Created an LXD cluster with OVN, but my container on a certain cluster node has no connectivity to the internet

I’ve created an LXD cluster with three nodes using OVN.
The container on cluster node-2 can ping other containers on the same private network, but cannot ping 114.114.114.114. When I change node-1’s role to ovn-chassis, the container on cluster node-1 cannot ping 114.114.114.114.
I’ve created an available physical network, Ex.

 [root@node-1 ~]# lxd network show Ex
config:
  ipv4.gateway: 192.168.6.1/24
  ipv4.ovn.ranges: 192.168.6.151-192.168.6.170
  ipv4.routes: 192.168.6.0/24,0.0.0.0/0
  user.created_at: 2024-02-22T16:18:05
  user.created_by: admin
  user.ipv4_address: 192.168.6.0/24
  user.ipv4_ranges: 192.168.6.95-192.168.6.150
  user.netcard_config: '{"node-1": "Ex", "node-3": "Ex", "node-2": "Ex"}'
  user.role: business
  user.updated_at: 2024-02-22T16:18:05
  volatile.last_state.created: "false"
description: ""
name: Ex
type: physical
used_by:
- /1.0/networks/zy-p
managed: true
status: Created
locations:
- node-1
- node-2
- node-3
[root@node-1 ~]# lxd network show zy-p
config:
  bridge.mtu: "1442"
  ipv4.address: 11.11.11.1/24
  ipv4.dhcp: "true"
  ipv4.nat: "true"
  ipv6.address: fd42:3cf6:63c5:3da3::1/64
  ipv6.nat: "true"
  network: Ex
  user.created_at: 2024-02-22T15:29:58
  user.created_by: admin
  user.name: P_net
  user.updated_at: 2024-02-22T15:29:58
  volatile.network.ipv4.address: 192.168.6.151
description: ""
name: zy-p
type: ovn
used_by:
- /1.0/instances/zy-Pnet-ocs-0
- /1.0/instances/zy-Pnet-ocs-3
- /1.0/instances/zy-Pnet-ocs-6
managed: true
status: Created
locations:
- node-1
- node-2
- node-3
[root@node-1 ~]# lxd ls
+---------------+---------+----------------------+------------------------------------------------+-----------+-----------+----------+
|     NAME      |  STATE  |         IPV4         |                      IPV6                      |   TYPE    | SNAPSHOTS | LOCATION |
+---------------+---------+----------------------+------------------------------------------------+-----------+-----------+----------+
| zy-Pnet-ocs-0 | RUNNING | 11.11.11.10 (eth0)   | fd42:3cf6:63c5:3da3:e082:2a4:1c1e:ca4e (eth0)  | CONTAINER | 0         | node-1   |
+---------------+---------+----------------------+------------------------------------------------+-----------+-----------+----------+
| zy-Pnet-ocs-3 | RUNNING | 11.11.11.13 (eth0)   |                                                | CONTAINER | 0         | node-2   |
+---------------+---------+----------------------+------------------------------------------------+-----------+-----------+----------+
| zy-Pnet-ocs-6 | RUNNING | 11.11.11.16 (eth0)   |                                                | CONTAINER | 0         | node-3   |
+---------------+---------+----------------------+------------------------------------------------+-----------+-----------+----------+

The cluster nodes can ping 192.168.6.151.

[root@node-1 ~]# ping 192.168.6.151
PING 192.168.6.151 (192.168.6.151) 56(84) bytes of data.
64 bytes from 192.168.6.151: icmp_seq=1 ttl=254 time=1.28 ms
64 bytes from 192.168.6.151: icmp_seq=2 ttl=254 time=0.627 ms
^C
--- 192.168.6.151 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.627/0.955/1.283/0.328 ms
[root@node-2 ~]# ping 192.168.6.151
PING 192.168.6.151 (192.168.6.151) 56(84) bytes of data.
64 bytes from 192.168.6.151: icmp_seq=1 ttl=254 time=0.959 ms
64 bytes from 192.168.6.151: icmp_seq=2 ttl=254 time=0.557 ms
^C
--- 192.168.6.151 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.557/0.758/0.959/0.201 ms
[root@node-3 ~]# ping 192.168.6.151
PING 192.168.6.151 (192.168.6.151) 56(84) bytes of data.
64 bytes from 192.168.6.151: icmp_seq=1 ttl=254 time=1.09 ms
64 bytes from 192.168.6.151: icmp_seq=2 ttl=254 time=0.614 ms
^C
--- 192.168.6.151 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.614/0.850/1.087/0.236 ms
[root@manager-controller ~]# ovn-sbctl show
Chassis "ab5e3b16-494a-406d-a410-42f60a08dc2b"
    hostname: node-2
    Encap geneve
        ip: "10.0.172.2"
        options: {csum="true"}
    Port_Binding lxd-net5-instance-8ac6b2f4-7e9b-4c99-9875-c052519fcba7-eth-79fb98ebb6
    Port_Binding cr-lxd-net5-lr-lrp-ext
    Port_Binding lxd-net5-instance-0c643b98-d0b1-452b-85d4-852e88f405f2-eth-f2129f604e
    Port_Binding lxd-net5-instance-16ba7f75-1dfa-456a-998d-0efafef7d40f-eth-124f266a19
Chassis "5439eab0-453b-4bd0-b720-2f265f072ba3"
    hostname: node-3
    Encap geneve
        ip: "10.0.172.3"
        options: {csum="true"}
    Port_Binding lxd-net5-instance-1604fb3c-74e4-4adf-b71a-24319c0c130c-eth-1747103a1b
    Port_Binding lxd-net5-instance-9a6dd052-8d74-4e58-9166-0c6525a9f540-eth-3397ab2a26
    Port_Binding lxd-net5-instance-89e6fd53-db91-4e3f-a2b6-38389bf4d12c-eth-2bcc816967
    Port_Binding lxd-net5-instance-31dc7bdd-8298-4300-b5fb-85a3d19c37cd-eth-e11cfecbe0
    Port_Binding lxd-net5-instance-eaa7ece1-a255-41a5-89da-2a87203ef291-eth-e3c1c2b300
Chassis "adcafd81-996b-4b49-a055-1f92feebdbc5"
    hostname: node-1
    Encap geneve
        ip: "10.0.172.1"
        options: {csum="true"}
    Port_Binding lxd-net5-instance-d3c3f522-45de-4f6e-a1c3-dfa8e41f80d2-eth-55a75b4454
    Port_Binding lxd-net5-instance-c50febd8-623c-4037-b69e-f856f83e1856-eth-3ecbca353c
    Port_Binding lxd-net5-instance-83946725-b129-4f3f-9bc6-5903dd459266-eth-acdf55d884
    Port_Binding lxd-net5-instance-b59c91b8-9c13-452d-9e63-2afb04f0096d-eth-3337d05013
[root@node-1 ~]# lxd exec zy-Pnet-ocs-0 bash
[root@Pnet-ocs-0 ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=62 time=23.2 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=88 time=19.4 ms
^C
--- 114.114.114.114 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 19.433/21.327/23.222/1.894 ms
[root@node-1 ~]# lxd exec zy-Pnet-ocs-3 bash
[root@Pnet-ocs-3 ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
^C
--- 114.114.114.114 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7282ms
[root@node-1 ~]# lxd exec zy-Pnet-ocs-6 bash
[root@Pnet-ocs-6 ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=64 time=26.6 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=65 time=20.6 ms
^C
--- 114.114.114.114 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 20.575/23.611/26.648/3.036 ms
Southbound flows for 192.168.6.151:

