From ce1b99a5f8cde6dc4e67a05d7b711c7e88c6810f Mon Sep 17 00:00:00 2001 From: Russell Bryant Date: Thu, 19 Jan 2017 14:11:48 -0500 Subject: doc: Remove tutorials/ovn-basics. The only thing worse than a lack of documentation is incorrect or out-of-date documentation. Over time, this document has not kept up with the pace of OVN and is no longer a good current resource. For a sandbox based tutorial like this, I'd like to start over using ovn-trace as the basis. An even more important type of tutorial would be something along the lines of: http://blog.spinhirne.com/p/blog-series.html That blog series was fantastic and has been the primary tutorial reference I have been sending people to since it was written. Signed-off-by: Russell Bryant Acked-by: Ben Pfaff --- Documentation/automake.mk | 1 - Documentation/index.rst | 1 - Documentation/tutorials/index.rst | 1 - Documentation/tutorials/ovn-basics.rst | 974 ----------------------------- tutorial/automake.mk | 33 +- tutorial/ovn/env1/add-security-ip-ports.sh | 25 - tutorial/ovn/env1/add-third-port.sh | 21 - tutorial/ovn/env1/add-unknown-ports.sh | 25 - tutorial/ovn/env1/packet1.sh | 19 - tutorial/ovn/env1/packet2.sh | 19 - tutorial/ovn/env1/packet3.sh | 19 - tutorial/ovn/env1/packet4.sh | 19 - tutorial/ovn/env1/setup.sh | 46 -- tutorial/ovn/env2/packet1.sh | 18 - tutorial/ovn/env2/packet2.sh | 18 - tutorial/ovn/env2/setup.sh | 36 -- tutorial/ovn/env3/packet1.sh | 19 - tutorial/ovn/env3/packet2.sh | 31 - tutorial/ovn/env3/setup.sh | 44 -- tutorial/ovn/env4/packet1.sh | 21 - tutorial/ovn/env4/packet2.sh | 21 - tutorial/ovn/env4/packet3.sh | 20 - tutorial/ovn/env4/packet4.sh | 20 - tutorial/ovn/env4/setup.sh | 50 -- tutorial/ovn/env5/packet1.sh | 21 - tutorial/ovn/env5/packet2.sh | 20 - tutorial/ovn/env5/setup.sh | 67 -- tutorial/ovn/env6/add-acls.sh | 21 - tutorial/ovn/env6/setup.sh | 46 -- tutorial/ovn/env7/add-container-ports.sh | 60 -- tutorial/ovn/env7/packet1.sh | 19 - tutorial/ovn/env7/packet2.sh | 19 - tutorial/ovn/env7/setup.sh | 36 -- tutorial/ovn/env8/packet1.sh | 21 - tutorial/ovn/env8/packet2.sh | 20 - tutorial/ovn/env8/setup.sh | 47 -- 36 files changed, 1 insertion(+), 1897 deletions(-) delete mode 100644 Documentation/tutorials/ovn-basics.rst delete mode 100755 tutorial/ovn/env1/add-security-ip-ports.sh delete mode 100755 tutorial/ovn/env1/add-third-port.sh delete mode 100755 tutorial/ovn/env1/add-unknown-ports.sh delete mode 100755 tutorial/ovn/env1/packet1.sh delete mode 100755 tutorial/ovn/env1/packet2.sh delete mode 100755 tutorial/ovn/env1/packet3.sh delete mode 100755 tutorial/ovn/env1/packet4.sh delete mode 100755 tutorial/ovn/env1/setup.sh delete mode 100755 tutorial/ovn/env2/packet1.sh delete mode 100755 tutorial/ovn/env2/packet2.sh delete mode 100755 tutorial/ovn/env2/setup.sh delete mode 100755 tutorial/ovn/env3/packet1.sh delete mode 100755 tutorial/ovn/env3/packet2.sh delete mode 100755 tutorial/ovn/env3/setup.sh delete mode 100755 tutorial/ovn/env4/packet1.sh delete mode 100755 tutorial/ovn/env4/packet2.sh delete mode 100755 tutorial/ovn/env4/packet3.sh delete mode 100755 tutorial/ovn/env4/packet4.sh delete mode 100755 tutorial/ovn/env4/setup.sh delete mode 100755 tutorial/ovn/env5/packet1.sh delete mode 100755 tutorial/ovn/env5/packet2.sh delete mode 100755 tutorial/ovn/env5/setup.sh delete mode 100755 tutorial/ovn/env6/add-acls.sh delete mode 100755 tutorial/ovn/env6/setup.sh delete mode 100755 tutorial/ovn/env7/add-container-ports.sh delete mode 100755 tutorial/ovn/env7/packet1.sh delete mode 100755 tutorial/ovn/env7/packet2.sh delete mode 100755 tutorial/ovn/env7/setup.sh delete mode 100755 tutorial/ovn/env8/packet1.sh delete mode 100755 tutorial/ovn/env8/packet2.sh delete mode 100755 tutorial/ovn/env8/setup.sh diff --git a/Documentation/automake.mk b/Documentation/automake.mk index 25c14be57..18e03a338 100644 --- a/Documentation/automake.mk +++ b/Documentation/automake.mk @@ -21,7 +21,6 @@ EXTRA_DIST += \ Documentation/intro/install/windows.rst \ Documentation/intro/install/xenserver.rst \ Documentation/tutorials/index.rst \ - Documentation/tutorials/ovn-basics.rst \ Documentation/tutorials/ovs-advanced.rst \ Documentation/topics/index.rst \ Documentation/topics/bonding.rst \ diff --git a/Documentation/index.rst b/Documentation/index.rst index deb44d397..02b376fc2 100644 --- a/Documentation/index.rst +++ b/Documentation/index.rst @@ -61,7 +61,6 @@ vSwitch? Start here. :doc:`intro/install/dpdk` - **Tutorials:** :doc:`tutorials/ovs-advanced` | - :doc:`tutorials/ovn-basics` Deeper Dive ----------- diff --git a/Documentation/tutorials/index.rst b/Documentation/tutorials/index.rst index 477cadbeb..8a7e6eea3 100644 --- a/Documentation/tutorials/index.rst +++ b/Documentation/tutorials/index.rst @@ -40,4 +40,3 @@ vSwitch. :maxdepth: 2 ovs-advanced - ovn-basics diff --git a/Documentation/tutorials/ovn-basics.rst b/Documentation/tutorials/ovn-basics.rst deleted file mode 100644 index f7783cf4a..000000000 --- a/Documentation/tutorials/ovn-basics.rst +++ /dev/null @@ -1,974 +0,0 @@ -.. - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - - Convention for heading levels in Open vSwitch documentation: - - ======= Heading 0 (reserved for the title in a document) - ------- Heading 1 - ~~~~~~~ Heading 2 - +++++++ Heading 3 - ''''''' Heading 4 - - Avoid deeper levels because they do not render well. - -========== -OVN Basics -========== - -This tutorial is intended to give you a tour of the basic OVN features using -``ovs-sandbox`` as a simulated test environment. It's assumed that you have an -understanding of OVS before going through this tutorial. Detail about OVN is -covered in ovn-architecture_, but this tutorial lets you quickly see it in -action. - -Getting Started ---------------- - -For some general information about ``ovs-sandbox``, see the "Getting Started" -section of the tutorial_. - -``ovs-sandbox`` does not include OVN support by default. To enable OVN, you -must pass the ``--ovn`` flag. For example, if running it straight from the ovs -git tree you would run:: - - $ make sandbox SANDBOXFLAGS="--ovn" - -Running the sandbox with OVN enabled does the following additional steps to the -environment: - -1. Creates the ``OVN_Northbound`` and ``OVN_Southbound`` databases as described in - `ovn-nb(5)`_ and `ovn-sb(5)`_. - -2. Creates a backup server for ``OVN_Southbond`` database. Sandbox launch - screen provides the instructions on accessing the backup database. However - access to the backup server is not required to go through the tutorial. - -3. Creates the ``hardware_vtep`` database as described in `vtep(5)`_. - -4. Runs the `ovn-northd(8)`_, `ovn-controller(8)`_, and - `ovn-controller-vtep(8)`_ daemons. - -5. Makes OVN and VTEP utilities available for use in the environment, including - `vtep-ctl(8)`_, `ovn-nbctl(8)`_, and `ovn-sbctl(8)`_. - -Note that each of these demos assumes you start with a fresh sandbox -environment. **Re-run `ovs-sandbox` before starting each section.** - -Using GDB ---------- - -GDB support is not required to go through the tutorial. See the "Using GDB" -section of the `tutorial`_ for more info. Additional flags exist for launching -the debugger for the OVN programs:: - - --gdb-ovn-northd - --gdb-ovn-controller - --gdb-ovn-controller-vtep - -Simple Two Port Setup ---------------------- - -This first environment is the simplest OVN example. It demonstrates using OVN -with a single logical switch that has two logical ports, both residing on the -same hypervisor. - -Start by running the setup script for this environment:: - - $ ovn/env1/setup.sh - -You can use the ``ovn-nbctl`` utility to see an overview of the logical -topology:: - - $ ovn-nbctl show - switch 78687d53-e037-4555-bcd3-f4f8eaf3f2aa (sw0) - port sw0-port1 - addresses: ["00:00:00:00:00:01"] - port sw0-port2 - addresses: ["00:00:00:00:00:02"] - -The ``ovn-sbctl`` utility can be used to see into the state stored in the -``OVN_Southbound`` database. The ``show`` command shows that there is a single -chassis with two logical ports bound to it. In a more realistic -multi-hypervisor environment, this would list all hypervisors and where all -logical ports are located:: - - $ ovn-sbctl show - Chassis "56b18105-5706-46ef-80c4-ff20979ab068" - Encap geneve - ip: "127.0.0.1" - Port_Binding "sw0-port1" - Port_Binding "sw0-port2" - -OVN creates logical flows to describe how the network should behave in logical -space. Each chassis then creates OpenFlow flows based on those logical flows -that reflect its own local view of the network. The ``ovn-sbctl`` command can -show the logical flows:: - - $ ovn-sbctl lflow-list - Datapath: 2503dd42-14b1-414a-abbf-33e554e09ddc Pipeline: ingress - table=0 (ls_in_port_sec_l2 ), priority=100 , match=(eth.src[40]), action=(drop;) - table=0 (ls_in_port_sec_l2 ), priority=100 , match=(vlan.present), action=(drop;) - table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "sw0-port1" && eth.src == {00:00:00:00:00:01}), action=(next;) - table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "sw0-port2" && eth.src == {00:00:00:00:00:02}), action=(next;) - table=1 (ls_in_port_sec_ip ), priority=0 , match=(1), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw0-port1" && eth.src == 00:00:00:00:00:01 && arp.sha == 00:00:00:00:00:01), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw0-port1" && eth.src == 00:00:00:00:00:01 && ip6 && nd && ((nd.sll == 00:00:00:00:00:00 || nd.sll == 00:00:00:00:00:01) || ((nd.tll == 00:00:00:00:00:00 || nd.tll == 00:00:00:00:00:01)))), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw0-port2" && eth.src == 00:00:00:00:00:02 && arp.sha == 00:00:00:00:00:02), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw0-port2" && eth.src == 00:00:00:00:00:02 && ip6 && nd && ((nd.sll == 00:00:00:00:00:00 || nd.sll == 00:00:00:00:00:02) || ((nd.tll == 00:00:00:00:00:00 || nd.tll == 00:00:00:00:00:02)))), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=80 , match=(inport == "sw0-port1" && (arp || nd)), action=(drop;) - table=2 (ls_in_port_sec_nd ), priority=80 , match=(inport == "sw0-port2" && (arp || nd)), action=(drop;) - table=2 (ls_in_port_sec_nd ), priority=0 , match=(1), action=(next;) - table=3 (ls_in_pre_acl ), priority=0 , match=(1), action=(next;) - table=4 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;) - table=5 (ls_in_pre_stateful ), priority=100 , match=(reg0[0] == 1), action=(ct_next;) - table=5 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;) - table=6 (ls_in_acl ), priority=0 , match=(1), action=(next;) - table=7 (ls_in_lb ), priority=0 , match=(1), action=(next;) - table=8 (ls_in_stateful ), priority=100 , match=(reg0[1] == 1), action=(ct_commit; next;) - table=8 (ls_in_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;) - table=8 (ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=9 (ls_in_arp_rsp ), priority=0 , match=(1), action=(next;) - table=10(ls_in_l2_lkup ), priority=100 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) - table=10(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0-port1"; output;) - table=10(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0-port2"; output;) - Datapath: 2503dd42-14b1-414a-abbf-33e554e09ddc Pipeline: egress - table=0 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;) - table=1 (ls_out_pre_acl ), priority=0 , match=(1), action=(next;) - table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[0] == 1), action=(ct_next;) - table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;) - table=3 (ls_out_lb ), priority=0 , match=(1), action=(next;) - table=4 (ls_out_acl ), priority=0 , match=(1), action=(next;) - table=5 (ls_out_stateful ), priority=100 , match=(reg0[1] == 1), action=(ct_commit; next;) - table=5 (ls_out_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;) - table=5 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=6 (ls_out_port_sec_ip ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_port_sec_l2 ), priority=100 , match=(eth.mcast), action=(output;) - table=7 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "sw0-port1" && eth.dst == {00:00:00:00:00:01}), action=(output;) - table=7 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "sw0-port2" && eth.dst == {00:00:00:00:00:02}), action=(output;) - -Now we can start taking a closer look at how ``ovn-controller`` has programmed -the local switch. Before looking at the flows, we can use ``ovs-ofctl`` to -verify the OpenFlow port numbers for each of the logical ports on the switch. -The output shows that ``lport1``, which corresponds with our logical port -``sw0-port1``, has an OpenFlow port number of ``1``. Similarly, ``lport2`` has -an OpenFlow port number of ``2``:: - - $ ovs-ofctl show br-int - OFPT_FEATURES_REPLY (xid=0x2): dpid:00003e1ba878364d - n_tables:254, n_buffers:0 - capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP - actions: output enqueue set_vlan_vid set_vlan_pcp strip_vlan mod_dl_src mod_dl_dst mod_nw_src mod_nw_dst mod_nw_tos mod_tp_src mod_tp_dst - 1(lport1): addr:aa:55:aa:55:00:07 - config: PORT_DOWN - state: LINK_DOWN - speed: 0 Mbps now, 0 Mbps max - 2(lport2): addr:aa:55:aa:55:00:08 - config: PORT_DOWN - state: LINK_DOWN - speed: 0 Mbps now, 0 Mbps max - LOCAL(br-int): addr:3e:1b:a8:78:36:4d - config: PORT_DOWN - state: LINK_DOWN - speed: 0 Mbps now, 0 Mbps max - OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0 - -Finally, use ``ovs-ofctl`` to see the OpenFlow flows for ``br-int``. Note that -some fields have been omitted for brevity:: - - $ ovs-ofctl -O OpenFlow13 dump-flows br-int - OFPST_FLOW reply (OF1.3) (xid=0x2): - table=0, priority=100,in_port=1 actions=set_field:0x1->metadata,set_field:0x1->reg6,resubmit(,16) - table=0, priority=100,in_port=2 actions=set_field:0x1->metadata,set_field:0x2->reg6,resubmit(,16) - table=16, priority=100,metadata=0x1,vlan_tci=0x1000/0x1000 actions=drop - table=16, priority=100,metadata=0x1,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop - table=16, priority=50,reg6=0x1,metadata=0x1,dl_src=00:00:00:00:00:01 actions=resubmit(,17) - table=16, priority=50,reg6=0x2,metadata=0x1,dl_src=00:00:00:00:00:02 actions=resubmit(,17) - table=17, priority=0,metadata=0x1 actions=resubmit(,18) - table=18, priority=90,icmp6,reg6=0x2,metadata=0x1,dl_src=00:00:00:00:00:02,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=resubmit(,19) - table=18, priority=90,icmp6,reg6=0x2,metadata=0x1,dl_src=00:00:00:00:00:02,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:02 actions=resubmit(,19) - table=18, priority=90,icmp6,reg6=0x1,metadata=0x1,dl_src=00:00:00:00:00:01,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:00 actions=resubmit(,19) - table=18, priority=90,icmp6,reg6=0x1,metadata=0x1,dl_src=00:00:00:00:00:01,icmp_type=136,icmp_code=0,nd_tll=00:00:00:00:00:01 actions=resubmit(,19) - table=18, priority=90,icmp6,reg6=0x1,metadata=0x1,dl_src=00:00:00:00:00:01,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:01 actions=resubmit(,19) - table=18, priority=90,icmp6,reg6=0x1,metadata=0x1,dl_src=00:00:00:00:00:01,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=resubmit(,19) - table=18, priority=90,icmp6,reg6=0x2,metadata=0x1,dl_src=00:00:00:00:00:02,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:00 actions=resubmit(,19) - table=18, priority=90,icmp6,reg6=0x2,metadata=0x1,dl_src=00:00:00:00:00:02,icmp_type=135,icmp_code=0,nd_sll=00:00:00:00:00:02 actions=resubmit(,19) - table=18, priority=90,arp,reg6=0x1,metadata=0x1,dl_src=00:00:00:00:00:01,arp_sha=00:00:00:00:00:01 actions=resubmit(,19) - table=18, priority=90,arp,reg6=0x2,metadata=0x1,dl_src=00:00:00:00:00:02,arp_sha=00:00:00:00:00:02 actions=resubmit(,19) - table=18, priority=80,icmp6,reg6=0x2,metadata=0x1,icmp_type=136,icmp_code=0 actions=drop - table=18, priority=80,icmp6,reg6=0x1,metadata=0x1,icmp_type=136,icmp_code=0 actions=drop - table=18, priority=80,icmp6,reg6=0x1,metadata=0x1,icmp_type=135,icmp_code=0 actions=drop - table=18, priority=80,icmp6,reg6=0x2,metadata=0x1,icmp_type=135,icmp_code=0 actions=drop - table=18, priority=80,arp,reg6=0x2,metadata=0x1 actions=drop - table=18, priority=80,arp,reg6=0x1,metadata=0x1 actions=drop - table=18, priority=0,metadata=0x1 actions=resubmit(,19) - table=19, priority=0,metadata=0x1 actions=resubmit(,20) - table=20, priority=0,metadata=0x1 actions=resubmit(,21) - table=21, priority=0,metadata=0x1 actions=resubmit(,22) - table=22, priority=0,metadata=0x1 actions=resubmit(,23) - table=23, priority=0,metadata=0x1 actions=resubmit(,24) - table=24, priority=0,metadata=0x1 actions=resubmit(,25) - table=25, priority=0,metadata=0x1 actions=resubmit(,26) - table=26, priority=100,metadata=0x1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=set_field:0xffff->reg7,resubmit(,32) - table=26, priority=50,metadata=0x1,dl_dst=00:00:00:00:00:01 actions=set_field:0x1->reg7,resubmit(,32) - table=26, priority=50,metadata=0x1,dl_dst=00:00:00:00:00:02 actions=set_field:0x2->reg7,resubmit(,32) - table=32, priority=0 actions=resubmit(,33) - table=33, priority=100,reg7=0x1,metadata=0x1 actions=resubmit(,34) - table=33, priority=100,reg7=0xffff,metadata=0x1 actions=set_field:0x2->reg7,resubmit(,34),set_field:0x1->reg7,resubmit(,34),set_field:0xffff->reg7 - table=33, priority=100,reg7=0x2,metadata=0x1 actions=resubmit(,34) - table=34, priority=100,reg6=0x1,reg7=0x1,metadata=0x1 actions=drop - table=34, priority=100,reg6=0x2,reg7=0x2,metadata=0x1 actions=drop - table=34, priority=0 actions=set_field:0->reg0,set_field:0->reg1,set_field:0->reg2,resubmit(,48) - table=48, priority=0,metadata=0x1 actions=resubmit(,49) - table=49, priority=0,metadata=0x1 actions=resubmit(,50) - table=50, priority=0,metadata=0x1 actions=resubmit(,51) - table=51, priority=0,metadata=0x1 actions=resubmit(,52) - table=52, priority=0,metadata=0x1 actions=resubmit(,53) - table=53, priority=0,metadata=0x1 actions=resubmit(,54) - table=54, priority=0,metadata=0x1 actions=resubmit(,55) - table=55, priority=100,metadata=0x1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,64) - table=55, priority=50,reg7=0x2,metadata=0x1,dl_dst=00:00:00:00:00:02 actions=resubmit(,64) - table=55, priority=50,reg7=0x1,metadata=0x1,dl_dst=00:00:00:00:00:01 actions=resubmit(,64) - table=64, priority=100,reg7=0x1,metadata=0x1 actions=output:1 - -The ``ovs-appctl`` command can be used to generate an OpenFlow trace of how a -packet would be processed in this configuration. This first trace shows a -packet from ``sw0-port1`` to ``sw0-port2``. The packet arrives from port ``1`` -and should be output to port ``2``:: - - $ ovn/env1/packet1.sh - -Trace a broadcast packet from ``sw0-port1``. The packet arrives from port -``1`` and should be output to port ``2``:: - - $ ovn/env1/packet2.sh - -You can extend this setup by adding additional ports. For example, to add a -third port, run this command:: - - $ ovn/env1/add-third-port.sh - -Now if you do another trace of a broadcast packet from ``sw0-port1``, you will -see that it is output to both ports ``2`` and ``3``:: - - $ ovn/env1/packet2.sh - -The logical port may have an unknown set of Ethernet addresses. When an OVN logical -switch processes a unicast Ethernet frame whose destination MAC address is not in any -logical port's addresses column, it delivers it to the port (or ports) whose addresses -columns include unknown:: - - $ ovn/env1/add-unknown-ports.sh - -This trace shows a packet from ``sw0-port1`` to ``sw0-port4``, ``sw0-port5`` -whose addresses columns include unknown. You will see that it is output to -both ports ``4`` and ``5``:: - - $ ovn/env1/packet3.sh - -The logical port would restrict the host to sending packets from and receiving -packets to the ethernet addresses defined in the logical port's -``port_security`` column. In addition to the restrictions described for -Ethernet addresses above, such an element of port_security restricts the IPv4 -or IPv6 addresses from which the host may send and to which it may receive -packets to the specified addresses:: - - $ ovn/env1/add-security-ip-ports.sh - -This trace shows a packet from ``sw0-port6`` to ``sw0-port7``:: - - $ ovn/env1/packet4.sh - -Two Switches, Four Ports ------------------------- - -This environment is an extension of the last example. The previous example -showed two ports on a single logical switch. In this environment we add a -second logical switch that also has two ports. This lets you start to see how -``ovn-controller`` creates flows for isolated networks to co-exist on the same -switch:: - - $ ovn/env2/setup.sh - -View the logical topology with ``ovn-nbctl``:: - - $ ovn-nbctl show - switch e3190dc2-89d1-44ed-9308-e7077de782b3 (sw0) - port sw0-port1 - addresses: 00:00:00:00:00:01 - port sw0-port2 - addresses: 00:00:00:00:00:02 - switch c8ed4c5f-9733-43f6-93da-795b1aabacb1 (sw1) - port sw1-port1 - addresses: 00:00:00:00:00:03 - port sw1-port2 - addresses: 00:00:00:00:00:04 - -Physically, all ports reside on the same chassis:: - - $ ovn-sbctl show - Chassis "56b18105-5706-46ef-80c4-ff20979ab068" - Encap geneve - ip: "127.0.0.1" - Port_Binding "sw1-port2" - Port_Binding "sw0-port2" - Port_Binding "sw0-port1" - Port_Binding "sw1-port1" - -OVN creates separate logical flows for each logical switch:: - - $ ovn-sbctl lflow-list - Datapath: 7ee908c1-b0d3-4d03-acc9-42cd7ef7f27d Pipeline: ingress - table=0 (ls_in_port_sec_l2 ), priority=100 , match=(eth.src[40]), action=(drop;) - table=0 (ls_in_port_sec_l2 ), priority=100 , match=(vlan.present), action=(drop;) - table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "sw1-port1" && eth.src == {00:00:00:00:00:03}), action=(next;) - table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "sw1-port2" && eth.src == {00:00:00:00:00:04}), action=(next;) - table=1 (ls_in_port_sec_ip ), priority=0 , match=(1), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw1-port1" && eth.src == 00:00:00:00:00:03 && arp.sha == 00:00:00:00:00:03), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw1-port1" && eth.src == 00:00:00:00:00:03 && ip6 && nd && ((nd.sll == 00:00:00:00:00:00 || nd.sll == 00:00:00:00:00:03) || ((nd.tll == 00:00:00:00:00:00 || nd.tll == 00:00:00:00:00:03)))), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw1-port2" && eth.src == 00:00:00:00:00:04 && arp.sha == 00:00:00:00:00:04), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw1-port2" && eth.src == 00:00:00:00:00:04 && ip6 && nd && ((nd.sll == 00:00:00:00:00:00 || nd.sll == 00:00:00:00:00:04) || ((nd.tll == 00:00:00:00:00:00 || nd.tll == 00:00:00:00:00:04)))), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=80 , match=(inport == "sw1-port1" && (arp || nd)), action=(drop;) - table=2 (ls_in_port_sec_nd ), priority=80 , match=(inport == "sw1-port2" && (arp || nd)), action=(drop;) - table=2 (ls_in_port_sec_nd ), priority=0 , match=(1), action=(next;) - table=3 (ls_in_pre_acl ), priority=0 , match=(1), action=(next;) - table=4 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;) - table=5 (ls_in_pre_stateful ), priority=100 , match=(reg0[0] == 1), action=(ct_next;) - table=5 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;) - table=6 (ls_in_acl ), priority=0 , match=(1), action=(next;) - table=7 (ls_in_lb ), priority=0 , match=(1), action=(next;) - table=8 (ls_in_stateful ), priority=100 , match=(reg0[1] == 1), action=(ct_commit; next;) - table=8 (ls_in_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;) - table=8 (ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=9 (ls_in_arp_rsp ), priority=0 , match=(1), action=(next;) - table=10(ls_in_l2_lkup ), priority=100 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) - table=10(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:03), action=(outport = "sw1-port1"; output;) - table=10(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:04), action=(outport = "sw1-port2"; output;) - Datapath: 7ee908c1-b0d3-4d03-acc9-42cd7ef7f27d Pipeline: egress - table=0 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;) - table=1 (ls_out_pre_acl ), priority=0 , match=(1), action=(next;) - table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[0] == 1), action=(ct_next;) - table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;) - table=3 (ls_out_lb ), priority=0 , match=(1), action=(next;) - table=4 (ls_out_acl ), priority=0 , match=(1), action=(next;) - table=5 (ls_out_stateful ), priority=100 , match=(reg0[1] == 1), action=(ct_commit; next;) - table=5 (ls_out_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;) - table=5 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=6 (ls_out_port_sec_ip ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_port_sec_l2 ), priority=100 , match=(eth.mcast), action=(output;) - table=7 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "sw1-port1" && eth.dst == {00:00:00:00:00:03}), action=(output;) - table=7 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "sw1-port2" && eth.dst == {00:00:00:00:00:04}), action=(output;) - Datapath: 9ea0c8f9-4f82-4be3-a6c7-6e6f9c2de583 Pipeline: ingress - table=0 (ls_in_port_sec_l2 ), priority=100 , match=(eth.src[40]), action=(drop;) - table=0 (ls_in_port_sec_l2 ), priority=100 , match=(vlan.present), action=(drop;) - table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "sw0-port1" && eth.src == {00:00:00:00:00:01}), action=(next;) - table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "sw0-port2" && eth.src == {00:00:00:00:00:02}), action=(next;) - table=1 (ls_in_port_sec_ip ), priority=0 , match=(1), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw0-port1" && eth.src == 00:00:00:00:00:01 && arp.sha == 00:00:00:00:00:01), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw0-port1" && eth.src == 00:00:00:00:00:01 && ip6 && nd && ((nd.sll == 00:00:00:00:00:00 || nd.sll == 00:00:00:00:00:01) || ((nd.tll == 00:00:00:00:00:00 || nd.tll == 00:00:00:00:00:01)))), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw0-port2" && eth.src == 00:00:00:00:00:02 && arp.sha == 00:00:00:00:00:02), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=90 , match=(inport == "sw0-port2" && eth.src == 00:00:00:00:00:02 && ip6 && nd && ((nd.sll == 00:00:00:00:00:00 || nd.sll == 00:00:00:00:00:02) || ((nd.tll == 00:00:00:00:00:00 || nd.tll == 00:00:00:00:00:02)))), action=(next;) - table=2 (ls_in_port_sec_nd ), priority=80 , match=(inport == "sw0-port1" && (arp || nd)), action=(drop;) - table=2 (ls_in_port_sec_nd ), priority=80 , match=(inport == "sw0-port2" && (arp || nd)), action=(drop;) - table=2 (ls_in_port_sec_nd ), priority=0 , match=(1), action=(next;) - table=3 (ls_in_pre_acl ), priority=0 , match=(1), action=(next;) - table=4 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;) - table=5 (ls_in_pre_stateful ), priority=100 , match=(reg0[0] == 1), action=(ct_next;) - table=5 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;) - table=6 (ls_in_acl ), priority=0 , match=(1), action=(next;) - table=7 (ls_in_lb ), priority=0 , match=(1), action=(next;) - table=8 (ls_in_stateful ), priority=100 , match=(reg0[1] == 1), action=(ct_commit; next;) - table=8 (ls_in_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;) - table=8 (ls_in_stateful ), priority=0 , match=(1), action=(next;) - table=9 (ls_in_arp_rsp ), priority=0 , match=(1), action=(next;) - table=10(ls_in_l2_lkup ), priority=100 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) - table=10(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:01), action=(outport = "sw0-port1"; output;) - table=10(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:00:00:00:02), action=(outport = "sw0-port2"; output;) - Datapath: 9ea0c8f9-4f82-4be3-a6c7-6e6f9c2de583 Pipeline: egress - table=0 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;) - table=1 (ls_out_pre_acl ), priority=0 , match=(1), action=(next;) - table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[0] == 1), action=(ct_next;) - table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;) - table=3 (ls_out_lb ), priority=0 , match=(1), action=(next;) - table=4 (ls_out_acl ), priority=0 , match=(1), action=(next;) - table=5 (ls_out_stateful ), priority=100 , match=(reg0[1] == 1), action=(ct_commit; next;) - table=5 (ls_out_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;) - table=5 (ls_out_stateful ), priority=0 , match=(1), action=(next;) - table=6 (ls_out_port_sec_ip ), priority=0 , match=(1), action=(next;) - table=7 (ls_out_port_sec_l2 ), priority=100 , match=(eth.mcast), action=(output;) - table=7 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "sw0-port1" && eth.dst == {00:00:00:00:00:01}), action=(output;) - table=7 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "sw0-port2" && eth.dst == {00:00:00:00:00:02}), action=(output;) - -In this setup, ``sw0-port1`` and ``sw0-port2`` can send packets to each other, -but not to either of the ports on ``sw1``. This first trace shows a packet -from ``sw0-port1`` to ``sw0-port2``. You should see th packet arrive on -OpenFlow port ``1`` and output to OpenFlow port ``2``:: - - $ ovn/env2/packet1.sh - -This next example shows a packet from ``sw0-port1`` with a destination MAC -address of ``00:00:00:00:00:03``, which is the MAC address for ``sw1-port1``. -Since these ports are not on the same logical switch, the packet should just be -dropped:: - - $ ovn/env2/packet2.sh - - -Two Hypervisors ---------------- - -The first two examples started by showing OVN on a single hypervisor. A more -realistic deployment of OVN would span multiple hypervisors. This example -creates a single logical switch with 4 logical ports. It then simulates having -two hypervisors with two of the logical ports bound to each hypervisor:: - - $ ovn/env3/setup.sh - -You can start by viewing the logical topology with ``ovn-nbctl``:: - - $ ovn-nbctl show - switch b977dc03-79a5-41ba-9665-341a80e1abfd (sw0) - port sw0-port1 - addresses: 00:00:00:00:00:01 - port sw0-port2 - addresses: 00:00:00:00:00:02 - port sw0-port4 - addresses: 00:00:00:00:00:04 - port sw0-port3 - addresses: 00:00:00:00:00:03 - -Using ``ovn-sbctl`` to view the state of the system, we can see that there are -two chassis: one local that we can interact with, and a fake remote chassis. -Two logical ports are bound to each. Both chassis have an IP address of -localhost, but in a realistic deployment that would be the IP address used for -tunnels to that chassis:: - - $ ovn-sbctl show - Chassis "56b18105-5706-46ef-80c4-ff20979ab068" - Encap geneve - ip: "127.0.0.1" - Port_Binding "sw0-port2" - Port_Binding "sw0-port1" - Chassis fakechassis - Encap geneve - ip: "127.0.0.1" - Port_Binding "sw0-port4" - Port_Binding "sw0-port3" - -Packets between ``sw0-port1`` and ``sw0-port2`` behave just like the previous -examples. Packets to ports on a remote chassis are the interesting part of -this example. You may have noticed before that OVN's logical flows are broken -up into ingress and egress tables. Given a packet from ``sw0-port1`` on the -local chassis to ``sw0-port3`` on the remote chassis, the ingress pipeline is -executed on the local switch. OVN then determines that it must forward the -packet over a geneve tunnel. When it arrives at the remote chassis, the egress -pipeline will be executed there. - -This first packet trace shows the first part of this example. It's a packet -from ``sw0-port1`` to ``sw0-port3`` from the perspective of the local chassis. -``sw0-port1`` is OpenFlow port ``1``. The tunnel to the fake remote chassis is -OpenFlow port ``3``. You should see the ingress pipeline being executed and -then the packet output to port ``3``, the geneve tunnel:: - - $ ovn/env3/packet1.sh - -To simulate what would happen when that packet arrives at the remote chassis we -can flip this example around. Consider a packet from ``sw0-port3`` to -``sw0-port1``. This trace shows what would happen when that packet arrives at -the local chassis. The packet arrives on OpenFlow port ``3`` (the tunnel). -You should then see the egress pipeline get executed and the packet output to -OpenFlow port ``1``:: - - $ ovn/env3/packet2.sh - -Locally Attached Networks -------------------------- - -While OVN is generally focused on the implementation of logical networks using -overlays, it's also possible to use OVN as a control plane to manage logically -direct connectivity to networks that are locally accessible to each chassis. - -This example includes two hypervisors. Both hypervisors have two ports on -them. We want to use OVN to manage the connectivity of these ports to a -network attached to each hypervisor that we will call "physnet1". - -This scenario requires some additional configuration of ``ovn-controller``. We -must configure a mapping between ``physnet1`` and a local OVS bridge that -provides connectivity to that network. We call these "bridge mappings". For -our example, the following script creates a bridge called ``br-eth1`` and then -configures ``ovn-controller`` with a bridge mapping from ``physnet1`` to -``br-eth1``. - -We want to create a fake second chassis and then create the topology that tells -OVN we want both ports on both hypervisors connected to ``physnet1``. The way -this is modeled in OVN is by creating a logical switch for each port. The -logical switch has the regular VIF port and a ``localnet`` port:: - - $ ovn/env4/setup.sh - -At this point we should be able to see that ``ovn-controller`` has -automatically created patch ports between ``br-int`` and ``br-eth1``:: - - $ ovs-vsctl show - c0a06d85-d70a-4e11-9518-76a92588b34e - Bridge "br-eth1" - Port "patch-provnet1-1-physnet1-to-br-int" - Interface "patch-provnet1-1-physnet1-to-br-int" - type: patch - options: {peer="patch-br-int-to-provnet1-1-physnet1"} - Port "br-eth1" - Interface "br-eth1" - type: internal - Port "patch-provnet1-2-physnet1-to-br-int" - Interface "patch-provnet1-2-physnet1-to-br-int" - type: patch - options: {peer="patch-br-int-to-provnet1-2-physnet1"} - Bridge br-int - fail_mode: secure - Port "ovn-fakech-0" - Interface "ovn-fakech-0" - type: geneve - options: {key=flow, remote_ip="127.0.0.1"} - Port "patch-br-int-to-provnet1-2-physnet1" - Interface "patch-br-int-to-provnet1-2-physnet1" - type: patch - options: {peer="patch-provnet1-2-physnet1-to-br-int"} - Port br-int - Interface br-int - type: internal - Port "patch-br-int-to-provnet1-1-physnet1" - Interface "patch-br-int-to-provnet1-1-physnet1" - type: patch - options: {peer="patch-provnet1-1-physnet1-to-br-int"} - Port "lport2" - Interface "lport2" - Port "lport1" - Interface "lport1 - - -The logical topology from ``ovn-nbctl`` should look like this:: - - $ ovn-nbctl show - switch 9db81140-5504-4f60-be3d-2bee45b57e27 (provnet1-2) - port provnet1-2-port1 - addresses: ["00:00:00:00:00:02"] - port provnet1-2-physnet1 - addresses: ["unknown"] - switch cf175cb9-35c5-41cf-8bc7-2d322cdbead0 (provnet1-3) - port provnet1-3-physnet1 - addresses: ["unknown"] - port provnet1-3-port1 - addresses: ["00:00:00:00:00:03"] - switch b85f7af6-8055-4db2-ba93-efc7887cf38f (provnet1-1) - port provnet1-1-port1 - addresses: ["00:00:00:00:00:01"] - port provnet1-1-physnet1 - addresses: ["unknown"] - switch 63a5e276-8807-417d-bbec-a7e907e106b1 (provnet1-4) - port provnet1-4-port1 - addresses: ["00:00:00:00:00:04"] - port provnet1-4-physnet1 - addresses: ["unknown"] - -``port1`` on each logical switch represents a regular logical port for a VIF on -a hypervisor. ``physnet1`` on each logical switch is the special ``localnet`` -port. You can use ``ovn-nbctl`` to see that this port has a ``type`` and -``options`` set:: - - $ ovn-nbctl lsp-get-type provnet1-1-physnet1 - localnet - - $ ovn-nbctl lsp-get-options provnet1-1-physnet1 - network_name=physnet1 - -The physical topology should reflect that there are two regular ports on each -chassis:: - - $ ovn-sbctl show - Chassis "56b18105-5706-46ef-80c4-ff20979ab068" - hostname: sandbox - Encap geneve - ip: "127.0.0.1" - Port_Binding "provnet1-1-port1" - Port_Binding "provnet1-2-port1" - Chassis fakechassis - Encap geneve - ip: "127.0.0.1" - Port_Binding "provnet1-3-port1" - Port_Binding "provnet1-4-port1" - -All four of our ports should be able to communicate with each other, but they -do so through ``physnet1``. A packet from any of these ports to any -destination should be output to the OpenFlow port number that corresponds to -the patch port to ``br-eth1``. - -This example assumes following OpenFlow port number mappings: - -* ``1`` = tunnel to the fake second chassis -* ``2`` = ``lport1``, which is the logical port named ``provnet1-1-port1`` -* ``3`` = ``patch-br-int-to-provnet1-1-physnet1``, patch port to ``br-eth1`` -* ``4`` = ``lport2``, which is the logical port named ``provnet1-2-port1`` -* ``5`` = ``patch-br-int-to-provnet1-2-physnet1``, patch port to ``br-eth1`` - -We get those port numbers using ``ovs-ofctl``:: - - $ ovs-ofctl show br-int - OFPT_FEATURES_REPLY (xid=0x2): dpid:00002a84824b0d40 - n_tables:254, n_buffers:0 - capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP - actions: output enqueue set_vlan_vid set_vlan_pcp strip_vlan mod_dl_src mod_dl_dst - 1(ovn-fakech-0): addr:aa:55:aa:55:00:0e - config: PORT_DOWN - state: LINK_DOWN - speed: 0 Mbps now, 0 Mbps max - 2(lport1): addr:aa:55:aa:55:00:0f - config: PORT_DOWN - state: LINK_DOWN - speed: 0 Mbps now, 0 Mbps max - 3(patch-br-int-to): addr:7a:6f:8a:d5:69:2a - config: 0 - state: 0 - speed: 0 Mbps now, 0 Mbps max - 4(lport2): addr:aa:55:aa:55:00:10 - config: PORT_DOWN - state: LINK_DOWN - speed: 0 Mbps now, 0 Mbps max - 5(patch-br-int-to): addr:4a:fd:c1:11:fc:a5 - config: 0 - state: 0 - speed: 0 Mbps now, 0 Mbps max - LOCAL(br-int): addr:2a:84:82:4b:0d:40 - config: PORT_DOWN - state: LINK_DOWN - speed: 0 Mbps now, 0 Mbps max - OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0 - -This first trace shows a packet from ``provnet1-1-port1`` with a destination -MAC address of ``provnet1-2-port1``. We expect the packets from ``lport1`` -(OpenFlow port 2) to be sent out to ``lport2`` (OpenFlow port 4). For example, -the following topology illustrates how the packets travel from ``lport1`` to -``lport2``:: - - `lport1` --> `patch-br-int-to-provnet1-1-physnet1`(OpenFlow port 3) - --> `br-eth1` --> `patch-br-int-to-provnet1-2-physnet1` --> `lport2`(OpenFlow port 4) - -Similarly, We expect the packets from ``provnet1-2-port1`` to be sent out to -``provnet1-1-port1``. We then expect the network to handle getting the packet -to its destination. In practice, this will be optimized at ``br-eth1`` and the -packet won't actually go out and back on the network:: - - $ ovn/env4/packet1.sh - -This next trace shows an example of a packet being sent to a destination on -another hypervisor. The source is ``provnet1-1-port1``, but the destination is -``provnet1-3-port1``, which is on the other fake chassis. As usual, we expect -the output to be to ``br-eth1`` (``patch-br-int-to-provnet1-1-physnet1``, -OpenFlow port 3):: - - $ ovn/env4/packet2.sh - -This next test shows a broadcast packet. The destination should still only be -OpenFlow port 3 and 4:: - - $ ovn/env4/packet3.sh - -Finally, this last trace shows what happens when a broadcast packet arrives -from the network. In this case, it simulates a broadcast that originated from a -port on the remote fake chassis and arrived at the local chassis via ``br-eth1``. -We should see it output to both local ports that are attached to this network -(OpenFlow ports 2 and 4):: - - $ ovn/env4/packet4.sh - -Locally Attached Networks with VLANs ------------------------------------- - -This example is an extension of the previous one. We take the same setup and -add two more ports to each hypervisor. Instead of having the new ports -directly connected to ``physnet1`` as before, we indicate that we want them on -VLAN 101 of ``physnet1``. This shows how ``localnet`` ports can be used to -provide connectivity to either a flat network or a VLAN on that network:: - - $ ovn/env5/setup.sh - -The logical topology shown by ``ovn-nbctl`` is similar to ``env4``, except we -now have 8 regular VIF ports connected to ``physnet1`` instead of 4. The -additional 4 ports we have added are all on VLAN 101 of ``physnet1``. Note -that the ``localnet`` ports representing connectivity to VLAN 101 of -``physnet1`` have the ``tag`` field set to ``101``:: - - $ ovn-nbctl show - switch 3e60b940-00bf-44c6-9db6-04abf28d7e5f (provnet1-1) - port provnet1-1-physnet1 - addresses: ["unknown"] - port provnet1-1-port1 - addresses: ["00:00:00:00:00:01"] - switch 87f6bea0-f74d-4f39-aa65-ca1f94670429 (provnet1-2) - port provnet1-2-port1 - addresses: ["00:00:00:00:00:02"] - port provnet1-2-physnet1 - addresses: ["unknown"] - switch e6c9cb69-a056-428d-aa40-e903ce416dcd (provnet1-6-101) - port provnet1-6-101-port1 - addresses: ["00:00:00:00:00:06"] - port provnet1-6-physnet1-101 - parent: - tag: 101 - addresses: ["unknown"] - switch 5f8f72ca-6030-4f66-baea-fe6174eb54df (provnet1-4) - port provnet1-4-port1 - addresses: ["00:00:00:00:00:04"] - port provnet1-4-physnet1 - addresses: ["unknown"] - switch 15d585eb-d2c1-45ea-a946-b08de0eb2f55 (provnet1-7-101) - port provnet1-7-physnet1-101 - parent: - tag: 101 - addresses: ["unknown"] - port provnet1-7-101-port1 - addresses: ["00:00:00:00:00:07"] - switch 7be4aabe-1bb0-4e16-a755-a1f6d81c1c2f (provnet1-5-101) - port provnet1-5-101-port1 - addresses: ["00:00:00:00:00:05"] - port provnet1-5-physnet1-101 - parent: - tag: 101 - addresses: ["unknown"] - switch 9bbdbf0e-50f3-4286-ba5a-29bf347531bb (provnet1-8-101) - port provnet1-8-101-port1 - addresses: ["00:00:00:00:00:08"] - port provnet1-8-physnet1-101 - parent: - tag: 101 - addresses: ["unknown"] - switch 70d053f7-2bca-4dff-96ae-bd728d3ba1d2 (provnet1-3) - port provnet1-3-physnet1 - addresses: ["unknown"] - port provnet1-3-port1 - addresses: ["00:00:00:00:00:03"] - -The physical topology shows that we have 4 regular VIF ports on each simulated -hypervisor:: - - $ ovn-sbctl show - Chassis fakechassis - Encap geneve - ip: "127.0.0.1" - Port_Binding "provnet1-3-port1" - Port_Binding "provnet1-8-101-port1" - Port_Binding "provnet1-7-101-port1" - Port_Binding "provnet1-4-port1" - Chassis "56b18105-5706-46ef-80c4-ff20979ab068" - hostname: sandbox - Encap geneve - ip: "127.0.0.1" - Port_Binding "provnet1-2-port1" - Port_Binding "provnet1-5-101-port1" - Port_Binding "provnet1-1-port1" - Port_Binding "provnet1-6-101-port1" - -All of the traces from the previous example, ``env4``, should work in this -environment and provide the same result. Now we can show what happens for the -ports connected to VLAN 101. This first example shows a packet originating -from ``provnet1-5-101-port1``, which is OpenFlow port 6. We should see VLAN -tag 101 pushed on the packet and then output to OpenFlow port 7, the patch port -to ``br-eth1`` (the bridge providing connectivity to ``physnet1``), and finally -arrives on OpenFlow port 8. - - $ ovn/env5/packet1.sh - -If we look at a broadcast packet arriving on VLAN 101 of ``physnet1``, we -should see it output to OpenFlow ports 6 and 8 only:: - - $ ovn/env5/packet2.sh - -Stateful ACLs -------------- - -ACLs provide a way to do distributed packet filtering for OVN networks. One -example use of ACLs is that OpenStack Neutron uses them to implement security -groups. ACLs are implemented using conntrack integration with OVS. - -Start with a simple logical switch with 2 logical ports:: - - $ ovn/env6/setup.sh - -A common use case would be the following policy applied for ``sw0-port1``: - -* Allow outbound IP traffic and associated return traffic. -* Allow incoming ICMP requests and associated return traffic. -* Allow incoming SSH connections and associated return traffic. -* Drop other incoming IP traffic. - -The following script applies this policy to our environment:: - - $ ovn/env6/add-acls.sh - -We can view the configured ACLs on this network using the ``ovn-nbctl`` -command:: - - $ ovn-nbctl acl-list sw0 - from-lport 1002 (inport == "sw0-port1" && ip) allow-related - to-lport 1002 (outport == "sw0-port1" && ip && icmp) allow-related - to-lport 1002 (outport == "sw0-port1" && ip && tcp && tcp.dst == 22) allow-related - to-lport 1001 (outport == "sw0-port1" && ip) drop - -Now that we have ACLs configured, there are new entries in the logical flow -table in the stages ``switch_in_pre_acl``, ``switch_in_acl``, -``switch_out_pre_acl``, and ``switch_out_acl``. - - $ ovn-sbctl lflow-list - -Let's look more closely at ``switch_out_pre_acl`` and ``switch_out_acl``. - -In ``switch_out_pre_acl``, we match IP traffic and put it through the -connection tracker. This populates the connection state fields so that we can -apply policy as appropriate:: - - table=0(switch_out_pre_acl), priority= 100, match=(ip), action=(ct_next;) - table=1(switch_out_pre_acl), priority= 0, match=(1), action=(next;) - -In ``switch_out_acl``, we allow packets associated with existing connections. -We drop packets that are deemed to be invalid (such as non-SYN TCP packet not -associated with an existing connection):: - - table=1(switch_out_acl), priority=65535, match=(!ct.est && ct.rel && !ct.new && !ct.inv), action=(next;) - table=1(switch_out_acl), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(next;) - table=1(switch_out_acl), priority=65535, match=(ct.inv), action=(drop;) - -For new connections, we apply our configured ACL policy to decide whether to -allow the connection or not. In this case, we'll allow ICMP or SSH. -Otherwise, we'll drop the packet:: - - table=1(switch_out_acl), priority= 2002, match=(ct.new && (outport == "sw0-port1" && ip && icmp)), action=(ct_commit; next;) - table=1(switch_out_acl), priority= 2002, match=(ct.new && (outport == "sw0-port1" && ip && tcp && tcp.dst == 22)), action=(ct_commit; next;) - table=1(switch_out_acl), priority= 2001, match=(outport == "sw0-port1" && ip), action=(drop;) - -When using ACLs, the default policy is to allow and track IP connections. -Based on our above policy, IP traffic directed at ``sw0-port1`` will never hit -this flow at priority 1:: - - table=1(switch_out_acl), priority= 1, match=(ip), action=(ct_commit; next;) - table=1(switch_out_acl), priority= 0, match=(1), action=(next;) - -Note that conntrack integration is not yet supported in ovs-sandbox, so the -OpenFlow flows will not represent what you'd see in a real environment. The -logical flows described above give a very good idea of what the flows look -like, though. - -`This blog post -`__ -discusses OVN ACLs from an OpenStack perspective and also provides an example -of what the resulting OpenFlow flows look like. - -Container Ports ---------------- - -OVN supports containers running directly on the hypervisors and running -containers inside VMs. This example shows how OVN supports network -virtualization to containers when run inside VMs. Details about how to use -docker containers in OVS can be found in :doc:`/howto/docker`. - -To support container traffic created inside a VM and to distinguish network -traffic coming from different container vifs, for each container a logical port -needs to be created with parent name set to the VM's logical port and the tag -set to the vlan tag of the container vif. - -Start with a simple logical switch with three logical ports:: - - $ ovn/env7/setup.sh - -Lets create a container vif attached to the logical port ``sw0-port1`` and -another container vif attached to the logical port ``sw0-port2``:: - - $ ovn/env7/add-container-ports.sh - -Run the ``ovn-nbctl`` command to see the logical ports:: - - $ovn-nbctl show - -As you can see a logical port ``csw0-cport1`` is created on a logical switch -'csw0' whose parent is ``sw0-port1`` and it has tag set to ``42``. In -addition, a logical port ``csw0-cport2`` is created on the logical switch -``csw0`` whose parent is ``sw0-port2`` and it has tag set to ``43``. - -Bridge ``br-vmport1`` represents the ovs bridge running inside the VM connected -to the logical port ``sw0-port1``. In this tutorial the ovs port to -``sw0-port1`` is created as a patch port with its peer connected to the ovs -bridge ``br-vmport1``. An ovs port ``cport1`` is added to ``br-vmport1`` which -represents the container interface connected to the ovs bridge and vlan tag set -to ``42``. Similarly ``br-vmport2`` represents the ovs bridge for the logical -port ``sw0-port2`` and ``cport2`` connected to ``br-vmport2`` with vlan tag set -to ``43``. - -This first trace shows a packet from ``csw0-port1`` with a destination mac -address of ``csw0-port2``. You can see ovs bridge of the vm ``br-vmport1`` tags -the traffic with vlan id ``42`` and the traffic reaches to the br-int because -of the patch port. As you can see below ``ovn-controller`` has added a flow to -strip the vlan tag and set the reg6 and metadata appropriately:: - - $ ovs-ofctl -O OpenFlow13 dump-flows br-int - OFPST_FLOW reply (OF1.3) (xid=0x2): - cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=3,dl_vlan=42 actions=pop_vlan,set_field:0x3->reg5,set_field:0x2->metadata,set_field:0x1->reg6,resubmit(,16) - cookie=0x0, duration=2767.002s, table=0, n_packets=0, n_bytes=0, priority=150,in_port=4,dl_vlan=43 actions=pop_vlan,set_field:0x4->reg5,set_field:0x2->metadata,set_field:0x2->reg6,resubmit(,16) - cookie=0x0, duration=2767.032s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=3 actions=set_field:0x1->reg5,set_field:0x1->metadata,set_field:0x1->reg6,resubmit(,16) - cookie=0x0, duration=2767.001s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=4 actions=set_field:0x2->reg5,set_field:0x1->metadata,set_field:0x2->reg6,resubmit(,16) - -:: - - $ ovn/env7/packet1.sh - -The second trace shows a packet from ``csw0-port2`` to ``csw0-port1``:: - - $ ovn/env7/packet2.sh - -You can extend this setup by adding additional container ports with two -hypervisors. Refer to tutorial three above. - -L2Gateway Ports ---------------- - -L2Gateway provides a way to connect logical switch ports of type ``l2gateway`` -to a physical network. The difference between ``l2gateway`` ports and -``localnet`` ports is that an ``l2gateway`` port is bound to a specific -chassis. A single chassis serves as the L2 gateway to the physical network and -all traffic between chassis continues to go over geneve tunnels. - -Start with a simple logical switch with three logical ports:: - - $ ovn/env8/setup.sh - -This first example shows a packet originating from ``lport1``, which is -OpenFlow port 1. We expect all packets from ``lport1`` to be sent out to -``br-eth1`` (``patch-br-int-to-sw0-port3``, OpenFlow port 3). The patch port -to ``br-eth1`` provides connectivity to the physical network. - - $ ovn/env8/packet1.sh - -The last trace shows what happens when a broadcast packet arrives from the -network. In this case, it simulates a broadcast that originated from a port on -the physical network and arrived at the local chassis via ``br-eth1``. We -should see it output to the local ports ``lport1`` and ``lport2``:: - - $ ovn/env8/packet2.sh - -.. _ovn-architecture: http://openvswitch.org/support/dist-docs/ovn-architecture.7.html -.. _Tutorial: :ref:`ovs-advanced` -.. _ovn-nb(5): http://openvswitch.org/support/dist-docs/ovn-nb.5.html -.. _ovn-sb(5): http://openvswitch.org/support/dist-docs/ovn-sb.5.html -.. _vtep(5): http://openvswitch.org/support/dist-docs/vtep.5.html -.. _ovn-northd(8): http://openvswitch.org/support/dist-docs/ovn-northd.8.html -.. _ovn-controller(8): http://openvswitch.org/support/dist-docs/ovn-controller.8.html -.. _ovn-controller-vtep(8): http://openvswitch.org/support/dist-docs/ovn-controller-vtep.8.html -.. _vtep-ctl(8): http://openvswitch.org/support/dist-docs/vtep-ctl.8.html -.. _ovn-nbctl(8): http://openvswitch.org/support/dist-docs/ovn-nbctl.8.html -.. _ovn-sbctl(8): http://openvswitch.org/support/dist-docs/ovn-sbctl.8.html diff --git a/tutorial/automake.mk b/tutorial/automake.mk index 5509062ea..9dea3b5c4 100644 --- a/tutorial/automake.mk +++ b/tutorial/automake.mk @@ -5,37 +5,6 @@ EXTRA_DIST += \ tutorial/t-stage1 \ tutorial/t-stage2 \ tutorial/t-stage3 \ - tutorial/t-stage4 \ - tutorial/ovn/env1/setup.sh \ - tutorial/ovn/env1/packet1.sh \ - tutorial/ovn/env1/packet2.sh \ - tutorial/ovn/env1/packet3.sh \ - tutorial/ovn/env1/packet4.sh \ - tutorial/ovn/env1/add-third-port.sh \ - tutorial/ovn/env1/add-unknown-ports.sh \ - tutorial/ovn/env1/add-security-ip-ports.sh \ - tutorial/ovn/env2/setup.sh \ - tutorial/ovn/env2/packet1.sh \ - tutorial/ovn/env2/packet2.sh \ - tutorial/ovn/env3/setup.sh \ - tutorial/ovn/env3/packet1.sh \ - tutorial/ovn/env3/packet2.sh \ - tutorial/ovn/env4/setup.sh \ - tutorial/ovn/env4/packet1.sh \ - tutorial/ovn/env4/packet2.sh \ - tutorial/ovn/env4/packet3.sh \ - tutorial/ovn/env4/packet4.sh \ - tutorial/ovn/env5/setup.sh \ - tutorial/ovn/env5/packet1.sh \ - tutorial/ovn/env5/packet2.sh \ - tutorial/ovn/env6/setup.sh \ - tutorial/ovn/env6/add-acls.sh \ - tutorial/ovn/env7/add-container-ports.sh \ - tutorial/ovn/env7/packet1.sh \ - tutorial/ovn/env7/packet2.sh \ - tutorial/ovn/env7/setup.sh \ - tutorial/ovn/env8/packet1.sh \ - tutorial/ovn/env8/packet2.sh \ - tutorial/ovn/env8/setup.sh + tutorial/t-stage4 sandbox: all cd $(srcdir)/tutorial && MAKE=$(MAKE) ./ovs-sandbox -b $(abs_builddir) $(SANDBOXFLAGS) diff --git a/tutorial/ovn/env1/add-security-ip-ports.sh b/tutorial/ovn/env1/add-security-ip-ports.sh deleted file mode 100755 index 5be152849..000000000 --- a/tutorial/ovn/env1/add-security-ip-ports.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -ovn-nbctl lsp-add sw0 sw0-port6 -ovn-nbctl lsp-add sw0 sw0-port7 -ovn-nbctl lsp-set-addresses sw0-port6 "00:00:00:00:00:06" -ovn-nbctl lsp-set-addresses sw0-port7 "00:00:00:00:00:07" -ovn-nbctl lsp-set-port-security sw0-port6 00:00:00:00:00:06 192.168.1.10/24 -ovn-nbctl lsp-set-port-security sw0-port7 00:00:00:00:00:07 192.168.1.20/24 -ovs-vsctl add-port br-int lport6 -- set Interface lport6 external_ids:iface-id=sw0-port6 -ovs-vsctl add-port br-int lport7 -- set Interface lport7 external_ids:iface-id=sw0-port7 diff --git a/tutorial/ovn/env1/add-third-port.sh b/tutorial/ovn/env1/add-third-port.sh deleted file mode 100755 index 06c496923..000000000 --- a/tutorial/ovn/env1/add-third-port.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -ovn-nbctl lsp-add sw0 sw0-port3 -ovn-nbctl lsp-set-addresses sw0-port3 00:00:00:00:00:03 -ovn-nbctl lsp-set-port-security sw0-port3 00:00:00:00:00:03 -ovs-vsctl add-port br-int lport3 -- set Interface lport3 external_ids:iface-id=sw0-port3 diff --git a/tutorial/ovn/env1/add-unknown-ports.sh b/tutorial/ovn/env1/add-unknown-ports.sh deleted file mode 100755 index be161d25d..000000000 --- a/tutorial/ovn/env1/add-unknown-ports.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -ovn-nbctl lsp-add sw0 sw0-port4 -ovn-nbctl lsp-add sw0 sw0-port5 -ovn-nbctl lsp-set-addresses sw0-port4 unknown -ovn-nbctl lsp-set-addresses sw0-port5 unknown -ovn-nbctl lsp-set-port-security sw0-port4 00:00:00:00:00:04 00:00:00:00:00:05 -ovn-nbctl lsp-set-port-security sw0-port5 00:00:00:00:00:04 00:00:00:00:00:05 -ovs-vsctl add-port br-int lport4 -- set Interface lport4 external_ids:iface-id=sw0-port4 -ovs-vsctl add-port br-int lport5 -- set Interface lport5 external_ids:iface-id=sw0-port5 diff --git a/tutorial/ovn/env1/packet1.sh b/tutorial/ovn/env1/packet1.sh deleted file mode 100755 index 35ab04b75..000000000 --- a/tutorial/ovn/env1/packet1.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# Trace a packet from sw0-port1 to sw0-port2. -ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 -generate diff --git a/tutorial/ovn/env1/packet2.sh b/tutorial/ovn/env1/packet2.sh deleted file mode 100755 index bb5c5dce8..000000000 --- a/tutorial/ovn/env1/packet2.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# Trace a broadcast packet from sw0-port1 -ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff -generate diff --git a/tutorial/ovn/env1/packet3.sh b/tutorial/ovn/env1/packet3.sh deleted file mode 100755 index b26680157..000000000 --- a/tutorial/ovn/env1/packet3.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# Trace a packet from sw0-port1 to sw0-port4, sw0-port5 which address is set as unknown. -ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:04 -generate diff --git a/tutorial/ovn/env1/packet4.sh b/tutorial/ovn/env1/packet4.sh deleted file mode 100755 index 2fa45305e..000000000 --- a/tutorial/ovn/env1/packet4.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# Trace a packet from sw0-port6 to sw0-port7. -ovs-appctl ofproto/trace br-int in_port=6,dl_type=0x0800,dl_src=00:00:00:00:00:06,dl_dst=00:00:00:00:00:07,nw_src=192.168.1.10,nw_dst=192.168.1.20 -generate diff --git a/tutorial/ovn/env1/setup.sh b/tutorial/ovn/env1/setup.sh deleted file mode 100755 index a9c6f39a7..000000000 --- a/tutorial/ovn/env1/setup.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# -# See "Simple two-port setup" in Documentation/tutorial/ovn-basics.rst. -# - -set -o xtrace - -# Create a logical switch named "sw0" -ovn-nbctl ls-add sw0 - -# Create two logical ports on "sw0". -ovn-nbctl lsp-add sw0 sw0-port1 -ovn-nbctl lsp-add sw0 sw0-port2 - -# Set a MAC address for each of the two logical ports. -ovn-nbctl lsp-set-addresses sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-addresses sw0-port2 00:00:00:00:00:02 - -# Set up port security for the two logical ports. This ensures that -# the logical port mac address we have configured is the only allowed -# source and destination mac address for these ports. -ovn-nbctl lsp-set-port-security sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-port-security sw0-port2 00:00:00:00:00:02 - -# Create ports on the local OVS bridge, br-int. When ovn-controller -# sees these ports show up with an "iface-id" that matches the OVN -# logical port names, it associates these local ports with the OVN -# logical ports. ovn-controller will then set up the flows necessary -# for these ports to be able to communicate each other as defined by -# the OVN logical topology. -ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1 -ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2 diff --git a/tutorial/ovn/env2/packet1.sh b/tutorial/ovn/env2/packet1.sh deleted file mode 100755 index f1ca3bfb2..000000000 --- a/tutorial/ovn/env2/packet1.