Open vSwitchLF_OVS_17_LXC Linux Containers over Open vSwitch
LF_OVS_17_LXC Linux Containers over Open vSwitchLF_OpenvSwitch
 
Accelerating Neutron with Intel DPDK
Accelerating Neutron with Intel DPDKAccelerating Neutron with Intel DPDK
Accelerating Neutron with Intel DPDKAlexander Shalimov
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch IntroductionHungWei Chiu
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerJérôme Petazzoni
 
Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitchSim Janghoon
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OpenvSwitch
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSThomas Graf
 
150416 OpenStack Networking with Neutron Jieun, Kim
150416 OpenStack Networking with Neutron Jieun, Kim150416 OpenStack Networking with Neutron Jieun, Kim
150416 OpenStack Networking with Neutron Jieun, Kimjieun kim
 
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...LF Events
 

Weitere ähnliche Inhalte

Was ist angesagt?

Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveMirantis
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch YongKi Kim
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
OVN - Basics and deep dive
OVN - Basics and deep diveOVN - Basics and deep dive
OVN - Basics and deep diveTrinath Somanchi
 
Openstack Networking Internals - first part
Openstack Networking Internals - first partOpenstack Networking Internals - first part
Openstack Networking Internals - first partlilliput12
 
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSOpenstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSSadique Puthen
 
OpenStack networking juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvrOpenStack networking juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvrSim Janghoon
 
How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science HungWei Chiu
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStackSean Chang
 
Control Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsControl Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsHungWei Chiu
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchTe-Yen Liu
 
LF_OVS_17_LXC Linux Containers over Open vSwitch
LF_OVS_17_LXC Linux Containers over Open vSwitchLF_OVS_17_LXC Linux Containers over Open vSwitch
LF_OVS_17_LXC Linux Containers over Open vSwitchLF_OpenvSwitch
 
Accelerating Neutron with Intel DPDK
Accelerating Neutron with Intel DPDKAccelerating Neutron with Intel DPDK
Accelerating Neutron with Intel DPDKAlexander Shalimov
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch IntroductionHungWei Chiu
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerJérôme Petazzoni
 
Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitchSim Janghoon
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OpenvSwitch
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSThomas Graf
 

Was ist angesagt? (20)

Neutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep DiveNeutron Network Namespaces and IPtables--A Technical Deep Dive
Neutron Network Namespaces and IPtables--A Technical Deep Dive
 
Understanding Open vSwitch
Understanding Open vSwitch Understanding Open vSwitch
Understanding Open vSwitch
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
 
OVN - Basics and deep dive
OVN - Basics and deep diveOVN - Basics and deep dive
OVN - Basics and deep dive
 
Openstack Networking Internals - first part
Openstack Networking Internals - first partOpenstack Networking Internals - first part
Openstack Networking Internals - first part
 
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaSOpenstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
 
OpenStack networking juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvrOpenStack networking juno l3 h-a, dvr
OpenStack networking juno l3 h-a, dvr
 
How Networking works with Data Science
How Networking works with Data Science How Networking works with Data Science
How Networking works with Data Science
 
Commication Framework in OpenStack
Commication Framework in OpenStackCommication Framework in OpenStack
Commication Framework in OpenStack
 
rtnetlink
rtnetlinkrtnetlink
rtnetlink
 
Control Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring UsControl Your Network ASICs, What Benefits switchdev Can Bring Us
Control Your Network ASICs, What Benefits switchdev Can Bring Us
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
 
LF_OVS_17_LXC Linux Containers over Open vSwitch
LF_OVS_17_LXC Linux Containers over Open vSwitchLF_OVS_17_LXC Linux Containers over Open vSwitch
LF_OVS_17_LXC Linux Containers over Open vSwitch
 
Accelerating Neutron with Intel DPDK
Accelerating Neutron with Intel DPDKAccelerating Neutron with Intel DPDK
Accelerating Neutron with Intel DPDK
 
Open vSwitch Introduction
Open vSwitch IntroductionOpen vSwitch Introduction
Open vSwitch Introduction
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Pipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and DockerPipework: Software-Defined Network for Containers and Docker
Pipework: Software-Defined Network for Containers and Docker
 
Virtualized network with openvswitch
Virtualized network with openvswitchVirtualized network with openvswitch
Virtualized network with openvswitch
 
LF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOceanLF_OVS_17_OvS manipulation with Go at DigitalOcean
LF_OVS_17_OvS manipulation with Go at DigitalOcean
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
 

Andere mochten auch

150416 OpenStack Networking with Neutron Jieun, Kim
150416 OpenStack Networking with Neutron Jieun, Kim150416 OpenStack Networking with Neutron Jieun, Kim
150416 OpenStack Networking with Neutron Jieun, Kimjieun kim
 
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...LF Events
 
"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016Phil Estes
 
Networking, QoS, Liberty, Mitaka and Newton - Livnat Peer - OpenStack Day Isr...
Networking, QoS, Liberty, Mitaka and Newton - Livnat Peer - OpenStack Day Isr...Networking, QoS, Liberty, Mitaka and Newton - Livnat Peer - OpenStack Day Isr...
Networking, QoS, Liberty, Mitaka and Newton - Livnat Peer - OpenStack Day Isr...Cloud Native Day Tel Aviv
 
Open-E DSS V7 Active-Active Load Balanced iSCSI HA Cluster (with bonding)
Open-E DSS V7 Active-Active Load Balanced iSCSI HA Cluster (with bonding)Open-E DSS V7 Active-Active Load Balanced iSCSI HA Cluster (with bonding)
Open-E DSS V7 Active-Active Load Balanced iSCSI HA Cluster (with bonding)open-e
 
Atlanta OpenStack 2014 Chef for OpenStack Deployment Workshop
Atlanta OpenStack 2014 Chef for OpenStack Deployment WorkshopAtlanta OpenStack 2014 Chef for OpenStack Deployment Workshop
Atlanta OpenStack 2014 Chef for OpenStack Deployment WorkshopMatt Ray
 
Red Hat Storage Day Seattle: Why Software-Defined Storage Matters
Red Hat Storage Day Seattle: Why Software-Defined Storage MattersRed Hat Storage Day Seattle: Why Software-Defined Storage Matters
Red Hat Storage Day Seattle: Why Software-Defined Storage MattersRed_Hat_Storage
 
Modern Web App Development using ClojureScript & React.js / Baishampayan “BG”...
Modern Web App Development using ClojureScript & React.js / Baishampayan “BG”...Modern Web App Development using ClojureScript & React.js / Baishampayan “BG”...
Modern Web App Development using ClojureScript & React.js / Baishampayan “BG”...Ontico
 
OpenStack Deployment with Chef Workshop
OpenStack Deployment with Chef WorkshopOpenStack Deployment with Chef Workshop
OpenStack Deployment with Chef WorkshopMatt Ray
 
Event Driven Architecture - MeshU - Ilya Grigorik
Event Driven Architecture - MeshU - Ilya GrigorikEvent Driven Architecture - MeshU - Ilya Grigorik
Event Driven Architecture - MeshU - Ilya GrigorikIlya Grigorik
 
Best Practice for Deploying Application with Heat
Best Practice for Deploying Application with HeatBest Practice for Deploying Application with Heat
Best Practice for Deploying Application with HeatEthan Lynn
 
Swift Architecture and Practice, by Alex Yang
Swift Architecture and Practice, by Alex YangSwift Architecture and Practice, by Alex Yang
Swift Architecture and Practice, by Alex YangHui Cheng
 
TXLF: Automated Deployment of OpenStack with Chef
TXLF: Automated Deployment of OpenStack with ChefTXLF: Automated Deployment of OpenStack with Chef
TXLF: Automated Deployment of OpenStack with ChefMatt Ray
 
React.jsでHowManyPizza
React.jsでHowManyPizzaReact.jsでHowManyPizza
React.jsでHowManyPizza松田 千尋
 
Are We Done Yet ? Testing Your OpenStack Deployment
Are We Done Yet ? Testing Your OpenStack DeploymentAre We Done Yet ? Testing Your OpenStack Deployment
Are We Done Yet ? Testing Your OpenStack DeploymentKen Pepple
 
Building RESTful APIs
Building RESTful APIsBuilding RESTful APIs
Building RESTful APIsSilota Inc.
 