[root@manager-controller ~]# ovn-sbctl lflow-list | grep 192.168.6.151
  table=13(ls_in_arp_rsp      ), priority=100  , match=(arp.tpa == 192.168.6.151 && arp.op == 1 && inport == "ocsd-net5-ls-ext-lsp-router"), action=(next;)
  table=13(ls_in_arp_rsp      ), priority=50   , match=(arp.tpa == 192.168.6.151 && arp.op == 1), action=(eth.dst = eth.src; eth.src = 00:16:3e:c7:54:ec; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = 00:16:3e:c7:54:ec; arp.tpa = arp.spa; arp.spa = 192.168.6.151; outport = inport; flags.loopback = 1; output;)
  table=19(ls_in_l2_lkup      ), priority=75   , match=(flags[1] == 0 && arp.op == 1 && arp.tpa == { 192.168.6.151}), action=(outport = "ocsd-net5-ls-ext-lsp-router"; output;)
  table=3 (lr_in_ip_input     ), priority=120  , match=(inport == "ocsd-net5-lr-lrp-ext" && ip4.src == 192.168.6.151), action=(next;)
  table=3 (lr_in_ip_input     ), priority=100  , match=(ip4.src == {192.168.6.151, 192.168.6.255} && reg9[0] == 0), action=(drop;)
  table=3 (lr_in_ip_input     ), priority=90   , match=(inport == "ocsd-net5-lr-lrp-ext" && arp.spa == 192.168.6.0/24 && arp.tpa == 192.168.6.151 && arp.op == 1 && is_chassis_resident("cr-ocsd-net5-lr-lrp-ext")), action=(eth.dst = eth.src; eth.src = 00:16:3e:c7:54:ec; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = 00:16:3e:c7:54:ec; arp.tpa = arp.spa; arp.spa = 192.168.6.151; outport = "ocsd-net5-lr-lrp-ext"; flags.loopback = 1; output;)
  table=3 (lr_in_ip_input     ), priority=90   , match=(ip4.dst == 192.168.6.151 && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst <-> ip4.src; ip.ttl = 255; icmp4.type = 0; flags.loopback = 1; next; )
  table=3 (lr_in_ip_input     ), priority=40   , match=(inport == "ocsd-net5-lr-lrp-ext" && ip4 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src = 192.168.6.151; ip.ttl = 255; next; };)
  table=5 (lr_in_unsnat       ), priority=100  , match=(ip && ip4.dst == 192.168.6.151 && inport == "ocsd-net5-lr-lrp-ext" && is_chassis_resident("cr-ocsd-net5-lr-lrp-ext")), action=(ct_snat;)
  table=9 (lr_in_ip_routing   ), priority=449  , match=(ip4.dst == 192.168.6.0/24), action=(ip.ttl--; reg8[0..15] = 0; reg0 = ip4.dst; reg1 = 192.168.6.151; eth.src = 00:16:3e:c7:54:ec; outport = "ocsd-net5-lr-lrp-ext"; flags.loopback = 1; next;)
  table=9 (lr_in_ip_routing   ), priority=401  , match=(ip4.dst == 0.0.0.0/0), action=(ip.ttl--; reg8[0..15] = 0; reg0 = 192.168.6.1; reg1 = 192.168.6.151; eth.src = 00:16:3e:c7:54:ec; outport = "ocsd-net5-lr-lrp-ext"; flags.loopback = 1; next;)
  table=12(lr_in_arp_resolve  ), priority=100  , match=(outport == "ocsd-net5-lr-lrp-ext" && reg0 == 192.168.6.151), action=(eth.dst = 00:16:3e:c7:54:ec; next;)
  table=1 (lr_out_snat        ), priority=153  , match=(ip && ip4.src == 11.11.11.0/24 && outport == "ocsd-net5-lr-lrp-ext" && is_chassis_resident("cr-ocsd-net5-lr-lrp-ext")), action=(ct_snat(192.168.6.151);)
  table=2 (lr_out_egr_loop    ), priority=100  , match=(ip4.dst == 192.168.6.151 && outport == "ocsd-net5-lr-lrp-ext" && is_chassis_resident("cr-ocsd-net5-lr-lrp-ext")), action=(clone { ct_clear; inport = outport; outport = ""; flags = 0; flags.loopback = 1; reg0 = 0; reg1 = 0; reg2 = 0; reg3 = 0; reg4 = 0; reg5 = 0; reg6 = 0; reg7 = 0; reg8 = 0; reg9 = 0; reg9[0] = 1; next(pipeline=ingress, table=0); };)