How to verify the SNAT and DNAT mapping in OVN-DVR?
Environment
- Red Hat OpenStack 13
- OpenvSwitch 2.9
- python-networking-ovn-4.0
- openvswitch-ovn-central-2.9
Issue
- In
Red Hat OpenStack 13, how to verifySNATgateway map to compute chassis in OVN-DVR integrated environment?
Resolution
- In OVN environment , if the OpenStack instance doesn't have floating IP address, the SNAT traffic traversed through the controller. But, if the instance have floating IP then both SNAT and DNAT traffic routed via compute node.
Note: The below sample output in resolution section is captured from Red Hat test environment and it varies to other environments with its deployment scenario.
-
Log in to overcloud nodes set the Northbound and Southbound socket environment to execute OVN utility commands.
export SB=$(sudo ovs-vsctl get open . external_ids:ovn-remote | sed -e 's/\"//g') export NB=$(sudo ovs-vsctl get open . external_ids:ovn-remote | sed -e 's/\"//g' | sed -e 's/6642/6641/g') alias ovn-sbctl='sudo docker exec ovn_controller ovn-sbctl --db=$SB' alias ovn-nbctl='sudo docker exec ovn_controller ovn-nbctl --db=$NB' alias ovn-trace='sudo docker exec ovn_controller ovn-trace --db=$SB'
-
From the below output, verify
enable-chassis-as-gwflag and its associated node name and_uuid. In RHOSP environment, by default OVN gateway node scheduled on Controller nodes.Example:
# ovn-sbctl list chassis _uuid : 52337841-9489-456f-a0eb-9618824c9094 encaps : [0863c0df-a949-4e0e-9e9a-7b1be8151588] external_ids : {datapath-type="", iface-types="geneve,gre,internal,lisp,patch,stt,system,tap,vxlan", ovn-bridge-mappings="external:br-ex", ovn-cms-options=enable-chassis-as-gw} hostname : "ovn-controller-0.localdomain" name : "0f14983e-a077-42ae-8003-1c8d52897d17" nb_cfg : 0 vtep_logical_switches: [] _uuid : dd33bbb6-72c5-41eb-9413-abd529f34f6c encaps : [a9746d55-62e7-42e0-8950-2a2b878e04e6] external_ids : {datapath-type=system, iface-types="geneve,gre,internal,lisp,patch,stt,system,tap,vxlan", neutron-metadata-proxy-networks="1c5d3527-bb3d-4dd0-91e6-1c81b9140fe7", ovn-bridge-mappings="provider1:br-provider1,provider2:br-provider2,provider3:br-provider3,external:br-ex", ovn-cms-options=""} hostname : "ovn-compute-0.localdomain" name : "8f610c63-7eb6-4397-b226-2a91a5091e3a" nb_cfg : 0 vtep_logical_switches: [] _uuid : f51ea336-91c6-4052-9052-a4b61780181d encaps : [4f1403f9-2b81-4137-be37-411eb58ca380] external_ids : {datapath-type=system, iface-types="geneve,gre,internal,lisp,patch,stt,system,tap,vxlan", neutron-metadata-proxy-networks="d6d9b694-b524-4cbc-8534-f8a6e316754b", ovn-bridge-mappings="provider1:br-provider1,provider2:br-provider2,provider3:br-provider3,external:br-ex", ovn-cms-options=""} hostname : "ovn-compute-1.localdomain" name : "3fc188a2-ce7e-4365-a943-47d113b2bf27" nb_cfg : 0 vtep_logical_switches: [] -
Review the
external_gateway_infofrom tenant router (e.g., router1) and theip_address.Example:
$ openstack router show router1 --fit-width +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | admin_state_up | UP | | availability_zone_hints | None | | availability_zones | None | | created_at | 2019-05-09T04:01:42Z | | description | | | external_gateway_info | {"network_id": "b1441d59-77b2-437a-844a-bb6035b9b244", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "1f050cb2-457c-4c85-b56b-b6f732aad719", "ip_address": "10.74.167.218"}]} | | flavor_id | None | | id | 5cc4530a-23b3-4c3a-973e-52c3531ef55a | | interfaces_info | [{"subnet_id": "34b3779c-580d-4b67-80b6-451ea6c7ec46", "ip_address": "2002::1", "port_id": "26537047-e8ee-4611-8143-83a446de88d9"}, {"subnet_id": "a80e0507-87c2-4866-9a80-0a1e266ca866", "ip_address": | | | "192.168.1.1", "port_id": "7c9f236a-4c27-4a4f-82fb-e79e278d3c40"}, {"subnet_id": "30ac6535-6a43-4ea4-a014-fb9dae80e5aa", "ip_address": "192.168.2.1", "port_id": "98b1012f-4c4b-41a4-b120-4ccd905eb8c1"}, | | | {"subnet_id": "8acffbd5-5482-4b48-b6dd-0a918d2ea746", "ip_address": "2001::1", "port_id": "fd67a0fb-6d42-4822-b628-86e879d534db"}] | | name | router1 | | project_id | 0003bc0071bb4a4ab558fb68bd9ee2db | | revision_number | 6 | | routes | | | status | ACTIVE | | tags | | | updated_at | 2019-05-09T04:02:27Z | +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -
Use neutron router
UUIDwith prefixneutron-parameter to collect routing details fromLogical_Routertable.Example:
# ovn-nbctl find Logical_Router name=neutron-5cc4530a-23b3-4c3a-973e-52c3531ef55a _uuid : b64d5d60-498e-495f-94e5-542a1e5b468f enabled : true external_ids : {"neutron:gw_port_id"="1c737898-c9a1-4968-bb52-20f0a73d4ed7", "neutron:revision_number"="6", "neutron:router_name"="router1"} load_balancer : [] name : "neutron-5cc4530a-23b3-4c3a-973e-52c3531ef55a" nat : [ba280916-f578-4f67-a2da-2a7f1a95e1d6, d66981a1-ddb8-486d-98e4-ac9ef90f70bd, faf6cba8-d923-4a80-a262-4346232cba2d] options : {} ports : [1e1933d2-606f-489f-b437-9c9733095989, 52b36011-1e96-4e50-bb88-e566daa1aaf3, 694c35ee-46c4-4551-bb61-d0e481744879, 72908e0d-5d9f-461a-a590-893a1e67130a, da58d02a-817e-44eb-8ecd-479fbee84d86] static_routes : [62c5b04d-e032-4a7f-9ed1-33346eb46cfb] -
From OVN
NATnorthbound table, verify SNAT mapping details.Example:
# ovn-nbctl find NAT type=snat _uuid : d66981a1-ddb8-486d-98e4-ac9ef90f70bd external_ids : {} external_ip : "10.74.167.218" external_mac : [] logical_ip : "192.168.1.0/24" logical_port : [] type : snat _uuid : ba280916-f578-4f67-a2da-2a7f1a95e1d6 external_ids : {} external_ip : "10.74.167.218" external_mac : [] logical_ip : "192.168.2.0/24" logical_port : [] type : snat -
Now using
reside-on-redirect-chassisflag verify the gateway chassis where the SNAT gateway IP bind. In this below example and in default scenario thegateway_chassisID map to controller nodeUUID.Example:
# ovn-nbctl find logical_router_port options={reside-on-redirect-chassis="true"} _uuid : 694c35ee-46c4-4551-bb61-d0e481744879 enabled : [] external_ids : {"neutron:revision_number"="8", "neutron:router_name"="5cc4530a-23b3-4c3a-973e-52c3531ef55a", "neutron:subnet_ids"="1f050cb2-457c-4c85-b56b-b6f732aad719"} gateway_chassis : [2fc987a9-a01f-4395-a3a8-5c96ee878d96] ipv6_ra_configs : {} mac : "fa:16:3e:43:6c:9a" name : "lrp-1c737898-c9a1-4968-bb52-20f0a73d4ed7" networks : ["10.74.167.218/28"] options : {reside-on-redirect-chassis="true"} peer : [] -
The below
Gateway_Chassisoutput can help to find out associatedchassis_namedetails with priority. If there are three controller the SNAT traffic schedule the traffic the highest priority gateway chassis.Example:
# ovn-nbctl list Gateway_Chassis _uuid : 2fc987a9-a01f-4395-a3a8-5c96ee878d96 chassis_name : "0f14983e-a077-42ae-8003-1c8d52897d17" external_ids : {} name : "lrp-1c737898-c9a1-4968-bb52-20f0a73d4ed7_0f14983e-a077-42ae-8003-1c8d52897d17" options : {} priority : 1 -
If the instance floating IP, query the
NATtable with typednat_and_snat.Example:
# ovn-nbctl find NAT type=dnat_and_snat _uuid : faf6cba8-d923-4a80-a262-4346232cba2d external_ids : {"neutron:fip_external_mac"="fa:16:3e:94:8e:89", "neutron:fip_id"="7c8da56d-2f3f-4d6f-ad7e-e8aaa3ffa9e3", "neutron:fip_port_id"="755413fa-fd8d-4e4f-bcdb-bd9e69b12268", "neutron:revision_number"="2", "neutron:router_name"="neutron-5cc4530a-23b3-4c3a-973e-52c3531ef55a"} external_ip : "10.74.167.211" external_mac : "fa:16:3e:94:8e:89" logical_ip : "192.168.1.6" logical_port : "755413fa-fd8d-4e4f-bcdb-bd9e69b12268" type : dnat_and_snat -
Ensure the
dnat_and_snatrows bind withEXTERNAL_MACaddress, else SNAT and DNAT service of FIP is not routed via compute node.Example:
# ovn-nbctl lr-nat-list neutron-5cc4530a-23b3-4c3a-973e-52c3531ef55a TYPE EXTERNAL_IP LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT dnat_and_snat 10.74.167.211 192.168.1.6 fa:16:3e:94:8e:89 755413fa-fd8d-4e4f-bcdb-bd9e69b12268 snat 10.74.167.218 192.168.2.0/24 snat 10.74.167.218 192.168.1.0/24
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments