
[root@ovn-worker2 ~]# ovs-dpctl dump-flows
recirc_id(0x48),in_port(2),ct_state(+new-est-rel-rpl-inv+trk),ct_mark(0/0x1),eth(src=66:49:b8:4b:12:3e,dst=0a:58:0a:f4:01:05),eth_type(0x0800),ipv4(src=10.244.1.2,dst=10.244.1.5,frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=19,mark=0/0x1,nat(src)),6
recirc_id(0),in_port(3),skb_mark(0),eth(dst=02:42:ac:12:00:03),eth_type(0x0800),ipv4(proto=6,frag=no),tcp(dst=8192/0xe000), packets:797, bytes:70414, used:0.004s, flags:SP., actions:ct(zone=64000,nat),recirc(0x27)
recirc_id(0),in_port(3),eth(dst=02:42:ac:12:00:03),eth_type(0x0800),ipv4(proto=17,frag=no),udp(dst=6081), packets:1, bytes:132, used:0.753s, actions:4
recirc_id(0x46),tunnel(tun_id=0xff0003,src=172.18.0.2,dst=172.18.0.3,geneve({}{}),flags(-df+csum+key)),in_port(5),ct_state(+new-est-rel-rpl-inv+trk),ct_mark(0/0x1),eth(src=0a:58:0a:f4:01:01,dst=00:00:00:00:00:00/01:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.244.0.0/255.255.255.0,frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=
---
apiVersion: v1
kind: Pod
metadata:
name: client
labels:
pod-name: client
role: webserver
#app: spk-coredns
spec:
[root@ovn-control-plane ~]# ovs-appctl ofproto/trace --ct-next trk,rpl --ct-next trk,rpl br-int in_port=3,tun_id=16711683,tun_metadata0=262147,dl_src=0a:58:2b:22:eb:86,dl_dst=0a:58:92:3f:71:e5,tcp6,tp_src=8080,tp_dst=43434,ipv6_dst=fd00:10:244:1::7,ipv6_src=fc00:f853:ccd:e793::4,nw_ttl=254 | ovn-detrace
Flow: tcp6,tun_id=0xff0003,in_port=3,vlan_tci=0x0000,dl_src=0a:58:2b:22:eb:86,dl_dst=0a:58:92:3f:71:e5,ipv6_src=fc00:f853:ccd:e793::4,ipv6_dst=fd00:10:244:1::7,ipv6_label=0x00000,nw_tos=0,nw_ecn=0,nw_ttl=254,nw_frag=no,tp_src=8080,tp_dst=43434,tcp_flags=0
bridge("br-int")
----------------
0. in_port=3, priority 100
move:NXM_NX_TUN_ID[0..23]->OXM_OF_METADATA[0..23]
-> OXM_OF_METADATA[0..23] is now 0xff0003
move:NXM_NX_TUN_METADATA0[16..30]->NXM_NX_REG14[0..14]
-> NXM_NX_REG14[0..14] is now 0x4
[root@ovn-control-plane ~]# ovn-trace --ct trk,rpl --ct trk,rpl transit_switch 'inport == "tstor-ovn-worker" && eth.src ==0a:58:2b:22:eb:86 && eth.dst==0a:58:92:3f:71:e5 && ip6 && ip.ttl==64 && ip6.src==fc00:f853:ccd:e793::4 && ip6.dst==fd00:10:244:1::7 && tcp && tcp.src == 8080 && tcp.dst ==43434'
2024-04-17T17:08:05Z|00001|ovntrace|WARN|ct.new && !ct.rel && ip6 && ip6.dst == ^NODEIP_IPv6_0 && tcp && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
2024-04-17T17:08:05Z|00002|ovntrace|WARN|ct.new && ip6.dst == ^NODEIP_IPv6_0 && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
2024-04-17T17:08:05Z|00003|ovntrace|WARN|reg0[2] == 1 && ip6.dst == ^NODEIP_IPv6_0 && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
2024-04-17T17:08:05Z|00004|ovntrace|WARN|ip && ip6.dst == ^NODEIP_IPv6_0: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
#
trozet / gist:a900192ce0a84396d466f27ce2796d0f
Created February 9, 2024 17:16
chatgpt netlink socket ebpf
### ebpf
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/in.h>
#include <linux/tcp.h>
struct data_t {
__u32 src_ip;
__u32 dst_ip;
[trozet@fedora 250-nodetracker]$ cat must-gather.local.3877710284032856534/inspect.local.4295100335563262757/namespaces/openshift-ovn-kubernetes/pods/ovnkube-node-5ksf5/ovnkube-controller/ovnkube-controller/logs/current.log | grep -E 'Starting controller|router changed, syncing services| Node tracker sync took|Full service sync requested'
2024-01-16T02:33:18.213324326Z I0116 02:33:18.213311 3961 services_controller.go:163] Starting controller ovn-lb-controller
2024-01-16T02:33:18.213864591Z I0116 02:33:18.213856 3961 node_tracker.go:185] Node ip-10-0-236-9.us-west-2.compute.internal switch + router changed, syncing services
2024-01-16T02:33:18.214366306Z I0116 02:33:18.214357 3961 services_controller.go:513] Full service sync requested
2024-01-16T02:33:18.238191487Z I0116 02:33:18.238179 3961 node_tracker.go:185] Node ip-10-0-149-39.us-west-2.compute.internal switch + router changed, syncing services
2024-01-16T02:33:18.238242960Z I0116 02:33:18.238234 3961 services_controller.go:513] Full serv
pkt received on worker node:
01:30:41.176263 M 00:07:35:c0:23:cd ethertype IPv6 (0x86dd), length 88: (flowlabel 0x8e949, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::207:35ff:fec0:23cd > ff02::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fd2e:6f44:5dd8:c956::18, Flags [override]
destination link-address option (2), length 8 (1): 00:07:35:c0:23:cd
datapath flow:
recirc_id(0xd),in_port(1),ct_state(-new-est-rel+trk),ct_mark(0),eth(src=00:07:35:c0:23:cd,dst=33:33:00:00:00:01),eth_type(0x86dd),ipv6(src=fe80::207:35ff:fec0:23cd,dst=ff02::1,proto=58,hlimit=255,frag=no),icmpv6(type=136,code=0), packets:27611, bytes:2374546, used:0.002s, actions:2,check_pkt_len(size=1414,gt(sample(sample=100.0%,actions(meter(3),userspace(pid=4294967295,controller(reason=1,dont_send=0,continuation=0,recirc_id=25194,rule_cookie=0x25862262,controller_id=0,max_len=65535))))),le(drop)
mac is not changing:
trozet / gist:025d8afe714ef3c724d063bcfe1b4ac6
Last active January 11, 2024 19:29
kube proxy session affinity
#### setup, client curling a service with session affinity that is backed by server and server-sdn pods
[trozet@fedora test]$ oc get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.30.0.1 <none> 443/TCP 46m
my-service1 ClusterIP 172.30.189.139 <none> 1337/UDP,80/TCP 5m5s
openshift ExternalName <none> kubernetes.default.svc.cluster.local <none> 41m
trozet / np_portrange.txt
Last active June 5, 2023 19:06
NP with port range vs individual ports
## NP with port range
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-egress
spec:
podSelector:
policyTypes:
trozet / gist:8fb0149cd727939dcc78c60fdcb38f13
Created December 15, 2022 14:02
Creating core file for analysis with OCP and golang
0. Use the ovn-k master leader pod for the following procedure
1. Install dependencies (gdb)
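To generate a core file of the ovnkube-master process, you need the gcore binary from the gdb package. A core file is a full dump of the process's memory and may contain secrets the process had loaded (for example API tokens or TLS key material), so store and share it with the same care as those credentials. The easiest way to get gdb is to spawn a toolbox on the node in question and install it there: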
# toolbox
# yum install gdb -y
You may need to use a different toolbox image (https://docs.openshift.com/container-platform/4.10/support/gathering-cluster-data.html?extIdCarryOver=true&sc_cid=701f2000001OH7JAAW#starting-an-alternative-image-with-toolbox_gathering-cluster-data)
2. Generating a core file (with gcore) of the currently running ovnkube-master process