Networks

A Check_MK plugin which is supplied as part of the standard install but not 'turned on' is the 'smart' agent. It is a plugin which resides on the target with hard-drives to be monitored. Temperatures and other useful statistics can be collected.

The plugin can be found in the share/check_mk/agents/plugins/ directory amongst a number of other useful plugins.

It needs to be copied to the /usr/lib/check_mk_agent/plugins/ directory on the target to be monitored.

In order to be useful, the 'smartmontools' package needs to be installed as a pre-requisite.

On one of my systems, I get output some output similar to:

SMART WDC_WD1003FZEX-00K3CA0_WD-WCC6Y3PN9XKC Stats
  OK - Powered on: 3529 hours, Power cycles: 51, Reallocated sectors: 0, 
  Reallocated events: 0 (was 0 during discovery: normalized value looks OK), 
  Spin retries: 0, Pending sectors: 0, UDMA CRC errors: 0
Temperature SMART WDC_WD1003FZEX-00K3CA0_WD-WCC6Y3PN9XKC
  OK - 30 °C

Values are charted as well.

To get at various hardware sensors like temperatures and voltages, it is typically necessary to install the 'lm-sensors' package. Once the package is installed, sensors can be auto-detected with:

sensors-detect --auto

A variation of that is:

yes | sensors-detect

At the end of the output, this will probably generate an output similar to:

To load everything that is needed, add this to /etc/modules:
#----cut here----
# Chip drivers
coretemp
#----cut here----

'modprobe coretemp' can be used to obtain instant gratification by loading the module interactively, instead of at the next reboot.

On a simple system, some values can be seen:

# sensors
acpitz-virtual-0
Adapter: Virtual device
temp1:        +27.8°C  (crit = +105.0°C)
temp2:        +29.8°C  (crit = +105.0°C)

coretemp-isa-0000
Adapter: ISA adapter
Package id 0:  +50.0°C  (high = +105.0°C, crit = +105.0°C)
Core 0:        +49.0°C  (high = +105.0°C, crit = +105.0°C)
Core 1:        +48.0°C  (high = +105.0°C, crit = +105.0°C)

For obtaining an output suitable for scraping by a check_mk agent, a different format can be emitted:

# sensors -u
acpitz-virtual-0
Adapter: Virtual device
temp1:
  temp1_input: 27.800
  temp1_crit: 105.000
temp2:
  temp2_input: 29.800
  temp2_crit: 105.000

coretemp-isa-0000
Adapter: ISA adapter
Package id 0:
  temp1_input: 49.000
  temp1_max: 105.000
  temp1_crit: 105.000
  temp1_crit_alarm: 0.000
Core 0:
  temp2_input: 48.000
  temp2_max: 105.000
  temp2_crit: 105.000
  temp2_crit_alarm: 0.000
Core 1:
  temp3_input: 48.000
  temp3_max: 105.000
  temp3_crit: 105.000
  temp3_crit_alarm: 0.000

While writing this article, a few interesting web sites were encountered:

• Arch Linux' Sensors Page
• Plugins for Check_MK
• Check_MK plugin: lmsensors: a place to which I need to return and try installing his plugin for more information display in Check_MK.
• Earlier Article I wrote doing something similar but different.

I use an app called 'psensor' for watching system temperatures in a chart form.

OMD is a collection of monitoring tools which include the Check_MK monitoring application. Check_MK is a series of Python scripts and agents designed to simplify the use of a Nagios based scanning engine.

I have a small server running Debian Buster. I have used LXC to build a container. I used the following command to build a container:

lxc-create -n omd  -f /var/lib/lxc/persist/omd/config -t debian -B btrfs -- -r stretch

I have a BTRFS filesystem mounted on /var/lib/lxc. the -B btrfs creates a BTRFS subvolume for the container, which allows snapshots and the like.

The config file looks something like:

# cat /var/lib/lxc/persist/omd/config 
# 20171015
# lxc-create -n omd  -f /var/lib/lxc/persist/omd/config -t debian -B btrfs -- -r stretch
lxc.utsname = omd
lxc.start.auto = 1
lxc.start.order = 5
lxc.start.delay = 1

lxc.network.type = veth
lxc.network.name = eth50
lxc.network.veth.pair = veth-omd-v50
lxc.network.hwaddr = 0a:00:40:50:00:xx
lxc.network.ipv4 = 10.0.10.201/24
lxc.network.ipv4.gateway = 10.0.10.254
lxc.network.script.up = /etc/lxc/ovsup.sh
lxc.network.script.down = /etc/lxc/ovsdn.sh
lxc.network.flags = up

I am using Open vSwitch to provide bridging capabilities to the container and its environs. This particular container, using the lxc.start.auto value, will auto-start when the host restarts.

