-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support port mirror for assigned Pods #3008
Comments
@leonstack Thanks for the detailed issue. Could you clarify why you propose to introduce a new bridge ( |
Hi, because the mirror function will forward the packets to the |
So, the assumption is users can manually add flows to the mirror bridge to filter packets? What you think about a solution of creating a DaemonSet or adding a separate container to the antrea-agent DS to create the mirror bridge and enable mirroring (e.g. using ovs-vsctl command)? In this way, we need not to change Antrea code for that. And what you think about ERSPAN for the use case? |
I guess you want to programmably control what Pods should be mirrored (with a CRD?), and so this way does not work. @leonstack |
@jianjuns Thanks for your reply. Yes, use ovs-vsctl command can do such thing, but not automaticlly enough, if pod failed and recreated on another host, the flows created on the old host won't work any more. With CRD, we can watch the pods' lifecycle, and keep the flows binding to the host which pod belong to, even the pod recreated on another host. I‘m not quite familiar with ERSPAN, seems it's based on GRE Tunnel, I think we can choose the network tunnel type to adapt any remote server (Of course, we need to take care of pod's MTU, too). |
@leonstack I was thinking about adding something similar to Antrea to support several use cases. Maybe it can meet your requirement too.
The capability itself is generic and could be used in many scenarios. In your use case, I think you could just create an OVS tunnel device on each node via a separate job, then create a CR to mirror specific traffic to that device, without touching the OpenFlow pipeline and OVS configuration much. Do you think it could work? BTW, I didn't plan to use an extra bridge and |
Yes, it can meet my requirement. After some consideration, filter the traffic seems useless, because mostly the pod is running for one progress, which bind to one port, so ignore this requirement. |
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days |
@leonstack Antrea v1.7.0 introduced a TrafficControl API as #3008 (comment) mentioned, could you see if it can meet your requirement? https://github.com/antrea-io/antrea/blob/main/docs/traffic-control.md |
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment, or this will be closed in 90 days |
Describe the problem/challenge you have
Some times we have a remote server wants to analyse the packets which translate from/to some pods, so we need to pass these packets to the server, and also won't break the original translation for the pod.
Describe the solution you'd like
br-int--br-mirror(on br-int) and br-mirror--br-int(on br-mirror)
ovs-vsctl add-port br-mirror tun -- set interface tun type=vxlan options:remote_ip=172.18.123.12
actions=output:tun
to send the packet to the remote server.Anything else you would like to add?
The text was updated successfully, but these errors were encountered: