Description of problem:
When installing OVN hosts and central servers on RHEL 7, as part of the installation, iptables/firewalld should be configured to allow OVN/OVS communication traffic, for both host->central communication and the tunnel overlay between hosts. In addition, there's a lack of setup documentation regarding firewall configuration requirements for OVN/OVS environments.

Version-Release number of selected component (if applicable):
OVS: openvswitch-2.6.90-1
oVirt Engine Version: 4.1.0-0.0.master.20161101211323.git410903b.el7.centos

How reproducible:
100%

Steps to Reproduce:
1. Install oVirt-engine and OVN central server on RHEL 7.
2. Install 2 hosts and OVN controllers on RHEL 7.
3. Check that servers are running iptables/firewalld service by default.
4. Create OVN network.
5. Create 2 VM's and attach the OVN network to the VM's.
6. Run each VM on a different host.
7. Assign static IP's to the VM's.
8. Try to send ICMP ping between them.

Actual results:
OVN traffic is blocked.

Expected results:
OVN traffic should pass.

Additional info:
I tried to capture traffic on the tap interface (on host), but no traffic is passing through.
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
We'd be pleased to have a firewalld "service" exposing the needed ports on central and controllers.
As an example, for the ovirt provider for ovn we give the user the following file:

/etc/firewalld/services/ovirt-provider-ovn.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovirt-provider-ovn</short>
<description>oVirt provider ovn</description>
<port protocol="tcp" port="9696"/>
</service>

To add it to firewalld it's enough to run:

firewall-cmd --zone=<zone to add service to> --add-service=ovirt-provider-ovn --permanent
In our test environment, we added a rule to allow UDP destination port 6081 (for geneve tunnel) in the INPUT table and it worked.
Just to add, if we want to turn on firewalld on the controllers and central (engine in our case), we also need to configure oVirt services ports (e.g.: http://www.ovirt.org/documentation/how-to/faq/ -> "Which network ports should be enabled when setting up oVirt environment?"). For Vdsm, there's a RFE: https://bugzilla.redhat.com/show_bug.cgi?id=995362 without target milestone or target release.
(In reply to Mor from comment #6)
> Just to add, if we want to turn on firewalld on the controllers and central
> (engine in our case), we also need to configure oVirt services ports (e.g.:
> http://www.ovirt.org/documentation/how-to/faq/ -> "Which network ports
> should be enabled when setting up oVirt environment?"). For Vdsm, there's a
> RFE: https://bugzilla.redhat.com/show_bug.cgi?id=995362 without target
> milestone or target release.

And I think it makes sense to ship some firewalld config files with OVN. We just wanted to update results of our testing to confirm the firewall rule needed to allow geneve tunnels.
Hello everyone,

I made some progress with this issue yesterday, and I managed to get it working with the following firewalld service configuration files:

On OVN central server:
----------------------

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovirt-provider-ovn</short>
<description>oVirt provider ovn</description>
<port protocol="tcp" port="9696"/>
<port protocol="tcp" port="6641"/>
<port protocol="tcp" port="6442"/>
</service>

On OVN host server:
-------------------

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovirt-provider-ovn-driver</short>
<description>oVirt provider OVN driver</description>
<port protocol="udp" port="6081"/>
</service>

Just to make sure, I still want to test it on a clean environment.
(In reply to Mor from comment #8)
> Hello everyone,
> 
> I made some progress with this issue yesterday, and I managed to get it
> working with the following firewalld service configuration files:
> 
> On OVN central server:
> ----------------------
> 
> <?xml version="1.0" encoding="utf-8"?>
> <service>
> <short>ovirt-provider-ovn</short>
> <description>oVirt provider ovn</description>
> <port protocol="tcp" port="9696"/>
> <port protocol="tcp" port="6641"/>
> <port protocol="tcp" port="6442"/>
> </service>
> 
> On OVN host server:
> -------------------
> 
> <?xml version="1.0" encoding="utf-8"?>
> <service>
> <short>ovirt-provider-ovn-driver</short>
> <description>oVirt provider OVN driver</description>
> <port protocol="udp" port="6081"/>
> </service>
> 
> Just to make sure, I still want to test it on a clean environment.

Just adding, TCP port 9696 is used by our OVN provider service (which uses OVN).
Note that 9696 is an ovirt related port. This should be enough:

Central:

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovirt-provider-ovn</short>
<description>oVirt provider ovn</description>
<port protocol="tcp" port="6641"/>
<port protocol="tcp" port="6442"/>
</service>

Host:

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovirt-provider-ovn-driver</short>
<description>oVirt provider OVN driver</description>
<port protocol="udp" port="6081"/>
</service>
Brew build for fd beta package: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12525976
Hi Mor,

I know nothing about oVirt. Can you please help verify this BZ?

Thanks
QJ
(In reply to qding from comment #15)
> Hi Mor,
> 
> I know nothing about oVirt. Can you please help verify this BZ?
> 
> Thanks
> QJ

Hi QJ,

Sorry for the delay in response. Do you want to verify it with oVirt and OVN setup? Or just with OVN?
(In reply to qding from comment #15)
> Hi Mor,
> 
> I know nothing about oVirt. Can you please help verify this BZ?
> 
> Thanks
> QJ

I will verify it with my own setup of oVirt and OVN.
(In reply to Mor from comment #17)
> 
> I will verify it with my own setup of oVirt and OVN.

I hope OVN only, if it can be used to verify this issue.

Thanks
QJ
Hi Mor,

Sorry for that, I should have given more explanation. I hope to cover this feature with OVN only, if you can give me some suggestions. Thank you very much for helping verify this issue; should I then assign QA contact to you?

Thanks
QJ
(In reply to qding from comment #19)
> Hi Mor,
> 
> Sorry for that, I should have given more explanation. I hope to cover this
> feature with OVN only, if you can give me some suggestions. Thank you very
> much for helping verify this issue; should I then assign QA contact to you?
> 
> Thanks
> QJ

No problem.
(In reply to qding from comment #19)
> Hi Mor,
> 
> Sorry for that, I should have given more explanation. I hope to cover this
> feature with OVN only, if you can give me some suggestions. Thank you very
> much for helping verify this issue; should I then assign QA contact to you?
> 
> Thanks
> QJ

Hi QJ,

Currently, I'm unable to verify it on RHV hypervisors when firewalld is on, because RHV hosts do not support firewalld yet. But in order to make some ticket progress, I want to try and set up an OVN environment for it, and try it out with RHV engine and OVN-only hosts.

I will update with my findings.
Thanks.
(In reply to Lance Richardson from comment #11)
> Brew build for fd beta package:
> 
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12525976

Hi Lance,

1. Can you please clarify which RPM in the candidate build includes the addition of the host firewalld service file?

2. Is it an internal build? Or is it also included in openvswitch-ovn-central-2.6.1-10.git20161206?

Thanks.
(In reply to Mor from comment #22)
> (In reply to Lance Richardson from comment #11)
> > Brew build for fd beta package:
> > 
> > https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12525976
> 
> Hi Lance,
> 
> 1. Can you please clarify which RPM in the candidate build includes the
> addition of the host firewalld service file?
> 
> 2. Is it internal build? Or it is also included in
> openvswitch-ovn-central-2.6.1-10.git20161206?
> 
> Thanks.

Hi Mor,

Yes, it is in 2.6.1-10.git20161206

That version can be found here:

http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/10.git20161206.el7fdb/
(In reply to Mor from comment #21)
> 
> Currently, I'm unable to verify it on RHV hypervisors when firewalld is on,
> because RHV hosts do not support firewalld yet. But in order to make some
> ticket progress, I want to try and setup OVN environment for it, and try it
> out with RHV engine and OVN-only hosts.
> 
> I will update with my findings.
> Thanks
Hi,

I tried to look for the service file that contains 6081 UDP port (comment #10). Do you know which package provides it on 2.6.1-10? I can't find it.
(In reply to Mor from comment #25)
> Hi,
> 
> I tried to look for the service file that contains 6081 UDP port (comment
> #10). Do you know which package provides it on 2.6.1-10? I can't find it.

Hi Mor,

It seems the needed files are indeed not being installed, a fix will be needed. Unfortunately, since this is on QE already it will likely have to wait until the next fdb/fdp release (assuming it's not a blocker).

Lance
Fix pushed to fd beta and fd production packages. Builds can be found here:

http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/11.git20161206.el7fdb/

and:

http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/11.git20161206.el7fdp/

The host rules to allow UDP port 6081 (GENEVE) are included in the openvswitch-ovn-host RPM:

/usr/lib/firewalld/services/ovn-host-firewall-service.xml
The original upstream patch, which appears to have been based on https://bugzilla.redhat.com/show_bug.cgi?id=1390938#c8 , has the wrong port number (6442) for the southbound db connection.

This patch will need to be backported for the next fd drop:

https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329532.html
(In reply to Lance Richardson from comment #32)
> The original upstream patch, which appears to have been based on
> https://bugzilla.redhat.com/show_bug.cgi?id=1390938#c8 , has the
> wrong port number (6442) for the southbound db connection.
> 
> This patch will need to be backported for the next fd drop:
> 
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329532.html

This could explain the reason for the block. It was a typo. Thanks Lance.
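A small check, added here and not part of the bug report or of the openvswitch packaging, that parses a firewalld service file and compares the ports it opens against the OVN ports this thread settled on (6641/tcp northbound, 6642/tcp southbound on central; 6081/udp GENEVE on hosts). Run against the comment #8 central file it reports the 6442/6642 typo; the sample XML strings are constructed from the files shown in the thread.

```python
import xml.etree.ElementTree as ET

# Ports each role must open, taken from the verified service files in this bug.
# OVN northbound DB: 6641/tcp, southbound DB: 6642/tcp, GENEVE tunnels: 6081/udp.
EXPECTED_PORTS = {
    "central": {("tcp", "6641"), ("tcp", "6642")},
    "host": {("udp", "6081")},
}

# Constructed sample: the central service file from comment #8, with the 6442 typo.
CENTRAL_WITH_TYPO = """<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovirt-provider-ovn</short>
<description>oVirt provider ovn</description>
<port protocol="tcp" port="6641"/>
<port protocol="tcp" port="6442"/>
</service>
"""

# Constructed sample: the host service file as shipped in openvswitch-ovn-host.
HOST_OK = """<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovn-host-firewall-service</short>
<description>Firewall service for ovn host</description>
<port protocol="udp" port="6081"/>
</service>
"""


def service_ports(xml_text):
    """Return the set of (protocol, port) pairs a firewalld service file opens."""
    # Encode first so the XML declaration's encoding attribute is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("not a firewalld service file: root is <%s>" % root.tag)
    return {(p.get("protocol"), p.get("port")) for p in root.findall("port")}


def check_service(xml_text, role):
    """Compare opened ports with the expected set for 'central' or 'host'.

    Returns (missing, unexpected); both lists empty means the file is correct.
    A non-empty 'missing' means OVN traffic on that port would still be blocked.
    """
    opened = service_ports(xml_text)
    expected = EXPECTED_PORTS[role]
    return sorted(expected - opened), sorted(opened - expected)


if __name__ == "__main__":
    print("central:", check_service(CENTRAL_WITH_TYPO, "central"))
    print("host:   ", check_service(HOST_OK, "host"))
```

Pointing `service_ports` at the installed file under /usr/lib/firewalld/services/ gives the same check for a real host.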
The patch referenced in https://bugzilla.redhat.com/show_bug.cgi?id=1390938#c32 has been back-ported to fast datapath beta and production packages. RPMs with this patch are available here:

Fast datapath beta:
http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/17.git20161206.el7fdb/

Fast datapath production:
http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/14.git20161206.el7fdp/
Verified with openvswitch-2.7.0-7.git20170530.el7fdb.x86_64

[root@dell-per730-04 ovn]# uname -r
3.10.0-673.el7.x86_64
[root@dell-per730-04 ovn]# rpm -q openvswitch
openvswitch-2.7.0-7.git20170530.el7fdb.x86_64
[root@dell-per730-04 ovn]#
[root@dell-per730-04 ovn]# cat /usr/lib/firewalld/services/ovn-host-firewall-service.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovn-host-firewall-service</short>
<description>Firewall service for ovn host</description>
<port protocol="udp" port="6081"/>
</service>
[root@dell-per730-04 ovn]# cat /usr/lib/firewalld/services/ovn-central-firewall-service.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovn-central-firewall-service</short>
<description>Firewall service for ovn central</description>
<port protocol="tcp" port="6641"/>
<port protocol="tcp" port="6642"/>
</service>
[root@dell-per730-04 ovn]#
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --remove-service=ovn-host-firewall-service
success
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --remove-service=ovn-central-firewall-service
success
[root@dell-per730-04 ovn]# ovn-sbctl show
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@dell-per730-04 ovn]# ovn-sbctl show
[root@dell-per730-04 ovn]#
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --add-service=ovn-host-firewall-service
success
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --add-service=ovn-central-firewall-service
success
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: ssh dhcpv6-client ovn-host-firewall-service ovn-central-firewall-service
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[root@dell-per730-04 ovn]# ovn-sbctl show
Chassis "18b7c59a-8a0b-4338-9d28-358b45528a80"
    hostname: "dell-per730-05.rhts.eng.pek2.redhat.com"
    Encap geneve
        ip: "192.168.1.144"
        options: {csum="true"}
Submitted the patch to fix this - https://review.openstack.org/#/c/518440/ and upstream bug link - https://bugs.launchpad.net/tripleo/+bug/1730711
(In reply to Numan Siddique from comment #39)
> Submitted the patch to fix this - https://review.openstack.org/#/c/518440/
> and upstream bug link - https://bugs.launchpad.net/tripleo/+bug/1730711

Oops. Sorry. Please ignore - I meant to comment on this BZ - https://bugzilla.redhat.com/show_bug.cgi?id=1510879