On 4/14/25 11:56 AM, Brendan Doyle via discuss wrote:
>
>
> On 11/04/2025 13:45, Adrián Moreno wrote:
>> On Fri, Apr 11, 2025 at 02:11:20PM +0200, Adrián Moreno wrote:
>>> On Thu, Apr 10, 2025 at 12:10:13PM +0100,brendan.do...@oracle.com wrote:
>>>> Hi Dumitru/Adrian,
>>>>
>>>>
>>>>
>>>> I'm working my way through IPFIX test in system-ovn.at, just a
>>>> couple of
>>>> questions.
>>>>
>>>>> collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1
>>>>> probability=65535 set_id=100)
>>>>> collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2
>>>>> probability=65535 set_id=200)
>>>>> check_row_count nb:Sample_Collector 2
>>>>>
>>>>> check_uuid ovn-nbctl create Sampling_App type="acl-new" id="42"
>>>>> check_uuid ovn-nbctl create Sampling_App type="acl-est" id="43"
>>>>> check_row_count nb:Sampling_App 2
>>>>>
>>>>> dnl Create ACLs that match the 3 types of traffic in all 3 possible
>>>>> stages:
>>>>> dnl from-lport, from-lport-after-lb, to-lport.
>>>>> check_uuid ovn-nbctl \
>>>>> -- --id=@sample_in_1c_new create Sample collector="$collector1"
>>>>> metadata=1001 \
>>>> I don't follow this syntax, it is not described in the ovn-nbctl man
>>>> page,
>>>> there we just
>>>> have
>>>> ovn-nbctl --sample-new=<uuid of a row of the Sample table> acl-add
>>>>
>>>> So what is 'id' above?
>>>>
>>>> what is '@sample_in_1c_new' is it "42"?
>>> All OVS and OVN commands that interact with an OVSDB (such as ovn-nbctl
>>> or ovs-vsctl), apart from some specific "high level" commands,
>>> (such as "acl-add [---sample-new]..."), support interacting with the
>>> OVSDB directly,
>>>
>>> See "Database Commands" section in ovn-nbctl(8).
>>>
>>> This part of the command is creating an entry in the Sample action and
>>> _storing_ its id in a temporary reference called "sample_in_1c_new"
>>> which can be used in the same OVSDB transaction futher below.
>>>
>>>> Is it required to also specify 'create Sample collector', it is not
>>>> described in the ovn-nbctl man page.
>>>>
>>> From manpage:
>>>
>>> ovn-nbctl [--id=(@name|uuid)] create table column[:key]=value...
>>>
>>>
>>>> Is '$collector1' the UUID of the Sample_Collector table row we
>>>> created with
>>>> set_id=100 ?
>>>>
>>> Yes
>>>
>>>> What is 'metadata' - Is it arbitrary?
>>>>
>>> Since the command is editing the DB directly, you should look at the
>>> ovn-nb(5) for the documentation of each column in the table. Quoting
>>> such manpage:
>>>
>>> """
>>> metadata: integer, in range 1 to 4,294,967,295 (must be unique within
>>> table)
>>>
>>> Will be used as Observation Point ID in every sample. The
>>> Observation Domain ID will be generated by ovn-northd and includes
>>> the logical datapath key as the least significant 24 bits and the
>>> sampling application type (e.g., drop debugging) as the 8 most
>>> significant bits.
>>> """
>>>
>>>> Also I see in the ovn-nbctl man page, we have --sample-new and --
>>>> sample-est,
>>>> but no
>>>> --sample-drop, even though the ovn-nb man pages says the 'type' in the
>>>> Sampling_App
>>>> Table can be acl-est, acl-new, or drop
>>>>
>>> You are right. "--sample-{new,est}" are options to "acl-add". If you
>>> enable those options, _only_ ACL drops will be sampled.
>>>
>>> In order to sample _all_ drops (including implicit ones), we used to
>>> have two flags in NB_Global:options but those got superceeded by just
>>> configuring the Sampling_App table. Nevertheless, this was not added as
>>> a "high level" command to ovn-nbctl. Global options tend not to be, plus
>>> this is a debugging-oriented feature.
>>>
>>> Thanks.
>>> Adrián
>>>
>> It seems my email client tricked me and did not that Dumitru has already
>> answered! :-) Please ignore as his answer is more complete.
>
> Yes, thanks, but I did have a few more questions on the unit tests, that
> I'd still
> like answers for......
>
>
Hi Brendan,
>
>> dnl Configure the OVS flow sample collector.
>> ovs-vsctl --id=@br get Bridge br-int \
>> -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\"
>> template_interval=1 \
>> -- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br
>> ipfix=@ipfix
>
> So this would need to be done on each controller node where a VM that is
> affected
> by the IPFIX ACL could run, right?
>
>
Yes, indeed, this needs to be configured on all nodes that process
packets hitting those ACLs.
> I don't see a reference to 'template_interval' in ovs-vsctl(8) , is
> this how often
> flow records are generated?
>
It's actually in the ovs-vswitchd.conf.db(5) man page:
https://www.openvswitch.org/support/dist-docs/ovs-vswitchd.conf.db.5.txt
template_interval: optional integer, in range 1 to 3,600
Interval (in seconds) for sending IPFIX Template information for
each Observation Domain ID.
Default value is 600
> I don't see a reference to 'Flow_Sample_Collector_Set' in ovs-vsctl(8),
This is also part of ovs-vswitchd.conf.db(5), the "Flow_Sample_Collector_Set
TABLE" section.
> does:
>
> "-id=@cs create Flow_Sample_Collector_Set id=100"
>
> Mean that only records are generated for samples Observation Domain ID 100,
> which matches collector1 that we configured earlier:
> collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1
> probability=65535 set_id=100)
>
"id" is just an unique ID:
id: integer, in range 0 to 4,294,967,295
The ID of this collector set, unique among the bridge’s collec‐
tor sets, to be used as the collector_set_id in OpenFlow sample
actions.
the Observation Domain ID is populated by OVN in the "sample()" logical
flow action generated for packets matching the ACLs. Please see the
"sample(probability=packets, ...)" definition here:
https://www.ovn.org/support/dist-docs/ovn-sb.5.txt
With ACL sampling enabled, the observation point ID ovn generates is actually
the NB.Sample.metadata value.
>
> ipfix create IPFIX targets=\"127.0.0.1:4242\"
>
> I assume this can be any IP/port that the samples are sent to?
>
Right. But keep in mind that in this case these are IPFIX samples so you'll
need to run an IPFIX collector on that IP:PORT. In the tests we use nfdump.
>
> Also how do you undo the above? in the ovs-vsctl man page I see:
>
>
>> Deconfigure the IPFIX settings from*br0*, which also destroys the
>> IPFIX record (since it is now unreferenced):
>>
>> *ovs-vsctl clear Bridge br0 ipfix*
>
> But I assume that would remove everything, but If I just wanted to remove
> the record generation for " Flow_Sample_Collector_Set id=100" how would
> that be done?
>
That would be "ovs-vsctl destroy Flow_Sample_Collector_Set <UUID>". E.g.:
ovs-vsctl destroy Flow_Sample_Collector_Set $(ovs-vsctl --bare --columns _uuid
find Flow_Sample_Collector_Set id=100)
>
>
>
> Thanks
>
> Brendan
>
Regards,
Dumitru
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