Software Defined presentation
Software Defined presentationSoftware Defined presentation
Software Defined presentationJohn Rhodes
 
Mirantis open stack deployment automation
Mirantis open stack deployment automationMirantis open stack deployment automation
Mirantis open stack deployment automationWooKyun Jeon
 

Andere mochten auch (20)

150416 OpenStack Networking with Neutron Jieun, Kim
150416 OpenStack Networking with Neutron Jieun, Kim150416 OpenStack Networking with Neutron Jieun, Kim
150416 OpenStack Networking with Neutron Jieun, Kim
 
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
Learning From Real Practice of Providing Highly Available Hybrid Cloud Servic...
 
"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016"One network to rule them all" - OpenStack Summit Austin 2016
"One network to rule them all" - OpenStack Summit Austin 2016
 
Networking, QoS, Liberty, Mitaka and Newton - Livnat Peer - OpenStack Day Isr...
Networking, QoS, Liberty, Mitaka and Newton - Livnat Peer - OpenStack Day Isr...Networking, QoS, Liberty, Mitaka and Newton - Livnat Peer - OpenStack Day Isr...
Networking, QoS, Liberty, Mitaka and Newton - Livnat Peer - OpenStack Day Isr...
 
Open-E DSS V7 Active-Active Load Balanced iSCSI HA Cluster (with bonding)
Open-E DSS V7 Active-Active Load Balanced iSCSI HA Cluster (with bonding)Open-E DSS V7 Active-Active Load Balanced iSCSI HA Cluster (with bonding)
Open-E DSS V7 Active-Active Load Balanced iSCSI HA Cluster (with bonding)
 
Atlanta OpenStack 2014 Chef for OpenStack Deployment Workshop
Atlanta OpenStack 2014 Chef for OpenStack Deployment WorkshopAtlanta OpenStack 2014 Chef for OpenStack Deployment Workshop
Atlanta OpenStack 2014 Chef for OpenStack Deployment Workshop
 
Pycon 2008: Python Command-line Tools *Nix
Pycon 2008: Python Command-line Tools *NixPycon 2008: Python Command-line Tools *Nix
Pycon 2008: Python Command-line Tools *Nix
 
Red Hat Storage Day Seattle: Why Software-Defined Storage Matters
Red Hat Storage Day Seattle: Why Software-Defined Storage MattersRed Hat Storage Day Seattle: Why Software-Defined Storage Matters
Red Hat Storage Day Seattle: Why Software-Defined Storage Matters
 
Modern Web App Development using ClojureScript & React.js / Baishampayan “BG”...
Modern Web App Development using ClojureScript & React.js / Baishampayan “BG”...Modern Web App Development using ClojureScript & React.js / Baishampayan “BG”...
Modern Web App Development using ClojureScript & React.js / Baishampayan “BG”...
 
OpenStack Deployment with Chef Workshop
OpenStack Deployment with Chef WorkshopOpenStack Deployment with Chef Workshop
OpenStack Deployment with Chef Workshop
 
Introduction to Apache Synapse
Introduction to Apache SynapseIntroduction to Apache Synapse
Introduction to Apache Synapse
 
Event Driven Architecture - MeshU - Ilya Grigorik
Event Driven Architecture - MeshU - Ilya GrigorikEvent Driven Architecture - MeshU - Ilya Grigorik
Event Driven Architecture - MeshU - Ilya Grigorik
 
Best Practice for Deploying Application with Heat
Best Practice for Deploying Application with HeatBest Practice for Deploying Application with Heat
Best Practice for Deploying Application with Heat
 
Swift Architecture and Practice, by Alex Yang
Swift Architecture and Practice, by Alex YangSwift Architecture and Practice, by Alex Yang
Swift Architecture and Practice, by Alex Yang
 
TXLF: Automated Deployment of OpenStack with Chef
TXLF: Automated Deployment of OpenStack with ChefTXLF: Automated Deployment of OpenStack with Chef
TXLF: Automated Deployment of OpenStack with Chef
 
React.jsでHowManyPizza
React.jsでHowManyPizzaReact.jsでHowManyPizza
React.jsでHowManyPizza
 
Are We Done Yet ? Testing Your OpenStack Deployment
Are We Done Yet ? Testing Your OpenStack DeploymentAre We Done Yet ? Testing Your OpenStack Deployment
Are We Done Yet ? Testing Your OpenStack Deployment
 
Building RESTful APIs
Building RESTful APIsBuilding RESTful APIs
Building RESTful APIs
 
Software Defined presentation
Software Defined presentationSoftware Defined presentation
Software Defined presentation
 
Mirantis open stack deployment automation
Mirantis open stack deployment automationMirantis open stack deployment automation
Mirantis open stack deployment automation
 

Ähnlich wie Anatomy of neutron from the eagle eyes of troubelshoorters

Can you trust Neutron?
Can you trust Neutron?Can you trust Neutron?
Can you trust Neutron?salv_orlando
 
Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2Chartbeat
 
FPGA based 10G Performance Tester for HW OpenFlow Switch
FPGA based 10G Performance Tester for HW OpenFlow SwitchFPGA based 10G Performance Tester for HW OpenFlow Switch
FPGA based 10G Performance Tester for HW OpenFlow SwitchYutaka Yasuda
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKMarian Marinov
 
Percon XtraDB Cluster in a nutshell
Percon XtraDB Cluster in a nutshellPercon XtraDB Cluster in a nutshell
Percon XtraDB Cluster in a nutshellFrederic Descamps
 
Extreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 Instance
Extreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 InstanceExtreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 Instance
Extreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 InstanceScyllaDB
 
Open daylight and Openstack
Open daylight and OpenstackOpen daylight and Openstack
Open daylight and OpenstackDave Neary
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7Sam Kim
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterAnne Nicolas
 
Open stack advanced_part
Open stack advanced_partOpen stack advanced_part
Open stack advanced_partlilliput12
 
Multihomed Linux router
Multihomed Linux routerMultihomed Linux router
Multihomed Linux routerMarian Marinov
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
“Efficiently Map AI and Vision Applications onto Multi-core AI Processors Usi...
“Efficiently Map AI and Vision Applications onto Multi-core AI Processors Usi...“Efficiently Map AI and Vision Applications onto Multi-core AI Processors Usi...
“Efficiently Map AI and Vision Applications onto Multi-core AI Processors Usi...Edge AI and Vision Alliance
 
Troubleshooting Tracebacks
Troubleshooting TracebacksTroubleshooting Tracebacks
Troubleshooting TracebacksJames Denton
 
Installation of pfSense on Soekris 6501
Installation of pfSense on Soekris 6501Installation of pfSense on Soekris 6501
Installation of pfSense on Soekris 6501robertguerra
 

Ähnlich wie Anatomy of neutron from the eagle eyes of troubelshoorters (20)

Run Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT NetworkRun Your Own 6LoWPAN Based IoT Network
Run Your Own 6LoWPAN Based IoT Network
 
Can you trust Neutron?
Can you trust Neutron?Can you trust Neutron?
Can you trust Neutron?
 
Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2Tuning TCP and NGINX on EC2
Tuning TCP and NGINX on EC2
 
FPGA based 10G Performance Tester for HW OpenFlow Switch
FPGA based 10G Performance Tester for HW OpenFlow SwitchFPGA based 10G Performance Tester for HW OpenFlow Switch
FPGA based 10G Performance Tester for HW OpenFlow Switch
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
Percon XtraDB Cluster in a nutshell
Percon XtraDB Cluster in a nutshellPercon XtraDB Cluster in a nutshell
Percon XtraDB Cluster in a nutshell
 
Extreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 Instance
Extreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 InstanceExtreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 Instance
Extreme HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 Instance
 
Open daylight and Openstack
Open daylight and OpenstackOpen daylight and Openstack
Open daylight and Openstack
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
 
Ccna labs-udemy
Ccna labs-udemyCcna labs-udemy
Ccna labs-udemy
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network Stack
 
Open stack advanced_part
Open stack advanced_partOpen stack advanced_part
Open stack advanced_part
 
Multihomed Linux router
Multihomed Linux routerMultihomed Linux router
Multihomed Linux router
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
“Efficiently Map AI and Vision Applications onto Multi-core AI Processors Usi...
“Efficiently Map AI and Vision Applications onto Multi-core AI Processors Usi...“Efficiently Map AI and Vision Applications onto Multi-core AI Processors Usi...
“Efficiently Map AI and Vision Applications onto Multi-core AI Processors Usi...
 
Troubleshooting Tracebacks
Troubleshooting TracebacksTroubleshooting Tracebacks
Troubleshooting Tracebacks
 
Installation of pfSense on Soekris 6501
Installation of pfSense on Soekris 6501Installation of pfSense on Soekris 6501
Installation of pfSense on Soekris 6501
 

Kürzlich hochgeladen

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Kürzlich hochgeladen (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Anatomy of neutron from the eagle eyes of troubelshoorters

  • 1. Anatomy Of OpenStack Neutron Through The Of Troubleshooters Sadique Puthen Cloud Success Architect 27/10/2016
  • 2. INSERT DESIGNATOR, IF NEEDED2 Examples: 1. Security group rules are not effective 2. Newly created instances cannot get ip from dhcp. 3. Connection to floating ip randomly fails. 4. Communications through provider networks are very very slow. ○ Lessons learned. Understand: ● Will explore only the limited anatomy associated with the problems explained here. Agenda Explore troubleshooting neutron and its anatomy using real life troubleshooting examples ● Examples are real life troubleshooting examples. ● These solutions are applicable to the versions where they were hit. ○ May not be relevant with latest versions as patches may have landed to fix some of them permanently. ● The prime focus of this session is not on the problem and solution. ○ But on the anatomy of neutron and troubleshooting methods applied to solve them.
  • 3. Security group rules are not effective
  • 4. INSERT DESIGNATOR, IF NEEDED4 The rules say only ping and ssh should be allowed from x source, but everything is allowed from everywhere. Security Groups Are Not Working Rules are not effective, everything is allowed ● Understand how the packets flow through multiple iptables chains ● Understand where exactly Security group rules are applied. ● Try with different security groups and rules including the default one.
  • 5. INSERT DESIGNATOR, IF NEEDED5 Security Group Not Working FORWARD neutron-openvswi-FORWARD neutron-openvswi-sgchain neutron-openvswitch-oxxx-x neutron-openvswitch-ixxx-x incoming outgoing No Yes Yes No Does it meet the RETURN rule? Does it meet the RETURN rule? neutron-openvswitch-sg-fallback DROP Process further rules and apply default policy for the chain ACCEPT
  • 6. INSERT DESIGNATOR, IF NEEDED6 The rules say only ping and ssh should be allowed from x source, but everything is allowed from everywhere. Security Groups Are Not Working Rules are not effective, everything is allowed ● Understand how the packets flow through multiple chains ● Verify the rules are inserted to required iptables chains. ● Understand where exactly Security group rules are applied. ● Verify if the packets are going through the chain by iptables logging. ● Example Rule. iptables -A CHAIN -j LOG --log-prefix “CHAIN:SG:" --log-level <level> ● When we added the rule, we saw that packets never traverse through iptables since nothing was logged. ● This led us to fix our focus to hunt for global parameters that could bypass iptables and found: ● This was because the default kernel configuration is set not to send packets in a linux bridge through iptables. net.bridge.bridge-nf-call-iptables =1 ● Nova dynamically enables this now.
  • 7. Newly created instances cannot get dhcp ip.
  • 8. INSERT DESIGNATOR, IF NEEDED8 Newly Created Instances Cannot Get DHCP IP Instance dhcp discover ctrl-0 dhcp offer dhcp request c0 dhcp ACK DHCP dhcp discover ctrl-0 dhcp offer dhcp request c0 dhcp NACK dhcp discover ctrl-0 dhcp offer dhcp request c0 dhcp NACK Understand how HA for DHCP works. ● While network is created, a dhcp server is spawned on each network node depending on the value of dhcp_agents_per_network. In this case 3 ● First the instance sends DHCP discover. ● All DHCP servers respond with an offer. ● Instance replies with a DHCP request with server identifier. ● That server replies with ACK, rest of them don’t respond or does NACK DHCP DHCP Instances created previously can still get their dhcp ip address on renewal or reboot.
