OSDOCS-6269: updates network flow for OVN-K i/c

2026-02-05 12:46:18 +01:00 · 2023-09-12 07:42:55 -04:00
parent 6f44dd4c70
commit 77bb768fb8
4 changed files with 67 additions and 52 deletions
--- a/modules/nw-network-flows-create.adoc
+++ b/modules/nw-network-flows-create.adoc
@@ -65,7 +65,7 @@ $ for pod in $(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-node -o js
  do ;
    echo;
    echo $pod;
-    oc -n openshift-ovn-kubernetes exec -c ovnkube-node $pod \
+    oc -n openshift-ovn-kubernetes exec -c ovnkube-controller $pod \
      -- bash -c 'for type in ipfix sflow netflow ; do ovs-vsctl find $type ; done';
 done
 ----
--- a/modules/nw-ovn-kubernetes-install-ovnkube-trace-local.adoc
+++ b/modules/nw-ovn-kubernetes-install-ovnkube-trace-local.adoc
@@ -19,14 +19,14 @@ The `ovnkube-trace` tool traces packet simulations for arbitrary UDP or TCP traf
 +
 [source,terminal]
 ----
-$  POD=$(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-master -o name | head -1 | awk -F '/' '{print $NF}')
+$  POD=$(oc get pods -n openshift-ovn-kubernetes -l app=ovnkube-control-plane -o name | head -1 | awk -F '/' '{print $NF}')
 ----

-. Run the following command on your local host to copy the binary from the `ovnkube-master` pods:
+. Run the following command on your local host to copy the binary from the `ovnkube-control-plane` pods:
 +
 [source,terminal]
 ----
-$  oc cp -n openshift-ovn-kubernetes $POD:/usr/bin/ovnkube-trace ovnkube-trace
+$  oc cp -n openshift-ovn-kubernetes $POD:/usr/bin/ovnkube-trace -c ovnkube-cluster-manager ovnkube-trace
 ----

 . Make `ovnkube-trace` executable by running the following command:
@@ -47,8 +47,9 @@ $  ./ovnkube-trace -help
 +
 [source,terminal]
 ----
-I0111 15:05:27.973305  204872 ovs.go:90] Maximum command line arguments set to: 191102
 Usage of ./ovnkube-trace:
+  -addr-family string
+    	Address family (ip4 or ip6) to be used for tracing (default "ip4")
  -dst string
    	dest: destination pod name
  -dst-ip string
--- a/modules/nw-ovn-kubernetes-running-ovnkube-trace.adoc
+++ b/modules/nw-ovn-kubernetes-running-ovnkube-trace.adoc
@@ -24,7 +24,7 @@ This example illustrates how to test the DNS resolution from a deployed pod to t
 +
 [source,terminal]
 ----
-$ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80
+$ oc run web --namespace=default --image=quay.io/openshifttest/nginx --labels="app=web" --expose --port=80
 ----

 . List the pods running in the `openshift-dns` namespace:
@@ -39,21 +39,21 @@ oc get pods -n openshift-dns
 [source,terminal]
 ----
 NAME                  READY   STATUS    RESTARTS   AGE
-dns-default-467qw     2/2     Running   0          49m
-dns-default-6prvx     2/2     Running   0          53m
-dns-default-fkqr8     2/2     Running   0          53m
-dns-default-qv2rg     2/2     Running   0          49m
-dns-default-s29vr     2/2     Running   0          49m
-dns-default-vdsbn     2/2     Running   0          53m
-node-resolver-6thtt   1/1     Running   0          53m
-node-resolver-7ksdn   1/1     Running   0          49m
-node-resolver-8sthh   1/1     Running   0          53m
-node-resolver-c5ksw   1/1     Running   0          50m
-node-resolver-gbvdp   1/1     Running   0          53m
-node-resolver-sxhkd   1/1     Running   0          50m
+dns-default-8s42x     2/2     Running   0          5h8m
+dns-default-mdw6r     2/2     Running   0          4h58m
+dns-default-p8t5h     2/2     Running   0          4h58m
+dns-default-rl6nk     2/2     Running   0          5h8m
+dns-default-xbgqx     2/2     Running   0          5h8m
+dns-default-zv8f6     2/2     Running   0          4h58m
+node-resolver-62jjb   1/1     Running   0          5h8m
+node-resolver-8z4cj   1/1     Running   0          4h59m
+node-resolver-bq244   1/1     Running   0          5h8m
+node-resolver-hc58n   1/1     Running   0          4h59m
+node-resolver-lm6z4   1/1     Running   0          5h8m
+node-resolver-zfx5k   1/1     Running   0          5h
 ----

