1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
|
<?xml version="1.0" encoding="utf-8"?>
<manpage program="ovn-trace" section="8" title="ovn-trace">
<h1>Name</h1>
<p>ovn-trace -- Open Virtual Network logical network tracing utility</p>
<h1>Synopsis</h1>
<p><code>ovn-trace</code> [<var>options</var>] <var>datapath</var> <var>microflow</var></p>
<p><code>ovn-trace</code> [<var>options</var>] <code>--detach</code></p>
<h1>Description</h1>
<p>
This utility simulates packet forwarding within an OVN logical network.
It can be used to run through ``what-if'' scenarios: if a packet
originates at a logical port, what will happen to it and where will it
ultimately end up? Users already familiar with the Open vSwitch
<code>ofproto/trace</code> command described in
<code>ovs-vswitch</code>(8) will find <code>ovn-trace</code> to be a
similar tool for logical networks.
</p>
<p>
<code>ovn-trace</code> works by reading the <code>Logical_Flow</code> and
other tables from the OVN southbound database (see
<code>ovn-sb</code>(5)). It simulates a packet's path through logical
networks by repeatedly looking it up in the logical flow table, following
the entire tree of possibilities.
</p>
<p>
<code>ovn-trace</code> simulates only the OVN logical network. It does
not simulate the physical elements on which the logical network is
layered. This means that, for example, it is unimportant how VMs are
distributed among hypervisors, or whether their hypervisors are
functioning and reachable, so <code>ovn-trace</code> will yield the same
results regardless. There is one important exception:
<code>ovn-northd</code>, the daemon that generates the logical flows that
<code>ovn-trace</code> simulates, treats logical ports differently based
on whether they are up or down. Thus, if you see surprising results,
ensure that the ports involved in a simulation are up.
</p>
<p>
The simplest way to use <code>ovn-trace</code> is to provide
<var>datapath</var> and <var>microflow</var> arguments on the command
line. In this case, it simulates the behavior of a single packet and
exits. For an alternate usage model, see <code>Daemon Mode</code> below.
</p>
<p>
The <var>datapath</var> argument specifies the name of a logical
datapath. Acceptable names are the <code>name</code> from the northbound
<code>Logical_Switch</code> or <code>Logical_Router</code> table, the
UUID of a record from one of those tables, or the UUID of a record from
the southbound <code>Datapath_Binding</code> table.
</p>
<p>
The <var>microflow</var> argument describes the packet whose forwarding
is to be simulated, in the syntax of an OVN logical expression, as
described in <code>ovn-sb</code>(5), to express constraints. The parser
understands prerequisites; for example, if the expression refers to
<code>ip4.src</code>, there is no need to explicitly state
<code>ip4</code> or <code>eth.type == 0x800</code>.
</p>
<p>
For reasonable L2 behavior, the microflow should include at least
<code>inport</code> and <code>eth.dst</code>, plus <code>eth.src</code>
if port security is enabled. For example:
</p>
<pre>
inport == "lp11" && eth.src == 00:01:02:03:04:05 && eth.dst == ff:ff:ff:ff:ff:ff
</pre>
<p>
For reasonable L3 behavior, <var>microflow</var> should also include
<code>ip4.src</code> and <code>ip4.dst</code> (or <code>ip6.src</code>
and <code>ip6.dst</code>) and <code>ip.ttl</code>. For example:
</p>
<pre>
inport == "lp111" && eth.src == f0:00:00:00:01:11 && eth.dst == 00:00:00:00:ff:11
&& ip4.src == 192.168.11.1 && ip4.dst == 192.168.22.2 && ip.ttl == 64
</pre>
<p>Here's an ARP microflow example:</p>
<pre>
inport == "lp123"
&& eth.dst == ff:ff:ff:ff:ff:ff && eth.src == f0:00:00:00:01:11
&& arp.op == 1 && arp.sha == f0:00:00:00:01:11 && arp.spa == 192.168.1.11
&& arp.tha == ff:ff:ff:ff:ff:ff && arp.tpa == 192.168.2.22
</pre>
<p>
<code>ovn-trace</code> will reject erroneous microflow expressions, which
beyond syntax errors fall into two categories. First, they can be
ambiguous. For example, <code>tcp.src == 80</code> is ambiguous because
it does not state IPv4 or IPv6 as the Ethernet type. <code>ip4
&& tcp.src > 1024</code> is also ambiguous because it does not
constrain bits of <code>tcp.src</code> to particular values. Second,
they can be contradictory, e.g. <code>ip4 && ip6</code>.
</p>
<h1>Output</h1>
<p>
<code>ovn-trace</code> supports the three different forms of output, each
described in a separate section below. Regardless of the selected output
format, <code>ovn-trace</code> starts the output with a line that shows
the microflow being traced in OpenFlow syntax.
</p>
<h2>Detailed Output</h2>
<p>
The detailed form of output is also the default form. This form groups
output into sections headed up by the ingress or egress pipeline being
traversed. Each pipeline lists each table that was visited (by number and
name), the <code>ovn-northd</code> source file and line number of the code
that added the flow, the match expression and priority of the logical flow
that was matched, and the actions that were executed.