  • 9. INSERT DESIGNATOR, IF NEEDED9 Understand the L2 flow between instance and dhcp server tapxxx-x eth0qbrxxx-x qvbxxx-x qvoxxx-x br-int patch-tun patch-int br-tun ethx ethx ethx ethx tapxxxx br-int patch-tun patch-int br-tun dnsmasq tapxxxx br-int patch-tun patch-int br-tun dnsmasq tapxxxx br-int patch-tun patch-int br-tun dnsmasq dhcp discover dhcp offer dhcp request c0 dhcp ACK dhcp discover dhcp offer dhcp request c0 dhcp NACK dhcp discover dhcp offer dhcp request c0 dhcp NACK
  • 10. INSERT DESIGNATOR, IF NEEDED10 How does it work after the packet reaches dhcp-server? nobody 27219 0.0 0.0 15552 540 ? S 13:35 0:00 dnsmasq --no-hosts --no-resolv --strict-order --except-interface=lo --pid-file=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/host --addn-hosts=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/addn_hosts --dhcp-optsfile=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/opts --dhcp-leasefile=/var/lib/neutron/dhcp/d0ad9f6b-4927-4070-abe6-b0f149165d1e/leases --dhcp-match=set:ipxe,175 --bind-interfaces --interface=tapd5bf1700-5c --dhcp-range=set:tag0,192.168.1.0,static,86400s --dhcp-lease-max=256 --conf-file=/etc/neutron/dnsmasq-neutron.conf --domain=openstacklocal ● We do not see any of the dhcp server responding with an offer to instance. ○ This requires exploring how neutron dhcp with dnsmasq works. ● Each DHCP server is a dnsmasq process bound to a tapxxx interface in its own namespace. ● The DHCP server reads mac -> ip mapping from static host file and responds to only the mac -> ip listed there. ● While exploring the host file, we found it contains mac -> ip mapping only for previous instances. ○ File never gets populated with mac -> ip mapping of any newly created instance. ● This led to further investigation on who is responsible to populate this file and how it does.
  • 11. INSERT DESIGNATOR, IF NEEDED11 Who is responsible to update this file? ● dhcp-agent dynamically updates this file during changes to a port through message bus. ● This led us to explore the dhcp-agent logs and found. 2015-07-29 02:12:14.204 36387 TRACE root NotFound: Basic.consume: (404) NOT_FOUND - no queue 'dhcp_agent' in vhost '/' The solution! ● We saw this error more than 5k times in each dhcp-agent.log ● Upon further digging, it was found the rpc/oslo.messaging code was missing the patch to reconnect to message bus in case it loses access to it. ● The immediate problem was solved by restarting dhcp-agent. ● A permanent fix was added by backporting the patch to always reconnect.
  • 12. Connection to Floating IP randomly fails
  • 13. INSERT DESIGNATOR, IF NEEDED13 Communication to instance through floating ip randomly fails Random failure. ● 10 ping to floating ip works. Then drops some pings. Then works and starts dropping. ○ It’s purely random and there is no pattern. ● Layer 3 HA is used. Configured with. max_l3_agents_per_router=3 l3_ha=True ● This creates three instances of the routers instances in active/passive mode. Like 10 ping works, then stops and loses another 20, then starts working and fails ● Vxlan tunneling is used for communication between compute node and network node. ● Floating ip network is a vlan provider external network. ● Let us try to explore the anatomy of l3 HA configuration before going very deep into our problem.
  • 14. INSERT DESIGNATOR, IF NEEDED14 Anatomy of L3 HA for floating ips tapxxx-x eth0 qbrxx-x qvbxxx-x qvoxxx-x br-int patch-tun patch-int br-tun ethx ethx ethx ethx qg-xxx br-int patch-tun patch-int br-tun br-int patch-tun patch-int br-tun br-int patch-tun patch-int br-tun qr-yyy ha-zzz qg-xxx qr-yyy ha-zzz qrouter-xxx qrouter-xxx qg-xxx qr-yyy ha-zzz qrouter-xxx
  • 15. INSERT DESIGNATOR, IF NEEDED15 Troubleshooting steps. tapxxx-x eth0 qbrxxx-x qvbxxx-x qvoxxx-x br-int patch-tun patch-int br-tun ethx ethx qg-xxx br-int patch-tun patch-int br-tun qr-yyy ha-zzz qrouter-xxx int-br-ex phy-br-ex br-ex ethx External network Only the anatomy master network node for the router is shown in the diagram. ● Ping to the default gateway of the private network from instance. ○ That is the ip of qr-yyy. 100% successful. ● Ping the base ip of qg-xxx from instance. Every router has a base ip. ○ 100% successful. ● From qrouter-xxx namespace, ping the default gateway of external network. ○ This reproduces it! ip netns exec qrouter-xxx ping <ip>
