openstack
/
neutron
Code Issues Proposed changes

Add info about nf_conntrack_proto_gre when ovs fw is used 

When openvswitch firewall driver is used, it is required to load
nf_conntrack_proto_gre kernel module to make GRE tunnels from VM to VM
working properly.
This patch adds such info in ovs firewall documentation as it should be
deployer decision to load or not load this module.

This patch also adds sanity check which checks if nf_conntrack_proto_gre
module is loaded or not, and can warn user when this module is not
loaded.
It also adds loading of this kernel module in neutron devstack plugin.

Change-Id: Ic97ca00c804f0a540ee0dc53d9e4e07bf8410869
Closes-Bug: #1828053
This commit is contained in:
Slawek Kaplonski 2019-05-08 14:16:49 +02:00
parent bd3d85807c
commit b8a18dc22a
5 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
devstack/lib/ovs
View File

@ -210,3 +210,9 @@ function remove_ovs_packages() {
fi
done
}
# load_conntrack_gre_module() - loads nf_conntrack_proto_gre kernel module
function load_conntrack_gre_module() {
sudo modprobe nf_conntrack_proto_gre
}

1
devstack/plugin.sh
View File

@ -28,6 +28,7 @@ if [[ "$1" == "stack" ]]; then
[[ "$Q_BUILD_OVS_FROM_GIT" == "True" ]]; then
remove_ovs_packages
compile_ovs True /usr /var
load_conntrack_gre_module
start_new_ovs
fi
;;

18
doc/source/admin/config-ovsfwdriver.rst
View File

@ -53,3 +53,21 @@ Enable the native OVS firewall driver
For more information, see the
:doc:`/contributor/internals/openvswitch_firewall`
and the `video <https://www.youtube.com/watch?v=SOHeZ3g9yxM>`_.
Using GRE tunnels inside VMs with OVS firewall driver
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If GRE tunnels from VM to VM are going to be used, the native OVS firewall
implementation requires ``nf_conntrack_proto_gre`` module to be loaded in
the kernel on nodes running the Open vSwitch agent.
It can be loaded with the command:
.. code-block:: console
# modprobe nf_conntrack_proto_gre
Some Linux distributions have files that can be used to automatically load
kernel modules at boot time, for example, ``/etc/modules``. Check with your
distribution for further information.
This isn't necessary to use ``gre`` tunnel network type Neutron.

10
neutron/cmd/sanity/checks.py
View File

@ -19,6 +19,7 @@ import tempfile
import netaddr
from neutron_lib import constants as n_consts
from neutron_lib import exceptions
from oslo_config import cfg
from oslo_log import log as logging
from oslo_utils import uuidutils
@ -42,6 +43,7 @@ LOG = logging.getLogger(__name__)
MINIMUM_DNSMASQ_VERSION = 2.67
DNSMASQ_VERSION_DHCP_RELEASE6 = 2.76
MINIMUM_DIBBLER_VERSION = '1.0.1'
CONNTRACK_GRE_MODULE = 'nf_conntrack_proto_gre'
def ovs_vxlan_supported(from_ip='192.0.2.1', to_ip='192.0.2.2'):
@ -485,3 +487,11 @@ def ip_nonlocal_bind():
finally:
ip_lib.delete_network_namespace(nsname1)
return ns1_value == 0
def gre_conntrack_supported():
cmd = ['modinfo', CONNTRACK_GRE_MODULE]
try:
return agent_utils.execute(cmd, log_fail_as_error=False)
except exceptions.ProcessExecutionError:
return False

12
neutron/cmd/sanity_check.py
View File

@ -220,6 +220,15 @@ def check_ovs_conntrack():
return result
def check_gre_conntrack():
result = checks.gre_conntrack_supported()
if not result:
LOG.warning('Kernel module %s is not loaded. GRE tunnels from '
'VM to VM will not work with OVS firewall driver.',
checks.CONNTRACK_GRE_MODULE)
return result
def check_ebtables():
result = checks.ebtables_supported()
if not result:
@ -323,6 +332,9 @@ OPTS = [
help=_('Check ovsdb native interface support')),
BoolOptCallback('ovs_conntrack', check_ovs_conntrack,
help=_('Check ovs conntrack support')),
BoolOptCallback('gre_conntrack', check_gre_conntrack,
help=_('Check if conntrack for gre tunnels traffic is '
'supported')),
BoolOptCallback('ebtables_installed', check_ebtables,
help=_('Check ebtables installation')),
BoolOptCallback('keepalived_ipv6_support', check_keepalived_ipv6_support,