Diffstat (limited to 'doc/source/contributor/internals/ovn/ovn_network_logging.rst')
-rw-r--r--  doc/source/contributor/internals/ovn/ovn_network_logging.rst  114
1 files changed, 57 insertions, 57 deletions
diff --git a/doc/source/contributor/internals/ovn/ovn_network_logging.rst b/doc/source/contributor/internals/ovn/ovn_network_logging.rst index eca6c0c953..ff3fe8ad70 100644 --- a/doc/source/contributor/internals/ovn/ovn_network_logging.rst +++ b/doc/source/contributor/internals/ovn/ovn_network_logging.rst @@ -10,10 +10,10 @@ manage affected security group rules. Thus, there is no need for an agent. It is good to keep in mind that Openstack Security Groups (SG) and their rules (SGR) map 1:1 into OVN's Port Groups (PG) and Access Control Lists (ACL): - .. code-block:: none +.. code-block:: none - Openstack Security Group <=> OVN Port Group - Openstack Security Group Rule <=> OVN ACL + Openstack Security Group <=> OVN Port Group + Openstack Security Group Rule <=> OVN ACL Just like SGs have a list of SGRs, PGs have a list of ACLs. PGs also have a list of logical ports, but that is not really relevant in this context. 
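Review bot: Dedenting `.. code-block:: none` is the right fix (the leading space on the old line made the directive part of a block quote, which added an unwanted indent to the rendered block), but the body lines `Openstack Security Group <=> OVN Port Group` and `Openstack Security Group Rule <=> OVN ACL` must still be indented relative to the directive after the change; the diff view collapses whitespace here, so please confirm the relative indent survived, otherwise Sphinx reports an empty code-block and the mapping disappears from the rendered page.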
@@ -50,22 +50,22 @@ https://github.com/ovn-org/ovn/commit/880dca99eaf73db7e783999c29386d03c82093bf Below is an example of a meter configuration in OVN. You can locate the fair, unit, burst_size, and rate attributes: - .. code-block:: bash +.. code-block:: bash - $ ovn-nbctl list meter - _uuid : 70c76ba9-f303-471b-9d49-25dee299827f - bands : [f114c205-a170-4425-8ca6-4e71099d1955] - external_ids : {"neutron:device_owner"=logging-plugin} - fair : true - name : acl_log_meter - unit : pktps + $ ovn-nbctl list meter + _uuid : 70c76ba9-f303-471b-9d49-25dee299827f + bands : [f114c205-a170-4425-8ca6-4e71099d1955] + external_ids : {"neutron:device_owner"=logging-plugin} + fair : true + name : acl_log_meter + unit : pktps - $ ovn-nbctl list meter-band - _uuid : f114c205-a170-4425-8ca6-4e71099d1955 - action : drop - burst_size : 25 - external_ids : {} - rate : 100 + $ ovn-nbctl list meter-band + _uuid : f114c205-a170-4425-8ca6-4e71099d1955 + action : drop + burst_size : 25 + external_ids : {} + rate : 100 The burst_size and rate attributes are configurable through neutron.conf.services.logging.log_driver_opts. That is not new. 
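Review bot: Since this hunk already reindents the block, consider changing `.. code-block:: bash` to `.. code-block:: console`: the block mixes `$ ovn-nbctl list meter` prompts with table output such as `_uuid : 70c76ba9-f303-471b-9d49-25dee299827f`, which is not valid bash and is exactly what the `console` lexer is meant for (prompt lines highlighted as commands, the rest as output).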
@@ -78,39 +78,39 @@ Moreover, there are a few attributes in each ACL that makes it able to provide the networking logging feature. Let's use the example below to point out the relevant fields: - .. code-block:: none - - $ openstack network log create --resource-type security_group \ - --resource ${SG} --event ACCEPT logme -f value -c ID - 2e456c7f-154e-40a8-bb10-f88ba51b90b5 - - $ openstack security group show ${SG} -f json -c rules | jq '.rules | .[2]' | grep -v 'null' - { - "id": "de4ea1e4-c946-40ed-b5b6-53c59418dc0b", - "tenant_id": "2600067ea3a446dba332d20a30ed44fa", - "security_group_id": "c604e984-0789-4c9a-a297-3e7f62fa73fd", - "ethertype": "IPv4", - "direction": "egress", - "standard_attr_id": 48, - "tags": [], - "created_at": "2021-02-06T22:17:44Z", - "updated_at": "2021-02-06T22:17:44Z", - "revision_number": 0, - "project_id": "2600067ea3a446dba332d20a30ed44fa" - } - - $ ovn-nbctl find acl \ - "external_ids:\"neutron:security_group_rule_id\""="de4ea1e4-c946-40ed-b5b6-53c59418dc0b" - _uuid : 791679e9-237d-4732-a31e-aa634496e02b - action : allow-related - direction : from-lport - external_ids : {"neutron:security_group_rule_id"="de4ea1e4-c946-40ed-b5b6-53c59418dc0b"} - log : true - match : "inport == @pg_c604e984_0789_4c9a_a297_3e7f62fa73fd && ip4" - meter : acl_log_meter - name : neutron-2e456c7f-154e-40a8-bb10-f88ba51b90b5 - priority : 1002 - severity : info +.. 
code-block:: none + + $ openstack network log create --resource-type security_group \ + --resource ${SG} --event ACCEPT logme -f value -c ID + 2e456c7f-154e-40a8-bb10-f88ba51b90b5 + + $ openstack security group show ${SG} -f json -c rules | jq '.rules | .[2]' | grep -v 'null' + { + "id": "de4ea1e4-c946-40ed-b5b6-53c59418dc0b", + "tenant_id": "2600067ea3a446dba332d20a30ed44fa", + "security_group_id": "c604e984-0789-4c9a-a297-3e7f62fa73fd", + "ethertype": "IPv4", + "direction": "egress", + "standard_attr_id": 48, + "tags": [], + "created_at": "2021-02-06T22:17:44Z", + "updated_at": "2021-02-06T22:17:44Z", + "revision_number": 0, + "project_id": "2600067ea3a446dba332d20a30ed44fa" + } + + $ ovn-nbctl find acl \ + "external_ids:\"neutron:security_group_rule_id\""="de4ea1e4-c946-40ed-b5b6-53c59418dc0b" + _uuid : 791679e9-237d-4732-a31e-aa634496e02b + action : allow-related + direction : from-lport + external_ids : {"neutron:security_group_rule_id"="de4ea1e4-c946-40ed-b5b6-53c59418dc0b"} + log : true + match : "inport == @pg_c604e984_0789_4c9a_a297_3e7f62fa73fd && ip4" + meter : acl_log_meter + name : neutron-2e456c7f-154e-40a8-bb10-f88ba51b90b5 + priority : 1002 + severity : info The first command creates a networking-log for a given SG. The second shows an SGR from that SG. The third shell command is where we can see how the ACL with the meter information gets populated. 
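Review bot: The hunk is whitespace-only, but the `$ openstack security group show ${SG} -f json -c rules | jq '.rules | .[2]' | grep -v 'null'` line is long enough to overflow the rendered block and should get a `\` continuation like the `openstack network log create` command above it; while touching it, a short remark that `.[2]` simply selects the rule used in this example (the index depends on the SG's rule list) would save readers from copying it verbatim and getting a different SGR.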
@@ -128,14 +128,14 @@ These are the attributes pertinent to network logging: If we poked the SGR with packets that match its criteria, the ovn-controller local to where the ACLs is enforced will log something that looks like this: - .. code-block:: none +.. code-block:: none - 2021-02-16T11:59:00.640Z|00045|acl_log(ovn_pinctrl0)|INFO| - name="neutron-2e456c7f-154e-40a8-bb10-f88ba51b90b5", - verdict=allow, severity=info: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:24:dc:88, - dl_dst=fa:16:3e:15:6d:e0, - nw_src=10.0.0.12,nw_dst=10.0.0.11,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8, - icmp_code=0 + 2021-02-16T11:59:00.640Z|00045|acl_log(ovn_pinctrl0)|INFO| + name="neutron-2e456c7f-154e-40a8-bb10-f88ba51b90b5", + verdict=allow, severity=info: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:24:dc:88, + dl_dst=fa:16:3e:15:6d:e0, + nw_src=10.0.0.12,nw_dst=10.0.0.11,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8, + icmp_code=0 It is beyond the scope of this document to talk about what happens after the logs are generated by ovn-controllers. The harvesting of files across compute nodes is something a project like |
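Review bot: The `acl_log(ovn_pinctrl0)|INFO|` record is shown wrapped over six lines, but it is a single log line from the timestamp through `icmp_code=0`; since this hunk reformats the block anyway, add a sentence saying it is wrapped for display, so anyone building log collection or detection rules from this example does not match on line boundaries that do not exist in the real ovn-controller output.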