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 -generate diff --git a/tutorial/ovn/env2/packet2.sh b/tutorial/ovn/env2/packet2.sh deleted file mode 100755 index c8be34557..000000000 --- a/tutorial/ovn/env2/packet2.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:03 -generate diff --git a/tutorial/ovn/env2/setup.sh b/tutorial/ovn/env2/setup.sh deleted file mode 100755 index 008caa1d1..000000000 --- a/tutorial/ovn/env2/setup.sh +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -ovn-nbctl ls-add sw0 -ovn-nbctl ls-add sw1 -ovn-nbctl lsp-add sw0 sw0-port1 -ovn-nbctl lsp-add sw0 sw0-port2 -ovn-nbctl lsp-add sw1 sw1-port1 -ovn-nbctl lsp-add sw1 sw1-port2 -ovn-nbctl lsp-set-addresses sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-addresses sw0-port2 00:00:00:00:00:02 -ovn-nbctl lsp-set-addresses sw1-port1 00:00:00:00:00:03 -ovn-nbctl lsp-set-addresses sw1-port2 00:00:00:00:00:04 -ovn-nbctl lsp-set-port-security sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-port-security sw0-port2 00:00:00:00:00:02 -ovn-nbctl lsp-set-port-security sw1-port1 00:00:00:00:00:03 -ovn-nbctl lsp-set-port-security sw1-port2 00:00:00:00:00:04 - -ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1 -ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2 -ovs-vsctl add-port br-int lport3 -- set Interface lport3 external_ids:iface-id=sw1-port1 -ovs-vsctl add-port br-int lport4 -- set Interface lport4 external_ids:iface-id=sw1-port2 diff --git a/tutorial/ovn/env3/packet1.sh b/tutorial/ovn/env3/packet1.sh deleted file mode 100755 index 6d26e587d..000000000 --- a/tutorial/ovn/env3/packet1.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# Trace a packet from sw0-port1 to sw0-port3. -ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:03 -generate diff --git a/tutorial/ovn/env3/packet2.sh b/tutorial/ovn/env3/packet2.sh deleted file mode 100755 index 0de461f52..000000000 --- a/tutorial/ovn/env3/packet2.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# -# This trace simulates a packet arriving over a Geneve tunnel from a remote OVN -# chassis. The fields are as follows: -# -# tun_id - -# The logical datapath (or logical switch) ID. In this case, we only -# have a single logical switch and its ID is 1. -# -# tun_metadata0 - -# This field holds 2 pieces of metadata. The low 16 bits hold the logical -# destination port (1 in this case). The upper 16 bits hold the logical -# source port (3 in this case. -# -ovs-appctl ofproto/trace br-int in_port=3,dl_src=00:00:00:00:00:03,dl_dst=00:00:00:00:00:01,tun_id=1,tun_metadata0=$[1 + $[3 << 16]] -generate diff --git a/tutorial/ovn/env3/setup.sh b/tutorial/ovn/env3/setup.sh deleted file mode 100755 index d67b1c83c..000000000 --- a/tutorial/ovn/env3/setup.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -ovn-nbctl ls-add sw0 - -ovn-nbctl lsp-add sw0 sw0-port1 -ovn-nbctl lsp-add sw0 sw0-port2 -ovn-nbctl lsp-add sw0 sw0-port3 -ovn-nbctl lsp-add sw0 sw0-port4 - -ovn-nbctl lsp-set-addresses sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-addresses sw0-port2 00:00:00:00:00:02 -ovn-nbctl lsp-set-addresses sw0-port3 00:00:00:00:00:03 -ovn-nbctl lsp-set-addresses sw0-port4 00:00:00:00:00:04 - -ovn-nbctl lsp-set-port-security sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-port-security sw0-port2 00:00:00:00:00:02 -ovn-nbctl lsp-set-port-security sw0-port3 00:00:00:00:00:03 -ovn-nbctl lsp-set-port-security sw0-port4 00:00:00:00:00:04 - -# Bind sw0-port1 and sw0-port2 to the local chassis -ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1 -ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2 - -# Create a fake remote chassis. -ovn-sbctl chassis-add fakechassis geneve 127.0.0.1 - -# Bind sw0-port3 and sw0-port4 to the fake remote chassis. -ovn-sbctl lsp-bind sw0-port3 fakechassis -ovn-sbctl lsp-bind sw0-port4 fakechassis diff --git a/tutorial/ovn/env4/packet1.sh b/tutorial/ovn/env4/packet1.sh deleted file mode 100755 index 7b23738af..000000000 --- a/tutorial/ovn/env4/packet1.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# input from local vif, lport1 (ofport 2) -# destination MAC is lport2 -# expect to go out via localnet port (ofport 3) and lport2 (ofport 4) -ovs-appctl ofproto/trace br-int in_port=2,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 -generate diff --git a/tutorial/ovn/env4/packet2.sh b/tutorial/ovn/env4/packet2.sh deleted file mode 100755 index 134056e88..000000000 --- a/tutorial/ovn/env4/packet2.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# input from local vif, lport1 (ofport 2) -# destination MAC is on remote chassis -# expect to go out via localnet port (ofport 3) -ovs-appctl ofproto/trace br-int in_port=2,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:03 -generate diff --git a/tutorial/ovn/env4/packet3.sh b/tutorial/ovn/env4/packet3.sh deleted file mode 100755 index f90f2fc4d..000000000 --- a/tutorial/ovn/env4/packet3.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# input from local vif, lport1 (ofport 2) -# expect to go out via localnet port (ofport 3) and lport2 (ofport 4) -ovs-appctl ofproto/trace br-int in_port=2,dl_src=00:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff -generate diff --git a/tutorial/ovn/env4/packet4.sh b/tutorial/ovn/env4/packet4.sh deleted file mode 100755 index be805bc72..000000000 --- a/tutorial/ovn/env4/packet4.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# We use the LOCAL port of br-eth1 to simulate the port connected to network. -# expect to arrive on lport1 (ofport 2) and lport2 (ofport 4) -ovs-appctl ofproto/trace br-eth1 in_port=LOCAL,dl_src=00:00:00:00:00:03,dl_dst=ff:ff:ff:ff:ff:ff -generate diff --git a/tutorial/ovn/env4/setup.sh b/tutorial/ovn/env4/setup.sh deleted file mode 100755 index 03950f0a1..000000000 --- a/tutorial/ovn/env4/setup.sh +++ /dev/null @@ -1,50 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# This script simulates 2 chassis connected to a physical switch, -# which we call "physnet1". We have two logical ports, one on each hypervisor, -# that OVN will connect to physnet1. -# -# The way to accomplish this in OVN is to create a logical switch for each -# logical port. In addition to the normal logical port, each logical switch -# has a special "localnet" port, which represents the connection to physnet1. -# -# In this setup we see the view of this environment from one of the hypervisors. - -set -o xtrace - -ovs-vsctl add-br br-eth1 -ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth1 - -ovn-sbctl chassis-add fakechassis geneve 127.0.0.1 - -for n in 1 2 3 4; do - ovn-nbctl ls-add provnet1-$n - - ovn-nbctl lsp-add provnet1-$n provnet1-$n-port1 - ovn-nbctl lsp-set-addresses provnet1-$n-port1 00:00:00:00:00:0$n - ovn-nbctl lsp-set-port-security provnet1-$n-port1 00:00:00:00:00:0$n - - ovn-nbctl lsp-add provnet1-$n provnet1-$n-physnet1 - ovn-nbctl lsp-set-addresses provnet1-$n-physnet1 unknown - ovn-nbctl lsp-set-type provnet1-$n-physnet1 localnet - ovn-nbctl lsp-set-options provnet1-$n-physnet1 network_name=physnet1 -done - -ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=provnet1-1-port1 -ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=provnet1-2-port1 - -ovn-sbctl lsp-bind provnet1-3-port1 fakechassis -ovn-sbctl lsp-bind provnet1-4-port1 fakechassis diff --git a/tutorial/ovn/env5/packet1.sh b/tutorial/ovn/env5/packet1.sh deleted file mode 100755 index 64025c425..000000000 --- a/tutorial/ovn/env5/packet1.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# input from local vif, lport5 (ofport 6) -# destination MAC is lport6 -# expect to go out via localnet port (ofport 7) and lport6 (ofport 8) -ovs-appctl ofproto/trace br-int in_port=6,dl_src=00:00:00:00:00:05,dl_dst=00:00:00:00:00:06 -generate diff --git a/tutorial/ovn/env5/packet2.sh b/tutorial/ovn/env5/packet2.sh deleted file mode 100755 index 7ac5dd62c..000000000 --- a/tutorial/ovn/env5/packet2.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# We use the LOCAL port of br-eth1 to simulate the port connected to network. -# expect to arrive on lport5 (ofport 6) and lport6 (ofport 8) -ovs-appctl ofproto/trace br-eth1 in_port=LOCAL,dl_src=00:00:00:00:00:07,dl_dst=ff:ff:ff:ff:ff:ff,dl_vlan=101 -generate diff --git a/tutorial/ovn/env5/setup.sh b/tutorial/ovn/env5/setup.sh deleted file mode 100755 index b5eee6ae4..000000000 --- a/tutorial/ovn/env5/setup.sh +++ /dev/null @@ -1,67 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# This script simulates 2 chassis connected to a physical switch, -# which we call "physnet1". We have two logical ports, one on each hypervisor, -# that OVN will connect to physnet1. -# -# The way to accomplish this in OVN is to create a logical switch for each -# logical port. In addition to the normal logical port, each logical switch -# has a special "localnet" port, which represents the connection to physnet1. -# -# In this setup we see the view of this environment from one of the hypervisors. - -set -o xtrace - -ovs-vsctl add-br br-eth1 -ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth1 - -ovn-sbctl chassis-add fakechassis geneve 127.0.0.1 - -for n in 1 2 3 4 5 6 7 8; do - if [ $n -gt 4 ] ; then - ls_name="provnet1-$n-101" - lsp_name="$ls_name-port1" - else - ls_name="provnet1-$n" - fi - ovn-nbctl ls-add $ls_name - - lsp_name="$ls_name-port1" - ovn-nbctl lsp-add $ls_name $lsp_name - ovn-nbctl lsp-set-addresses $lsp_name 00:00:00:00:00:0$n - ovn-nbctl lsp-set-port-security $lsp_name 00:00:00:00:00:0$n - - if [ $n -gt 4 ] ; then - lsp_name="provnet1-$n-physnet1-101" - ovn-nbctl lsp-add $ls_name $lsp_name "" 101 - else - lsp_name="provnet1-$n-physnet1" - ovn-nbctl lsp-add $ls_name $lsp_name - fi - ovn-nbctl lsp-set-addresses $lsp_name unknown - ovn-nbctl lsp-set-type $lsp_name localnet - ovn-nbctl lsp-set-options $lsp_name network_name=physnet1 -done - -ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=provnet1-1-port1 -ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=provnet1-2-port1 -ovs-vsctl add-port br-int lport5 -- set Interface lport5 external_ids:iface-id=provnet1-5-101-port1 -ovs-vsctl add-port br-int lport6 -- set Interface lport6 external_ids:iface-id=provnet1-6-101-port1 - -ovn-sbctl lsp-bind provnet1-3-port1 fakechassis -ovn-sbctl lsp-bind provnet1-4-port1 fakechassis -ovn-sbctl lsp-bind provnet1-7-101-port1 fakechassis -ovn-sbctl lsp-bind provnet1-8-101-port1 fakechassis diff --git a/tutorial/ovn/env6/add-acls.sh b/tutorial/ovn/env6/add-acls.sh deleted file mode 100755 index 74cf17b2e..000000000 --- a/tutorial/ovn/env6/add-acls.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -ovn-nbctl acl-add sw0 from-lport 1002 "inport == \"sw0-port1\" && ip" allow-related -ovn-nbctl acl-add sw0 to-lport 1002 "outport == \"sw0-port1\" && ip && icmp" allow-related -ovn-nbctl acl-add sw0 to-lport 1002 "outport == \"sw0-port1\" && ip && tcp && tcp.dst == 22" allow-related -ovn-nbctl acl-add sw0 to-lport 1001 "outport == \"sw0-port1\" && ip" drop diff --git a/tutorial/ovn/env6/setup.sh b/tutorial/ovn/env6/setup.sh deleted file mode 100755 index a9c6f39a7..000000000 --- a/tutorial/ovn/env6/setup.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# -# See "Simple two-port setup" in Documentation/tutorial/ovn-basics.rst. -# - -set -o xtrace - -# Create a logical switch named "sw0" -ovn-nbctl ls-add sw0 - -# Create two logical ports on "sw0". -ovn-nbctl lsp-add sw0 sw0-port1 -ovn-nbctl lsp-add sw0 sw0-port2 - -# Set a MAC address for each of the two logical ports. -ovn-nbctl lsp-set-addresses sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-addresses sw0-port2 00:00:00:00:00:02 - -# Set up port security for the two logical ports. This ensures that -# the logical port mac address we have configured is the only allowed -# source and destination mac address for these ports. -ovn-nbctl lsp-set-port-security sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-port-security sw0-port2 00:00:00:00:00:02 - -# Create ports on the local OVS bridge, br-int. When ovn-controller -# sees these ports show up with an "iface-id" that matches the OVN -# logical port names, it associates these local ports with the OVN -# logical ports. ovn-controller will then set up the flows necessary -# for these ports to be able to communicate each other as defined by -# the OVN logical topology. -ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1 -ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2 diff --git a/tutorial/ovn/env7/add-container-ports.sh b/tutorial/ovn/env7/add-container-ports.sh deleted file mode 100755 index fc9b001f9..000000000 --- a/tutorial/ovn/env7/add-container-ports.sh +++ /dev/null @@ -1,60 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# create a logical switch -ovn-nbctl ls-add csw0 - -# create a container port with parent set to sw0-port1 -ovn-nbctl lsp-add csw0 csw0-cport1 sw0-port1 42 -ovn-nbctl lsp-set-addresses csw0-cport1 00:00:00:00:01:01 -ovn-nbctl lsp-set-port-security csw0-cport1 00:00:00:00:01:01 - -# create another container port with parent set to sw0-port1 -ovn-nbctl lsp-add csw0 csw0-cport2 sw0-port2 43 -ovn-nbctl lsp-set-addresses csw0-cport2 00:00:00:00:01:02 -ovn-nbctl lsp-set-port-security csw0-cport2 00:00:00:00:01:02 - - -# Make lport1 as a patch port, other end connected to br-vmport1 -ovs-vsctl set interface lport1 type=patch -ovs-vsctl set interface lport1 options:peer=patch-lport1 - -ovs-vsctl set interface lport2 type=patch -ovs-vsctl set interface lport2 options:peer=patch-lport2 - - -# This represents ovs bridge inside a VM attached to lport1 -ovs-vsctl add-br br-vmport1 - -# create a patch port with peer set to lport1. -ovs-vsctl add-port br-vmport1 patch-lport1 -ovs-vsctl set interface patch-lport1 type=patch -ovs-vsctl set interface patch-lport1 options:peer=lport1 - -# create a container port on br-vmport1. Any traffic sent on this -# port will reach to the br-int of the host via the patch port -ovs-vsctl add-port br-vmport1 cport1 -ovs-vsctl set port cport1 tag=42 - -# This represents ovs bridge inside a VM attached to lport2 -ovs-vsctl add-br br-vmport2 -ovs-vsctl add-port br-vmport2 patch-lport2 -ovs-vsctl set interface patch-lport2 type=patch -ovs-vsctl set interface patch-lport2 options:peer=lport2 - -ovs-vsctl add-port br-vmport2 cport2 -ovs-vsctl set port cport2 tag=43 diff --git a/tutorial/ovn/env7/packet1.sh b/tutorial/ovn/env7/packet1.sh deleted file mode 100755 index 660566b96..000000000 --- a/tutorial/ovn/env7/packet1.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# Trace a packet from csw0-port1 to csw0-port2. -ovs-appctl ofproto/trace br-vmport1 in_port=3,dl_src=00:00:00:0:01:01,dl_dst=00:00:00:00:01:02 -generate diff --git a/tutorial/ovn/env7/packet2.sh b/tutorial/ovn/env7/packet2.sh deleted file mode 100755 index 244fbbd47..000000000 --- a/tutorial/ovn/env7/packet2.sh +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# Trace a packet from csw0-port2 to csw0-port1. -ovs-appctl ofproto/trace br-vmport2 in_port=3,dl_src=00:00:00:0:01:02,dl_dst=00:00:00:00:01:01 -generate diff --git a/tutorial/ovn/env7/setup.sh b/tutorial/ovn/env7/setup.sh deleted file mode 100755 index 39acf3a6e..000000000 --- a/tutorial/ovn/env7/setup.sh +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# Create a logical switch named "sw0" -ovn-nbctl ls-add sw0 - -# Create two logical ports on "sw0". -ovn-nbctl lsp-add sw0 sw0-port1 -ovn-nbctl lsp-add sw0 sw0-port2 -ovn-nbctl lsp-add sw0 sw0-port3 - -ovn-nbctl lsp-set-addresses sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-addresses sw0-port2 00:00:00:00:00:02 -ovn-nbctl lsp-set-addresses sw0-port3 00:00:00:00:00:03 - -ovn-nbctl lsp-set-port-security sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-port-security sw0-port2 00:00:00:00:00:02 -ovn-nbctl lsp-set-port-security sw0-port3 00:00:00:00:00:03 - -ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1 -ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2 -ovs-vsctl add-port br-int lport3 -- set Interface lport3 external_ids:iface-id=sw0-port3 diff --git a/tutorial/ovn/env8/packet1.sh b/tutorial/ovn/env8/packet1.sh deleted file mode 100755 index 13a49d0d1..000000000 --- a/tutorial/ovn/env8/packet1.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# input from local vif, lport1 (ofport 1) -# The destination MAC is not assigned to any host. -# expect to go out via l2gateway port (ofport 3) -ovs-appctl ofproto/trace br-int in_port=1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:03 -generate diff --git a/tutorial/ovn/env8/packet2.sh b/tutorial/ovn/env8/packet2.sh deleted file mode 100755 index a4a7f8c74..000000000 --- a/tutorial/ovn/env8/packet2.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -set -o xtrace - -# We use the LOCAL port of br-eth1 to simulate the port connected to network. -# expect to arrive on lport1 (ofport 1) and lport2 (ofport 2) -ovs-appctl ofproto/trace br-eth1 in_port=LOCAL,dl_src=00:00:00:00:00:03,dl_dst=ff:ff:ff:ff:ff:ff -generate diff --git a/tutorial/ovn/env8/setup.sh b/tutorial/ovn/env8/setup.sh deleted file mode 100755 index 2bb05ff84..000000000 --- a/tutorial/ovn/env8/setup.sh +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/bash -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# This script simulates 2 chassis connected to a physical switch, -# which we call "physnet1". We have two logical ports, one on each hypervisor, -# that OVN will connect to physnet1. -# -# The way to accomplish this in OVN is to create a logical switch for each -# logical port. In addition to the normal logical port, each logical switch -# has a special "localnet" port, which represents the connection to physnet1. -# -# In this setup we see the view of this environment from one of the hypervisors. - -set -o xtrace - -ovn-nbctl ls-add sw0 - -ovn-nbctl lsp-add sw0 sw0-port1 -ovn-nbctl lsp-set-addresses sw0-port1 00:00:00:00:00:01 -ovn-nbctl lsp-set-port-security sw0-port1 00:00:00:00:00:01 -ovs-vsctl add-port br-int lport1 -- set Interface lport1 external_ids:iface-id=sw0-port1 - -ovn-nbctl lsp-add sw0 sw0-port2 -ovn-nbctl lsp-set-addresses sw0-port2 00:00:00:00:00:02 -ovn-nbctl lsp-set-port-security sw0-port2 00:00:00:00:00:02 -ovs-vsctl add-port br-int lport2 -- set Interface lport2 external_ids:iface-id=sw0-port2 - -ovn-nbctl lsp-add sw0 sw0-port3 -ovn-nbctl lsp-set-addresses sw0-port3 unknown -ovn-nbctl lsp-set-type sw0-port3 l2gateway -# The chassis UUID is hard-coded in tutorial/ovs-sandbox. -ovn-nbctl lsp-set-options sw0-port3 l2gateway-chassis=56b18105-5706-46ef-80c4-ff20979ab068 network_name=physnet1 - -ovs-vsctl --may-exist add-br br-eth1 -ovs-vsctl set open . external-ids:ovn-bridge-mappings=physnet1:br-eth1 -- cgit v1.2.1