On 4/10/25 1:10 PM, Brendan Doyle via discuss wrote:
> Hi Dumitru/Adrian,
> 

Hi Brendan,

> 
> 
> I'm working my way through IPFIX test in system-ovn.at, just a couple of
> questions.
> 
>> collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1
>> probability=65535 set_id=100)
>> collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2
>> probability=65535 set_id=200)
>> check_row_count nb:Sample_Collector 2
>>
>> check_uuid ovn-nbctl create Sampling_App type="acl-new" id="42"
>> check_uuid ovn-nbctl create Sampling_App type="acl-est" id="43"
>> check_row_count nb:Sampling_App 2
>>
>> dnl Create ACLs that match the 3 types of traffic in all 3 possible
>> stages:
>> dnl from-lport, from-lport-after-lb, to-lport.
>> check_uuid ovn-nbctl \
>>     -- --id=@sample_in_1c_new create Sample collector="$collector1"
>> metadata=1001 \
> I don't follow this syntax; it is not described in the ovn-nbctl man
> page, where we just have
> ovn-nbctl --sample-new=<uuid of a row of the Sample table> acl-add
> 

The NB.Sample table is defined as non-root in the schema, which means
that if there's no row in any other table that references a sample
record's UUID, the sample record will be automatically deleted by ovsdb-server.

> So what is 'id' above?
> 

The --id=@var syntax tells the DB client to store the uuid-name it
generates for the "create" operation (in this case the uuid-name of the
sample it creates in the first part of the transaction it received as
argument).

Then the second part of the nbctl args (the second operation in the
transaction):

-- --sample-new=@sample_in_1c_new --sample-est=@sample_in_1c_est  \
   acl-add ls from-lport 1 "inport == \"vm1\" && udp.dst == 1000" \
   allow-related

references that (to be created) uuid-name.

The result is that ovsdb-server will (in the same transaction) create
both the sample record and the ACL that references it.

> what is '@sample_in_1c_new' is it "42"?
> 

This is a placeholder (uuid-name) for the to-be-allocated UUID of the
sample record that ovsdb-server will insert in the database when
processing the jsonrpc request from nbctl.

> Is it required to also specify 'create Sample collector'? It is not
> described in the ovn-nbctl man page.
> 

In theory you could create NB.Sample records with no collectors (the
schema allows that).  The result is that no sample is generated for
packets hitting that ACL.  Once a Sample_Collector is created and added
to the NB.Sample.collectors column of a NB.Sample record, traffic that
hits ACLs with associated Sample configs will be, well, sampled
according to the Sample_Collector configuration.  That is:
- with a given probability
- and will use the OVS.Flow_Sample_Collector_Set that has the same ID as
the NB.Sample_Collector.set_id value

    <column name="set_id">
      The 8-bit integer identifier of the set of collectors to send
      packets to. See Flow_Sample_Collector_Set Table in ovs-vswitchd's
      database schema.
    </column>

> Is '$collector1' the UUID of the Sample_Collector table row we created
> with set_id=100 ?
> 

Yes.

> What is 'metadata' - Is it arbitrary?
> 

Yes, it's arbitrary, it will be included in the actual samples generated
by the datapath.  It's stored in the sample's Observation Point ID.

> Also I see in the ovn-nbctl man page, we have --sample-new and
> --sample-est, but no --sample-drop, even though the ovn-nb man page
> says the 'type' in the Sampling_App Table can be acl-est, acl-new, or
> drop
> 

I see how this might be confusing but the idea with --sample-new and
--sample-est is to match on packets that are part of either:
- new connections (no established conntrack entry for these)
- established connections (conntrack entry in state established)

Drop ACLs drop all packets that match, so the connection is always "new"
from a conntrack perspective.  That's why --sample-new is used for drop ACLs.

> Thanks.
> 

Hope this helps.

Regards,
Dumitru

> 
> 
> On 14/02/2025 13:40, Dumitru Ceara wrote:
>> On 2/13/25 7:50 PM, Brendan Doyle via discuss wrote:
>>> Hi,
>>>
>> Hi Brendan,
>>
>>> Does the ACL sampling only work for stateful ACLs?
>>>
>> No, it works for all kinds of ACLs.
>>
>>> Also how is the sample data queried?
>>>
>> The data is forwarded to a collector based on configuration in the local
>> OVS database.  That can be an IPFIX or a local collector:
>>
>> https://github.com/openvswitch/ovs/blob/9f7eb58f77da9fd453dbfd211eb619fdb5273416/vswitchd/vswitch.xml#L7094-L7149
>>
>>> And is there any documentation/tutorial on this that shows how to use
>>> it?
>>>
>> Here's an end-to-end example from the OVN system tests.  This one uses
>> an IPFIX collector.
>>
>> https://github.com/ovn-org/ovn/blob/800fd0681579a553c5d381dfcd30cc7ff1a50798/tests/system-ovn.at#L13353-L13567
>>
>>> The ovn-nbctl section on it is pretty minimal
>> That's true, maybe we should improve the documentation on this front.
>> In case it helps, however, here's a link to a talk Nadia, Adrian and I
>> did on OVS/OVN/OVN-K sampling at ovscon '24:
>>
>> https://www.openvswitch.org/support/ovscon2024/#t19
>> https://www.youtube.com/watch?v=gLwDsaiUuN4&t=2s
>>
>> I'm not sure why the slides are not linked on the conference page but if
>> you think you need them I can try to share those too.
>>
>> Regards,
>> Dumitru
>>
>>> Thanks
>>>
>>> Brendan
>>>
> 
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
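An added example (not from this thread or the OVN project) of the two-operation transaction Dumitru describes, written out as the OVSDB JSON-RPC "transact" request that ovn-nbctl ends up sending: the Sample insert declares a uuid-name, the ACL insert references it through a "named-uuid" placeholder, and a mutation on the root Logical_Switch table attaches the ACL so nothing is garbage-collected. The UUIDs passed in are constructed placeholders, and the column names (Sample.collectors, Sample.metadata, ACL.sample_new, ACL.sample_est, Logical_Switch.acls) are taken from the NB schema as named in the thread.

```python
def named(uuid_name):
    """Placeholder for the UUID of a row inserted earlier in this transaction."""
    return ["named-uuid", uuid_name]

def uuid_ref(uuid):
    """Reference to a row that already exists in the database."""
    return ["uuid", uuid]

def build_sampled_acl_txn(switch_uuid, collector_uuid, metadata, direction,
                          priority, match, action, sample_est=False,
                          uuid_name="sample_in_1c_new"):
    """One transact request: insert NB.Sample, insert the ACL that references
    it, and attach the ACL to the (root) Logical_Switch row."""
    acl_row = {"direction": direction, "priority": priority, "match": match,
               "action": action, "sample_new": ["set", [named(uuid_name)]]}
    if sample_est:  # --sample-est=@... may point at the same Sample row
        acl_row["sample_est"] = ["set", [named(uuid_name)]]
    ops = [
        # --id=@sample_in_1c_new create Sample collectors=... metadata=...
        {"op": "insert", "table": "Sample", "uuid-name": uuid_name,
         "row": {"collectors": ["set", [uuid_ref(collector_uuid)]],
                 "metadata": metadata}},
        # acl-add: the ACL row carries the named-uuid placeholder
        {"op": "insert", "table": "ACL", "uuid-name": "acl", "row": acl_row},
        # Without this root-table reference the ACL, and through it the
        # non-root Sample row, would be garbage-collected by ovsdb-server.
        {"op": "mutate", "table": "Logical_Switch",
         "where": [["_uuid", "==", uuid_ref(switch_uuid)]],
         "mutations": [["acls", "insert", ["set", [named("acl")]]]]},
    ]
    return {"method": "transact", "params": ["OVN_Northbound", *ops], "id": 0}

def dangling_named_uuids(txn):
    """named-uuid placeholders that no insert in the same transaction declares.
    A non-empty result means the two parts were split across transactions."""
    ops = txn["params"][1:]
    declared = {op["uuid-name"] for op in ops
                if op.get("op") == "insert" and "uuid-name" in op}
    refs = set()
    def walk(v):
        if isinstance(v, list) and len(v) == 2 and v[0] == "named-uuid":
            refs.add(v[1])
        elif isinstance(v, (list, dict)):
            for x in (v.values() if isinstance(v, dict) else v):
                walk(x)
    walk(ops)
    return refs - declared
```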
