OPENVSWITCH LTS IN CENTOS 6

As some visitors have asked me about installing Open vSwitch on CentOS 6, I’m writing the following post after my first one about it almost three years ago. If you find a better way, please let me know so I can update the post and remove useless info from the Internet 😉

I’ve found this repository by Alexander Evseev so you may try to use the openvswitch packages (you even have the kmod package) found there. Have a look: http://download.opensuse.org/repositories/home:/aevseev/CentOS6/x86_64/

In any case… I’ll show you what you can do to generate your own RPM packages the old way (without the Python API, since it requires Python 2.7 while CentOS 6 ships Python 2.6):

Current LTS version: 2.5.0
Tested on: CentOS 6.8

Let’s start installing some packages:

yum -y install wget openssl-devel gcc make python-devel kernel-devel graphviz kernel-debug-devel autoconf automake rpm-build redhat-rpm-config libtool python-twisted-core python-zope-interface PyQt4 desktop-file-utils libcap-ng-devel groff checkpolicy selinux-policy-devel

Let’s add a new user and switch to that user:

adduser ovs; su - ovs

Let’s prepare the build environment and download the source code:

mkdir -p ~/rpmbuild/SOURCES
wget http://openvswitch.org/releases/openvswitch-2.5.0.tar.gz
cp openvswitch-2.5.0.tar.gz ~/rpmbuild/SOURCES/
tar xfz openvswitch-2.5.0.tar.gz

Now go to the openvswitch directory

cd openvswitch-2.5.0

Let’s modify some lines in the old rhel6 spec file provided by Nicira (copy and paste):

sed -i "s/Requires: logrotate, python >= 2.7/Requires: logrotate/" rhel/openvswitch.spec
sed -i "/$RPM_BUILD_ROOT\/usr\/bin\/ovs-test/d" rhel/openvswitch.spec
sed -i "/$RPM_BUILD_ROOT\/usr\/bin\/ovs-l3ping/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-parse-backtrace/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-pcap/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-tcpundump/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-vlan-test/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/man\/man8\/ovs-bugtool.8.gz/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/openvswitch\/bugtool-plugins/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/openvswitch\/scripts\/ovs-bugtool-*/d" rhel/openvswitch.spec
sed -i "/\/usr\/share\/openvswitch\/python/d" rhel/openvswitch.spec
sed -i "/\/usr\/bin\/ovs-dpctl-top/d" rhel/openvswitch.spec
sed -i "/\/usr\/sbin\/ovs-bugtool/d" rhel/openvswitch.spec
echo "/usr/bin/ovs-testcontroller" >> rhel/openvswitch.spec
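The sed lines above match anywhere in the line, which is why `/usr/bin/ovs-test` also wipes out `/usr/bin/ovs-testcontroller` and it has to be appended again at the end. The following script is an added example (mine, not from the post or from the Open vSwitch project): it applies the same edits with end-of-line anchored patterns, so that only the listed paths disappear, and keeps a `.orig` copy of the spec. The paths are exactly the ones the post removes; `make_sample_spec` writes a constructed, cut-down stand-in for `rhel/openvswitch.spec` so the function can be tried without the real tarball.

```shell
#!/bin/sh
# Added example, not part of the original post or of Open vSwitch.
# Strips the Python-2.7-dependent entries from rhel/openvswitch.spec using
# patterns anchored at end of line, so "ovs-test" no longer also matches
# "ovs-testcontroller". Paths are the ones removed by the post's sed lines.

PY_ENTRIES='
/usr/bin/ovs-test
/usr/bin/ovs-l3ping
/usr/bin/ovs-parse-backtrace
/usr/bin/ovs-pcap
/usr/bin/ovs-tcpundump
/usr/bin/ovs-vlan-test
/usr/bin/ovs-dpctl-top
/usr/sbin/ovs-bugtool
/usr/share/man/man8/ovs-bugtool.8.gz
/usr/share/openvswitch/bugtool-plugins
/usr/share/openvswitch/scripts/ovs-bugtool-*
/usr/share/openvswitch/python
'

# strip_python_from_spec SPECFILE
# Drops the "python >= 2.7" requirement and every line that ends with one of
# the paths above (optionally followed by a sub-path, and with or without a
# $RPM_BUILD_ROOT prefix). The untouched file is kept as SPECFILE.orig.
strip_python_from_spec() {
    spec=$1
    cp "$spec" "$spec.orig"
    script='s/^Requires: logrotate, python >= 2\.7$/Requires: logrotate/'
    set -f                      # do not glob-expand the ovs-bugtool-* entry
    for entry in $PY_ENTRIES; do
        # make the path a literal BRE: escape / and . ; the glob * becomes .*
        re=$(printf '%s' "$entry" | sed 's|[./]|\\&|g; s|\*|.*|g')
        # delete lines ending with the path, e.g. "/usr/bin/ovs-test" or
        # "/usr/share/openvswitch/python/", but not "/usr/bin/ovs-testcontroller"
        script="$script
/$re\\(\\/.*\\)*\$/d"
    done
    set +f
    sed "$script" "$spec" > "$spec.tmp" && mv "$spec.tmp" "$spec"
}

# make_sample_spec PATH
# Writes a constructed, cut-down stand-in for the real spec (sample data only).
make_sample_spec() {
    cat > "$1" <<'EOF'
Name: openvswitch
Requires: logrotate, python >= 2.7
%install
rm -f $RPM_BUILD_ROOT/usr/bin/ovs-test
%files
/usr/bin/ovs-vsctl
/usr/bin/ovs-test
/usr/bin/ovs-testcontroller
/usr/bin/ovs-l3ping
/usr/share/openvswitch/python/
/usr/share/openvswitch/scripts/ovs-bugtool-foo
/usr/sbin/ovs-bugtool
/usr/share/man/man8/ovs-bugtool.8.gz
EOF
}

# usage, from the unpacked openvswitch-2.5.0 directory:
#   strip_python_from_spec rhel/openvswitch.spec
#   diff rhel/openvswitch.spec.orig rhel/openvswitch.spec
```

Run `diff` against the `.orig` copy before `rpmbuild` to confirm that only the intended `%files` entries and the `Requires:` line changed; with the anchored patterns `/usr/bin/ovs-testcontroller` survives, so the final `echo >> rhel/openvswitch.spec` is no longer needed.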

Finally let’s build the RPM packages… and have a cup of coffee as tests are being run! At least you can tell if it works… 😛

rpmbuild -bb rhel/openvswitch.spec

Once the build is finished, type exit.

exit

CentOS 6 already provides an openvswitch kernel module, so we’ve only compiled the binary tools.

[root@localhost ~]# modinfo openvswitch
filename: /lib/modules/2.6.32-642.3.1.el6.x86_64/kernel/net/openvswitch/openvswitch.ko
license: GPL
description: Open vSwitch switching datapath
srcversion: 00938868C288DBF055E30F3
depends: libcrc32c,vxlan
vermagic: 2.6.32-642.3.1.el6.x86_64 SMP mod_unload modversions

As root, we’ll install the RPM package.

 yum localinstall /home/ovs/rpmbuild/RPMS/x86_64/openvswitch-2.5.0-1.x86_64.rpm -y

Finally, start the openvswitch service and check that it’s running

service openvswitch start
...output...
/etc/openvswitch/conf.db does not exist ... (warning).
Creating empty database /etc/openvswitch/conf.db [ OK ]
Starting ovsdb-server [ OK ]
Configuring Open vSwitch system IDs [ OK ]
Inserting openvswitch module [ OK ]
Starting ovs-vswitchd [ OK ]
Enabling remote OVSDB managers [ OK ]

service openvswitch status
...output...
ovsdb-server is running with pid 3404
ovs-vswitchd is running with pid 3416

If you want the openvswitch service to start at boot time:

chkconfig openvswitch on

Let’s check that the command-line tools are ready:

ovs-vsctl -V
...output...
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Aug 31 2016 19:54:41
DB Schema 7.12.1

Done. I can’t be sure if it will work for you as I haven’t been using Open vSwitch with CentOS 6 for a long time… so any feedback is welcomed!

Cheers!


Some errors you could face when configuring SSL encryption between your Floodlight controller and Openvswitch

Hi there!
Floodlight controller’s documentation provides an awesome article explaining how to use SSL to encrypt OpenFlow connections between your Floodlight controller and your Openvswitch virtual switches. Please read it; it helped me to continue with my current Floodlight testing.

If you follow the steps provided, you shouldn’t find any problem… however, sometimes we read too fast or we forget something important and things don’t work as expected :-D. Just in case, I’ve compiled some problems (and their solutions) I hit when configuring SSL to secure OpenFlow communication.

Problem #1: Unknown wire version: 22

In your Floodlight controller’s log (e.g /var/log/floodlight/floodlight.log) you may find the following message:

ERROR [New I/O worker #12] n.f.c.i.OFChannelHandler [OFChannelHandler.java:731] Illegal argument exception with switch [? from …]. java.lang.IllegalArgumentException: Unknown wire version: 22

Solution: Well… have you added/edited the following line in your floodlightdefault.properties file?

net.floodlightcontroller.core.internal.OFSwitchManager.useSsl=YES

Try adding that and restart your controller…

Problem #2: Exception initializing SSL OpenFlow socket: /path/to/your/keystore-file.jks (No such file or directory)

Solution: That’s an easy one! Have you specified where your keystore file is?

Please be sure to set the keystore location and password in your floodlightdefault.properties configuration file changing these lines:

net.floodlightcontroller.core.internal.OFSwitchManager.keyStorePath=/path/to/your/keystore-file.jks
net.floodlightcontroller.core.internal.OFSwitchManager.keyStorePassword=your-keystore-password

Problem #3: Exception initializing SSL OpenFlow socket: /path/to/your/keystore-file.jks (No such file or directory)

Have you added (imported) to the keystore the private key associated with the public certificate used by your Floodlight Controller?
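Problems #1 to #3 are all visible before the controller is restarted: a property is missing, the keystore path does not resolve to a readable file, or the keystore holds no private key. The script below is an added example (mine, not from the post or from Floodlight) that checks those three things from the command line. The property names are the ones quoted above; `keytool` (from the JDK/JRE) is only assumed for the private-key check, and the properties files used in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of Floodlight: a pre-flight
# check for SSL problems #1 to #3 against a Floodlight properties file.

PREFIX=net.floodlightcontroller.core.internal.OFSwitchManager

# prop_value FILE KEY -> prints KEY's value (last definition wins, as in
# java.util.Properties); empty if the key is absent
prop_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')          # dots are literal
    sed -n "s/^[[:blank:]]*$key[[:blank:]]*=[[:blank:]]*//p" "$1" |
        tail -n 1 | tr -d '\r'
}

# floodlight_ssl_preflight PROPS -> 0 when useSsl=YES, keyStorePath names a
# readable file and keyStorePassword is set; otherwise prints what is wrong
# (numbered as in the post) and returns 1
floodlight_ssl_preflight() {
    props=$1 rc=0
    use_ssl=$(prop_value "$props" "$PREFIX.useSsl")
    ks_path=$(prop_value "$props" "$PREFIX.keyStorePath")
    ks_pass=$(prop_value "$props" "$PREFIX.keyStorePassword")

    if [ "$use_ssl" != YES ]; then
        echo "problem #1: $PREFIX.useSsl is '${use_ssl:-unset}', expected YES"
        rc=1
    fi
    if [ -z "$ks_path" ]; then
        echo "problem #2: $PREFIX.keyStorePath is not set"
        rc=1
    elif [ ! -r "$ks_path" ]; then
        # readability is tested as the current user; Floodlight runs as its
        # own user, so run this check as that user to get the same answer
        echo "problem #2: keystore '$ks_path' is missing or not readable by $(id -un)"
        rc=1
    fi
    if [ -z "$ks_pass" ]; then
        echo "$PREFIX.keyStorePassword is not set"
        rc=1
    fi
    return $rc
}

# keystore_has_private_key KEYSTORE PASSWORD -> 0 if the keystore contains a
# PrivateKeyEntry (problem #3: a certificate alone is not enough)
keystore_has_private_key() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -q PrivateKeyEntry
}

# usage, as the floodlight user, after editing the properties file:
#   floodlight_ssl_preflight /etc/floodlight/floodlightdefault.properties
#   keystore_has_private_key /path/to/your/keystore-file.jks your-keystore-password
```

Run both checks as the account that will run Floodlight; a keystore that is readable by root but not by the service user still produces the "No such file or directory" exception of problem #2.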

Problem #4: Disconnecting switch due to message parse failure

If you find a message like “Disconnecting switch [? from X.X.X:X:Y] due to message parse failure org.projectfloodlight.openflow.exceptions.OFParseError: Wrong length: Expected=8(8), got=16” maybe Openvswitch and Floodlight are not speaking the same OpenFlow protocol.

You can try to force the OpenFlow protocol version used by an Openvswitch bridge with the following ovs-vsctl command applied to your bridge (e.g. I have a bridge named ovs-mgmt0):

ovs-vsctl set Bridge ovs-mgmt0 protocols=OpenFlow13

I’m sure you won’t need any of these if you follow Floodlight’s instructions, but if Google sent you here I hope these notes have helped you somehow. Use the comments if you need more help.

Cheers!

CentOS 7 – Installing Openvswitch 2.3.2 LTS

Openvswitch 2.3.2 was released in June 2015 and this post explains how to quickly generate an RPM to install the Openvswitch command-line tools. This is a rewrite of my old post. I’ll be using the Openvswitch kernel module that comes with the CentOS kernel, so no kernel module is compiled.

As the root user let’s install some packages and add a new user:

yum -y install wget gcc make python-devel openssl-devel kernel-devel graphviz kernel-debug-devel autoconf automake rpm-build redhat-rpm-config libtool

adduser ovs

su - ovs

Now as the ovs user we’ll generate the rpm file. In this post I’m skipping the rpmbuild tests included with openvswitch as I’m solving some dependency problems.

mkdir -p ~/rpmbuild/SOURCES

wget http://openvswitch.org/releases/openvswitch-2.3.2.tar.gz

cp openvswitch-2.3.2.tar.gz ~/rpmbuild/SOURCES/

tar xfz openvswitch-2.3.2.tar.gz

sed 's/openvswitch-kmod, //g' openvswitch-2.3.2/rhel/openvswitch.spec > openvswitch-2.3.2/rhel/openvswitch_no_kmod.spec

rpmbuild -bb --nocheck openvswitch-2.3.2/rhel/openvswitch_no_kmod.spec

exit

We’ll create the /etc/openvswitch configuration directory:

mkdir /etc/openvswitch

Let’s install the rpm package:

 yum localinstall /home/ovs/rpmbuild/RPMS/x86_64/openvswitch-2.3.2-1.x86_64.rpm

If you’re using SELinux in enforcing mode, let’s change some contexts:

yum install policycoreutils-python 

semanage fcontext -a -t openvswitch_rw_t "/etc/openvswitch(/.*)?" 
restorecon -Rv /etc/openvswitch

Start the openvswitch service:

systemctl start openvswitch.service

If you want the openvswitch service to start at boot time:

chkconfig openvswitch on

Let’s check that the command-line tools are ready:

ovs-vsctl -V
ovs-vsctl (Open vSwitch) 2.3.2
Compiled Jun 28 2015 13:01:11
DB Schema 7.6.2

If you’re using SELinux in enforcing mode and you try to start the service (systemctl start openvswitch.service) without having run the SELinux commands above, you’ll find errors like these:

  • install: cannot change owner and permissions of ‘/etc/openvswitch’: No such file or directory
  • Creating empty database /etc/openvswitch/conf.db ovsdb-tool: I/O error: /etc/openvswitch/conf.db: failed to lock lockfile (No such file or directory).

If you run the ovs-vsctl show command and you receive the following error, please check that your Openvswitch service has been started (systemctl start openvswitch.service)

  • ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (No such file or directory)

Done!

CentOS 7 – Installing Floodlight

Hi there!,
In the following weeks, I’ll be using the Floodlight controller to develop some code to get a deeper understanding of Software-Defined Networks. In my lab environment I’ll be using OpenFlow to configure some OpenVswitch virtual switches.

In this post I’m showing you how I’ve installed Floodlight on my CentOS 7 machine, creating a service, configuring logging and more.

Let’s begin installing some development tools, Git, Java and Ant:

yum group install -y "Development Tools"
yum -y install git
yum install -y java-1.7.0-openjdk ant

We need Floodlight’s source code and then we’ll build it:

cd /opt
git clone git://github.com/floodlight/floodlight.git
cd floodlight/
ant

...
Buildfile: /opt/floodlight/build.xml
init:
...
[jar] Building jar: /opt/floodlight/target/floodlight.jar
...
BUILD SUCCESSFUL
Total time: 50 seconds

Awesome, Floodlight was built successfully. We’ll now create some directories:

mkdir /var/lib/floodlight
mkdir /etc/floodlight
mkdir /var/log/floodlight/

OpenFlow protocol will use IANA’s reserved port 6653. I’ll add a rule allowing that traffic from my management network 192.168.4.0/24:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.4.0/24" port port="6653" protocol="tcp" accept'

firewall-cmd --reload

Also, if using the REST API (HTTP) or using the web user interface, we’ll need a rule allowing traffic on port 8080. In my lab, I’ll add a rule to allow traffic from my development network 192.168.5.0/24:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.5.0/24" port port="8080" protocol="tcp" accept'

firewall-cmd --reload

Next, let’s add a user called (guess what?) floodlight, set JAVA_HOME and change the ownership of some directories:

useradd floodlight
echo 'export JAVA_HOME=/usr/lib/jvm/jre-openjdk' >> /home/floodlight/.bash_profile 

chown -R floodlight:floodlight /opt/floodlight
chown -R floodlight:floodlight /var/lib/floodlight
chown -R floodlight:floodlight /var/log/floodlight
chown -R floodlight:floodlight /etc/floodlight

Now let’s open a shell using our floodlight user:

su - floodlight

Let’s copy the default floodlight’s properties file to our /etc/floodlight directory:

cp /opt/floodlight/src/main/resources/floodlightdefault.properties /etc/floodlight/

Let’s start Floodlight for the first time, specifying where our properties file is. If everything is OK we’ll see some info and warning messages:

java -jar /opt/floodlight/target/floodlight.jar -cf /etc/floodlight/floodlightdefault.properties
...
11:00:08.221 INFO [n.f.c.m.FloodlightModuleLoader:main] Loading modules from /etc/floodlight/floodlightdefault.properties
11:00:08.702 WARN [n.f.r.RestApiServer:main] HTTPS disabled; HTTPS will not be used to connect to the REST API.
11:00:08.702 WARN [n.f.r.RestApiServer:main] HTTP enabled; Allowing unsecure access to REST API on port 8080.
11:00:19.552 WARN [n.f.c.i.OFSwitchManager:main] SSL disabled. Using unsecure connections between Floodlight and switches.
...
11:00:19.603 INFO [n.f.c.i.Controller:main] Controller role set to ACTIVE
...
11:00:19.716 INFO [n.f.f.Forwarding:main] Default flow matches set to: VLAN=true, MAC=true, IP=true, TPPT=true
11:00:20.572 INFO [o.s.s.i.r.RPCService:main] Listening for internal floodlight RPC on localhost/127.0.0.1:6642
11:00:20.812 INFO [n.f.c.i.OFSwitchManager:main] Listening for switch connections on 0.0.0.0/0.0.0.0:6653
11:00:20.831 INFO [n.f.l.i.LinkDiscoveryManager:main] Setting autoportfast feature to OFF
11:00:35.997 INFO [n.f.l.i.LinkDiscoveryManager:Scheduled-1] Sending LLDP packets out of all the enabled ports
11:00:37.959 INFO [n.f.j.JythonServer:debugserver-main] Starting DebugServer on :6655

If using the default properties, we’ll now have an active OpenFlow controller with a Forwarding module that allows our virtual switches (if using Floodlight as the controller, of course!) to forward ethernet frames.

As an example, these are information messages when the first switch connects to Floodlight:

11:15:13.041 INFO [n.f.c.i.OFChannelHandler:New I/O worker #11] New switch connection from /192.168.4.2:44893
11:15:13.201 INFO [n.f.c.i.OFSwitchHandshakeHandler:New I/O worker #11] Switch OFSwitchBase DPID[00:00:bc:30:5b:da:eb:60] bound to class class net.floodlightcontroller.core.OFSwitch, description SwitchDescription [manufacturerDescription=Nicira, Inc., hardwareDescription=Open vSwitch, softwareDescription=2.3.1, serialNumber=None, datapathDescription=None]

Once we’ve checked that Floodlight can be started we’ll kill the process using Ctrl-C and close our session.

^C[floodlight@tornasol ~]$ exit

I’m not using floodlight as an interactive user anymore so I’ll remove the shell:

usermod -s /sbin/nologin floodlight

By default, Floodlight writes many messages to standard output. I want to reduce the log level and set a file where logs will be written. Thanks to the information provided by Volkan Yazici and Luca Prete in this Google group, these are the steps I’ve followed.

First I create a backup file for the /opt/floodlight/logback.xml file:

cp /opt/floodlight/logback.xml /opt/floodlight/logback.xml.orig

Then I create a new /opt/floodlight/logback.xml file with the following content. Basically I’m reducing the log level so only INFO and WARN messages are sent to /var/log/floodlight/floodlight.log and no messages are sent to standard output:

cat <<EOT > /opt/floodlight/logback.xml
<configuration scan="true">
<appender name="FILE" class="ch.qos.logback.core.FileAppender">
<file>/var/log/floodlight/floodlight.log</file>
<encoder>
<pattern>%date %level [%thread] %logger{10} [%file:%line] %msg%n</pattern>
</encoder>
</appender>
<root level="INFO">
<appender-ref ref="FILE" />
</root>
<logger name="org" level="WARN"/>
<logger name="LogService" level="WARN"/> <!-- Restlet access logging -->
<logger name="net.floodlightcontroller" level="INFO"/>
<logger name="net.floodlightcontroller.logging" level="WARN"/>
</configuration>
EOT

Ok. Now we’ll create a systemd service so Floodlight is started and stopped nicely. I’m specifying where the logback configuration file and the properties file are.

cat <<EOT > /etc/systemd/system/floodlight.service
[Unit]
Description=FloodLight Service 
After=network.target
[Service]
EnvironmentFile=/etc/sysconfig/floodlight
User=floodlight
WorkingDirectory=/etc/floodlight
ExecStart=/usr/bin/java -Dlogback.configurationFile=/opt/floodlight/logback.xml -jar /opt/floodlight/target/floodlight.jar -cf /etc/floodlight/floodlightdefault.properties
Restart=on-abort
[Install]
WantedBy=multi-user.target
EOT

We’ll create the /etc/sysconfig/floodlight file so we’re sure that the JAVA_HOME environment variable is properly used:

cat <<EOT > /etc/sysconfig/floodlight
JAVA_HOME=/usr/lib/jvm/jre-openjdk
EOT

Let’s cross our fingers. Starting the service and checking status:

systemctl start floodlight.service

systemctl status floodlight.service

Floodlight service started

Looks good! Let’s enable service start at boot time:

systemctl enable floodlight.service

I think it’s a good idea to add a logrotate.d file so our Floodlight’s log file is rotated. I’ll use libvirtd file as a template to create the /etc/logrotate.d/floodlight file:

/var/log/floodlight/floodlight.log {
weekly
missingok
rotate 4
compress
delaycompress
copytruncate
minsize 100k
}

Finally I’ll check that the web user interface is listening on the 8080 port and that I’ve information about my OpenFlow switches (URL http://x.x.x.x:8080/ui/index.html, use your IP address of course!)

[screenshot: floodlight ui]

OK, nice! Now I’m ready to start developing. I’ll post any useful information about Floodlight’s development or usage in my blog, but you should start by visiting the official page, as I’m going to do right now 😀

Cheers!

CentOS 7 – Installing Openvswitch 2.3.1 LTS

Openvswitch 2.3.1 was released in December 2014 and this post explains how to quickly generate an RPM to install the Openvswitch command-line tools. I’ll be using the Openvswitch kernel module that comes with the CentOS kernel, so no kernel module is compiled.

As the root user let’s install some packages and add a new user:

yum -y install wget openssl-devel gcc make python-devel kernel-devel graphviz kernel-debug-devel autoconf automake rpm-build redhat-rpm-config libtool

adduser ovs

su - ovs

Now as the ovs user we’ll generate the rpm file. In this post I’m skipping the rpmbuild tests included with openvswitch as I’m solving some dependency problems.

mkdir -p ~/rpmbuild/SOURCES

wget http://openvswitch.org/releases/openvswitch-2.3.1.tar.gz

cp openvswitch-2.3.1.tar.gz ~/rpmbuild/SOURCES/

tar xfz openvswitch-2.3.1.tar.gz

sed 's/openvswitch-kmod, //g' openvswitch-2.3.1/rhel/openvswitch.spec > openvswitch-2.3.1/rhel/openvswitch_no_kmod.spec

rpmbuild -bb --nocheck ~/openvswitch-2.3.1/rhel/openvswitch_no_kmod.spec

exit

Finally we install the rpm package:

 yum localinstall /home/ovs/rpmbuild/RPMS/x86_64/openvswitch-2.3.1-1.x86_64.rpm

Let’s check that the command-line tools are ready:

ovs-vsctl -V
ovs-vsctl (Open vSwitch) 2.3.1
Compiled Jan 25 2015 02:13:00
DB Schema 7.6.2

UPDATE: If you’re using SELinux in enforcing mode and you try to start the service (systemctl start openvswitch.service), you’ll find some errors: “install: cannot change owner and permissions of ‘/etc/openvswitch’: No such file or directory” and “Creating empty database /etc/openvswitch/conf.db ovsdb-tool: I/O error: /etc/openvswitch/conf.db: failed to lock lockfile (No such file or directory)”. This is how I solved them (the commands are executed as root):

yum install policycoreutils-python
mkdir /etc/openvswitch
semanage fcontext -a -t openvswitch_rw_t "/etc/openvswitch(/.*)?"
restorecon -Rv /etc/openvswitch

UPDATE: If you run the ovs-vsctl show command and you receive the following error, please check that your openvswitch service has been started (use systemctl start openvswitch.service)

  • ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (No such file or directory)

Done!

Openvswitch 1.9.3 LTS – Debian Wheezy

I’m preparing a lab with two nodes, one with Debian Wheezy and the other one with CentOS 6.5.

I’m not a Debian guy so I hope I’m not doing things wrong, but first of all I’d like to thank again Nicira Inc as I used the information included in the README.Debian included in Openvswitch’s recent versions.

Here are my notes on how I installed Openvswitch 1.9.3 LTS, but first a warning, you may find Openvswitch in the official Debian repositories or from Ubuntu repositories, so use this post if you really can’t find the deb packages on the Internet. I just want to help 🙂

  1. Let’s install some development packages. If you have any problems you can try to install the build-essential package.
    aptitude -y install gcc make automake autoconf debhelper libssl-dev pkg-config python-all python-qt4 python-zopeinterface python-twisted-conch gdebi-core
  2. Now we’re going to create a user, and “use” it to prepare the Debian packages. Be patient, we need to compile.
    useradd -s /bin/bash -m openvswitch
    su - openvswitch
    wget http://openvswitch.org/releases/openvswitch-1.9.3.tar.gz
    tar xvfz openvswitch-1.9.3.tar.gz
    mv openvswitch-1.9.3.tar.gz openvswitch_1.9.3.orig.tar.gz
    cd openvswitch-1.9.3/
    dpkg-buildpackage -us -uc
    exit
  3. Now as root we are going to install the Debian packages we’ve just created and generate the kernel module. Remember to accept the installations :-):
    gdebi /home/openvswitch/openvswitch-datapath-source_1.9.3-1_all.deb
    module-assistant auto-install openvswitch-datapath
    gdebi /home/openvswitch/openvswitch-common_1.9.3-1_amd64.deb
    gdebi /home/openvswitch/openvswitch-switch_1.9.3-1_amd64.deb

    [ ok ] Inserting openvswitch module.
    [warn] /etc/openvswitch/conf.db does not exist ... (warning).
    [ ok ] Creating empty database /etc/openvswitch/conf.db.
    [ ok ] Starting ovsdb-server.
    [ ok ] Configuring Open vSwitch system IDs.
    [ ok ] Starting ovs-vswitchd.
  4. And now let’s see if openvswitch is ready:
    # ovs-vsctl -V
    ovs-vsctl (Open vSwitch) 1.9.3
    Compiled Feb 18 2014 19:20:41
    # ovs-vsctl show
    859be08b-200c-40dc-9863-0323a655589b
        ovs_version: "1.9.3"

And… finished, or at least that’s what it seems.

Thanks for reading, and please visit my personal page if you want to hire me… for free.

CentOS 6.5 – Openvswitch 1.9.3 LTS installation

Happy new year!

I’ve just installed CentOS 6.5 and I wanted to use Openvswitch. I’ve succeeded in installing the 1.9.3 LTS version using the instructions included by Nicira.

#yum install wget openssl-devel
#yum groupinstall "Development Tools"

#adduser ovswitch
#su ovswitch

$cd
$wget http://openvswitch.org/releases/openvswitch-1.9.3.tar.gz
$tar xvfz openvswitch-1.9.3.tar.gz
$cd openvswitch-1.9.3
$mkdir -p /home/ovswitch/rpmbuild/SOURCES
$ cp ../openvswitch-1.9.3.tar.gz /home/ovswitch/rpmbuild/SOURCES/
$cp rhel/openvswitch-kmod.files /home/ovswitch/rpmbuild/SOURCES/
$rpmbuild -bb rhel/openvswitch.spec
$rpmbuild -bb rhel/openvswitch-kmod-rhel6.spec
$exit

#yum localinstall /home/ovswitch/rpmbuild/RPMS/x86_64/kmod-openvswitch-1.9.3-1.el6.x86_64.rpm
#yum localinstall /home/ovswitch/rpmbuild/RPMS/x86_64/openvswitch-1.9.3-1.x86_64.rpm

And that’s all, openvswitch 1.9.3 is ready in CentOS 6.5

I’ve tried to use the latest stable version 2.0.0 but I’ve found some problems building the kernel module with netdev:

“error: conflicting types for ‘netdev_features_t'”

It seems that Jesse Gross from Nicira wrote a patch for this problem, but I must be doing something wrong and I can’t get the module built so I’ll try again in a few days and I’ll update this post if I get it working.

Of course you can always use the latest version from Git where that patch must be already applied so I suggest you to read Tyler Bishop’s post about how to use the latest openvswitch’s git version with CentOS 6.5

See ya!

OpenVswitch – Port mirroring

I’m preparing a virtual laboratory for IDS and Honeypot testing that will be running on my OpenNebula private cloud. In the following diagram you can see that I want my IDS (sherlock) to inspect traffic from/to my Vyatta firewall so I’ll do that configuring port mirroring, thanks to openvswitch impressive functionalities. (I’ve used Dia for creating this diagram, what a great tool!).

[diagram: n40lab_ids_honeypot_ovswitch]

My N40L server has only one physical ethernet interface (eth0) and I’ve already created an openvswitch bridge called br0 which is associated to eth0.

In OpenNebula I’ve configured one virtual network called inet which is assigned to br0. Watson (my vyatta router) and Sherlock (my OSSIM machine full of sensors) have one interface attached to inet/br0: vnet2 and vnet0 respectively.

#ovs-vsctl show
...
Bridge "br0"
    Port "vnet2"
        Interface "vnet2"
    Port "eth0"
        Interface "eth0"
    Port "vnet0"
        Interface "vnet0"
    Port "br0"
        Interface "br0"
          type: internal

OK. Now, according to the ovs-vsctl man page, if I want vnet2’s traffic (in both directions) to be mirrored onto vnet0 I’ll run this command. The select-src-port/select-dst-port references name the port being watched (vnet2, the firewall) and output-port is where the copies are sent (vnet0, the IDS):

#ovs-vsctl -- set Bridge br0 mirrors=@m \
 -- --id=@vnet0 get Port vnet0 \
 -- --id=@vnet2 get Port vnet2 \
 -- --id=@m create Mirror name=mymirror select-dst-port=@vnet2 select-src-port=@vnet2 output-port=@vnet0
b74eaf43-92ca-48f5-9fe6-9a561a9937dd // the mirror id

#ovs-vsctl list Bridge br0
_uuid : e3e03141-9754-489b-b4b8-17de2f063b44
controller : []
datapath_id : "0000009c029752bd"
datapath_type : ""
external_ids : {}
fail_mode : []
flood_vlans : []
flow_tables : {}
mirrors : [b74eaf43-92ca-48f5-9fe6-9a561a9937dd] // The mirror id is the one shown after the previous command

I checked that as soon as the mirror was set, my tcpdump started showing traffic sent to my firewall, so that’s exactly what I wanted 😀

If you want to stop the mirror you can use:

# ovs-vsctl clear Bridge br0 mirrors
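Getting the select and output ports the wrong way round is easy, and `ovs-vsctl list Bridge` only shows UUIDs, so it is worth reading the mirror back by port name after creating it. The script below is an added example (mine, not from the post or from Open vSwitch) that wraps the creation above in an idempotent function and resolves the mirror's port UUIDs to names. Bridge and port names are the post's (br0, vnet2 for the firewall, vnet0 for the IDS); `OVS_VSCTL` lets the functions be pointed at a stub for a dry run, which the test uses since it has no switch.

```shell
#!/bin/sh
# Added example, not part of the original post or of Open vSwitch.
# Creates a port mirror for an IDS and reads it back with port names so the
# direction (watched port vs. output port) can be verified.

OVS_VSCTL=${OVS_VSCTL:-ovs-vsctl}   # override with a stub for a dry run

# ovs_mirror_create BRIDGE WATCHED_PORT IDS_PORT [NAME]
# Copies every frame received on or sent to WATCHED_PORT onto IDS_PORT.
# "set Bridge ... mirrors=@m" replaces the bridge's mirror set, as in the post.
ovs_mirror_create() {
    bridge=$1 watched=$2 ids=$3 name=${4:-mymirror}
    if [ -n "$("$OVS_VSCTL" --bare --columns=name find Mirror name="$name")" ]; then
        echo "mirror '$name' already exists, leaving it alone" >&2
        return 0
    fi
    "$OVS_VSCTL" -- set Bridge "$bridge" mirrors=@m \
        -- --id=@w get Port "$watched" \
        -- --id=@i get Port "$ids" \
        -- --id=@m create Mirror name="$name" \
           select-src-port=@w select-dst-port=@w output-port=@i
}

# port_name UUID -> name of the Port record with that UUID
port_name() {
    "$OVS_VSCTL" --bare --columns=name list Port "$1"
}

# ovs_mirror_show NAME -> prints "watched=<port...> output=<port>"
ovs_mirror_show() {
    name=$1
    # select_src_port is a set of UUIDs (space separated in bare output);
    # output_port is a single UUID or empty
    src=$("$OVS_VSCTL" --bare --columns=select_src_port list Mirror "$name")
    out=$("$OVS_VSCTL" --bare --columns=output_port list Mirror "$name")
    watched=
    for u in $src; do
        watched="$watched${watched:+ }$(port_name "$u")"
    done
    outname=
    if [ -n "$out" ]; then outname=$(port_name "$out"); fi
    printf 'watched=%s output=%s\n' "$watched" "$outname"
}

# usage, as root on the OVS host:
#   ovs_mirror_create br0 vnet2 vnet0   # watch the firewall, copy to the IDS
#   ovs_mirror_show mymirror            # expect: watched=vnet2 output=vnet0
```

If `ovs_mirror_show` reports the IDS port as watched and the firewall as output, the mirror is backwards; `ovs-vsctl clear Bridge br0 mirrors` removes it and `ovs_mirror_create` can be run again with the ports in the right order.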

Well, ovs-vsctl man page is full of info so if I find more interesting things I’ll let you know.