On Mon, Apr 14, 2025 at 12:42:31PM +0200, Dumitru Ceara wrote:
> On 4/14/25 11:56 AM, Brendan Doyle via discuss wrote:
> >
> >
> > On 11/04/2025 13:45, Adrián Moreno wrote:
> >> On Fri, Apr 11, 2025 at 02:11:20PM +0200, Adrián Moreno wrote:
> >>> On Thu, Apr 10, 2025 at 12:10:13PM +0100,brendan.do...@oracle.com wrote:
> >>>> Hi Dumitru/Adrian,
> >>>>
> >>>>
> >>>>
> >>>> I'm working my way through IPFIX test in system-ovn.at, just a
> >>>> couple of
> >>>> questions.
> >>>>
> >>>>> collector1=$(ovn-nbctl create Sample_Collector id=1 name=c1
> >>>>> probability=65535 set_id=100)
> >>>>> collector2=$(ovn-nbctl create Sample_Collector id=2 name=c2
> >>>>> probability=65535 set_id=200)
> >>>>> check_row_count nb:Sample_Collector 2
> >>>>>
> >>>>> check_uuid ovn-nbctl create Sampling_App type="acl-new" id="42"
> >>>>> check_uuid ovn-nbctl create Sampling_App type="acl-est" id="43"
> >>>>> check_row_count nb:Sampling_App 2
> >>>>>
> >>>>> dnl Create ACLs that match the 3 types of traffic in all 3 possible
> >>>>> stages:
> >>>>> dnl from-lport, from-lport-after-lb, to-lport.
> >>>>> check_uuid ovn-nbctl \
> >>>>> -- --id=@sample_in_1c_new create Sample collector="$collector1"
> >>>>> metadata=1001 \
> >>>> I don't follow this syntax, it is not described in the ovn-nbctl man
> >>>> page,
> >>>> there we just
> >>>> have
> >>>> ovn-nbctl --sample-new=<uuid of a row of the Sample table> acl-add
> >>>>
> >>>> So what is 'id' above?
> >>>>
> >>>> what is '@sample_in_1c_new' is it "42"?
> >>> All OVS and OVN commands that interact with an OVSDB (such as ovn-nbctl
> >>> or ovs-vsctl), apart from some specific "high level" commands,
> >>> (such as "acl-add [---sample-new]..."), support interacting with the
> >>> OVSDB directly,
> >>>
> >>> See "Database Commands" section in ovn-nbctl(8).
> >>>
> >>> This part of the command is creating an entry in the Sample action and
> >>> _storing_ its id in a temporary reference called "sample_in_1c_new"
> >>> which can be used in the same OVSDB transaction futher below.
> >>>
> >>>> Is it required to also specify 'create Sample collector', it is not
> >>>> described in the ovn-nbctl man page.
> >>>>
> >>> From manpage:
> >>>
> >>> ovn-nbctl [--id=(@name|uuid)] create table column[:key]=value...
> >>>
> >>>
> >>>> Is '$collector1' the UUID of the Sample_Collector table row we
> >>>> created with
> >>>> set_id=100 ?
> >>>>
> >>> Yes
> >>>
> >>>> What is 'metadata' - Is it arbitrary?
> >>>>
> >>> Since the command is editing the DB directly, you should look at the
> >>> ovn-nb(5) for the documentation of each column in the table. Quoting
> >>> such manpage:
> >>>
> >>> """
> >>> metadata: integer, in range 1 to 4,294,967,295 (must be unique within
> >>> table)
> >>>
> >>> Will be used as Observation Point ID in every sample. The
> >>> Observation Domain ID will be generated by ovn-northd and includes
> >>> the logical datapath key as the least significant 24 bits and the
> >>> sampling application type (e.g., drop debugging) as the 8 most
> >>> significant bits.
> >>> """
> >>>
> >>>> Also I see in the ovn-nbctl man page, we have --sample-new and --
> >>>> sample-est,
> >>>> but no
> >>>> --sample-drop, even though the ovn-nb man pages says the 'type' in the
> >>>> Sampling_App
> >>>> Table can be acl-est, acl-new, or drop
> >>>>
> >>> You are right. "--sample-{new,est}" are options to "acl-add". If you
> >>> enable those options, _only_ ACL drops will be sampled.
> >>>
> >>> In order to sample _all_ drops (including implicit ones), we used to
> >>> have two flags in NB_Global:options but those got superceeded by just
> >>> configuring the Sampling_App table. Nevertheless, this was not added as
> >>> a "high level" command to ovn-nbctl. Global options tend not to be, plus
> >>> this is a debugging-oriented feature.
> >>>
> >>> Thanks.
> >>> Adrián
> >>>
> >> It seems my email client tricked me and did not that Dumitru has already
> >> answered! :-) Please ignore as his answer is more complete.
> >
> > Yes, thanks, but I did have a few more questions on the unit tests, that
> > I'd still
> > like answers for......
> >
> >
>
> Hi Brendan,
>
> >
> >> dnl Configure the OVS flow sample collector.
> >> ovs-vsctl --id=@br get Bridge br-int \
> >> -- --id=@ipfix create IPFIX targets=\"127.0.0.1:4242\"
> >> template_interval=1 \
> >> -- --id=@cs create Flow_Sample_Collector_Set id=100 bridge=@br
> >> ipfix=@ipfix
> >
> > So this would need to be done on each controller node where a VM that is
> > affected
> > by the IPFIX ACL could run, right?
> >
> >
>
> Yes, indeed, this needs to be configured on all nodes that process
> packets hitting those ACLs.
>
> > I don't see a reference to 'template_interval' in ovs-vsctl(8) , is
> > this how often
> > flow records are generated?
> >
>
> It's actually in the ovs-vswitchd.conf.db(5) man page:
> https://www.openvswitch.org/support/dist-docs/ovs-vswitchd.conf.db.5.txt
>
> template_interval: optional integer, in range 1 to 3,600
> Interval (in seconds) for sending IPFIX Template information for
> each Observation Domain ID.
>
> Default value is 600
>
>
Exactly, so it's not how often the flow records are generated, but how
often the templates are (re-)sent.
If you want to control how often records are sent, you can set
"cache-active-timeout".
Thanks.
Adrián
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
