Provide insightful check and operations for OpenStack Neutron!
version 0.5
easyOVS provides a more convenient and fluent way to operate your OpenvSwitch bridges, iptables in OpenStack platform, such as list the rules or validate the configurations in a smart style with color!
If using in OpenStack environment (Currently tested from the Havana to the Kilo release), easyOVS will automatically associate the virtual ports with the vm MAC/IP, VLAN Tag and namespace information, and the iptables rules for vm.
- Support OpenvSwitch version 1.4.6 ~ 2.1.0.
- Support most popular Linux distributions, e.g., Ubuntu,Debian, CentOS and Fedora.
- Format the output and use color to make it clear and easy to compare.
- Associate the OpenStack information (e.g., vm ip) on the virtual port or rule
- Query openvswitch,iptables,namespace information in smart way.
- Check if the DVR configuration is correct.
- Smart command completion, try tab everywhere.
- Support runing local system commands.
- Support runing individual command with
-m 'cmd'
and quit.
Download the latest version and install.
git clone https://github.com/yeasy/easyOVS.git && sudo bash ./easyOVS/util/install.sh
After the installation, start easyovs with
sudo easyovs
easyOVS will show an interactive CLI, which supports command suggestions and formatted colorful output.
remove the :ro
flag if you want to modify the ovs rules or net namespaces.
docker run -it \
--rm \
--net='host' \
--pid='host' \
--privileged \
-v /var/run/openvswitch/:/var/run/openvswitch/:ro \
-v /var/run/netns/:/var/run/netns/:ro \
-v /var/lib/neutron/:/var/lib/neutron/:ro \
-v /etc/sysctl.conf:/etc/sysctl.conf:ro \
-v /etc/neutron/:/etc/neutron/:ro \
yeasy/easyovs:latest
Replace the following openstack credentials with your own.
docker run -it \
--rm \
--net='host' \
--pid='host' \
--privileged \
-v /var/run/openvswitch/:/var/run/openvswitch/:ro \
-v /var/run/netns/:/var/run/netns/:ro \
-v /var/lib/neutron/:/var/lib/neutron/:ro \
-v /etc/sysctl.conf:/etc/sysctl.conf:ro \
-v /etc/neutron/:/etc/neutron/:ro \
-e OS_USERNAME=$OS_USERNAME \
-e OS_PASSWORD=$OS_PASSWORD \
-e OS_TENANT_NAME=$OS_TENANT_NAME \
-e OS_AUTH_URL=$OS_AUTH_URL \
yeasy/easyovs:latest
Certainly, you can wrap the above command into a script, to run command
directly with Docker container without such long typing, e.g., make a ./docker-easyovs.sh
file with content as
#!/bin/sh
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
docker run -it \
--rm \
--net='host' \
--pid='host' \
--privileged \
-v /var/run/openvswitch/:/var/run/openvswitch/:ro \
-v /var/run/netns/:/var/run/netns/:ro \
-v /var/lib/neutron/:/var/lib/neutron/:ro \
-v /etc/sysctl.conf:/etc/sysctl.conf:ro \
-v /etc/neutron/:/etc/neutron/:ro \
-e OS_USERNAME=$OS_USERNAME \
-e OS_PASSWORD=$OS_PASSWORD \
-e OS_TENANT_NAME=$OS_TENANT_NAME \
-e OS_AUTH_URL=$OS_AUTH_URL \
yeasy/easyovs:latest "$@"
Make the script executable and run it.
# chmod a+x docker-easyovs.sh
# ./docker-easyovs.sh
You can also run easyovs command directly with -m
as
# ./docker-easyovs.sh -m "dump br-int"
ID TAB PKT PRI MATCH ACT
0 0 3525622 2 in_port=int-br-ex drop
1 0 925 1 * NORMAL
2 23 0 0 * drop
If you wanna upgrade easyOVS from a previous version, just run
sudo bash ./easyOVS/util/install.sh -u
If you wanna remove the package from the system
sudo bash ./easyOVS/util/install.sh -d
To integrate the port information collected from OpenStack, please set the authentication information in your environment: e.g.,
export OS_USERNAME=demo
export OS_TENANT_NAME=demo
export OS_PASSWORD=admin
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
Otherwise, set the information into the etc/easyovs.conf
file.
