|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * network_observability/configuring-operator.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="network-observability-SR-IOV-config_{context}"] |
| 7 | += Configuring virtual machine (VM) secondary network interfaces for Network Observability |
| 8 | +You can observe networking patterns on an OpenShift Virtualization setup by identifying eBPF-enriched network flows coming from VMs that are connected to additional network interfaces. |
| 9 | +// NOTE to tech review: |
| 10 | +// do we need to mention anything about CNI here? I noted this in our convo, but I'm not sure if its relevant in the context of this procedure. Maybe its a prerequisite? |
| 11 | +// You can identify network flows coming from virtual machines connected to additional network interfaces that are using the Network Observability CNI plugin. |
| 12 | + |
| 13 | + |
| 14 | +.Prerequisites |
| 15 | +* Access to an {product-title} cluster with an additional network interface, such as a secondary interface or an L2 network. |
| 16 | +* Any other prerequisites? |
| 17 | + |
| 18 | +.Procedure |
| 19 | +. Get information about the virtual machine by running the following command. This information is used in Step 2: |
| 20 | ++ |
| 21 | +[source,terminal] |
| 22 | +---- |
| 23 | +oc get network-attachment-definitions.k8s.cni.cncf.io/netdevice67619-1 -o yaml |
| 24 | +---- |
| 25 | +// NOTE to tech review: |
| 26 | +// does any of this need to be anonymized for the customer? Or made to a <user_replaceable_value>? and is it necessary to use a different oc get command for different interfaces? Like I know the one above is from Mehul's SR-IOV example. But then in the QE test, its `$ oc get pod/virt-launcher-test-vm1-bsfb4 -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/network-status}' | jq`. I can split this up and put both, but just not sure and want to verify. |
| 27 | +. Investigate each additional network interface to find relevant pod annotations. These annotations differ depending on the kind of network interface you have: |
| 28 | +.. For SR-IOV, look for the annotated fields: |
| 29 | ++ |
| 30 | +[source,yaml] |
| 31 | +---- |
| 32 | +apiVersion: k8s.cni.cncf.io/v1 |
| 33 | +kind: NetworkAttachmentDefinition |
| 34 | +metadata: |
| 35 | + annotations: |
| 36 | + k8s.v1.cni.cncf.io/resourceName: openshift.io/netpolicy67619 |
| 37 | + creationTimestamp: "2024-10-03T20:40:48Z" |
| 38 | + generation: 1 |
| 39 | + name: netdevice67619-1 |
| 40 | + namespace: openshift-sriov-network-operator |
| 41 | + resourceVersion: "159492" |
| 42 | + uid: 13131f06-e7b1-4b42-8d95-ac7c53e908cb |
| 43 | +spec: |
| 44 | + config: |- |
| 45 | + { |
| 46 | + "cniVersion": "1.0.0", |
| 47 | + "name": "netdevice67619-1", <1> |
| 48 | + "type": "sriov", |
| 49 | + "vlan": 0, |
| 50 | + "vlanQoS": 0, |
| 51 | + "logLevel": "info", |
| 52 | + "ipam": { |
| 53 | + "type": "static", |
| 54 | + "addresses": [ |
| 55 | + { |
| 56 | + "address": "192.168.122.71/24" <2> |
| 57 | + } |
| 58 | + ] |
| 59 | + } |
| 60 | +---- |
| 61 | +<1> Name of the virtual virtual machine connected to the additional network interface. |
| 62 | +<2> The MAC address to identify the virtual machine. |
| 63 | + |
| 64 | +.. For L2, look for the annotated fields: |
| 65 | ++ |
| 66 | +[source,yaml] |
| 67 | +---- |
| 68 | + # ... |
| 69 | + { |
| 70 | + "name": "ovn-kubernetes", |
| 71 | + "interface": "eth0", |
| 72 | + "ips": [ |
| 73 | + "10.129.2.39" |
| 74 | + ], |
| 75 | + "mac": "0a:58:0a:81:02:27", |
| 76 | + "default": true, |
| 77 | + "dns": {} |
| 78 | + }, |
| 79 | + { |
| 80 | + "name": "my-vms/l2-network", <1> |
| 81 | + "interface": "podc0f69e19ba2", |
| 82 | + "mac": "02:fb:f8:00:00:12", <2> |
| 83 | + "dns": {} |
| 84 | + } |
| 85 | + # ... |
| 86 | +---- |
| 87 | +<1> The name of the virtual machine connected to the additional network interface. |
| 88 | +<2> The MAC address to identify the virtual machine. |
| 89 | + |
| 90 | +. Configure `FlowCollector` based on the information you found from the additional network investigation. |
| 91 | ++ |
| 92 | +[source,yaml] |
| 93 | +---- |
| 94 | +apiVersion: flows.netobserv.io/v1beta2 |
| 95 | +kind: FlowCollector |
| 96 | +metadata: |
| 97 | + name: cluster |
| 98 | +spec: |
| 99 | +# ... |
| 100 | +ebpf: |
| 101 | + privileged: true <1> |
| 102 | + processor: |
| 103 | + advanced: |
| 104 | + secondaryNetworks: |
| 105 | + - index: |
| 106 | + - MAC "02:fb:f8:00:00:12" <2> |
| 107 | + - IP "192.168.122.71/24" <3> |
| 108 | + name: my-vms/l2-network <4> |
| 109 | +# ... |
| 110 | +---- |
| 111 | +<1> Ensure that the ebpf agent is in `privileged` mode so that the flows are enriched according to the MAC address. |
| 112 | +<2> If your additional network information has a MAC address, specify add it here. |
| 113 | +<3> If your additional network information has an IP address, specify add it here. |
| 114 | +<4> Specify the name of the virtual machine. |
| 115 | + |
| 116 | +. Ping from one VM to another for secondary interface IP |
| 117 | + |
| 118 | +.Verification |
| 119 | +. Navigate to Netflow traffic page, Filter by *Source* IP the 10.10.10.15. |
| 120 | +. View both *Source* and *Destination* fields should enriched identifying VM Pods and VM as Owners |
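Review bot: the FlowCollector example in step 3 is mis-indented: `ebpf:` and `processor:` sit at column 0 directly under `spec:`, so neither is part of the spec, and `processor` ends up nested under `ebpf`; re-indent both as children of `spec` (with `ebpf` under the agent section where the CRD places it) and check whether `index` expects bare field names rather than combined entries like `- MAC "02:fb:f8:00:00:12"`, which YAML reads as one string. The callouts also mislabel what they point at: in the SR-IOV block `<2>` calls `"address": "192.168.122.71/24"` a MAC address when it is an IP, and `<1>` describes the NAD `name` as the name of the "virtual virtual machine" (duplicated word, and the field is the NetworkAttachmentDefinition name, not the VM); in step 3, `<2>` and `<3>` read "specify add it here", and `<4>` says the VM name where the value shown is the network name `my-vms/l2-network`. Before merge, resolve the placeholders left in the text: "Any other prerequisites?", the two "NOTE to tech review" comments, the bare `oc get` on a hard-coded `netdevice67619-1` without a user-replaceable value, the one-line step 4 "Ping from one VM to another for secondary interface IP", and the verification filter on `10.10.10.15`, which matches none of the addresses used earlier in the procedure.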