Add info about nf_conntrack_proto_gre when ovs fw is used
When the openvswitch firewall driver is used, the nf_conntrack_proto_gre kernel module must be loaded for GRE tunnels from VM to VM to work properly. This patch adds that information to the OVS firewall documentation, since whether to load this module should be the deployer's decision. It also adds a sanity check that verifies whether the nf_conntrack_proto_gre module is loaded and warns the user when it is not, and it adds loading of this kernel module to the neutron devstack plugin. Change-Id: Ic97ca00c804f0a540ee0dc53d9e4e07bf8410869 Closes-Bug: #1828053
This commit is contained in:
parent
bd3d85807c
commit
b8a18dc22a
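--- a/<PATH NOT SHOWN ON PAGE: file 1>
+++ b/<PATH NOT SHOWN ON PAGE: file 1>
@@ -210,3 +210,9 @@ function remove_ovs_packages() {
         fi
     done
 }
+
+
+# load_conntrack_gre_module() - loads nf_conntrack_proto_gre kernel module
+function load_conntrack_gre_module() {
+    sudo modprobe nf_conntrack_proto_gre
+}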
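Review bot: `sudo modprobe nf_conntrack_proto_gre` in load_conntrack_gre_module has no failure handling, so on a kernel that ships no module of that name (as far as I recall, newer kernels fold GRE tracking into nf_conntrack) modprobe exits non-zero and, if the plugin runs under devstack's errexit, aborts the whole stack instead of merely leaving GRE conntrack unavailable. The documentation hunk in this commit presents loading the module as a deployer choice, so a non-fatal form would match that intent: `sudo modprobe nf_conntrack_proto_gre || echo "WARNING: nf_conntrack_proto_gre could not be loaded; GRE tunnels between VMs will not work with the OVS firewall driver"`. The comment above the function could also state that the module is only needed with the openvswitch firewall driver, since nothing in this file says why it is loaded.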
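--- a/<PATH NOT SHOWN ON PAGE: file 2>
+++ b/<PATH NOT SHOWN ON PAGE: file 2>
@@ -28,6 +28,7 @@ if [[ "$1" == "stack" ]]; then
             [[ "$Q_BUILD_OVS_FROM_GIT" == "True" ]]; then
                 remove_ovs_packages
                 compile_ovs True /usr /var
+                load_conntrack_gre_module
                 start_new_ovs
             fi
             ;;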
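Review bot: load_conntrack_gre_module is called only inside the `[[ "$Q_BUILD_OVS_FROM_GIT" == "True" ]]` branch, so a stack that installs Open vSwitch from distribution packages never loads the module, although the commit message says the plugin now loads it. Moving the call after the closing `fi` of that branch (still within the `install)` arm) makes the behaviour independent of how OVS was obtained. The enclosing `if [[ "$1" == "stack" ]]` block starts and ends outside the hunk, so I cannot see whether another call site exists in the package path.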
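--- a/<PATH NOT SHOWN ON PAGE: file 3>
+++ b/<PATH NOT SHOWN ON PAGE: file 3>
@@ -53,3 +53,21 @@ Enable the native OVS firewall driver
 For more information, see the
 :doc:`/contributor/internals/openvswitch_firewall`
 and the `video <https://www.youtube.com/watch?v=SOHeZ3g9yxM>`_.
+
+Using GRE tunnels inside VMs with OVS firewall driver
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If GRE tunnels from VM to VM are going to be used, the native OVS firewall
+implementation requires ``nf_conntrack_proto_gre`` module to be loaded in
+the kernel on nodes running the Open vSwitch agent.
+It can be loaded with the command:
+
+.. code-block:: console
+
+   # modprobe nf_conntrack_proto_gre
+
+Some Linux distributions have files that can be used to automatically load
+kernel modules at boot time, for example, ``/etc/modules``. Check with your
+distribution for further information.
+
+This isn't necessary to use ``gre`` tunnel network type Neutron.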
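--- a/<PATH NOT SHOWN ON PAGE: file 4>
+++ b/<PATH NOT SHOWN ON PAGE: file 4>
@@ -19,6 +19,7 @@ import tempfile
 
 import netaddr
 from neutron_lib import constants as n_consts
+from neutron_lib import exceptions
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import uuidutils
@@ -42,6 +43,7 @@ LOG = logging.getLogger(__name__)
 MINIMUM_DNSMASQ_VERSION = 2.67
 DNSMASQ_VERSION_DHCP_RELEASE6 = 2.76
 MINIMUM_DIBBLER_VERSION = '1.0.1'
+CONNTRACK_GRE_MODULE = 'nf_conntrack_proto_gre'
 
 
 def ovs_vxlan_supported(from_ip='192.0.2.1', to_ip='192.0.2.2'):
@@ -485,3 +487,11 @@ def ip_nonlocal_bind():
     finally:
         ip_lib.delete_network_namespace(nsname1)
     return ns1_value == 0
+
+
+def gre_conntrack_supported():
+    cmd = ['modinfo', CONNTRACK_GRE_MODULE]
+    try:
+        return agent_utils.execute(cmd, log_fail_as_error=False)
+    except exceptions.ProcessExecutionError:
+        return False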
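Review bot: gre_conntrack_supported (third hunk of this section) tests whether a module named nf_conntrack_proto_gre is installed, not whether it is loaded: `modinfo` reads the module file from disk and succeeds on a host where the module was never inserted, so the "is not loaded" warning that check_gre_conntrack derives from this result in the sanity-check file never fires in the likely failure mode, module present on disk but not loaded and GRE tunnels between VMs silently broken. Conversely, on a kernel that has no separate module of that name because GRE tracking is built into nf_conntrack (newer kernels, as far as I recall) modinfo fails and a spurious warning is produced. A loaded-state check is a file read rather than a subprocess, for example `return os.path.isdir('/sys/module/' + CONNTRACK_GRE_MODULE)` (assuming `os` is imported above the hunk) or scanning `/proc/modules`, which also removes the dependency on `modinfo` being on PATH; if availability is genuinely what is wanted, a docstring such as `"""Return whether the nf_conntrack_proto_gre module is available to modprobe (not whether it is loaded)."""` and matching warning text would keep the two in agreement. Either way the function deserves a docstring; it currently has none while the surrounding checks file documents what each probe establishes.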
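--- a/<PATH NOT SHOWN ON PAGE: file 5>
+++ b/<PATH NOT SHOWN ON PAGE: file 5>
@@ -220,6 +220,15 @@ def check_ovs_conntrack():
     return result
 
 
+def check_gre_conntrack():
+    result = checks.gre_conntrack_supported()
+    if not result:
+        LOG.warning('Kernel module %s is not loaded. GRE tunnels from '
+                    'VM to VM will not work with OVS firewall driver.',
+                    checks.CONNTRACK_GRE_MODULE)
+    return result
+
+
 def check_ebtables():
     result = checks.ebtables_supported()
     if not result:
@@ -323,6 +332,9 @@ OPTS = [
                     help=_('Check ovsdb native interface support')),
     BoolOptCallback('ovs_conntrack', check_ovs_conntrack,
                     help=_('Check ovs conntrack support')),
+    BoolOptCallback('gre_conntrack', check_gre_conntrack,
+                    help=_('Check if conntrack for gre tunnels traffic is '
+                           'supported')),
     BoolOptCallback('ebtables_installed', check_ebtables,
                     help=_('Check ebtables installation')),
     BoolOptCallback('keepalived_ipv6_support', check_keepalived_ipv6_support,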
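Review bot: check_gre_conntrack (first hunk of this section) returns `result` unchanged, and on the success path that value is whatever agent_utils.execute returned for `modinfo`, i.e. the command's stdout string rather than True, so this callback is the only one in the file whose result is not a bool; `return bool(result)` keeps it consistent with check_ebtables and the other OPTS callbacks. A one-line docstring, `"""Warn when GRE conntrack support is missing; only relevant with the openvswitch firewall driver."""`, would also make the scope explicit, because the `gre_conntrack` option help text added in the second hunk ("Check if conntrack for gre tunnels traffic is supported") does not say that the check matters only for that driver. Whether this option is enabled by default is decided outside the hunk, so I cannot tell from here whether operators get the warning without opting in.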