Turns out that when I rebooted my boxes, nothing worked. I debugged the issue back to OpenVSwitch.
The problem is definitely the provider bridge on the Controller / Network node.
I *think* the problem is that I am using only a single interface on the Virtual Machine, and using that same interface for two purposes:
1. vxlan tunneling to OpenStack virtual machines (via the br-tun OpenVSwitch managed bridge.)
2. internet connectivity (via the br-provider OpenVSwitch managed bridge)
I have to verify this, but that is the hunch.
I have backed out OpenVSwitch once again, reverted back to linuxbridge-agent, and more research to follow.
NOTE: To use two interfaces on the VM means quite a bit of work. The interface ens3 on the VM connects to a bridge that connects to an adaptor on the host. I probably need to use two adaptors on the host, and I probably need additional network(s) created, which has routing implications.
Essentially it's a network redesign - or, we could say, expansion.
Thursday, December 7, 2017
What to do if your VM won't boot
After I made a bunch of changes to OpenVSwitch (see last post), I rebooted my VM and it just hung with a "random init crng" message. The last thing it did was bring up a network interface ens3 before this message appeared. I assumed it was trying to start networking, and was waiting for a timeout.
I waited for what seemed like an eternity...5 minutes? 10? Longer? And a prompt came up. I saw little to nothing in the logs, so I became concerned. How would I debug this if I have to wait that long every time I reboot?
I found a few nifty tricks to get you out of a jam if you're virtual machine won't boot.
First, if the VM will come up at all, you can enable "system-debug" with systemctl:
# systemctl enable system-debug
This service allows you to connect on tty9 to the VM as it is booting. On a virtual machine, you typically need to "send" a command to get to this terminal. So on KVM, there is a "Send Command" option and you can send keystroke commands to the VM (i.e. Ctl-Alt-Backspace, Ctl-Alt-F1...F9, et al). This proved to be quite handy, and a sense of relief that I could actually get inside of the VM - especially if you have not snapshotted it or backed it up.
If you need to do more, or go further, you may need to interrupt the boot process and edit the line in the grub config file. For Red Hat users, here is a link to a page that gives some direction on how to get into debug mode for a virtual machine.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-terminal_menu_editing_during_boot
I waited for what seemed like an eternity...5 minutes? 10? Longer? And a prompt came up. I saw little to nothing in the logs, so I became concerned. How would I debug this if I have to wait that long every time I reboot?
I found a few nifty tricks to get you out of a jam if you're virtual machine won't boot.
First, if the VM will come up at all, you can enable "system-debug" with systemctl:
# systemctl enable system-debug
This service allows you to connect on tty9 to the VM as it is booting. On a virtual machine, you typically need to "send" a command to get to this terminal. So on KVM, there is a "Send Command" option and you can send keystroke commands to the VM (i.e. Ctl-Alt-Backspace, Ctl-Alt-F1...F9, et al). This proved to be quite handy, and a sense of relief that I could actually get inside of the VM - especially if you have not snapshotted it or backed it up.
If you need to do more, or go further, you may need to interrupt the boot process and edit the line in the grub config file. For Red Hat users, here is a link to a page that gives some direction on how to get into debug mode for a virtual machine.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-terminal_menu_editing_during_boot
Tuesday, December 5, 2017
OpenStack and OpenVSwitch - Round II
Yesterday I installed OpenVSwitch in conjunction with OpenStack and was excited to see that it worked - first time - after I installed and configured it.
To review, there are two compute nodes. These are NOT virtual machines; they are kvm / libvirtd machines (each kvm host is a compute node). And there is one OpenStack Controller that IS a virtual machine, and this virtual machine also serves as the OpenStack Network node (it is common to see the Controller and Network node separated, but I run them on the same VM).
The two OpenStack Compute Nodes appear to be working perfectly. Each of these has two bridges:
1. br-tun - used for tunneling to the controller
2. br-int - used as an integration hub (virtual patch cords between bridges)
The Controller node, however, is a bit different in that it needs to have an additional bridge called br-provider. This bridge connects out to the internet.
I am taking this architecture STRAIGHT out of the OpenStack documentation (I am running Newton but these diagrams are also identical and present in the Ocata release of OpenStack), which is at this website: https://docs.openstack.org/newton/networking-guide/deploy-ovs-selfservice.html
Having it this way can be difficult in some ways. For instance, I have to run an OpenVSwitch Agent on this Network Node - and this is not well-documented (documentation leads you to believe you only need the linuxbridge agent or openvswitch agent on the Compute Nodes). Another issue with this is that there are ports (tap) for every dhcp agent, and every instance, which gets confusing when you look at your OpenVSwitch and see all of these, with these cryptic names beginning in qr, qq, etc. You don't always know which is which and where to start debugging.
Anyway...I had a VERY difficult time getting OpenVSwitch to work. The first issue I had was that the bridges in OpenVSwitch did not seem to have the right interfaces. This was a configuration issue. Another issue had to do with the br-provider bridge. I actually thought I should put those on the Compute Nodes even though the diagram did not have those. I didn't understand why the Compute Nodes could not go straight out - and why they needed to be tunneled over to the Controller / Network nodes, which seemed like a huge unnecessary performance hit.
But the MAIN issue I had was that once configured and after I instantiated virtual machine instances, they would come up but without an IP Address. I set the instantiated VM's IP Address statically, and lo and behold, it could communicate just fine. This told me that the issue was DHCP; that the VMs were not getting an IP Address via DHCP. At least I knew, but this concerned me because it did not seem like it would be easy to debug or fix (it wasn't).
2. I checked the dhcp agent services. They were running. I checked the logs. They looked okay. I also did the same for the l3 agent.
3. I then mentioned this to my boss, and he suggested that the OpenVSwitch was not handling broadcast messages. He suggested I trace the broadcast by checking the endpoints and working in from there.
This led to me having to go into the namespaces with "ip netns exec". What I found was that the interfaces inside of the namespaces had "@" characters in the names, making it difficult to run tcpdump.
I finally ran across the ovs-testing package, which has some utilities such as ovs-tcpdump that help debug bridges and interfaces inside the switch. When I did this, I found the broadcast traffic reaching the OpenStack Controller.
Finally - I realized that I needed to DELETE the dhcp agents and RECREATE them. The original agents were created when the networks were created, using the linuxbridge. Apparently switching to OpenVSwitch rendered these agents inoperable. They could not "adapt" to that change. So - I deleted those dhcp agents, OpenStack recreated them, and now things are working just fine.
Monday, November 27, 2017
Elasticity and Autoscaling - More Testing
Today I went back and did some further testing on AutoScaling.
Here are some new things that I tested:
1. Two Scaling policies in a single descriptor.
It does no good to have "just" a Scale Out, if you don't have a corresponding "Scale In"!
You cannot have true Elasticity without the expansion and contraction - obviously - right?
So I did this, and this parsed just fine, as it should have.
I also learned you can put these scaling directives in different levels of descriptors - like the NSD. If you do this, I presume that what will happen is that it will factor in all instances across VNFMs. But I did not test this.
2. I tested to make sure that the scaling MAXED OUT where it should.
If cumulative average CPU across instances was greater then 35% CPU, then the SCALE_OUT 3 would take affect. This seemed to work. I started with 2 instances, and as I added load to CPUs to boost the cum average up, it would scale out 3 - and then scale out 3 more for a total of 8 no matter what load was on the CPUs. So it maxed out at 8 and stayed put. This test passed.
I was curious to see if the engine would instantiate one VM at a time, or would it instantiate in bunches of 3 (per the descriptor), or would it actually just instantiate up to the max (which would be errant behavior). Nova in OpenStack staggers the instantiations so it APPEARS to look like it is doing one at a time up to three (i.e. 1-1-1), at which point re-processing may kick off another series of 1-1-1. So this is probably to-be-expected behavior. The devil is in the details when it comes to the Orchestrator, OpenStack, and the OpenStack Nova API in terms of whether it is possible and to what extent you can instantiate VMs simultaneously.
When a new VM comes up, it takes a while for it to participate in measurements. The scaling engine would actually skip the interval due to a "measurements received less than measurements requested" exception and only start evaluating things until and unless it had all of the VMs reporting in measurements that were expected. I have to think about whether I like this or not.
3. Elasticity Contraction - by using SCALE_IN_TO parameter.
I set things up so that it would scale in to 2 instances - to ensure at least two instances would always be running. I would do this when cumulative average CPU was less than 15% CPU across instances.
This test, actually, failed. I saw the alarm get generated, and I saw the engine attempting to scale in, but some kind of decision-making policy was rejecting the scale in "because conditions are not met".
We will need to go into the code and debug this, and see what is going on.
Here are some new things that I tested:
1. Two Scaling policies in a single descriptor.
It does no good to have "just" a Scale Out, if you don't have a corresponding "Scale In"!
You cannot have true Elasticity without the expansion and contraction - obviously - right?
So I did this, and this parsed just fine, as it should have.
I also learned you can put these scaling directives in different levels of descriptors - like the NSD. If you do this, I presume that what will happen is that it will factor in all instances across VNFMs. But I did not test this.
2. I tested to make sure that the scaling MAXED OUT where it should.
If cumulative average CPU across instances was greater then 35% CPU, then the SCALE_OUT 3 would take affect. This seemed to work. I started with 2 instances, and as I added load to CPUs to boost the cum average up, it would scale out 3 - and then scale out 3 more for a total of 8 no matter what load was on the CPUs. So it maxed out at 8 and stayed put. This test passed.
I was curious to see if the engine would instantiate one VM at a time, or would it instantiate in bunches of 3 (per the descriptor), or would it actually just instantiate up to the max (which would be errant behavior). Nova in OpenStack staggers the instantiations so it APPEARS to look like it is doing one at a time up to three (i.e. 1-1-1), at which point re-processing may kick off another series of 1-1-1. So this is probably to-be-expected behavior. The devil is in the details when it comes to the Orchestrator, OpenStack, and the OpenStack Nova API in terms of whether it is possible and to what extent you can instantiate VMs simultaneously.
When a new VM comes up, it takes a while for it to participate in measurements. The scaling engine would actually skip the interval due to a "measurements received less than measurements requested" exception and only start evaluating things until and unless it had all of the VMs reporting in measurements that were expected. I have to think about whether I like this or not.
3. Elasticity Contraction - by using SCALE_IN_TO parameter.
I set things up so that it would scale in to 2 instances - to ensure at least two instances would always be running. I would do this when cumulative average CPU was less than 15% CPU across instances.
This test, actually, failed. I saw the alarm get generated, and I saw the engine attempting to scale in, but some kind of decision-making policy was rejecting the scale in "because conditions are not met".
We will need to go into the code and debug this, and see what is going on.
Thursday, November 23, 2017
Ubiquiti Edge Router ER-X - Impressive
I just love this router.
- The icon on the top that shows colorized ethernet plugs (colorization related to status). Cool.
- It was sooooo easy to configure it.
- It has a shell that takes you into Ubuntu Linux (uses Ubuntu = impressive). I'm not even sure it is using BusyBox or some slimmed down quasi-linux. It looks like a custom compile of Ubuntu.
- One cool feature is that it can support link aggregation. I am not using that feature, but it's cool.
- Has excellent support for IPv6.
It can also automatically switch the ports on the router so that you don't need a L3 switch to go with it.
So for example, you can set up:
- eth0 as the management port
- eth1 as the WAN port, and
- eth2, eth3 and eth4 are switched so that anything plugged into these are on the same network (you defined the network).
I have it set up with a hairpin NAT, and the firewall rules configured on it are rather trivial at the moment but designed to protect ingress through iptables rules.
This is truly a "power user" routing device, and it can fit into the palm of your hand; it is no bigger than a Raspberry Pi device.
This router also comes with some interesting Wizards that allow you to configure the router for certain use cases, like the WAN+LAN wizard.
So I have not done anything in-depth, but I spent an hour messing around with this device and I'm pretty impressed with it.
Security - Antivirus specifically
My McAfee just expired on this computer and I am now getting a bunch of intrusive "buy me" pop-ups. I have never thought McAfee to be top of the line when it comes to Anti-Virus, but the question is, is anybody really stopping viri these days?
I have started to get smarter about Security. I went to RSA in 2016, and I bought a book on Exploits. This is very very hardcode book, and I have not managed to get through it all yet. It requires Assembler and C programming, and teaches you how hackers actually exploit code. I think once I finish this it will be awesome knowledge, and I am about halfway through it. I got pulled off of this due to the longer hours at work playing with virtualization and orchestration.
So - I am not current on malware. So I spent some time looking around this morning, reading anti-virus reviews.
It does not appear that there is much out there in the way of OpenSource AV. ClamAV looks like the only thing actively maintained. This is a bit of a surprise.
There are some free packages out there, but I am sure they probably nag you incessantly to buy or upgrade. The big question is this: Can you really trust FREE?
I also see some interesting Cloud-based packages out there that are working from outside your network. This would have been an absolute no-no for me in earlier times, but considering the danger of today's malware, maybe this kind of approach is worth re-examining, is good results are coming from it. One such company is Crystal Security.
I see some products like VoodooShield. And some new ones I had not previously encountered like GlarySoft Malware Hunter.
Of course, Kaspersky, ESET - these guys always get good reviews.
It is probably good to stay up to speed on this stuff. To take an hour here and there and stay current.
I have started to get smarter about Security. I went to RSA in 2016, and I bought a book on Exploits. This is very very hardcode book, and I have not managed to get through it all yet. It requires Assembler and C programming, and teaches you how hackers actually exploit code. I think once I finish this it will be awesome knowledge, and I am about halfway through it. I got pulled off of this due to the longer hours at work playing with virtualization and orchestration.
So - I am not current on malware. So I spent some time looking around this morning, reading anti-virus reviews.
It does not appear that there is much out there in the way of OpenSource AV. ClamAV looks like the only thing actively maintained. This is a bit of a surprise.
There are some free packages out there, but I am sure they probably nag you incessantly to buy or upgrade. The big question is this: Can you really trust FREE?
I also see some interesting Cloud-based packages out there that are working from outside your network. This would have been an absolute no-no for me in earlier times, but considering the danger of today's malware, maybe this kind of approach is worth re-examining, is good results are coming from it. One such company is Crystal Security.
I see some products like VoodooShield. And some new ones I had not previously encountered like GlarySoft Malware Hunter.
Of course, Kaspersky, ESET - these guys always get good reviews.
It is probably good to stay up to speed on this stuff. To take an hour here and there and stay current.
OpenBaton Fault Management and AutoScaling
It has been a while since I have taken any notes or blogged anything. That doesn't mean I haven't been doing anything, though. 😎
Over the last month or so I have been testing some of the more advanced features of OpenBaton.
- Fault Management
- Auto Scaling
- Network Slicing
These have taken time to test. I was informed by the development team that the "release" code was not suitable for the kind of rigorous testing I planned to do, and that I needed to use the development branch.
This led me down a road of having to familiarize myself with the "git" software management utility. I know git has been around for a while and silently crept in as almost a de-facto standard for code repository and source management. In many shops it has replaced the classic stalwart Clearcase, CVS, SVN and other software that has actually been in use for decades. Even in my own company's shop, they brought in a "git guy", and of course since that is the recipe he cooks, we now use that. But up to this point, I had not really had a need to do more than "git clone". Now - I am having to work with different branches, and as I said, this took some time. Git is fairly simple if you do simple things, but it is far more complex "under the hood" than it looks, especially if you are doing non-simple things with it. I could do a post just on git alone. I'm not an authority on it, but have picked up a few things - including opinions - on it (some favorable, some not).
