OpenStack: Neutron (network)

CLI
https://developer.openstack.org/firstapp-libcloud/networking.html

# search server by port ID
openstack port show -c device_id -f value ${PORT_ID}
openstack show show ${PORT_ID}
openstack router show ${PORT_ID}

Port
https://docs.openstack.org/python-openstackclient/latest/cli/command-objects/port.html

# get port ID for OVS interface
openstack port list -c id -f value | grep $(awk '{print substr($OVS_INTERFACE,4,8)}')
 
# list all port by a network
openstack port list --fixed-ip subnet=mgmt-dev-net --sort-column Name
 
# allow incomming (ingress) SSH for specific IP / subnet
openstack security group rule create --protocol tcp --dst-port 22 --remote-ip 10.20.30/24 default
 
# create port without security
openstack port create openstack-net-port1 --network openstack-net --no-security-group --disable-port-security --no-fixed-ip
openstack port set --disable-port-security openstack-net-port1
 
# get all port by subnet
openstack port list -c ID -f value --fixed-ip subnet=dev-net1
 
# search ports (filter with json)
openstack port list -c ID -c "Fixed IP Addresses" -f json | jq -r '.[] | select(."Fixed IP Addresses"[].ip_address | startswith("10.11")).ID'

Creat and assign port

openstack port create foo-db3-dev-mgmt-net \
    --network mgmt-net1-dev \
    --mac-address 00:16:3e:9b:b7:10 \
    --fixed-ip ip-address=10.0.0.14 \
    --security-group 5b825582-17c5-475b-9253-ec373ba96eb7 \
    --project 6df9bd4956404f06bf169a382fe4035a
 
openstack server add port foo-db3-dev-vm foo-db3-dev-mgmt-net

Security group
https://docs.openstack.org/ocata/user-guide/cli-nova-configure-access-security-for-instances.html

openstack security group list
 
# allow SSH ingress
openstack security group rule create --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0  ${SECURITY_GROUP_ID}
 
# show
openstack security group show ${SECURITY_GROUP_ID}
 
# add
openstack port set --security-group ${SECURITY_GROUP} ${PORT_ID}
 
# remove
openstack port unset --security-group ${SECURITY_GROUP} ${PORT_ID}

Cleanup OpenvSwitch "No such device" devices

# Evacuate all VMs
# Cleanup "No such device" Open vSwitch devices
 
openstack compute service list --host compute1.example.com
openstack server list --all --host compute1.example.com
 
ssh compute1.example.com
docker exec -it openvswitch_vswitchd ovs-vsctl show | grep "No such device"
docker exec -it openvswitch_vswitchd ovs-vsctl show | tee ovs-vsctl_show.1.out
docker exec -it neutron_openvswitch_agent neutron-ovs-cleanup
docker exec -it openvswitch_vswitchd ovs-vsctl show | tee ovs-vsctl_show.2.out
 
# diff ovs-vsctl_show.1.out ovs-vsctl_show.2.out
# reboot node

Debug DHCP errors

for NODE in ctl{1..6}-dev; do
    echo ${NODE}
    ssh ${NODE} cat /var/lib/docker/volumes/kolla_logs/_data/neutron/dnsmasq.log | grep "lease not found" | awk '{print $1, $2}' | uniq -c | awk '$1 > 100 {print}'
    echo
done

API

curl -s -H "X-Auth-Token: $(openstack token issue -c id -f value)" -X GET http://neutron.service.i.example.com:9696/v2.0/routers | jq

RBAC
https://docs.openstack.org/mitaka/networking-guide/config-rbac.html
https://docs.openstack.org/python-openstackclient/pike/cli/command-objects/quota.html
https://docs.openstack.org/ocata/admin-guide/cli-networking-advanced-quotas.html

# show rbac quota
neutron quota-show --tenant_id <PROJECT_ID> | grep rbac_policy
 
# set rbac quota to unlimited
openstack quota set --rbac-policies -1 <PROJECT_ID>

Check ARP count for subnet

# get total port count
ssh admin-dev "source /etc/kolla/admin-openrc.sh; openstack port list -c ID -f value --fixed-ip subnet=dev-rbac-net1 | wc -l"
 
# get ARP entry by compute node
for COMPUTE_NODE in com{{1..16},{101..102}}-dev; do
    echo -n "${COMPUTE_NODE}: "
    for OVS in br-tun br-int; do
        ssh ${COMPUTE_NODE} docker exec -t openvswitch_vswitchd ovs-ofctl dump-flows ${OVS} | grep arp | grep -c 10.11.0
    done | paste -s -d+ | bc
done
 
# check specific ARP entry
ssh ${COMPUTE_NODE}
TARGET_IP=10.0.11.1
docker exec -t openvswitch_vswitchd ovs-ofctl dump-flows br-tun | grep "arp_tpa=${TARGET_IP} "
 
# delete ARP entry
docker exec -t openvswitch_vswitchd ovs-ofctl --strict del-flows br-tun "priority=1,arp,dl_vlan=21,arp_tpa=10.11.12.13"

Public IP

# show public network
openstack subnet list --network public

Find IP in namespace

IP=172.16.0
for NS in $(ip netns | cut -d" " -f1); do
    ip netns exec ${NS} ip a | grep ${IP} && echo ${NS}
done

Add / Delete port

# show ports
nova interface-list ${SERVER_ID}
 
# add port
openstack server add port ${SERVER_ID} ${PORT_ID}
 
# add remove port
openstack server remove port ${SERVER_ID} ${PORT_ID}

Debug

# search for INACTIVE ports
DB_PASS=$(grep neutron_database_password /etc/kolla/passwords.yml | cut -d " " -f2)
mysql --host=${DB_HOST} --password=${DB_PASS} --port=3306 --user=neutron --database=neutron \
  -se "select port_id from ml2_port_bindings where status = 'INACTIVE'"
 
# check total port count for a network
for COMPUTE_NODE in com{{1..10},{150..155}}-stage; do
    BR_INT=$(ssh ${COMPUTE_NODE} docker exec -t openvswitch_vswitchd ovs-ofctl dump-flows br-int | grep arp | cut -d"," -f9 | cut -d"=" -f2 | cut -d" " -f1)
    BR_TUN=$(ssh ${COMPUTE_NODE} docker exec -t openvswitch_vswitchd ovs-ofctl dump-flows br-tun | grep arp | cut -d"," -f9 | cut -d"=" -f2 | cut -d" " -f1)
    comm -12  <(echo "$BR_INT" | sort) <(echo "$BR_TUN" | sort) | grep 10.123.0
done