[lxc-devel] [lxc-ci/master] Network: Adds OVN routed ingress mode tests

tomponline on Github lxc-bot at linuxcontainers.org
Wed Dec 9 11:43:41 UTC 2020


From 5f02b017fdb125fe27992f6808c021e2ab7ae896 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 9 Dec 2020 10:53:08 +0000
Subject: [PATCH 1/4] bin/test-lxd-ovn: Adds external routes allowed check

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 bin/test-lxd-ovn | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bin/test-lxd-ovn b/bin/test-lxd-ovn
index f011144..d16729d 100755
--- a/bin/test-lxd-ovn
+++ b/bin/test-lxd-ovn
@@ -177,9 +177,13 @@ lxc network set ovn-virtual-network --project testovn \
     ipv4.nat=true \
     ipv6.nat=true
 
-# Check external routes are ensured to be within uplink's external routes.
+# Check external routes are not too big (when using l2proxy uplink ingress mode).
 ! lxc config device set u1 eth0 ipv4.routes.external=198.51.100.0/24 --project testovn || false
 ! lxc config device set u1 eth0 ipv6.routes.external=2001:db8:1:2::/64 --project testovn || false
+
+# Check external routes are ensured to be within uplink's external routes.
+! lxc config device set u1 eth0 ipv4.routes.external=203.0.113.0/26 --project testovn || false
+! lxc config device set u1 eth0 ipv6.routes.external=2001:db8:2:2::/122  --project testovn || false
 lxc config device set u1 eth0 ipv4.routes.external=198.51.100.0/26 --project testovn
 lxc config device set u1 eth0 ipv6.routes.external=2001:db8:1:2::/122 --project testovn
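Review bot: The four `! lxc config device set … || false` lines only establish that the command exited non-zero; they do not show that the rejected value was left unset, nor that it was rejected for the intended reason, so an unrelated failure (a mistyped key, a project or auth error) would also pass. Before the two accepted sets, assert the key is still empty, e.g. `[ -z "$(lxc config device get u1 eth0 ipv4.routes.external --project testovn)" ]` and the IPv6 equivalent (assuming no earlier step set an external route on this NIC), and if LXD's error text is stable consider matching it with `2>&1 | grep -q`. The uplink range that 203.0.113.0/26 and 2001:db8:2:2::/122 are meant to fall outside is configured before this hunk, so whether those prefixes are the right "same size, wrong range" probes cannot be confirmed from here.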
 

From 32ad6cdfae2edfb7875bd9f84448ff3d576fe13d Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 9 Dec 2020 11:09:41 +0000
Subject: [PATCH 2/4] bin/test-lxd-ovn: Typo

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 bin/test-lxd-ovn | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/test-lxd-ovn b/bin/test-lxd-ovn
index d16729d..0a50dca 100755
--- a/bin/test-lxd-ovn
+++ b/bin/test-lxd-ovn
@@ -132,7 +132,7 @@ lxc network create ovn-virtual-network network=lxdbr0 --project testovn
 lxc network delete ovn-virtual-network --project testovn
 lxc network delete lxdbr1 --project default
 
-# Test physical uplink with external IPs
+# Test physical uplink with external IPs.
 ip link add dummy0 type dummy
 lxc network create dummy --type=physical --project default \
     parent=dummy0 \

From 043d77f45a43b6017f36efb0fc9e70c14648aba9 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 9 Dec 2020 11:09:55 +0000
Subject: [PATCH 3/4] bin/test-lxd-ovn: Add NAT rule cleanup checks

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 bin/test-lxd-ovn | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/bin/test-lxd-ovn b/bin/test-lxd-ovn
index 0a50dca..18f2d33 100755
--- a/bin/test-lxd-ovn
+++ b/bin/test-lxd-ovn
@@ -160,6 +160,10 @@ lxc network create ovn-virtual-network --type=ovn --project testovn network=dumm
 
 lxc init images:ubuntu/20.04 u1 --project testovn
 lxc config device add u1 eth0 nic network=ovn-virtual-network name=eth0 --project testovn
+
+# Record NAT rules count before u1 started.
+natRulesBefore=$(ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l)
+
 lxc start u1 --project testovn
 
 # Test external IPs allocated and published using dnat.
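Review bot: In the `natRulesBefore=$(ovn-nbctl … | wc -l)` line the count comes from the last stage of a pipeline, so if `ovn-nbctl` fails the result is silently `0`; both the before and after snapshots would then be 0 and the later equality check passes vacuously. That is only caught if the script runs with `set -o pipefail`, which is set (or not) in the header outside this hunk. The same `ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l` pipeline is repeated in every later hunk; a helper such as `natRuleCount() { ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l; }` with `natRulesBefore=$(natRuleCount)` would keep the query in one place and make it easy to add `set -o pipefail` locally or an explicit `|| exit 1`.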
@@ -170,6 +174,13 @@ ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | gr
 ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | grep "${U1_EXT_IPV6},${U1_EXT_IPV6},dnat_and_snat"
 lxc stop -f u1 --project testovn
 
+# Check NAT rules got cleaned up.
+natRulesAfter=$(ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l)
+if [ "$natRulesBefore" -ne "$natRulesAfter" ]; then
+    echo "NAT rules left over. Started with ${natRulesBefore} now have ${natRulesAfter}"
+    false
+fi
+
 # Test external IPs routed to OVN NIC.
 lxc network set ovn-virtual-network --project testovn \
     ipv4.address=auto \
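Review bot: Comparing row counts in the `natRulesAfter` check does not show which rows were removed: a leaked rule for u1 offset by any other rule disappearing, or both counts being 0 because `ovn-nbctl` failed inside the pipeline, would pass. Since the exact rows were matched positively a few lines above, assert their absence directly, e.g. `! ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | grep "${U1_EXT_IPV4},${U1_EXT_IPV4},dnat_and_snat"` and the IPv6 counterpart, keeping the count comparison as a secondary guard. The bare `false` inside the `if` only aborts the script under `set -e` (the `|| false` idiom elsewhere in the file suggests it is on, but the header is outside this hunk); `echo … >&2` followed by `exit 1` would fail explicitly and send the diagnostic to stderr.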
@@ -177,6 +188,9 @@ lxc network set ovn-virtual-network --project testovn \
     ipv4.nat=true \
     ipv6.nat=true
 
+# Record NAT rules count before u1 started again.
+natRulesBefore=$(ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l)
+
 # Check external routes are not too big (when using l2proxy uplink ingress mode).
 ! lxc config device set u1 eth0 ipv4.routes.external=198.51.100.0/24 --project testovn || false
 ! lxc config device set u1 eth0 ipv6.routes.external=2001:db8:1:2::/64 --project testovn || false
@@ -204,6 +218,14 @@ ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | gr
 ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l | grep 132
 
 lxc delete -f u1 --project testovn
+
+# Check NAT rules got cleaned up.
+natRulesAfter=$(ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l)
+if [ "$natRulesBefore" -ne "$natRulesAfter" ]; then
+    echo "NAT rules left over. Started with ${natRulesBefore} now have ${natRulesAfter}"
+    false
+fi
+
 lxc network delete ovn-virtual-network --project testovn
 lxc image delete "${FINGERPRINT}" --project testovn
 lxc project delete testovn
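Review bot: After `lxc delete -f u1` the cleanup check again relies on count parity, which cannot distinguish "u1's rules were removed" from "the same number of rows changed hands". The context lines above this hunk show concrete rows that should be gone, so pin at least one of them, e.g. `! ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | grep "2001:db8:1:2::3f,2001:db8:1:2::3f,dnat_and_snat"`. This matters beyond tidiness: a leftover `dnat_and_snat` row presumably keeps publishing that external address towards a logical IP the deleted instance no longer owns, which a later instance on the same OVN network could be handed, so the test should fail loudly on the specific row rather than on an aggregate.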

From dd8891ece1159825610056cca91d890bef261294 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 9 Dec 2020 11:42:43 +0000
Subject: [PATCH 4/4] bin/test-lxd-ovn: Adds check that DNAT rules don't
 created when using routed ingress mode

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 bin/test-lxd-ovn | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/bin/test-lxd-ovn b/bin/test-lxd-ovn
index 18f2d33..f5cbc92 100755
--- a/bin/test-lxd-ovn
+++ b/bin/test-lxd-ovn
@@ -217,7 +217,7 @@ ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | gr
 ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | grep "2001:db8:1:2::3f,2001:db8:1:2::3f,dnat_and_snat"
 ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l | grep 132
 
-lxc delete -f u1 --project testovn
+lxc stop -f u1 --project testovn
 
 # Check NAT rules got cleaned up.
 natRulesAfter=$(ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l)
@@ -226,6 +226,21 @@ if [ "$natRulesBefore" -ne "$natRulesAfter" ]; then
     false
 fi
 
+# Check routed ingress mode allows larger subnets and doesn't add DNAT rules.
+lxc network set dummy ovn.ingress_mode=routed
+lxc config device set u1 eth0 ipv4.routes.external=198.51.100.0/24 --project testovn
+lxc config device set u1 eth0 ipv6.routes.external=2001:db8:1:2::/64 --project testovn
+lxc start u1 --project testovn
+
+# Check no NAT rules got added.
+natRulesAfter=$(ovn-nbctl --bare --format=csv --column=external_ip,logical_ip,type find nat | wc -l)
+if [ "$natRulesBefore" -ne "$natRulesAfter" ]; then
+    echo "NAT rules got added in routed ingress mode. Started with ${natRulesBefore} now have ${natRulesAfter}"
+    false
+fi
+
+lxc delete -f u1 --project testovn
+
 lxc network delete ovn-virtual-network --project testovn
 lxc image delete "${FINGERPRINT}" --project testovn
 lxc project delete testovn
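Review bot: `lxc network set dummy ovn.ingress_mode=routed` omits the `--project default` that every other operation on the `dummy` network in this file passes (the create at the start of the physical-uplink section, the earlier network deletes), so it silently depends on the CLI's current project being `default`; use `lxc network set dummy ovn.ingress_mode=routed --project default`. Because the previous hunk turned the l2proxy-mode `lxc delete -f u1` into a stop, the only remaining delete of a running instance is the one at the end of this hunk, which runs in routed mode where no NAT rows exist, so the delete-while-running NAT cleanup path appears to have lost its coverage; either note that in the commit message or delete a running instance in l2proxy mode before switching modes. The routed-mode section also only asserts that nothing was added to the `nat` table; if the router entries LXD installs for the /24 and /64 are observable with `ovn-nbctl`, a positive check would confirm routed mode installed them rather than merely skipping NAT.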

