OpenStack - networking debug commands

ML2/OVN debug

export SB=$(docker exec openvswitch_vswitchd ovs-vsctl get open . external_ids:ovn-remote | sed -e 's/\"//g')
export NB=$(docker exec openvswitch_vswitchd ovs-vsctl get open . external_ids:ovn-remote | sed -e 's/\"//g' | sed -e 's/6642/6641/g')

openstack network list
openstack port list
docker exec -it ovn_controller ovn-nbctl --db=$NB ls-list
docker exec -it ovn_controller ovn-nbctl --db=$NB show caad04e9-6402-4dad-84ed-429e88dcab86

openstack router list
docker exec -it ovn_controller ovn-nbctl --db=$NB lr-list
docker exec -it ovn_controller ovn-nbctl --db=$NB show 34f3d442-978f-49ff-aef6-c199267a4f24
docker exec -it ovn_controller ovn-nbctl --db=$NB lr-nat-list 34f3d442-978f-49ff-aef6-c199267a4f24

openstack network agent list -f yaml --host compute4
openstack network agent show -f yaml -c configuration 3f476030-9809-5082-a6dd-25db27e5e24c # (Agent Type: OVN Metadata agent)

openstack floating ip list
docker exec -it ovn_controller ovn-nbctl --db=$NB show
docker exec -it ovn_controller ovn-nbctl --db=$NB find NAT type='dnat_and_snat'

openstack security group list
docker exec -it ovn_controller ovn-nbctl --db=$NB list Port_Group
openstack security group rule list d85f1b0e-656c-4f28-b03e-0493b47e3eb5
docker exec -it ovn_controller ovn-nbctl --db=$NB acl-list c7e3f472-de6c-423f-b8cb-963aaeca13bb

tcpdump -i ethTenant
ovn-nbctl show
ovn-sbctl lflow-list N

docker exec -it ovn_controller ovn-nbctl --db=$NB show
ovn-trace --ct=new --summary neutron-86eef28a-5dcb-4d82-b5f6-0c7cccdb06bd 'inport == "provnet-0ac72901-9472-4958-a30f-2f2d292cd1ce" && ip4.src == 172.17.32.1 && ip4.dst == 172.17.32.201 && ip.ttl == 32 && icmp4.type == 8'



ovn-nbctl list Logical_Switch
ovn-nbctl list Logical_Switch_Port
ovn-nbctl list ACL
ovn-nbctl list Address_Set
ovn-nbctl list Logical_Router
ovn-nbctl list Logical_Router_Port

ovn-sbctl list Chassis
ovn-sbctl list Encap
ovn-nbctl list Address_Set
ovn-sbctl lflow-list
ovn-sbctl list Multicast_Group
ovn-sbctl list Datapath_Binding
ovn-sbctl list Port_Binding
ovn-sbctl list MAC_Binding



export SB=$(docker exec openvswitch_vswitchd ovs-vsctl get open . external_ids:ovn-remote | sed -e 's/\"//g')
export NB=$(docker exec openvswitch_vswitchd ovs-vsctl get open . external_ids:ovn-remote | sed -e 's/\"//g' | sed -e 's/6642/6641/g')
alias ovs-vsctl='docker exec openvswitch_vswitchd ovs-vsctl'
alias ovs-ofctl='docker exec openvswitch_vswitchd ovs-ofctl'
alias ovs-appctl='docker exec openvswitch_vswitchd ovs-appctl'
alias ovs-dpctl='docker exec openvswitch_vswitchd ovs-dpctl'
alias ovs-tcpdump='docker exec openvswitch_vswitchd ovs-tcpdump'
alias ovn-sbctl='docker exec ovn_controller ovn-sbctl --db=$SB'
alias ovn-nbctl='docker exec ovn_controller ovn-nbctl --db=$NB'
alias ovn-trace='docker exec ovn_controller ovn-trace --db=$SB'
alias ovn-appctl='docker exec ovn_controller ovn-appctl'
alias ovn-detrace='cat >/tmp/trace && $containerTool cp /tmp/trace ovn_controller:/tmp/trace && docker exec -it ovn_controller bash -c "ovn-detrace --ovnsb=$SB --ovnnb=$NB </tmp/trace"'

# https://lewisdenny.io/tracing_packets_out_an_external_network_with_ovn/
# https://lewisdenny.io/how_to_trace_packets_in_ovn/
# https://lewisdenny.io/ovs_ovn_command_cheat_sheet/

OVS

tcpdump br-int

Create:

ip link add name snooper0 type dummy
ip link set dev snooper0 up
docker exec -it openvswitch_vswitchd ovs-vsctl add-port br-int snooper0
docker exec -it openvswitch_vswitchd ovs-vsctl -- set Bridge br-int mirrors=@m  -- --id=@snooper0 get Port snooper0  -- --id=@patch-tun get Port patch-tun -- --id=@m create Mirror name=mymirror select-dst-port=@patch-tun select-src-port=@patch-tun output-port=@snooper0 select_all=1

