Metadata HTTP connections blocked

Asked by Mark Hall

I have an OpenStack Pike installation running on Ubuntu 16.04 (package based install, no devstack). I am running networking-ovn 3.0.0 with OVS 2.8 and DPDK. Provider networks, tenant networks, routers, NAT, Floating IPs and DHCP all appear to be working perfectly. The only thing I cannot get to work is the metadata proxy.

The namespaces are created, both the networking-ovn-metadata-proxy and haproxy are running. I see no errors in any logs. For some reason, it appears as if the packets traveling from the proxy back to the VM are being dropped.

How can I convince the vSwitch to forward the packets back toward the VM?

I see the packets leaving the proxy netns:

root@Pike-Compute1:/root# ip netns exec ovnmeta-341aa038-f40e-452c-8c57-f1d11d5c977f tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap341aa038-f1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:45:39.387695 IP 10.109.181.5.60032 > 169.254.169.254.http: Flags [S], seq 468129238, win 14600, options [mss 1460,sackOK,TS val 4294917104 ecr 0,nop,wscale 4], length 0
19:45:39.387717 IP 169.254.169.254.http > 10.109.181.5.60032: Flags [S.], seq 1535996162, ack 468129239, win 28960, options [mss 1460,sackOK,TS val 95894 ecr 4294917104,nop,wscale 7], length 0
19:45:40.384106 IP 10.109.181.5.60032 > 169.254.169.254.http: Flags [S], seq 468129238, win 14600, options [mss 1460,sackOK,TS val 4294917354 ecr 0,nop,wscale 4], length 0
19:45:40.384115 IP 169.254.169.254.http > 10.109.181.5.60032: Flags [S.], seq 1535996162, ack 468129239, win 28960, options [mss 1460,sackOK,TS val 96143 ecr 4294917104,nop,wscale 7], length 0
19:45:40.496858 IP 169.254.169.254.http > 10.109.181.7.47384: Flags [S.], seq 1901681992, ack 2706330805, win 28960, options [mss 1460,sackOK,TS val 96172 ecr 4294908110,nop,wscale 7], length 0
19:45:41.380853 IP 169.254.169.254.http > 10.109.181.5.60032: Flags [S.], seq 1535996162, ack 468129239, win 28960, options [mss 1460,sackOK,TS val 96393 ecr 4294917104,nop,wscale 7], length 0
19:45:41.543466 IP 10.109.181.7.47387 > 169.254.169.254.http: Flags [S], seq 3085697909, win 14600, options [mss 1460,sackOK,TS val 4294917124 ecr 0,nop,wscale 4], length 0
19:45:41.543482 IP 169.254.169.254.http > 10.109.181.7.47387: Flags [S.], seq 4188813093, ack 3085697910, win 28960, options [mss 1460,sackOK,TS val 96433 ecr 4294917124,nop,wscale 7], length 0
19:45:42.388139 IP 10.109.181.5.60032 > 169.254.169.254.http: Flags [S], seq 468129238, win 14600, options [mss 1460,sackOK,TS val 4294917855 ecr 0,nop,wscale 4], length 0
19:45:42.388148 IP 169.254.169.254.http > 10.109.181.5.60032: Flags [S.], seq 1535996162, ack 468129239, win 28960, options [mss 1460,sackOK,TS val 96644 ecr 4294917104,nop,wscale 7], length 0
19:45:42.540443 IP 10.109.181.7.47387 > 169.254.169.254.http: Flags [S], seq 3085697909, win 14600, options [mss 1460,sackOK,TS val 4294917374 ecr 0,nop,wscale 4], length 0
19:45:42.540452 IP 169.254.169.254.http > 10.109.181.7.47387: Flags [S.], seq 4188813093, ack 3085697910, win 28960, options [mss 1460,sackOK,TS val 96682 ecr 4294917124,nop,wscale 7], length 0
19:45:43.536853 IP 169.254.169.254.http > 10.109.181.7.47387: Flags [S.], seq 4188813093, ack 3085697910, win 28960, options [mss 1460,sackOK,TS val 96932 ecr 4294917124,nop,wscale 7], length 0
19:45:44.384854 IP 169.254.169.254.http > 10.109.181.5.60032: Flags [S.], seq 1535996162, ack 468129239, win 28960, options [mss 1460,sackOK,TS val 97144 ecr 4294917104,nop,wscale 7], length 0
19:45:44.528853 IP 169.254.169.254.http > 10.109.181.7.47386: Flags [S.], seq 3816169130, ack 3775423454, win 28960, options [mss 1460,sackOK,TS val 97180 ecr 4294914120,nop,wscale 7], length 0

They appear to be dropped by connection tracking (the entry from table 14 accounts for the missing TCP frames):

root@Pike-Compute1:/root# ovs-ofctl dump-flows br-int | grep -v n_packets=0 | grep drop
 cookie=0x1f5859a7, duration=231.112s, table=14, n_packets=343, n_bytes=25422, idle_age=0, priority=65535,ct_state=+inv+trk,metadata=0x3 actions=drop
 cookie=0x0, duration=232.242s, table=34, n_packets=1, n_bytes=78, idle_age=224, priority=100,reg10=0/0x1,reg14=0x5,reg15=0x5,metadata=0x3 actions=drop
 cookie=0x0, duration=230.840s, table=34, n_packets=48, n_bytes=3024, idle_age=198, priority=100,reg10=0/0x1,reg14=0x1,reg15=0x1,metadata=0x3 actions=drop
 cookie=0x0, duration=230.840s, table=34, n_packets=1, n_bytes=78, idle_age=222, priority=100,reg10=0/0x1,reg14=0x4,reg15=0x4,metadata=0x3 actions=drop
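
The two observations in the question can be checked mechanically. The following is an added example, not part of the original question or of networking-ovn: it finds clients whose SYN-ACK is re-sent without the handshake progressing, and lists drop flows with non-zero counters together with their ct_state match. The function names are hypothetical; the sample input is copied from the first lines of the output above.

```python
import re
from collections import Counter

# Sample input: first lines of the tcpdump and ovs-ofctl output in the question.
CAPTURE = """\
19:45:39.387695 IP 10.109.181.5.60032 > 169.254.169.254.http: Flags [S], seq 468129238, win 14600, options [mss 1460,sackOK,TS val 4294917104 ecr 0,nop,wscale 4], length 0
19:45:39.387717 IP 169.254.169.254.http > 10.109.181.5.60032: Flags [S.], seq 1535996162, ack 468129239, win 28960, options [mss 1460,sackOK,TS val 95894 ecr 4294917104,nop,wscale 7], length 0
19:45:40.384106 IP 10.109.181.5.60032 > 169.254.169.254.http: Flags [S], seq 468129238, win 14600, options [mss 1460,sackOK,TS val 4294917354 ecr 0,nop,wscale 4], length 0
19:45:40.384115 IP 169.254.169.254.http > 10.109.181.5.60032: Flags [S.], seq 1535996162, ack 468129239, win 28960, options [mss 1460,sackOK,TS val 96143 ecr 4294917104,nop,wscale 7], length 0
19:45:40.496858 IP 169.254.169.254.http > 10.109.181.7.47384: Flags [S.], seq 1901681992, ack 2706330805, win 28960, options [mss 1460,sackOK,TS val 96172 ecr 4294908110,nop,wscale 7], length 0
"""
FLOWS = """\
 cookie=0x1f5859a7, duration=231.112s, table=14, n_packets=343, n_bytes=25422, idle_age=0, priority=65535,ct_state=+inv+trk,metadata=0x3 actions=drop
 cookie=0x0, duration=232.242s, table=34, n_packets=1, n_bytes=78, idle_age=224, priority=100,reg10=0/0x1,reg14=0x5,reg15=0x5,metadata=0x3 actions=drop
"""
PKT = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\](?:, seq (\d+))?")

def stalled_handshakes(capture):
    """Map client endpoint -> SYN-ACK count where the same SYN-ACK is re-sent
    and that client never sends a non-SYN packet (handshake never completes)."""
    synacks, progressed = Counter(), set()
    for line in capture.splitlines():
        if not (m := PKT.match(line)):
            continue
        src, dst, flags, seq = m.groups()
        if flags == "S.":
            synacks[(dst, seq)] += 1      # server reply, keyed by client + seq
        elif "S" not in flags:
            progressed.add(src)           # ACK/data/FIN: handshake got past SYN
    return {dst: n for (dst, _), n in synacks.items()
            if n > 1 and dst not in progressed}

def active_drops(dump):
    """Return (table, n_packets, ct_state) for drop flows that matched packets.
    A ct_state containing +inv means conntrack classified the packet as invalid."""
    hits = []
    for line in dump.splitlines():
        if not line.rstrip().endswith("actions=drop"):
            continue
        table = int(re.search(r"table=(\d+)", line).group(1))
        packets = int(re.search(r"n_packets=(\d+)", line).group(1))
        ct = re.search(r"ct_state=([^,\s]+)", line)
        if packets > 0:
            hits.append((table, packets, ct.group(1) if ct else None))
    return hits

if __name__ == "__main__":
    print("stalled:", stalled_handshakes(CAPTURE))
    for table, packets, ct in active_drops(FLOWS):
        print(f"table {table}: {packets} packets dropped, ct_state={ct}")
```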

Question information

Language: English
Status: Expired
For: networking-ovn
Assignee: No assignee

Launchpad Janitor (janitor) said :
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.