Yesterday, I attempted to install the Buster version of OMD, but some package dependencies were stale (repository) , and since I didn't have time to troubleshoot that, I went with the stable Stretch version:

apt install nano bash-completion gnupg2 wget
wget --no-check-certificate https://labs.consol.de/repo/stable/RPM-GPG-KEY
apt-key add RPM-GPG-KEY
echo "deb http://labs.consol.de/repo/stable/debian stretch main" > /etc/apt/sources.list.d/labs-consol-stable.list
apt update
apt install omd

It is as easy as that.

To configure a monitoring instance:

omd setup
omd create site01
omd config site01
omd start site01
su - site01
nano etc/check_mk/main.mk

During the 'omd create site01' step, I select the Nagios 3 engine, and set the Check_MK interface as default.

The next experiment is to install the Raw Version and see how that differs.

Monitoring buffer queues has had a recent update on Cumulus running on Mellanox swtiches using watermark values to determine what happens during microbursts.

Also on the same site is a page devoted to documenting Buffer Queue Sizes in various switch lines.

I am more into nftables now-a-days (which just had release 0.8 in the last couple days), but maybe these iptables/xtaqbles thingies can be made to work in nftables:

• Xtables-Addons On Centos 6 & Iptables GeoIP Filtering
• search for 'tarpit nftables' and see if there is anything, it is an interesting sticky concept
• A series of Xtables-addons. It would be interesting which of them could be re-implemented with nftables functionality.

port number with port name:

# ovs-ofctl dump-ports-desc <ovs bridge>

dump flows:

# ovs-ofctl dump-flows <ovs bridge>

Dump OVSDB table:

# ovsdb-client dump 

Obtain schema of OVSDB:

# ovsdb-client get-schema --pretty

Some background info on OVSDB from Brent Salisbury's Blog: Getting Started with OVSDB As Introduction to Open vSwitch says:

Like OSPF, OpenFlow directly influences the forwarding behavior of a networking devices (albeit way differently than OSPF) but isn’t able to actually change the configuration of that device. OSPF cannot disable a router’s interface, or create a GRE tunnel, for instance. For that, we need a management plane protocol.

In the world of OVS, this role is filled by OVSDB. This allows us to use well-understood wire protocols (namely JSON-RPC) to send commands to an OVS instance to do things like create tunnels, turn on/off certain features, get configuration data, and more.

I have wondered about the 'tcp' vs 'ptcp' syntax. Well the answer:

“Manager” refers to an OVSDB client. The “ptcp::" syntax means that OVS is passively listening on that port and local address for incoming JSON-RPC data.

“Controller” refers to an OpenFlow controller. The “tcp:" syntax means that OVS proactively reaches out to a controller at that address to establish the relationship. (Standard port of 6633)

Redhat has an excellent entry on Open vSwitch: Overview of 802.1ad (QinQ) Support.

A key point raised is:

Enabling QinQ support in OVS is a simple configuration change. You must set the vlan-limit option to a value of 0 (unlimited) or 2. By default vlan-limit has a value of 1, which means only one VLAN tag will be inspected. This preserves backward compatibility with older OVS releases.

$ ovs-vsctl set Open_vSwitch . other_config:vlan-limit=2

The article continues with ovs-ofctl and ovs-vsctl examples.

I've been writing some OpenFlow Controller code to get a feel on how OpenFlow works. As I get into it, I've been wondering if what I want to do is quite correct. Open vSwitch has various extensions available, which may or may not be available via the OpenFlow standards. So writing code conforming to something like OF 1.4.1, will I be able to gain access to those extensions, or will I need to access Open vSwitch differently? Not sure. More research is needed. These links track some of that research.

First off, there are libraries in OVS for tracking BFD by watching a vswitch table. Also, there is an lldp encoder/decoder.

From an OpenFlow perspective, there is a tutorial called Open vSwitch Advanced Features, which shows, via the command line tools, how to use multiple flow tables to build a simple learning switch. That documentation makes reference to some extension files:

• include/openvswitch/meta-flow.h
• include/openflow/nicira-ext.h

So, the question is, how to make use of those extensions via an API? Support for that question may start at the Integration Guide for Centralized Control.

Design Decisions In Open vSwitch has various comments on: what a master sees vs a slave, talks about v1.4 bundles and transactions, clarification on vlan matching in the various versions, and talks extensively about in-band and out-band control.

The FAQ Using OpenFlow talks about: hidden flows and how to dump them, how to set out-of-band mode, how to get a list of port numbers as they associate to interface name, and how to adjust mtu on internal interfaces.