</p>
<p>
The execution of OVN logical actions naturally forms a ``control stack''
that resembles that of a program in conventional programming languages
such as C or Java. Because the <code>next</code> action that calls into
another logical flow table for a lookup is a recursive construct, OVN
``programs'' in practice tend to form deep control stacks that, displayed
in the obvious way using additional indentation for each level, quickly
use up the horizontal space on all but the widest displays. To make
detailed output more readable, without loss of generality,
<code>ovn-trace</code> omits indentation for ``tail recursion,'' that is,
when <code>next</code> is the last action in a logical flow, it does not
indent details of the next table lookup more deeply. Output still uses
indentation when it is needed for clarity.
</p>
<p>
OVN ``programs'' traces also tend to encounter long strings of logical
flows with match expression <code>1</code> (which matches every packet)
and the single action <code>next;</code>. These are uninteresting
and merely clutter output, so <code>ovn-trace</code> omits them
entirely even from detailed output.
</p>
<p>
The following excerpt from detailed <code>ovn-trace</code> output shows a
section for a packet traversing the ingress pipeline of logical datapath
<code>ls1</code> with ingress logical port <code>lp111</code>. The
packet matches a logical flow in table 0 (aka
<code>ls_in_port_sec_l2</code>) with priority 50 and executes
<code>next(1);</code> to pass to table 1. Tables 1 through 11 are
trivial and omitted. In table 12 (aka <code>ls_in_l2_lkup</code>), the
packet matches a flow with priority 50 based on its Ethernet destination
address and the flow's actions output the packet to the
<code>lrp11-attachement</code> logical port.
</p>
<pre fixed="yes">
ingress(dp="ls1", inport="lp111")
---------------------------------
0. ls_in_port_sec_l2: inport == "lp111", priority 50
next(1);
12. ls_in_l2_lkup: eth.dst == 00:00:00:00:ff:11, priority 50
outport = "lrp11-attachment";
output;
</pre>
<h2>Summary Output</h2>
<p>
Summary output includes the logical pipelines visited by a packet and the
logical actions executed on it. Compared to the detailed output,
however, it removes details of tables and logical flows traversed by a
packet. It uses a format closer to that of a programming language and
does not attempt to avoid indentation. The summary output equivalent to
the above detailed output fragment is:
</p>
<pre fixed="yes">
ingress(dp="ls1", inport="lp111") {
outport = "lrp11-attachment";
output;
...
};
</pre>
<h2>Minimal Output</h2>
<p>
Minimal output includes only actions that modify packet data (not
including OVN registers or metadata such as <code>outport</code>) and
<code>output</code> actions that actually deliver a packet to a logical
port (excluding patch ports). The operands of actions that modify packet
data are displayed reduced to constants, e.g. <code>ip4.dst =
reg0;</code> might be show as <code>ip4.dst = 192.168.0.1;</code> if that
was the value actually loaded. This yields output even simpler than the
summary format. (Users familiar with Open vSwitch may recognize this as
similar in spirit to the datapath actions listed at the bottom of
<code>ofproto/trace</code> output.)
</p>
<p>
The minimal output format reflects the externally seen behavior of the
logical networks more than it does the implementation. This makes this
output format the most suitable for use in regression tests, because it
is least likely to change when logical flow tables are rearranged without
semantic change.
</p>
<h1>Daemon Mode</h1>
<p>
If <code>ovn-trace</code> is invoked with the <code>--detach</code> option
(see <code>Daemon Options</code>, below), it runs in the background as a
daemon and accepts commands from <code>ovs-appctl</code> (or another
JSON-RPC client) indefinitely. The currently supported commands are
described below.
</p>
<p>
</p>
<dl>
<dt><code>trace</code> [<var>options</var>] <var>datapath</var> <var>microflow</var></dt>
<dd>
Traces <var>microflow</var> through <var>datapath</var> and replies with
the results of the trace. Accepts the <var>options</var> described under
<code>Trace Options</code> below.
</dd>
<dt><code>exit</code></dt>
<dd>Causes <code>ovn-trace</code> to gracefully terminate.</dd>
</dl>
<h1>Options</h1>
<h2>Trace Options</h2>
<dl>
<dt><code>--detailed</code></dt>
<dt><code>--summary</code></dt>
<dt><code>--minimal</code></dt>
<dd>
These options control the form and level of detail in
<code>ovn-trace</code> output. If more than one of these options is
specified, all of the selected forms are output, in the order listed
above, each headed by a banner line. If none of these options is
given, <code>--detailed</code> is the default. See
<code>Output</code>, above, for a description of each kind of output.
</dd>
<dt><code>--all</code></dt>
<dd>
Selects all three forms of output.
</dd>
</dl>
<h2>Daemon Options</h2>
<xi:include href="lib/daemon.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<h2>Logging Options</h2>
<xi:include href="lib/vlog.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<h2>PKI Options</h2>
<p>
PKI configuration is required to use SSL for the connection to the
database.
</p>
<xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<h2>Other Options</h2>
<dl>
<dt><code>--db</code> <var>database</var></dt>
<dd>
The OVSDB database remote to contact. If the <env>OVN_SB_DB</env>
environment variable is set, its value is used as the default.
Otherwise, the default is <code>unix:@RUNDIR@/db.sock</code>, but this
default is unlikely to be useful outside of single-machine OVN test
environments.
</dd>
</dl>
<xi:include href="lib/common.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
</manpage>
|