[OS]
auth_url = http://127.0.0.1:5000/v2.0
username = demo
password = admin
tenant_name = demo
Show the available commands and some usage examples.
List the available bridges. The output would look like
EasyOVS> list
s1
Port: s1-eth2 s1 s1-eth1
Interface: s1-eth2 s1 s1-eth1
Controller:ptcp:6634 tcp:127.0.0.1:6633
Fail_Mode: secure
s2
Port: s2 s2-eth3 s2-eth2 s2-eth1
Interface: s2 s2-eth3 s2-eth2 s2-eth1
Controller:tcp:127.0.0.1:6633 ptcp:6635
Fail_Mode: secure
s3
Port: s3-eth1 s3-eth3 s3-eth2 s3
Interface: s3-eth1 s3-eth3 s3-eth2 s3
Controller:ptcp:6636 tcp:127.0.0.1:6633
Fail_Mode: secure
EasyOVS> show [bridge|default]
Show the ports information of a given bridge. The output would look like
EasyOVS> show br-int
br-int
Intf Port Vlan Type vmIP vmMAC
int-br-eth0 15
qvo260209fa-72 11 1 192.168.0.4 fa:16:3e:0f:17:04
qvo583c7038-d3 2 1 192.168.0.2 fa:16:3e:9c:dc:3a
qvo8bf9cba2-3f 9 1 192.168.0.5 fa:16:3e:a2:2f:0e
qvod4de9fe0-6d 8 2 10.0.0.2 fa:16:3e:38:2b:2e
br-int LOCAL internal
EasyOVS> addbr br-test
Create a new bridge. The output would look like
EasyOVS> addbr br1,br2
bridge br1 was created
bridge br2 was created
EasyOVS> delbr br-test
Delete a bridge. The output would look like
EasyOVS> delbr br1
bridge br1 was deleted
EasyOVS> dump [bridge|default]
Dump flows in a bridge. The output would look like
EasyOVS> dump br-tun
ID PKT TAB PRI MATCH ACT
0 44 0 1 in_port=gre-ac1da15d resubmit(,3)
1 1 0 1 in_port=gre-ac1da15f resubmit(,3)
2 40 0 1 in_port=patch-int resubmit(,2)
3 0 0 1 in_port=vxlan-ac1da15d resubmit(,4)
4 0 0 1 in_port=vxlan-ac1da15f resubmit(,4)
5 0 0 0 * drop
6 40 2 0 dl_dst=00::00/01:00::00 resubmit(,20)
7 0 2 0 dl_dst=01:00::00/01:00::00 resubmit(,22)
8 44 3 1 tun_id=0x2 mod_vlan_vid:1,resubmit(,10)
9 1 3 0 * drop
10 0 4 0 * drop
11 44 10 1 * learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:patch-int
12 3 20 0 * resubmit(,22)
13 3 22 0 strip_vlan,set_tunnel:0x2,output:gre-ac1da15f,output:gre-ac1da15d
14 0 22 0 * drop
EasyOVS> addflow [bridge|default] [match] actions=[action]
Add a flow into the bridge, e.g.,
EasyOVS> addflow br-int priority=3 ip actions=OUTPUT:1
EasyOVS> delflow [bridge|default] id1 id2...
Delete flows with given ids (see the first column of the dump
output).
EasyOVS> set bridge
Set the default bridge. Then you will go into a bridge mode, and can ignore the bridge parameter when using the command.
EasyOVS> set br-int
Set the default bridge to br-int.
EasyOVS: br-int>
EasyOVS> exit
Exit from the bridge mode, or quit EasyOVS if already at the top level.
EasyOVS> get
Get the current default bridge.
EasyOVS: br-int> get
Current default bridge is br-int
EasyOVS> ipt vm vm_ip...
Show the related iptables rules of the given vms.