The General FAQ talks about the current standard ports as of OVS 2.4:

• 6653 (was 6633) - OpenFlow
• 6640 (was 6632) - OVSDB - which is what I need to investigate for the OVSDB protocol API

OVS with KVM talks about starting up a KVM guest and connecting it via a couple custom scripts to the network. libvirt can also play nicely with OVS.

Bash Completion is Available with

• ovs-appctl-bashcomp.bash
• ovs-vsctl-bashcomp.bash

Tracing explains how to test the series of flow table entries against a sample packet.

For each OpenFlow version, there is a separate header. The same directory has headers for extensions as well.

On the documentation page, some interesting entries:

• ovs-vswtichd.conf.db - describes the OVSDB tables - can flows be inserted via the flow table?
• ovs-vswitchd - desribes the primary service, and has detailed examples of related client commands ovs-ofctl, ovs-vsctl, ....
• ovs-fields - is an important document describing match and action fields, whether they are openflow standard or ncira extensions, and some are just OVS based.
• ovs-dbclient - can be used to dump tables in OVSDB - so use this to check flows once a controller has been activated

I found hints at Getting Started With OVSDB for getting JSON out of some of the command line utilities. It also alludes to an OVSDB method specification. It also talks about the ability to 'monitor', which is what I'm looking for from a BFD scenario (if I don't implement that myself from a packet_in / packet_out perspective).

I get closer by looking at All About the OVSDB Server by describing non OVS database uses.

That article references RFC 7047 which talks about the database generically. It says JSON is being used for the schema format and for the wire protocol format. So, by using looking into the tables and fields, it should be possible to come up with the appropriate JSON structures and commands to perform the necessary updates without the use of OpenFlow.

Understanding Hardware VTEPs shows some ways of composing and transmitting JSON via the command line to the database.

On the Presentations page, for troubleshooting, "OVS Deep Dive" and "Debugging OVS" are useful.

OVS-Cheat-Sheet has the following useful diagram:

+---------+ +-----------+                                                              
|ovs-ofctl| |sFlow Trend|                                                                         
+----^----+ +-----^-----+                                                                         
     |            |                                                                      Remote   
+-----------------------------------------------------------------------------------------------+   
     |            |                                                                               
     |      sFlow |                                                                               
     |            |  +---------+   +----------+             +---------+   +------------+          
     |            |  |ovs-dpctl|   |ovs-appctl|             |ovs-vsctl|   |ovsdb-client|          
     |            |  +----+----+   +------^---+             +-----+---+   +-------^----+          
     |            |       |     Command   |                       | Config        | DB operation  
     |            |  +----v---------------v--+ Unix socket   +----v---------------v-+             
     |            +--+                       +--------------->                      | 
     |OpenFlow       |    ovsdb-vswitchd     |               |     ovsdb-server     | +----------+
     +---------------+                       <---------------+                      | |ovsdb-tool|
                     +-----^------------+----+ Apply changes +------------^---------+ +----+-----+
                           |            |                                 |                |      
                           |            |                                 |                |      
                           |            |                           +-----v-----+          |      
            upcall(netlink)|            |netlink                    |   ovsdb   <----------+      
                           |            |                           +-----------+                 
+-----------------------------------------------------------------------------------------------+   
                           |            |                                           Kernel space      
                     +-----+------------v------+                                                  
                     |Openvswitch kernel module|                                                  
                     +-------------------------+          

Open vSwitch Cheat Sheet has another useful cheatsheet of commands.

Matt Oswalt has a couple of relevant OpenFlow related articles:

• Storage Traffic Magic with OpenFlow where he talks about a now defunct storage company Coho Storage using OpenFlow to steer requests and responses in and out of appropriate nodes by appropropriate mac address mangling.
• [SDN Protocols] Part 2 - OpenFlow Deep-Dive where he provides a good overview of OpenFlow tables, pipelines, write actions, action sets, as well as proactive vs reactive flow instantiation.

When getting into network discovery, Discovery in Software-Defined Networks talks about using LLDP (Link Layer Discovery Protocol) as well as BDDP (Broadcaset Domain Discovery Protocol) packets. BDDP packets can be used to discover non-LLDP responding switches, or switches not part of an SDN managed domain. The article suggests discovery packets on 5 second intervals.

mimosa: Mimosa Networks is a leading provider of 5G Fixed wireless solutions that enable service providers to connect dense urban and hard-to-reach rural homes at a fraction of the cost of fiber-to-the-premises solutions.

