neutron

OpenStack address scopes / subnet pools / network segments

Documentation
https://docs.openstack.org/neutron/latest/admin/config-address-scopes.html

openstack address scope create --share --ip-version 4 test-scope-v4
 
openstack subnet pool create --share --pool-prefix 10.0.0.0/8 --default-prefix-length 24 --address-scope test-scope-v4 test-subnet-pool-v4
 
openstack network create test-network2
 
openstack subnet create --network test-network2 --subnet-pool test-subnet-pool-v4 test-subnet2
 
openstack network show test-network2
 
# disable address scope
openstack subnet pool set --no-address-scope provider-subnet-pool
 
# disable enable scope
openstack subnet pool set --address-scope provider-addr-scope-v4 provider-subnet-pool

Debug Iptables

ssh -t control1-dev sudo ip netns exec qrouter-cca1d315-c56e-41ed-9a4d-1af6ca092f1a bash
 
iptables -S
...
-A neutron-l3-agent-scope -o qr-80ae710a-ec -m mark ! --mark 0x4000000/0xffff0000 -j DROP
 
iptables -t mangle -n -v -L neutron-l3-agent-scope
 
iptables -t filter -vL neutron-l3-agent-scope
 
iptables -t mangle -vL neutron-l-agent -POSTROUTING
iptables -t nat -vL neutorn-l3-agent-snat

Network segments

openstack network segment list

Links
https://www.youtube.com/watch?v=VsCYSZUOB6U

Show neutron router namespaces by floating IP (FIP) 

FLOATING_IP=1.2.3.4
 
# search in floating IP table
ROUTER_ID=$(openstack floating ip list --floating-ip-address ${FLOATING_IP} --long -c Router -f value)
if [ -z ${ROUTER_ID} ]; then
    # search in router
    ROUTER_ID=$(openstack router list --long | grep ${FLOATING_IP} | cut -d" " -f2)
fi
 
PROJECT_ID=$(openstack router show ${ROUTER_ID} -c project_id -f value)
 
echo -e "\e[34m# Project"
openstack router show ${ROUTER_ID} -c id -c name 
 
echo
echo -e "\e[34m# Router"
openstack project show ${PROJECT_ID} -c id -c name -c description
 
echo
echo -e "\e[34m# Router namespaces"
openstack network agent list --router ${ROUTER_ID} --long --sort-column 'HA State'
echo
 

OpenStack Debug VPN

Find the VPN server and the relevant router UUID

# get VPN connection ID
openstack vpn ipsec site connection list | grep foo
openstack vpn ipsec site connection list --long | grep <project_id>
 
VPN_CONNECTION_ID=142dc25f-13bb-4fda-b093-edf13df98ed8
openstack vpn ipsec site connection show ${VPN_CONNECTION_ID}
 
VPN_SERVICE_ID=$(openstack vpn ipsec site connection show ${VPN_CONNECTION_ID} -c 'VPN Service' -f value)
openstack vpn service show ${VPN_SERVICE_ID}
 
# get router ID
ROUTER_ID=$(openstack vpn service show ${VPN_SERVICE_ID} -c Router -f value)
echo "ROUTER_ID=${ROUTER_ID}"

Find the ctl Node where the active router is running

ROUTER_PORT_ID=$(openstack port list --device-owner network:router_gateway -f value -c id --router ${ROUTER_ID})
CONTROL_NODE=$(openstack port show ${ROUTER_PORT_ID} -c binding_host_id -f value)
echo "CONTROL_NODE: ${CONTROL_NODE}"
 
echo "ssh ${CONTROL_NODE} sudo ip netns exec qrouter-${ROUTER_ID} ip a s"

Connect to that ctl node and "jump" in its neutron-l3-agent docker container

Check OpenvSwitch 

#!/bin/bash
 
export OS_ENV="@globals.environment@"
 
 
if [ "${OS_ENV}" == "dev" ]; then
    export PYENV_ROOT="$HOME/.pyenv"
    export PATH="$PYENV_ROOT/bin:$PATH"
    eval "$(pyenv init -)"
fi
 
source /etc/kolla/admin-openrc.sh
 
EXIT_CODE=0
 
# search for broken ovs entry in DB
for NODE in $(openstack compute service list -c Host -f value | sort -u); do
    OUTPUT=$(ssh ${NODE} docker exec openvswitch_vswitchd ovsdb-client dump | grep qvo | egrep -v "tag|mac" | cut -d "\"" -f2)
    for PORT in ${OUTPUT}; do
        printf "%-20s %s\n" "${NODE}" "${PORT}"
 
        EXIT_CODE=1

Create neutron probe

Install crudini

docker exec -ti -u root neutron_l3_agent apt update
docker exec -ti -u root neutron_l3_agent apt install -y crudini

Create configuration

docker exec -ti neutron_l3_agent bash
umask 077
cat /etc/neutron/neutron.conf > /etc/neutron/debug.ini
crudini --merge /etc/neutron/debug.ini < /etc/neutron/l3_agent.ini

Export credentials

unset HISTFILE
# cat /etc/kolla/admin-openrc.sh
# paste export OS_XXX

Get network ID

SERVER_ID=074e2a72-9bd7-488f-af3d-f45f3bc0b6e7
 
PORT_ID=$(openstack port list --server ${SERVER_ID} -c id -f value)
openstack port show ${PORT_ID} -c network_id -f value

Create probe

neutron-debug --config-file /etc/neutron/debug.ini probe-create ${NETWORK_ID}

Get probe port ID

OpenStack: port

Identify port by MAC

MAC=00:11:22:33:44:55
openstack port list --mac-address ${MAC}
 
SUBNET_ID=b07b6b7a-dfb2-4b58-82cb-1568da8990b3
openstack subnet show ${SUBNET_ID}
 
PROJECT_ID=701e329e-997d-4dfa-b0d0-27a51670ed2d
openstack project show ${PROJECT_ID}

Add security group to port

SERVER_ID=$(openstack server list --all-projects --name vm1-dev -c ID -f value)
openstack port list --server ${SERVER_ID}
PORT_ID=97006537-07b1-4d37-9e2e-3bb71ad23087
openstack port set --security-group 2060fc87-a1bf-4cf5-a497-f6c4b45cffcd ${PORT_ID}
Subscribe to neutron