Thursday, November 10, 2016

Excellent OVN related information

Dustin Spinhirne has written an excellent series of OVN blog posts; the link below is one to keep handy for frequent reference.

http://blog.spinhirne.com/p/blog-series.html#introToOVN

A few network-related commands

To list the Open vSwitch bridges that exist on your system:

      ovs-vsctl list-br

To verify connectivity between hosts:

      netstat -antp | grep destination-IP

For example, to see the connections to the host at IP 10.0.2.25, use this command:

      netstat -antp | grep 10.0.2.25

Here are the results:
 
tcp        0      0 10.0.2.26:60536         10.0.2.25:5672          ESTABLISHED 6977/python
tcp        0      0 10.0.2.26:60526         10.0.2.25:5672          ESTABLISHED 31103/python
tcp        0      0 10.0.2.26:34444         10.0.2.25:6642          ESTABLISHED 6717/ovn-controller
tcp        0      0 10.0.2.26:60542         10.0.2.25:5672          ESTABLISHED 6977/python
tcp        0      0 10.0.2.26:60538         10.0.2.25:5672          ESTABLISHED 6977/python
tcp        0      0 10.0.2.26:39282         10.0.2.25:3306          ESTABLISHED 31103/python
tcp        0      0 10.0.2.26:60528         10.0.2.25:5672          ESTABLISHED 31103/python
 
5672 is the default port for RabbitMQ
6642 is the port for the OVN southbound DB
3306 is the default port for MySQL
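The port-to-service mapping above is easy to apply by hand to seven lines, but a compute node talks to many controller services at once. Here is an added example (not from the original post) that reads netstat -antp output, keeps the established connections to one remote host and summarises them per local process with the service name behind each port; 6641 is added to the map as the default OVN northbound DB port.

```shell
#!/bin/sh
# Added example, not from the original post: read "netstat -antp" output on
# stdin and summarise, per local process, its ESTABLISHED connections to one
# remote host, naming the service behind each well-known port.

# Port-to-service map from the post (6641 added: default OVN northbound DB port).
service_for_port() {
    case "$1" in
        5672) echo rabbitmq ;;
        6641) echo ovn-northbound-db ;;
        6642) echo ovn-southbound-db ;;
        3306) echo mysql ;;
        *)    echo unknown ;;
    esac
}

# Usage: netstat -antp | annotate_connections <remote-ip>
# Prints:  <pid/program> -> <remote ip:port> x<count> (<service>)
annotate_connections() {
    awk -v target="$1" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            split($5, rem, ":")              # foreign address is ip:port
            if (rem[1] != target) next
            key = $7 " " $5 " " rem[2]       # pid/program, ip:port, port
            count[key]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort | while read -r prog dest port n; do
        printf '%-22s -> %-18s x%d (%s)\n' "$prog" "$dest" "$n" "$(service_for_port "$port")"
    done
}

# Constructed sample: the netstat lines quoted in the post above.
SAMPLE_NETSTAT='tcp        0      0 10.0.2.26:60536         10.0.2.25:5672          ESTABLISHED 6977/python
tcp        0      0 10.0.2.26:60526         10.0.2.25:5672          ESTABLISHED 31103/python
tcp        0      0 10.0.2.26:34444         10.0.2.25:6642          ESTABLISHED 6717/ovn-controller
tcp        0      0 10.0.2.26:60542         10.0.2.25:5672          ESTABLISHED 6977/python
tcp        0      0 10.0.2.26:60538         10.0.2.25:5672          ESTABLISHED 6977/python
tcp        0      0 10.0.2.26:39282         10.0.2.25:3306          ESTABLISHED 31103/python
tcp        0      0 10.0.2.26:60528         10.0.2.25:5672          ESTABLISHED 31103/python'

# Run against the sample when invoked with any argument, e.g. "sh annotate.sh demo".
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | annotate_connections 10.0.2.25
fi
```

A process holding an unexpected number of broker connections, or one talking to a port that resolves to "unknown", is the thing to look at first.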
 
 

Monday, October 3, 2016

OpenStack Neutron metadata agent conversation

On Oct. 3rd, I had a conversation about the dependency between the L3 agent and the metadata agent. I installed the Neutron L3 agent and, to my surprise, found that the metadata agent was also installed. Here is what happened on the Neutron IRC channel:

tongli: hi, I recently installed openstack neutron l3 agent on a compute node, to my surprise, the apt-get install neutron-l3-agent also installed neutron-metadata-agent.
13:36 tongli: which is not something that I expected.
13:36 tongli: can someone tell me if that is a bug or that is intended?
13:36 tongli: this is mitaka release.
kevinbenton: tongli: yeah, that's expected. The L3 agent will handle proxying metadata requests to Nova
13:42 kevinbenton: tongli: (by passing them to the metadata agent)
13:43 tongli: @kevinbenton, thanks for your answer. So it won't make much sense to have l3 agent on a node without metadata agent?
13:44 kevinbenton: tongli: no, unless you don't want to use metadata and set enable_metadata_proxy to false in the l3 agent
13:45 kevinbenton: tongli: you could also force the DHCP agent to always do metadata for you with the force_metadata option if you don't want the l3 agent to do it.

Wednesday, September 28, 2016

OpenStack Neutron Network Notes

1. When a network and its subnet are created with DHCP enabled (Linuxbridge used as the example):

    A Linux network namespace will be created, named qdhcp-<network-id>. Inside it there will be a tap device named ns-<tap device name>, bearing an IP address of x.x.x.2 (by default); this is where the DHCP server runs. The other end of that tap device sits in the default namespace and is simply named tap<tap device name>.

    A Linux bridge will be created, named brq<first 11 characters of the network id>. The bridge holds the tap<tap device name> for the DHCP server and the VXLAN device that connects this bridge with the bridges on other compute nodes once VMs are created on the network.

2. When a router is created without an external gateway and without being connected to a tenant network, nothing happens beyond a record in the Neutron database. No actual network construct is created.

3. When a router gets its external gateway set:

    A Linux network namespace will be created, named qrouter-<router-id>.
    A tap device will be created in that namespace, named qg-<first 11 characters of the port id>; this is the port that bears a floating IP address (so one floating IP is consumed here). qg stands for quantum gateway. The other end of this tap device sits in the default namespace and is named tap<first 11 characters of the port id>; it bears no IP address, since it is plugged into the bridge created for the public (provider) network, which carries all traffic to the public network.

4. When a router is hooked up to a tenant network (an interface from a tenant subnet is added to the router):

     A pair of tap devices will be created. One end is placed in the qrouter namespace created in step 3 and named qr-<first 11 characters of the port id>; qr stands for quantum router. This device normally takes the first IP of that subnet, which is usually the .1 address. The other end is named tap<first 11 characters of the port id>; it sits in the default namespace and is placed in the bridge that represents the network created in step 1.

Use the following command to show tap device pairs:

    ip -d link show
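The naming rules in steps 1 to 4 are mechanical, so they can be turned into a check. This added example (not from the original post) derives the expected namespace, bridge and tap names from the network, router and port UUIDs you get from the Neutron CLI, then reports which of them actually exist on the host via ip netns and ip link; the UUID in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: derive the Linux constructs the
# notes above describe from Neutron UUIDs and check whether they exist here.

# Neutron device names embed the first 11 characters of the network/port UUID.
short_id() { printf '%s' "$1" | cut -c1-11; }

# Step 1: DHCP namespace and Linux bridge for a network id.
network_constructs() {
    printf 'qdhcp-%s\nbrq%s\n' "$1" "$(short_id "$1")"
}

# Step 3: router namespace for a router id.
router_constructs() { printf 'qrouter-%s\n' "$1"; }

# Steps 1/3/4: both ends of a port's veth pair. kind is ns (DHCP side),
# qg (gateway side) or qr (router side); the host end is always tap<id>.
port_constructs() {
    printf '%s-%s\ntap%s\n' "$1" "$(short_id "$2")" "$(short_id "$2")"
}

# Read-only existence check: namespaces via "ip netns", devices via "ip link".
# Prints present/missing per name; exit status is non-zero if anything is missing.
check_constructs() {
    rc=0
    for name in "$@"; do
        case "$name" in
            qdhcp-*|qrouter-*)
                if ip netns list 2>/dev/null | awk '{print $1}' | grep -qx -- "$name"
                then echo "present namespace $name"; else echo "missing namespace $name"; rc=1; fi ;;
            *)
                if ip -o link show dev "$name" >/dev/null 2>&1
                then echo "present device    $name"; else echo "missing device    $name"; rc=1; fi ;;
        esac
    done
    return $rc
}

# Usage: sh neutron-check.sh <network-id> <router-id> <router-port-id>
# Afterwards "ip -d link show dev tap<id>" shows the veth peer of a present tap.
if [ "$#" -eq 3 ]; then
    # shellcheck disable=SC2046  (word splitting of the derived names is intended)
    check_constructs $(network_constructs "$1") $(router_constructs "$2") $(port_constructs qr "$3")
fi
```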

Tuesday, September 27, 2016

Change open file limits on Ubuntu

Two things have to be done to increase the open file limit on an Ubuntu system (a third, optional step covers SSH sessions):

1. Edit /etc/security/limits.conf and add the following two lines:
 
   * soft nofile 4096
   * hard nofile 4096


2. Edit the /etc/pam.d/common-session* files and add the following line:

      session required        pam_limits.so

3. (Optional) If you will be accessing the node via secure shell (SSH), also edit /etc/ssh/sshd_config and uncomment the following line:

    #UseLogin no

   and set its value to yes as shown here:

    UseLogin yes

 
 
To see the open file limits of a running process, do the following:

   cat /proc/__process_id__/limits
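The /proc check above tells you what a process actually got; the usual reason it still shows the old number is that pam_limits.so is not loaded for the session, so limits.conf is never applied. This added example (not from the original post) parses the "Max open files" row of /proc/<pid>/limits, compares it with a required soft/hard pair and checks that both files from the steps above contain what they should; the file paths are parameters with the system paths as defaults.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the open-file limit
# change above took effect for a process and that the config files are in place.

# Print "<soft> <hard>" from the "Max open files" row of /proc/<pid>/limits.
nofile_limits_of() {
    awk '/^Max open files/ { print $4, $5 }' "/proc/$1/limits"
}

# True if the value ($1) is at least the requirement ($2); "unlimited" always passes.
limit_ok() { [ "$1" = unlimited ] || [ "$1" -ge "$2" ]; }

# True if process $1 has soft >= $2 and hard >= $3.
has_nofile_at_least() {
    set -- "$1" "$2" "$3" $(nofile_limits_of "$1")   # $4 = soft, $5 = hard
    limit_ok "$4" "$2" && limit_ok "$5" "$3"
}

# Check the files the post edits. $1 = limits.conf, $2 = pam.d directory.
config_in_place() {
    limits="${1:-/etc/security/limits.conf}"
    pamdir="${2:-/etc/pam.d}"
    ok=0
    # expected lines look like:  * soft nofile 4096  /  * hard nofile 4096
    grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+nofile[[:space:]]+[0-9]+' "$limits" \
        || { echo "limits.conf: no '* soft nofile N' line"; ok=1; }
    grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+nofile[[:space:]]+[0-9]+' "$limits" \
        || { echo "limits.conf: no '* hard nofile N' line"; ok=1; }
    # pam_limits.so must be in the session stack, i.e. common-session*.
    grep -qs '^[[:space:]]*session[[:space:]].*pam_limits\.so' "$pamdir"/common-session* \
        || { echo "pam.d: pam_limits.so not enabled in common-session*"; ok=1; }
    return $ok
}

# Usage: sh check-nofile.sh <pid> [soft] [hard]   (defaults 4096 4096, as in the post)
if [ "$#" -gt 0 ]; then
    echo "soft hard: $(nofile_limits_of "$1")"
    if has_nofile_at_least "$1" "${2:-4096}" "${3:-4096}"; then echo "limits OK"; else echo "limits too low"; fi
    config_in_place && echo "config OK"
fi
```

A process started before the PAM change keeps its old limits until it is restarted from a fresh session, so check the service's PID rather than your shell's.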

Show Linux system hard disks and file systems

The following command will show system wide block devices and file systems:
 
    lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL
 
 

Thursday, September 22, 2016

Certificates

For self-signed certificates, the public half can be obtained by exporting the certificate from a browser (such as Firefox). The exported certificate should be in PEM form. The following command converts it to a DER-encoded .crt file:

   openssl x509 -outform der -in your-cert.pem -out your-cert.crt
 
 
If you want the certificate to be accepted system-wide, do the following:

   1. Copy the PEM file to /etc/ssl/certs.

   2. Run the following command to compute the hash that the link name must use:

         openssl x509 -noout -hash -in _PEM_FILE_

   3. The command prints a hash; create a link with that name in /etc/ssl/certs:

         ln -s _PEM_FILE_ <theHash>.0
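The three steps above, as an added example that is not part of the original post. It checks that the file really is a self-signed certificate before trusting it, and handles the ".0" suffix properly: OpenSSL looks up <hash>.0, <hash>.1 and so on, so two certificates whose subjects hash alike must get different suffixes instead of one link overwriting the other. The target directory is a parameter so it can be exercised without root; on Ubuntu it is /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the original post: install a self-signed PEM
# certificate into a trust directory using the <hash>.N link layout above.

# True if the file is a parseable certificate whose issuer equals its subject.
check_self_signed() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 1
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Copy the PEM into $2 and create <hash>.N -> file, where N is the first
# free suffix; a link that already points at this file is reused rather than
# duplicated. Prints the link path.
install_ca_pem() {
    pem="$1"; dir="$2"
    check_self_signed "$pem" || { echo "not a self-signed certificate: $pem" >&2; return 1; }
    hash=$(openssl x509 -noout -hash -in "$pem")   # the hash from step 2 above
    base=$(basename "$pem")
    cp "$pem" "$dir/$base"
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$base" ]; then
            echo "$dir/$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    ln -s "$base" "$dir/$hash.$n"                   # relative link, as in step 3 above
    echo "$dir/$hash.$n"
}

# Usage: sh install-ca.sh your-cert.pem /etc/ssl/certs
if [ "$#" -eq 2 ]; then
    install_ca_pem "$1" "$2"
fi
```

On Debian and Ubuntu the supported route is to place the .crt under /usr/local/share/ca-certificates and run update-ca-certificates, which rebuilds these hash links for the whole directory; the function shows what that does for one file.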