EasyOVS> ipt vm 192.168.0.2
## IP = 192.168.0.2, port = qvo583c7038-d ##
PKTS SOURCE DESTINATION PROT OTHER
#IN:
672 all all all state RELATED,ESTABLISHED
0 all all tcp tcp dpt:22
0 all all icmp
0 192.168.0.4 all all
3 192.168.0.5 all all
8 10.0.0.2 all all
85784 192.168.0.3 all udp udp spt:67 dpt:68
#OUT:
196K all all udp udp spt:68 dpt:67
86155 all all all state RELATED,ESTABLISHED
1241 all all all
#SRC_FILTER:
59163 192.168.0.2 all all MAC FA:16:3E:9C:DC:3A
EasyOVS> ipt show [table] [chain]...
Show the related iptables rules of the given table or chain.
EasyOVS> ipt show filter FORWARD
table=filter
chain=FORWARD
1 0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
3 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
4 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
6 691K 1117M DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
7 691K 1117M ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 463K 26M ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
9 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Check namespaces related operations
EasyOVS> ns list
will list all existing namespace names.
EasyOVS> ns show id_prefix
will show the information of namespace whose id has the prefix.
EasyOVS> ns find pattern
will find the namespace whose content has the pattern.
EasyOVS> ns show id
# Namespace = id
ID Intf Mac IPs
12 tapd41cd120-62 fa:16:3e:75:01:0e 11.3.3.2/24, 169.254.169.254/16
EasyOVS> query vm_ip1, port_id...
Show the related port information by giving the IP address or part of the id string.
EasyOVS> query 10.0.0.2,c4493802
## port_id = f47c62b0-dbd2-4faa-9cdd-8abc886ce08f
status: ACTIVE
name:
allowed_address_pairs: []
admin_state_up: True
network_id: ea3928dc-b1fd-4a1a-940e-82b8c55214e6
tenant_id: 3a55e7b5f5504649a2dfde7147383d02
extra_dhcp_opts: []
binding:vnic_type: normal
device_owner: compute:az_compute
mac_address: fa:16:3e:52:7a:f2
fixed_ips: [{u'subnet_id': u'94bf94c0-6568-4520-aee3-d12b5e472128', u'ip_address': u'10.0.0.2'}]
id: f47c62b0-dbd2-4faa-9cdd-8abc886ce08f
security_groups: [u'7c2b801b-4590-4a1f-9837-1cceb7f6d1d0']
device_id: c3522974-8a08-481c-87b5-fe3822f5c89c
## port_id = c4493802-4344-42bd-87a6-1b783f88609a
status: ACTIVE
name:
allowed_address_pairs: []
admin_state_up: True
network_id: ea3928dc-b1fd-4a1a-940e-82b8c55214e6
tenant_id: 3a55e7b5f5504649a2dfde7147383d02
extra_dhcp_opts: []
binding:vnic_type: normal
device_owner: compute:az_compute
mac_address: fa:16:3e:94:84:90
fixed_ips: [{u'subnet_id': u'94bf94c0-6568-4520-aee3-d12b5e472128', u'ip_address': u'10.0.0.4'}]
id: c4493802-4344-42bd-87a6-1b783f88609a
security_groups: [u'7c2b801b-4590-4a1f-9837-1cceb7f6d1d0']
device_id: 9365c842-9228-44a6-88ad-33d7389cda5f
This feature is still experimental. Check your local dvr configuration information, such as the virtual ports, namespaces, iptables, etc.
EasyOVS> dvr check [compute, net]
will check for the given node.
If no node type is given, it will smartly guess on what node.
# No type given, guessing...compute node
=== Checking DVR on compute node ===
>>> Checking config files...
# Checking file = /etc/sysctl.conf...
# Checking file = /etc/neutron/neutron.conf...
# Checking file = /etc/neutron/plugins/ml2/ml2_conf.ini...
file /etc/neutron/plugins/ml2/ml2_conf.ini Not has [agent]
file /etc/neutron/plugins/ml2/ml2_conf.ini Not has l2_population = True
file /etc/neutron/plugins/ml2/ml2_conf.ini Not has enable_distributed_routing = True
file /etc/neutron/plugins/ml2/ml2_conf.ini Not has arp_responder = True
# Checking file = /etc/neutron/l3_agent.ini...
<<< Checking config files has warnings
>>> Checking bridges...
# Existing bridges are br-tun, br-int, br-eno1, br-ex
# Vlan bridge is at br-tun, br-int, br-eno1, br-ex
<<< Checking bridges passed
>>> Checking vports ...
## Checking router port = qr-b0142af2-12
### Checking rfp port rfp-f046c591-7
Found associated floating ips : 172.29.161.127/32, 172.29.161.126/32
### Checking associated fpr port fpr-f046c591-7
### Check related fip_ns=fip-9e1c850d-e424-4379-8ebd-278ae995d5c3
Bridging in the same subnet
fg port is attached to br-ex
floating ip 172.29.161.127 match fg subnet
floating ip 172.29.161.126 match fg subnet
Checking chain rule number: neutron-postrouting-bottom...Passed
Checking chain rule number: OUTPUT...Passed
Checking chain rule number: neutron-l3-agent-snat...Passed
Checking chain rules: neutron-postrouting-bottom...Passed
Checking chain rules: PREROUTING...Passed
Checking chain rules: OUTPUT...Passed
Checking chain rules: POSTROUTING...Passed
Checking chain rules: POSTROUTING...Passed
Checking chain rules: neutron-l3-agent-POSTROUTING...Passed
Checking chain rules: neutron-l3-agent-PREROUTING...Passed
Checking chain rules: neutron-l3-agent-OUTPUT...Passed
DNAT for incomping: 172.29.161.127 --> 10.0.0.3 passed
Checking chain rules: neutron-l3-agent-float-snat...Passed
SNAT for outgoing: 10.0.0.3 --> 172.29.161.127 passed
Checking chain rules: neutron-l3-agent-OUTPUT...Passed
DNAT for incomping: 172.29.161.126 --> 10.0.0.216 passed
Checking chain rules: neutron-l3-agent-float-snat...Passed
SNAT for outgoing: 10.0.0.216 --> 172.29.161.126 passed
## Checking router port = qr-8c41bfc7-56
Checking passed already
<<< Checking vports passed
EasyOVS> sh cmd
Run the system cmd locally, e.g., using ls -l to show local directory's content.
EasyOVS> sh ls -l
total 48
drwxr-xr-x. 2 root root 4096 Apr 1 14:34 bin
drwxr-xr-x. 5 root root 4096 Apr 1 14:56 build
drwxr-xr-x. 2 root root 4096 Apr 1 14:56 dist
drwxr-xr-x. 2 root root 4096 Apr 1 14:09 doc
drwxr-xr-x. 4 root root 4096 Apr 1 14:56 easyovs
-rw-r--r--. 1 root root 660 Apr 1 14:56 easyovs.1
drwxr-xr-x. 2 root root 4096 Apr 1 14:56 easyovs.egg-info
-rw-r--r--. 1 root root 2214 Apr 1 14:53 INSTALL.md
-rw-r--r--. 1 root root 1194 Apr 1 14:53 Makefile
-rw-r--r--. 1 root root 3836 Apr 1 14:53 README.md
-rw-r--r--. 1 root root 1177 Apr 1 14:53 setup.py
drwxr-xr-x. 2 root root 4096 Apr 1 14:09 util
Input ^d
or quit
to exit EasyOVS.
##Options
Show the help message on supported options, such as
$ easyovs -h
Usage: easyovs [options]
(type easyovs -h for details)
The easyovs utility creates operation CLI from the command line. It can run
given commands, invoke the EasyOVS CLI, and run tests.
Options:
-h, --help show this help message and exit
-c, --clean clean and exit
-m CMD, --cmd=CMD Run customized commands for tests.
-v VERBOSITY, --verbosity=VERBOSITY
info|warning|critical|error|debug|output
--version
Clean the env.
Run the given command in easyovs directly, show the output, and exit.
easyovs -m "show br-int"
E.g. easyovs -m 'br-int dump'
.
Set verbosity level.
Show the version information.
#Known Issues
- Using Docker to run easyOVS, when local host's namespaces are changed during the running. easyOVS may complain access namespace error. This is possiblly due to the access privilege with Docker. Just restart it.
- The DVR check feature can check pure network node or pure compute node, but does not support mixing those two types together at one node (This is not recommended in production environment).
#Credits Thanks to the OpenvSwitch Team, Mininet Team and OpenStack Team, who gives helpful implementation example and useful tools.