  • 16. INSERT DESIGNATOR, IF NEEDED16 Troubleshooting steps. Only the anatomy master network node for the router is shown in the diagram. ● From an external system connected to the same floating ip network, we tried to ping the base ip of qg-xxx. ○ This reproduces it. ○ This helped us to focus on br-ex for rest of troubleshooting. ● Constantly monitored mac learning of ovs on br-ex bridge. The mac -> port mapping was flapping randomly for the mac address of the instance. # ovs-appctl fdb/show br-ex port VLAN MAC Age 1 0 00:2a:6a:8c:d6:c4 37 2 0 00:17:a4:77:10:2c 1 # ovs-appctl fdb/show br-ex port VLAN MAC Age 1 0 00:2a:6a:8c:d6:c4 37 1 0 00:17:a4:77:10:2c 1 tapxxx-x eth0 qbrxxx-x qvbxxx-x qvoxxx-x br-int patch-tun patch-int br-tun ethx ethx qg-xxx br-int patch-tun patch-int br-tun qr-yyy ha-zzz qrouter-xxx int-br-ex phy-br-ex br-ex ethx External network
  • 17. INSERT DESIGNATOR, IF NEEDED17 Solution: Fix the loop from switch/enclosure # tcpdump -i eth0 15:20:03.050558 ARP, Request who-has 12.1.1.1 tell 12.1.1.2, length 28 15:20:03.050583 ARP, Request who-has 12.1.1.1 tell 12.1.1.2, length 28 15:20:03.050835 ARP, Reply 12.1.1.1 is-at 00:17:a4:77:10:2c, length 38 15:20:03.050558 ARP, Request who-has 12.1.1.1 tell 12.1.1.2, length 28 15:20:03.050583 ARP, Request who-has 12.1.1.1 tell 12.1.1.2, length 28 15:20:03.050835 ARP, Reply 12.1.1.1 is-at 00:17:a4:77:10:2c, length 38 # ovs-ofctl show br-ex 1 (eth0): addr:00:17:a4:77:10:14 … 2 (phy-br-ex): addr:5e:b6:f8:49:06:41 ….. ● Below command will give port number associated with the port in the ovs bridge. ● The instance mac address should always be mapped to port phy-br-ex to reach the packet to instance. ● We did tcpdump on physical interface to understand why the flapping happens. ● This clearly indicated that there is loop from switch that confuses ovs and understands the mac of instances is outside of the system and flips mac - ip mapping to the mac of physical interface. ● The loop on the hardware/switch was fixed to resolve this. ○ Beware some bonding mode or a misconfigured bonding configuration can exhibit the same problem. # ovs-appctl vlog/set ofproto_dpif_xlate dbg 2016-06-14T05:02:13.155Z|10769|ofproto_dpif_xlate(x)|DBG|bridge br-ex: learned that 00:17:a4:77:10:2c is on port eth1 in VLAN 13 2016-06-14T05:02:13.155Z|10770|ofproto_dpif_xlate(x)|DBG|bridge br-ex: learned that 00:17:a4:77:10:2c is on port phy-br-ex in VLAN 13 ● Enabled DBG level logging in ofproto_dpif_xlate to see what OVS is learning when the loop happens.
  • 19. INSERT DESIGNATOR, IF NEEDED19 Communication to instance is very slow on provider network What are provider networks? ● Allows you to directly add an instance to external network. ○ Instance has gatway ip of the external gateway ● Compute node should be directly connected to external network. ● The infra was setup to route packets to external network via br-ex -> bond0.301 -> bond0 - > slaves ● Then a vlan provider network was created using below Provider networks enable direct communication from instance to external network. # neutron net-create provider-vlan171 --provider:network_type vlan --router:external true --provider:physical_network physnet1 --provider:segmentation_id 171 --shared ● Did tcpdump on physical interface and found packets are getting fragmented. ● lowered the mtu to 1450 and fixed the problem. ● This is not vxlan network, but vlan. Is lowering mtu the ultimate solution. Of course no! ● Let us try to explore the anatomy of provider network to get to the bottom of it.
  • 20. INSERT DESIGNATOR, IF NEEDED20 Communication to instance is very slow on provider network Let us see how provider network works. ● The diagram is packet flow on a compute node. ● When an outgoing packet reaches qvoxxx-x, ovs adds internal vlan tag associated with provider network to the packet. ● When it reaches phy-br-ex, ovs strips internal tag and adds vlan tag associated with provider network to the packet. ● When the packet reaches bond0.301, it again gets vlan tag added to packet header Provider networks enable direct communication from instance to external network. tapxxx-x eth0 qbrxxx-x qvbxxx-x qvoxxx-x br-int int-br-ex br-ex phy-br-ex bond0.301 bond0 External network Compute eth0 eth1 10 301 301x2
