What is the best approach access from host to ovn containers

cemzafer · June 1, 2022, 6:25pm

Hi,
I have constructed a simple ovn network lxd cluster system, but cant access from host to ovn containers, what is the best approach to access containers, cant access using ssh.
Here is my configuration details.
Regards.

indiana@pinehost1:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 02:ba:2a:17:4c:fc brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:19:e8:6f:74:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.20/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::7419:e8ff:fe6f:7401/64 scope link 
       valid_lft forever preferred_lft forever
4: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c6:8e:31:b0:56:e5 brd ff:ff:ff:ff:ff:ff
5: br-int: <BROADCAST,MULTICAST> mtu 1442 qdisc noop state DOWN group default qlen 1000
    link/ether 1e:f5:8e:a9:ca:9f brd ff:ff:ff:ff:ff:ff
6: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether de:a2:3f:70:d2:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::941d:85ff:fed9:e727/64 scope link 
       valid_lft forever preferred_lft forever
7: lxdovn1b@lxdovn1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP group default qlen 1000
    link/ether b6:04:1a:e3:16:0a brd ff:ff:ff:ff:ff:ff
8: lxdovn1a@lxdovn1b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 7a:b6:42:92:59:14 brd ff:ff:ff:ff:ff:ff
9: lxdovn1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 72:90:e0:0a:30:44 brd ff:ff:ff:ff:ff:ff
11: veth3bc9d005@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc noqueue master ovs-system state UP group default qlen 1000
    link/ether f2:57:84:a3:14:a9 brd ff:ff:ff:ff:ff:ff link-netnsid 0

indiana@pinehost1:~$ lxc network ls
+---------+----------+---------+----------------+---------------------------+-------------+---------+---------+
|  NAME   |   TYPE   | MANAGED |      IPV4      |           IPV6            | DESCRIPTION | USED BY |  STATE  |
+---------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| UPLINK  | physical | YES     |                |                           |             | 1       | CREATED |
+---------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| aovn    | ovn      | YES     | 10.188.69.1/24 | fd42:bc70:3c7b:55d9::1/64 |             | 2       | CREATED |
+---------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| br0     | bridge   | NO      |                |                           |             | 1       |         |
+---------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| br-int  | bridge   | NO      |                |                           |             | 0       |         |
+---------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| eth0    | physical | NO      |                |                           |             | 0       |         |
+---------+----------+---------+----------------+---------------------------+-------------+---------+---------+
| lxdovn1 | bridge   | NO      |                |                           |             | 0       |         |
+---------+----------+---------+----------------+---------------------------+-------------+---------+---------+

stgraber · June 1, 2022, 9:13pm

A few possible approaches:

Use a network forward to forward an address on your uplink network to one or more instances within your OVN network
Directly route an address from your uplink network to a specific instance (using ipv4.routes.external on the NIC)

Alternatively you could also restore a behavior similar to that of lxdbr0 by adding a route to your client system for 10.188.69.0/24 through the OVN gateway address (visible in a volatile key in lxc network show aovn).

cemzafer · June 2, 2022, 9:09pm

I follow up the first approach but there is something wrong, I have added these two commands but cant ping the 192.168.2.100, any assistance would be great.
Thanks.

lxc network set UPLINK ipv4.routes=192.168.1.20/32
lxc network forward create aovn 192.168.1.20 target_address=10.188.69.2

indiana@pinehost1:~$ lxc network show aovn
config:
  bridge.mtu: "1442"
  ipv4.address: 10.188.69.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:bc70:3c7b:55d9::1/64
  ipv6.nat: "true"
  network: UPLINK
  volatile.network.ipv4.address: 192.168.1.200
description: ""
name: aovn
type: ovn
used_by:
- /1.0/instances/sshserver
- /1.0/profiles/default
managed: true
status: Created
locations:
- pinehost1
- pinehost2
- pinehost3

indiana@pinehost1:~$ lxc network show UPLINK
config:
  dns.nameservers: 8.8.8.8
  ipv4.gateway: 192.168.1.1/24
  ipv4.ovn.ranges: 192.168.1.200-192.168.1.254
  ipv4.routes: 192.168.1.20/32
  volatile.last_state.created: "false"
description: ""
name: UPLINK
type: physical
used_by:
- /1.0/networks/aovn
managed: true
status: Created
locations:
- pinehost1
- pinehost2
- pinehost3

tomp · June 2, 2022, 9:17pm

What does

lxc network info aovn

Show?

cemzafer · June 2, 2022, 9:32pm

Here is the output.

indiana@pinehost1:~$ lxc network info aovn
Name: aovn
MAC address: 00:16:3e:96:46:fd
MTU: 1442
State: up
Type: broadcast

