- Feature
- Resolution: Unresolved
- Major
- 100% To Do, 0% In Progress, 0% Done
This Epic builds on top of the other Epic that adds OpenStack-relevant metadata to the NetObserv events sent from Dataplane nodes.
In addition to the flow events already reported in the OCP NetObserv Dashboard, this Epic will make it possible to see when OVN ACLs that implement OpenStack Security Groups are hit. For example, when an ACL drops a particular flow, the user will be able to see this event in the Dashboard, together with the name of the Security Group that blocked the access.
This Epic also builds on the work done by OVN-Kubernetes for the identical feature for Kubernetes workloads; it reuses components from the NetObserv project (ebpf agent, observability-lib), adapting them to pull metadata from the OpenStack OVN databases instead of the OVN-K databases.
- Even though there are ways to see what OVS/OVN is doing with a particular packet, there is no way to know why.
- Have OVN/OVS generate packet samples enriched with OVN metadata that can be easily correlated back to SDN-specific objects or other human-readable pieces of information, giving insight into what the SDN is doing with a packet and why.
  - Drop sampling
    - These samples will contain metadata that can be correlated to the specific place in the OVN pipeline where the drop took place (useful for debugging and support), plus human-readable explanations that can be shown to customers.
  - Network Policy Correlation
    - Network Policy correlation consists of OVN/OVS generating samples for traffic that goes through specific ACLs (i.e. Network Policies). These samples will contain enough information to correlate them back to the exact Network Policy or policies that the packet went through.
    - If there are multiple network policies in a service chain, policy correlation should be able to map out each network policy together with the node/endpoint information for its point of enforcement.
  - Sampling Enrichment
    - Enrichment for topology
    - Enrichment for network policy
NOTE: The sampling infrastructure for OVN relies on kernel datapath ebpf hooks producing netlink samples that are monitored by a consuming agent. This Epic follows that implementation, which means it does NOT cover scenarios where the kernel datapath is not used (DPDK). A separate design / Epic will be needed if we are interested in sampling NFV workloads.
A draft design document covering the possible Sampling integration with RHOSO can be found here: https://docs.google.com/document/d/1l5vHBiZvOLt8BMCQFQxxb_eUiqptRuv6PyGQ5Go5Tdg/edit. Please consult the document if you are working on any of the stories attached to this Epic. It does not cover all the necessary details, but it should be a good first guidance.
- clones: OSPRH-9186 NetObserv: Network Policy Correlation for Security Groups
- Refinement