The WiFi Pineapple® NANO and TETRA are the 6th generation auditing platforms from Hak5. Thoughtfully developed for mobile and persistent deployments, they build on over 8 years of WiFi penetration testing expertise.

A confirmation that a bridge should be placed in the 'up' state in order to function properly.

This is (bridge) br0. Is it up or down? If it's down, the broadcasts for that port will be dropped and accounted.

A note on scaling networks (packet processing) in Linux:

In order to have multiple CPUs processing packets in parallel with the kernel datapath, you need multiple queues with their interrupts spread among all relevant CPUs. And in order to the NIC to spread the traffic to different queues, you need different streams (5-tuple). That is called RSS.

For example, stream A would go to queue#1 which is mapped to CPU#1 and stream B would go to queue#2 which is mapped to CPU#2 and so on.

That is how Linux kernel works in general (as standalone NIC, or using Linux bridge or OVS). Here is a doc explaining it in more details:

Linux Kernel Docs for Scaling -- with RSS (Receive Side Scaling), among other concepts, explained.

This is an easy combination, but a quick google didn't surface a succinct entry, so for my own documentation, here is what I use:

Add a bridge:

ovs-vsctl add-br br0

Add a physical port to the bridge, which defaults to 802.1q trunk mode:

ovs-vsctl add-port br0 eno1

Allow and make use of a designated untagged VLAN:

ovs-vsctl set port eno1 vlan_mode=native-untagged

Designate which vlan is untagged:

ovs-vsctl set port eno1 tag=20

Specify which VLANs are trunked and allowed:

ovs-vsctl set port eno1 trunks=10,30,50,60

A short form diagnostic command:

# ovs-vsctl list port eno1
_uuid               : 579b2c91-ad26-4ba0-bdcc-172c18daae80
bond_active_slave   : []
bond_downdelay      : 0
bond_fake_iface     : false
bond_mode           : []
bond_updelay        : 0
external_ids        : {}
fake_bridge         : false
interfaces          : [bfec126c-375c-435e-9fae-3b71d513724b]
lacp                : []
mac                 : []
name                : "eno1"
other_config        : {}
qos                 : []
rstp_statistics     : {}
rstp_status         : {}
statistics          : {}
status              : {}
tag                 : 20
trunks              : [10, 30, 50, 60]
vlan_mode           : native-untagged


A longer form diagnostic command:

# ovs-vsctl list interface eno1
_uuid               : bfec126c-375c-435e-9fae-3b71d513724b
admin_state         : up
bfd                 : {}
bfd_status          : {}
cfm_fault           : []
cfm_fault_status    : []
cfm_flap_count      : []
cfm_health          : []
cfm_mpid            : []
cfm_remote_mpids    : []
cfm_remote_opstate  : []
duplex              : full
error               : []
external_ids        : {}
ifindex             : 2
ingress_policing_burst: 0
ingress_policing_rate: 0
lacp_current        : []
link_resets         : 1
link_speed          : 100000000
link_state          : up
lldp                : {}
mac                 : []
mac_in_use          : "4c:72:b9:4b:16:5c"
mtu                 : 1500
mtu_request         : []
name                : "eno1"
ofport              : 1
ofport_request      : []
options             : {}
other_config        : {}
statistics          : {collisions=0, rx_bytes=62197532, rx_crc_err=0, rx_dropped=0, rx_errors=0, rx_frame_err=0, rx_over_err=0, rx_packets=92875, tx_bytes=30437234, tx_dropped=0, tx_errors=0, tx_packets=86960}
status              : {driver_name="r8169", driver_version="2.3LK-NAPI", firmware_version=""}
type                : ""


A short, all-in-one lcommand for adding an internal access port:

ovs-vsctl add-port ovsbr0 vlan40 tag=40 -- set Interface vlan40 type=internal
                           

With the release of FRRouting Protoocol Suite, a wide range of networking abilities become possible. Some MPLS/LDP capabilities become available. But problem FRR's power comes with it's implementation of EVPN based upon BGP MPLS-Based Ethernet VPN. This RFC refers to Requirements for Ethernet VPN (EVPN).

The FRR implementation of EVPN uses VXLAN as the underlying encapsulation mechanism.

The first details I saw of EVPN in FRR was from RIPE 74 Presentations site. Slides 15 through 18 discuss some features. EVPN route types 2, 3 (L2 EVPN overlay), and 5 (segment routing) are supported.