-. Run the following `ovn-kube-trace` command to verify DNS resolution is working:
+. Run the following `ovnkube-trace` command to verify DNS resolution is working:
 +
 [source,terminal]
 ----
@@ -61,7 +61,7 @@ $ ./ovnkube-trace \
  -src-namespace default \ <1>
  -src web \ <2>
  -dst-namespace openshift-dns \ <3>
-  -dst dns-default-467qw \ <4>
+  -dst dns-default-p8t5h \ <4>
  -udp -dst-port 53 \ <5>
  -loglevel 0 <6>
 ----
@@ -71,24 +71,37 @@ $ ./ovnkube-trace \
 <3> Namespace of destination pod
 <4> Destination pod name
 <5> Use the `udp` transport protocol. Port 53 is the port the DNS service uses.
-<6> Set the log level to 1 (0 is minimal and 5 is debug)
+<6> Set the log level to 0 (0 is minimal and 5 is debug)
 +
-.Expected output
+.Example output if the `src&dst` pod lands on the same node:
 [source,terminal]
 ----
-I0116 10:19:35.601303   17900 ovs.go:90] Maximum command line arguments set to: 191102
-ovn-trace source pod to destination pod indicates success from web to dns-default-467qw
-ovn-trace destination pod to source pod indicates success from dns-default-467qw to web
-ovs-appctl ofproto/trace source pod to destination pod indicates success from web to dns-default-467qw
-ovs-appctl ofproto/trace destination pod to source pod indicates success from dns-default-467qw to web
-ovn-detrace source pod to destination pod indicates success from web to dns-default-467qw
-ovn-detrace destination pod to source pod indicates success from dns-default-467qw to web
+ovn-trace source pod to destination pod indicates success from web to dns-default-p8t5h
+ovn-trace destination pod to source pod indicates success from dns-default-p8t5h to web
+ovs-appctl ofproto/trace source pod to destination pod indicates success from web to dns-default-p8t5h
+ovs-appctl ofproto/trace destination pod to source pod indicates success from dns-default-p8t5h to web
+ovn-detrace source pod to destination pod indicates success from web to dns-default-p8t5h
+ovn-detrace destination pod to source pod indicates success from dns-default-p8t5h to web
+----
+
+.Example output if the `src&dst` pod lands on a different node:
+[source,terminal]
+----
+ovn-trace source pod to destination pod indicates success from web to dns-default-8s42x
+ovn-trace (remote) source pod to destination pod indicates success from web to dns-default-8s42x
+ovn-trace destination pod to source pod indicates success from dns-default-8s42x to web
+ovn-trace (remote) destination pod to source pod indicates success from dns-default-8s42x to web
+ovs-appctl ofproto/trace source pod to destination pod indicates success from web to dns-default-8s42x
+ovs-appctl ofproto/trace destination pod to source pod indicates success from dns-default-8s42x to web
+ovn-detrace source pod to destination pod indicates success from web to dns-default-8s42x
+ovn-detrace destination pod to source pod indicates success from dns-default-8s42x to web
+
 ----
 +
 The ouput indicates success from the deployed pod to the DNS port and also indicates that it is
 successful going back in the other direction. So you know bi-directional traffic is supported on UDP port 53 if my web pod wants to do dns resolution from core DNS.

-If for example that did not work and you wanted to get the `ovn-trace`, the `ovs-appctl ofproto/trace` and `ovn-detrace`, and more debug type information increase the log level to 2 and run the command again as follows:
+If for example that did not work and you wanted to get the `ovn-trace`, the `ovs-appctl` of `proto/trace` and `ovn-detrace`, and more debug type information increase the log level to 2 and run the command again as follows:

 [source,terminal]
 ----
@@ -140,7 +153,7 @@ networkpolicy.networking.k8s.io/deny-by-default created
 +
 [source,terminal]
 ----
-$ oc run web --namespace=default --image=nginx --labels="app=web" --expose --port=80
+$ oc run web --namespace=default --image=quay.io/openshifttest/nginx --labels="app=web" --expose --port=80
 ----

 . Run the following command to create the `prod` namespace:
@@ -179,14 +192,11 @@ $ ./ovnkube-trace \
 -loglevel 0
 ----
 +
-.Expected output
-
+.Example output
 [source,terminal]
 ----
-I0116 14:20:47.380775   50822 ovs.go:90] Maximum command line arguments set to: 191102
 ovn-trace source pod to destination pod indicates failure from test-6459 to web
 ----
-
 . Increase the log level to 2 to expose the reason for the failure by running the following command:
 +
 [source,terminal]
@@ -200,21 +210,29 @@ $ ./ovnkube-trace \
 -loglevel 2
 ----
 +
-.Expected output
-
+.Example output
 [source,terminal]
 ----
-ct_lb_mark /* default (use --ct to customize) */
+...
 ------------------------------------------------
- 3. ls_out_acl_hint (northd.c:6092): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 32d45ad4
+ 3. ls_out_acl_hint (northd.c:7454): !ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0, priority 4, uuid 12efc456
    reg0[8] = 1;
    reg0[10] = 1;
    next;
- 4. ls_out_acl (northd.c:6435): reg0[10] == 1 && (outport == @a16982411286042166782_ingressDefaultDeny), priority 2000, uuid f730a887 <1>
-    ct_commit { ct_mark.blocked = 1; };
+ 5. ls_out_acl_action (northd.c:7835): reg8[30..31] == 0, priority 500, uuid 69372c5d
+    reg8[30..31] = 1;
+    next(4);
+ 5. ls_out_acl_action (northd.c:7835): reg8[30..31] == 1, priority 500, uuid 2fa0af89
+    reg8[30..31] = 2;
+    next(4);
+ 4. ls_out_acl_eval (northd.c:7691): reg8[30..31] == 2 && reg0[10] == 1 && (outport == @a16982411286042166782_ingressDefaultDeny), priority 2000, uuid 447d0dab
+    reg8[17] = 1;
+    ct_commit { ct_mark.blocked = 1; }; <1>
+    next;
+...
 ----
 +
-<1> Ingress traffic is blocked due to the default deny policy being in place
+<1> Ingress traffic is blocked due to the default deny policy being in place.

 . Create a policy that allows traffic from all pods in a particular namespaces with a label `purpose=production`. Save the YAML in the `web-allow-prod.yaml` file:
 +
@@ -261,7 +279,6 @@ $ ./ovnkube-trace \
 .Expected output
 [source,terminal]
 ----
-I0116 14:25:44.055207   51695 ovs.go:90] Maximum command line arguments set to: 191102
 ovn-trace source pod to destination pod indicates success from test-6459 to web
 ovn-trace destination pod to source pod indicates success from web to test-6459
 ovs-appctl ofproto/trace source pod to destination pod indicates success from test-6459 to web
@@ -270,7 +287,7 @@ ovn-detrace source pod to destination pod indicates success from test-6459 to we
 ovn-detrace destination pod to source pod indicates success from web to test-6459
 ----

-. In the open shell run the following command:
+. Run the following command in the shell that was opened in step six to connect nginx to the web-server:
 +
 [source,terminal]
 ----
@@ -286,9 +303,11 @@ ovn-detrace destination pod to source pod indicates success from web to test-645
 <head>
 <title>Welcome to nginx!</title>
 <style>
-html { color-scheme: light dark; }
-body { width: 35em; margin: 0 auto;
-font-family: Tahoma, Verdana, Arial, sans-serif; }
+  body {
+    width: 35em;
+    margin: 0 auto;
+    font-family: Tahoma, Verdana, Arial, sans-serif;
+  }
 </style>
 </head>
 <body>
--- a/networking/ovn_kubernetes_network_provider/ovn-kubernetes-tracing-using-ovntrace.adoc
+++ b/networking/ovn_kubernetes_network_provider/ovn-kubernetes-tracing-using-ovntrace.adoc
@@ -10,11 +10,6 @@ OVN and OVS traffic flows can be simulated in a single utility called `ovnkube-t

 You can execute the `ovnkube-trace` binary from a dedicated container. For releases after {product-title} 4.7, you can also copy the binary to a local host and execute it from that host.

-[NOTE]
-====
-The binaries in the Quay images do not currently work for Dual IP stack or IPv6 only environments. For those environments, you must build from source.
-====
-
 include::modules/nw-ovn-kubernetes-install-ovnkube-trace-local.adoc[leveloffset=+1]

 include::modules/nw-ovn-kubernetes-running-ovnkube-trace.adoc[leveloffset=+1]