Listen:

tcpdump -i snooper0 -nn

Destroy:

docker exec -it openvswitch_vswitchd ovs-vsctl clear Bridge br-int mirrors
docker exec -it openvswitch_vswitchd ovs-vsctl del-port br-int snooper0
ip link delete dev snooper0

tcpdump br-ext

Create:

ip link add name snooper1 type dummy
ip link set dev snooper1 up
docker exec -it openvswitch_vswitchd ovs-vsctl add-port br-ex snooper1
docker exec -it openvswitch_vswitchd ovs-vsctl -- set Bridge br-ex mirrors=@m  -- --id=@snooper1 get Port snooper1  -- --id=@phy-br-ex get Port phy-br-ex -- --id=@m create Mirror name=mymirror select-dst-port=@phy-br-ex select-src-port=@phy-br-ex output-port=@snooper1 select_all=1

Listen:

tcpdump -i snooper1 -nn

Destroy:

docker exec -it openvswitch_vswitchd ovs-vsctl clear Bridge br-ex mirrors
docker exec -it openvswitch_vswitchd ovs-vsctl del-port br-ex snooper1
ip link delete dev snooper1

tcpdump br-tun

Create:

ip link add name snooper2 type dummy
ip link set dev snooper2 up
docker exec -it openvswitch_vswitchd ovs-vsctl add-port br-tun snooper2
docker exec -it openvswitch_vswitchd ovs-vsctl -- set Bridge br-tun mirrors=@m  -- --id=@snooper2 get Port snooper2  -- --id=@patch-int get Port patch-int -- --id=@m create Mirror name=mymirror select-dst-port=@patch-int select-src-port=@patch-int output-port=@snooper2 select_all=1

Listen:

tcpdump -i snooper2 -nn

Destroy:

docker exec -it openvswitch_vswitchd ovs-vsctl clear Bridge br-tun mirrors
docker exec -it openvswitch_vswitchd ovs-vsctl del-port br-tun snooper2
ip link delete dev snooper2

tcpdump qrouter

List namespaces:

ip netns list

Choose qrouter:

export QR='qrouter-5ecea156-c41e-45ed-9602-2dbb29cc5359'

ip netns exec $QR bash
ip netns exec $QR ip a
ip netns exec $QR ping -c 1 172.17.0.1
ip netns exec $QR ping -c 1 172.17.0.17
ip netns exec $QR ping -c 1 172.17.0.18
ip netns exec $QR ping -c 1 172.17.0.19
ip netns exec $QR ping -c 1 172.17.0.109
ip netns exec $QR ping -c 1 10.10.100.252
ip netns exec $QR tcpdump
ip netns exec $QR arp -an
ip netns exec $QR netstat -rn

## ML2/OVS debug



openstack subnet list
openstack port list



docker exec -it openvswitch_vswitchd bash
docker exec -it openvswitch_vswitchd ovs-vsctl list-br
docker exec -it openvswitch_vswitchd ovs-vsctl list-ifaces br-ex
docker exec -it openvswitch_vswitchd ovs-vsctl list-ports br-ex
docker exec -it openvswitch_vswitchd ovs-vsctl show
docker exec -it openvswitch_vswitchd ovs-ofctl show br-ex
docker exec -it openvswitch_vswitchd ovs-ofctl show br-int
docker exec -it openvswitch_vswitchd ovs-ofctl show br-tun
docker exec -it openvswitch_vswitchd ovs-ofctl dump-ports br-ex
docker exec -it openvswitch_vswitchd ovs-ofctl dump-ports br-int
docker exec -it openvswitch_vswitchd ovs-ofctl dump-ports br-tun
docker exec -it openvswitch_vswitchd ovs-ofctl dump-flows br-ex
docker exec -it openvswitch_vswitchd ovs-ofctl dump-flows br-int
docker exec -it openvswitch_vswitchd ovs-ofctl dump-flows br-tun
docker exec -it openvswitch_vswitchd ovs-ofctl dump-ports-desc br-ex
docker exec -it openvswitch_vswitchd ovs-ofctl dump-ports-desc br-int
docker exec -it openvswitch_vswitchd ovs-ofctl dump-ports-desc br-tun

https://stackoverflow.com/questions/25543925/openstack-neutron-cant-ping-external-network
https://files-cdn.cnblogs.com/files/wtfbk/neutron_packet_flows-notes-handout.pdf

https://docs.openstack.org/operations-guide/ops-network-troubleshooting.html
https://docs.openstack.org/liberty/networking-guide/scenario-classic-ovs.html
https://docs.openstack.org/liberty/networking-guide/scenario-classic-lb.html
https://wiki.openstack.org/wiki/OpsGuide-Network-Troubleshooting


proj_id=$(openstack project list | grep admin | awk '{print $2}')
group_id=$(openstack security group list | grep $proj_id | awk '{print $2}')

openstack security group rule create --proto icmp $group_id
openstack security group rule create --proto tcp --dst-port 1:65535 $group_id
openstack security group rule create --proto udp --dst-port 1:65535 $group_id