  • 21. INSERT DESIGNATOR, IF NEEDED21 Solution: Add plain interface to ovs bridge, not tagged interface ● This obviously causes double vlan tag on the packet when it goes out and exceeds the MTU. ● The solution is simple, Add bond0 to ovs bridge br-ex instead of bond0.301. ● This was an admin error who was confused on how provider network works and mixed with a doc that explains about flat provider network while configuring. ● But troubleshooting was not that simple. Avoid double vlan tagging tapxxx-x eth0 qbrxxx-x qvbxxx-x qvoxxx-x br-int int-br-ex br-ex phy-br-ex bond0 External network Compute eth0 eth1 10 301 301
  • 23. INSERT DESIGNATOR, IF NEEDED23 ● Collecting prerequisite information to start troubleshooting is time consuming and confusing. ○ Compute node the instance runs, instance name, port details, internal vlan tag on each node, etc. ● Too many hops to run tcpdumps for troubleshooting. ○ Not easy to dump patch-peer . Need to mirror to another port. ● Understanding ovs topology is time confusing. ○ Can be mitigated significantly by using ● Do not assume, neutron is always wrong. ○ It can be user error, OS issues, issues with supporting services and Neutron layer as well. ● Hunting for expertise in each of them is challenging. ● You may have to tread a lot of wrong paths before you get into the right track. Lessons learned. Some of the lessons learned while troubleshooting
  • 24. BREAKOUT SESSIONS - Thursday October 27th Anatomy Of OpenStack Neutron Through The Eagle Eyes Of Troubleshooters The Ceph Power Show :: Hands-on Lab to learn Ceph "The most popular Cinder backend" Building self-healing applications with Aodh, Zaqar and Mistral Writing A New Puppet OpenStack Module Like A Rockstar Ambassador Community Report VPP: the ultimate NFV vSwitch (and more!)? Sadique Puthen Brent Compton, Karan Singh Zane Bitter, Lingxian Kong (Catalyst IT), Fei Long Wang (Catalyst IT) Emilien Macchi Erwan Gallen, Kavit Munshi (Aptira), Jaesuk Ahn (SKT), Marton Kiss (Aptira), Akihiro Hasegawa (Bit-isle Equinix, Inc) Franck Baudin, Uri Elzur (Intel) 9:00am-9:40am 9:00am-10:30am 9:00am-9:40am 9:50am-10:30am 9:50am-10:30am 9:50am-10:30am
  • 25. BREAKOUT SESSIONS - Thursday October 27th Zuul v3: OpenStack and Ansible Native CI/CD Container Defense in Depth Analyzing Performance in the Cloud : solving an elastic problem with a scientific approach One-stop-shop for OpenStack tools OpenStack troubleshooting: So simple even your kids can do it Solving Distributed NFV Puzzle with OpenStack and SDN Ceph, now and later: our plan for open unified cloud storage James Blair Thomas Cameron, Scott McCarty Alex Krzos, Nicholas Wakou (Dell) Ruchika Kharwar Vinny Valdez, Jonathan Jozwiak Rimma Iontel, Fernando Oliveira (VZ), Rajneesh Bajpai (BigSwitch) Sage Weil 11:00am-11:40am 11:50am-12:30pm 11:50pm-12:30pm 1:50pm-2:30pm 1:50pm-2:30pm 2:40pm-3:20pm 2:40pm-3:20pm
  • 26. BREAKOUT SESSIONS - Thursday October 27th How to configure your cloud to be able to charge your users using official OpenStack components! A dice with several faces: Coordinators, mentors and interns on OpenStack Outreach internships Yo dawg I herd you like Containers, so we put OpenStack and Ceph in Containers Picking an OpenStack Networking solution Forget everything you knew about Swift Rings - here's everything you need to know about Swift Rings Julien Danjou, Stephane Albert (Objectif Libre), Christophe Sauthier (Objectif Libre) Victoria Martinez de la Cruz, Nisha Yadav (Delhi Tech University), Samuel de Medeiros Queiroz (HPE) Sean Cohen, Sebastien Han, Federico Lucifredi Russell Bryant, Gal Sagie (Huawei), Kyle Mestery (IBM) Christian Schwede, Clay Gerrard (Swiftstack) 2:40pm-4:10pm 2:40pm-4:10pm 3:30pm-4:10pm 4:40pm-5:20pm 5:30pm-6:10pm