The first thing I tested was Fault Management (FM). Fault Management is essentially the ability to identify faults and trigger actions around those faults. The actions can be an attempt to heal - or it can be an attempt to Scale, or it can be an attempt to fail-over based on a configured redundancy mechanism. The ETSI standard descriptors allow you to specify all of this. The interesting thing about FM in a virtualized context is that it gets into the "philosophy" of whether it makes sense to spend effort healing something, as opposed to just killing it and re-instantiating it. This is called the "Cattle vs Pets" argument. I think there ARE cases where you need to fix and heal VMs (Pets), but in most cases I think VMs can be treated as Cattle. When VMs are treated as Pets, the nodes are generally going to be important (i.e. they manage something important, as in a control plane or signaling plane element), and cannot just be taken down and re-instantiated due to load or function.
I then tested AutoScaling - or, using a better term, Elasticity. This allows a virtualized network to expand and contract based on real-time utilization. This feature took me a while to get working due to having to compile different modules of code from different moving-target git branches over and over until I could finally get some code that wanted to work, with slight modifications and patches. When I finally got this working, it was super cool to see this work. I could do a separate post on this feature alone. After I got it working I wound up helping some other guys in a German network integration company get the feature working.
Network Slicing has been more difficult to get to work. That is probably a separate post altogether, related and intertwined with QoS such topics.
Over the last month or so I have been testing some of the more advanced features of OpenBaton.
- Fault Management
- Auto Scaling
- Network Slicing
These have taken time to test. I was informed by the development team that the "release" code was not suitable for the kind of rigorous testing I planned to do, and that I needed to use the development branch.
This led me down a road of having to familiarize myself with the "git" software management utility. I know git has been around for a while and silently crept in as almost a de-facto standard for code repository and source management. In many shops it has replaced the classic stalwart Clearcase, CVS, SVN and other software that has actually been in use for decades. Even in my own company's shop, they brought in a "git guy", and of course since that is the recipe he cooks, we now use that. But up to this point, I had not really had a need to do more than "git clone". Now - I am having to work with different branches, and as I said, this took some time. Git is fairly simple if you do simple things, but it is far more complex "under the hood" than it looks, especially if you are doing non-simple things with it. I could do a post just on git alone. I'm not an authority on it, but have picked up a few things - including opinions - on it (some favorable, some not).
The first thing I tested was Fault Management (FM). Fault Management is essentially the ability to identify faults and trigger actions around those faults. The actions can be an attempt to heal - or it can be an attempt to Scale, or it can be an attempt to fail-over based on a configured redundancy mechanism. The ETSI standard descriptors allow you to specify all of this. The interesting thing about FM in a virtualized context is that it gets into the "philosophy" of whether it makes sense to spend effort healing something, as opposed to just killing it and re-instantiating it. This is called the "Cattle vs Pets" argument. I think there ARE cases where you need to fix and heal VMs (Pets), but in most cases I think VMs can be treated as Cattle. When VMs are treated as Pets, the nodes are generally going to be important (i.e. they manage something important, as in a control plane or signaling plane element), and cannot just be taken down and re-instantiated due to load or function.
I then tested AutoScaling - or, using a better term, Elasticity. This allows a virtualized network to expand and contract based on real-time utilization. This feature took me a while to get working due to having to compile different modules of code from different moving-target git branches over and over until I could finally get some code that wanted to work, with slight modifications and patches. When I finally got this working, it was super cool to see this work. I could do a separate post on this feature alone. After I got it working I wound up helping some other guys in a German network integration company get the feature working.
Network Slicing has been more difficult to get to work. That is probably a separate post altogether, related and intertwined with QoS such topics.
Subscribe to:
Posts (Atom)
SLAs using Zabbix in a VMware Environment
Zabbix 7 introduced some better support for SLAs. It also had better support for VMware. VMware, of course now owned by BroadSoft, has prio...