Other documents:
• Major Changes as listed on the FRR github wiki.
• EVPN: Intro to next gen L2VPN has some L2VPN comparisons, provides some terminology, and some high level examples for split horizon, multicast, and aliasing.
• BGP EVPN VXLAN from Cumulus, a good high level review with some console examples
• Vincent Bernat: VXLAN BGP EVPN with Cumulus covers some interop examples with Juniper and GoBGP. The same thing on Vincent Bernat's Website.
• MC-LAG is dead, Long Live EVPN Multi-Homing is an article from Juniper describing how the ESI attribute of EVPN is used to multi-home a CPE to two or more devices. I wonder if that works in FRR? Some more related material, with extracts from the RFC can be found at EVPN Technologies.
• FRR VRF: in issue 483, a small example for MP-BGP and VRF-lite. Some mailing list talk on BGP VRF processing handling.
• VRF Docs in the kernel doc directory.
• Sam Russell MPLS Test Bed on kernel 4.3
• Rick Mur's take on RFC 7432 from a Juniper perspective.
• Patch Work version of the BGP VRF processing handling discussion. Patchwork has been replaced by github.

Side Tracks:
• Segment Routing ipv6 introduced in kernel v4.10.
• Kernel Implementation: more info

Following on from my previous post on building a FRR package series, this provides the process for installing an FRR (Free Range Routing) package. Some content is taken from Building_FRR_on_Debian8.md.

# update/upgrade existing packages
sudo apt update
sudo apt upgrade

# install a few necessary packages
sudo apt install iproute libc-ares2  libjson-c3

# install frr (users and groups installed via the package)
sudo dpkg -i frr_3.1-dev_amd64.deb

# create empty frr configuration files
sudo install -m 755 -o frr -g frr -d /var/log/frr
sudo install -m 775 -o frr -g frrvty -d /etc/frr
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/zebra.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/bgpd.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/ospfd.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/ospf6d.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/isisd.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/ripd.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/ripngd.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/pimd.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/ldpd.conf
sudo install -m 640 -o frr -g frr /dev/null /etc/frr/nhrpd.conf
sudo install -m 640 -o frr -g frrvty /dev/null /etc/frr/vtysh.conf

Enable routing by setting the following in /etc/sysctl.conf, then running 'sysctl -p'

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Configuration files can then be edited as appropriate, then the services started with:

sudo systemctl start frr

Basic instructions for building Debian packages for FRR (Free Range Routing), a fork of Quagga, can be found in the github repository as Building FRR on Debian 8 from Git Source.

# update/upgrade existing packages
apt update
apt upgrade

# install necessary packages
apt install \
 libsystemd-dev \
 linuxdoc-tools \
 build-essential \
 debhelper \
 git autoconf automake libtool make gawk \
 libreadline-dev texinfo libjson-c-dev pkg-config bison flex \
 python-pip libc-ares-dev python3-dev

# install newer pytest (>3.0) from pip
pip install pytest

# add frr groups and user (not sure if this step is actually needed)
addgroup --system --gid 92 frr
addgroup --system --gid 85 frrvty
adduser --system --ingroup frr --home /var/run/frr/  \
  --gecos "FRR suite" --shell /bin/false frr
usermod -a -G frrvty frr

# download source for master
git clone https://github.com/FRRouting/frr.git frr

# prepare build files
cd frr
./bootstrap.sh

# invoke debian package builder
dh binary-arch

As of this writing, the following packages are built, with the first being the one of interest:

frr_3.1-dev_amd64.deb
frr-dbg_3.1-dev_amd64.deb
frr-dbgsym_3.1-dev_amd64.deb

gcc -v for debian/stretch yields:

gcc version 6.3.0 20170516 (Debian 6.3.0-18)

From demystifying openvswitch (with the slide deck showing some interesting edit shortcuts with virsh, and slide 13 may be incorrect as trunk is default):

• ovs-vsctl: Set up, maintain, and inspect various openvswitch configurations. It provides a high level interface to the database to query and apply changes at run time. Operations are persistent across reboot. Example: ovs-vsctl --format=table --column=name,vlan_mode
• ovs-ofctl, ovs-dpctl: Administer and monitor flow entries. Two kinds of flows: openflows (flows managed at control plane) and datapath (kernel flow, cached version of openflow). ovs-ofctl speaks to openflow module. ovs-dpctl talks to kernel module.
• ovs-appctl: Sends commands to a running openvswitch to gather information which is not directly exposed to ovs-ofctl -- the Swiss Army knife of openflow troubleshooting. Example: ovs-appctl vlog/list, ovs-appctl vlog/set module(:facility(:level)) where level is emer, err, warn, info, dbg
• ovsdb-client: query the ovs database. Example: ovsdb-lient list-tables, ovsdb-client list-columns , ovsdb-client monitor --detach
• ovsdb-tool showlog

openvswitch deep dive on slide 14 and 15, shows relationship between commands and the daemons.