Merge "Add info about nf_conntrack_proto_gre when ovs fw is used"

2019-05-12 01:56:27 +00:00 · 2019-05-12 01:56:27 +00:00 · 71e1cb6cb9
parent 8ffa02bbdb b8a18dc22a
commit 71e1cb6cb9
5 changed files with 47 additions and 0 deletions
--- a/devstack/lib/ovs
+++ b/devstack/lib/ovs
@ -210,3 +210,9 @@ function remove_ovs_packages() {
        fi
    done
 }
+
+
+# load_conntrack_gre_module() - loads nf_conntrack_proto_gre kernel module
+function load_conntrack_gre_module() {
+    sudo modprobe nf_conntrack_proto_gre
+}
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -28,6 +28,7 @@ if [[ "$1" == "stack" ]]; then
               [[ "$Q_BUILD_OVS_FROM_GIT" == "True" ]]; then
                remove_ovs_packages
                compile_ovs True /usr /var
+                load_conntrack_gre_module
                start_new_ovs
            fi
            ;;
--- a/doc/source/admin/config-ovsfwdriver.rst
+++ b/doc/source/admin/config-ovsfwdriver.rst
@ -53,3 +53,21 @@ Enable the native OVS firewall driver
 For more information, see the
 :doc:`/contributor/internals/openvswitch_firewall`
 and the `video <https://www.youtube.com/watch?v=SOHeZ3g9yxM>`_.
+
+Using GRE tunnels inside VMs with OVS firewall driver
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If GRE tunnels from VM to VM are going to be used, the native OVS firewall
+implementation requires ``nf_conntrack_proto_gre`` module to be loaded in
+the kernel on nodes running the Open vSwitch agent.
+It can be loaded with the command:
+
+.. code-block:: console
+
+    # modprobe nf_conntrack_proto_gre
+
+Some Linux distributions have files that can be used to automatically load
+kernel modules at boot time, for example, ``/etc/modules``. Check with your
+distribution for further information.
+
+This isn't necessary to use ``gre`` tunnel network type Neutron.
--- a/neutron/cmd/sanity/checks.py
+++ b/neutron/cmd/sanity/checks.py
@ -19,6 +19,7 @@ import tempfile

 import netaddr
 from neutron_lib import constants as n_consts
+from neutron_lib import exceptions
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import uuidutils
@ -42,6 +43,7 @@ LOG = logging.getLogger(__name__)
 MINIMUM_DNSMASQ_VERSION = 2.67
 DNSMASQ_VERSION_DHCP_RELEASE6 = 2.76
 MINIMUM_DIBBLER_VERSION = '1.0.1'
+CONNTRACK_GRE_MODULE = 'nf_conntrack_proto_gre'


 def ovs_vxlan_supported(from_ip='192.0.2.1', to_ip='192.0.2.2'):
@ -485,3 +487,11 @@ def ip_nonlocal_bind():
    finally:
        ip_lib.delete_network_namespace(nsname1)
    return ns1_value == 0
+
+
+def gre_conntrack_supported():
+    cmd = ['modinfo', CONNTRACK_GRE_MODULE]
+    try:
+        return agent_utils.execute(cmd, log_fail_as_error=False)
+    except exceptions.ProcessExecutionError:
+        return False
--- a/neutron/cmd/sanity_check.py
+++ b/neutron/cmd/sanity_check.py
@ -220,6 +220,15 @@ def check_ovs_conntrack():
    return result


+def check_gre_conntrack():
+    result = checks.gre_conntrack_supported()
+    if not result:
+        LOG.warning('Kernel module %s is not loaded. GRE tunnels from '
+                    'VM to VM will not work with OVS firewall driver.',
+                    checks.CONNTRACK_GRE_MODULE)
+    return result
+
+
 def check_ebtables():
    result = checks.ebtables_supported()
    if not result:
@ -323,6 +332,9 @@ OPTS = [
                    help=_('Check ovsdb native interface support')),
    BoolOptCallback('ovs_conntrack', check_ovs_conntrack,
                    help=_('Check ovs conntrack support')),
+    BoolOptCallback('gre_conntrack', check_gre_conntrack,
+                    help=_('Check if conntrack for gre tunnels traffic is '
+                           'supported')),
    BoolOptCallback('ebtables_installed', check_ebtables,
                    help=_('Check ebtables installation')),
    BoolOptCallback('keepalived_ipv6_support', check_keepalived_ipv6_support,