IP addresses:
  inet	10.188.69.1/24 (link)
  inet6	fd42:bc70:3c7b:55d9::1/64 (link)

Network usage:
  Bytes received: 0B
  Bytes sent: 0B
  Packets received: 0
  Packets sent: 0

OVN:
  Chassis: pinehost3

tomp · June 2, 2022, 9:43pm

Does it work from pinehost3?

cemzafer · June 2, 2022, 9:44pm

Yes, it works. Also ping from pinehost2 is working just pinehost1 doesnt work.

indiana@pinehost3:~$ ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
64 bytes from 192.168.1.200: icmp_seq=1 ttl=254 time=6.10 ms
64 bytes from 192.168.1.200: icmp_seq=2 ttl=254 time=2.65 ms
^C
--- 192.168.1.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 2.650/4.377/6.104/1.727 ms

tomp · June 2, 2022, 9:45pm

What is the uplink parent on pinehost1?

Perhaps a firewall issue?

tomp · June 2, 2022, 9:47pm

Ah good, so that suggests the uplink parent is not a shared layer 2 segment between all cluster members.

The ovn network’s external router port is only ever active on one cluster member at a time (it will fail over to other members if one goes down though), so in order to reach it from the other members the uplink network must be a shared l2.

cemzafer · June 2, 2022, 9:49pm

What is that mean ‘What is the uplink parent on pinehost1?’

indiana@pinehost1:~$ systemctl status ufw
Unit ufw.service could not be found.

indiana@pinehost1:~$ sudo iptables -L
[sudo] password for indiana: 
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

tomp · June 2, 2022, 9:50pm

iptables-legacy -L

cemzafer · June 2, 2022, 9:51pm

indiana@pinehost1:~$ sudo iptables-legacy -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

tomp · June 2, 2022, 9:51pm

I mean does pinehost1 uplink parent connect to same l2 as the other hosts?

tomp · June 2, 2022, 9:51pm

It suggests ARP packets are not making it between hosts

cemzafer · June 2, 2022, 9:53pm

indiana@pinehost1:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 02:ba:2a:17:4c:fc brd ff:ff:ff:ff:ff:ff
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:19:e8:6f:74:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.20/24 brd 192.168.1.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::7419:e8ff:fe6f:7401/64 scope link 
       valid_lft forever preferred_lft forever
4: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c6:8e:31:b0:56:e5 brd ff:ff:ff:ff:ff:ff
5: br-int: <BROADCAST,MULTICAST> mtu 1442 qdisc noop state DOWN group default qlen 1000
    link/ether 1e:f5:8e:a9:ca:9f brd ff:ff:ff:ff:ff:ff
6: genev_sys_6081: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether de:a2:3f:70:d2:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::941d:85ff:fed9:e727/64 scope link 
       valid_lft forever preferred_lft forever
7: lxdovn1b@lxdovn1a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP group default qlen 1000
    link/ether b6:04:1a:e3:16:0a brd ff:ff:ff:ff:ff:ff
8: lxdovn1a@lxdovn1b: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 7a:b6:42:92:59:14 brd ff:ff:ff:ff:ff:ff
9: lxdovn1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 72:90:e0:0a:30:44 brd ff:ff:ff:ff:ff:ff
25: veth15930a9f@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc noqueue master ovs-system state UP group default qlen 1000
    link/ether 22:b0:bd:0f:bb:54 brd ff:ff:ff:ff:ff:ff link-netnsid 0

cemzafer · June 2, 2022, 9:54pm

indiana@pinehost1:~$ sudo arp -a
homefw.home.arpa (192.168.1.1) at e8:94:f6:02:f8:4b [ether] on br0
? (192.168.1.22) at 76:19:e8:6f:74:03 [ether] on br0
? (192.168.1.200) at 00:16:3e:96:46:fd [ether] on br0
? (192.168.1.21) at 76:19:e8:6f:74:02 [ether] on br0
? (192.168.1.5) at 64:70:02:14:4b:8f [ether] on br0

tomp · June 2, 2022, 10:00pm

You can’t use the

192.168.1.20

For both the br0 ip and the ovn networks external route.
Otherwise the ip will be in use on two interfaces concurrently.

cemzafer · June 2, 2022, 10:01pm

So any IP in that subnet can be suitable then, for example. 192.168.1.2/32.

tomp · June 2, 2022, 10:02pm

Any ip that is not in use that ovn router can use on its external router port (which it will then forward into the virtual ovn network).

tomp · June 2, 2022, 10:04pm

Br0 could have no ips on it and ovn would still work as it just needs the l2 connection to the uplink network.