kvm: Refactory VXLAN script and add IPv6 support #3070
Conversation
This script was using TAB instead of 4 spaces and had many blank lines containing whitespace. This commit also fixes some Bash styling, but it does not touch the functionality of the script. Signed-off-by: Wido den Hollander <wido@widodh.nl>
Bash suggest using double brackets instead of single brackets in if-statement test logic Signed-off-by: Wido den Hollander <wido@widodh.nl>
They are only transport devices and should not be interacting in the IPv6 traffic. If IPv6 is enabled Instances can connect to the Hypervisor over Link-Local IPv6 which is a potential security issue. By disabling IPv6 on the Bridge and VXLAN device they still forward Layer 2 packets as intended, but they do not respond on anything. IPv4 and IPv6 traffic towards the Instances is untouched and works as before. Signed-off-by: Wido den Hollander <wido@widodh.nl>
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos6 ✔centos7 ✔debian. JID-2476 |
|
@blueorangutan test |
|
@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
Trillian test result (tid-3242)
|
This commit refactors the modifyvxlan.sh script by using only iproute2, the 'ip' command for all functions. brctl is deprecated and most bridge functionality can be performed with the 'ip' command. This commit also fixes various Bash coding fixes and removes a lot of exit status checking which was redundant. In addition it add IPv6 underlay for VXLAN transport. If the caller (KVM Agent) adds the '-6' flag it will generate IPv6 multicast groups and routes which will transport the VXLAN encapsulated packaes over IPv6 multicast groups. Signed-off-by: Wido den Hollander <wido@widodh.nl>
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos6 ✔centos7 ✔debian. JID-2478 |
|
@blueorangutan test |
|
@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
A manual test of this script: Create a VXLAN device and a bridge. root@n01:~# /usr/share/cloudstack-common/scripts/vm/network/vnet/modifyvxlan.sh -v 3000 -p cloudbr0 -b brvx-3000 -o add
multicast 239.0.11.184 for VNI 3000 on cloudbr0
vxlan: destination port not specified
Will use Linux kernel default (non-standard value)
Use 'dstport 4789' to get the IANA assigned value
Use 'dstport 0' to get default and quiet this message
root@n01:~# ip link show dev vxlan3000
182: vxlan3000: mtu 8950 qdisc noqueue master brvx-3000 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 76:e4:c1:bb:73:5c brd ff:ff:ff:ff:ff:ff
root@n01:~# bridge link show|grep brvx-3000
182: vxlan3000 state UNKNOWN : mtu 8950 master brvx-3000 state forwarding priority 32 cost 100
root@n01:~#
Delete the interfaces again root@n01:~# /usr/share/cloudstack-common/scripts/vm/network/vnet/modifyvxlan.sh -v 3000 -p cloudbr0 -b brvx-3000 -o delete root@n01:~# |
|
Trillian test result (tid-3243)
|
|
Is there somebody who can test this? I verified it works for us, but I would like a second pair of eyes. |
|
@kiwiflyer Can you comment? |
|
@andrijapanic Can you also take a look? |
|
@wido I've a vxlan+kvm based ci env, I'll try to test this week/soon |
|
Yes, I'll take a look
…On Wed, Dec 12, 2018, 12:56 PM Rohit Yadav ***@***.***> wrote:
@wido <https://github.com/wido> I've a vxlan+kvm based ci env, I'll try
to test this week/soon
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3070 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AQek8lsupNOxut58xNIUS5RoQ5Lfoz-pks5u4VF6gaJpZM4Y7-vn>
.
|
|
Need some time here, but will check. |
|
@kiwiflyer and @andrijapanic Have you been able to look at this? |
|
hm...did we drop support for Ubuntu 14.04 for cloudstack-agent ? @wido |
|
Which of this PR suggests that to you? All these commands should work on 14.04. Keep in mind, 14.04 is almost EOL. |
|
Sorry, perhaps I was not clear - it's 4.12/master with your PR.... cloudstack-agent : Depends: lsb-base (>= 9) but 4.1+Debian11ubuntu6.2 is to be installed So in 4.12 it seems Ubuntu 14.04 was deprecated... I can't easily test this...will try to give it some more effort possibly, but can't promise. |
|
@wido Sorry, I've been really busy the last few days. I'm trying to get to this really soon. |
|
LGTM @wido - I did replace the script in 4.11.2 with your version, before zone was built - and whole automation of zone deployment, different operations etc - and series of Marvin tests passed- with no difference to original/vanilla setup of 4.11.2. I did not test anything ipv6 related. |
|
Thanks! The IPv6 can't be tested at this moment nor is it used. The foundation has been added that Ipv6 multicast groups can be used if needed. |
|
Tested on Centos 7.5 - LGTM 2019-01-02 08:38:45,851 DEBUG [kvm.resource.BridgeVifDriver] (agentRequest-Handler-3:null) (logid:1d5cf06b) nic=[Nic:Guest-10.1.1.57-vxlan://7767] ip a|grep 7767 brctl show brvx-7767 |
|
Thanks! Could you ack the PR here in Github? Btw, 'brctl' is deprecated, it has been replcaed by the 'bridge' command :) |
|
yeah, call me old school ;-) |
DaanHoogland
left a comment
DaanHoogland
left a comment
There was a problem hiding this comment.
looks nice, any relevant integration tests?
|
@DaanHoogland Thanks! We do not have integration tests for this. That's why I asked for manual testing by users which all came back with LGTM |
| LOCKFILE=/var/run/cloud/vxlan.lock | ||
|
|
||
| ( | ||
| flock -x -w 10 200 || exit 1 |
There was a problem hiding this comment.
can we confirm if flock is installed/available by default on centos6/centos7 otherwise this will break on both distros? @wido /cc @DagSonsteboSB @borisstoyanov @PaulAngus @dhlaluku @anuragaw @shwstppr
There was a problem hiding this comment.
I've confirmed that flock comes default on CentOS7 and on Ubuntu 18.04. Not sure about CentOS6 and Ubuntu 16.04.
There was a problem hiding this comment.
I just checked, and I can confirm that flock is available by default on Ubuntu 16.04 and CentOS 6.
There was a problem hiding this comment.
Good! Thanks for checking that @rhtyd @rafaelweingartner.
9 participants
Description
This PR refactors the modifyvxlan.sh script for VXLAN support on KVM Hypervisors.
Highlights:
The script does not change existing functionality, running KVM hypervisors will keep functioning as they are doing right now.
This script hasn't been touched in 5 years (last commit in 2013) and needed some attention.
There are multiple commits in this PR to see how I got to the current code.
Types of changes
Screenshots (if appropriate):
How Has This Been Tested?
Tested on a local setup with CloudStack 4.12 (master) running.