Assign gateway IP to LB VIP would disrupt traffic

Bug #1391059 reported by Pauline Yeung
This bug affects 1 person

Affects      | Status       | Importance | Assigned to   | Milestone
neutron      | Fix Released | Undecided  | Pauline Yeung |

Bug Description

A neutron network directly connected to a hardware router will have a gateway IP which does not have a neutron port, while the gateway of a neutron network connected to a neutron router has a neutron port. In our production, there were multiple incidents when a user successfully configured a network gateway IP not associated with a neutron port as a load balancer VIP. In such a scenario, traffic from a VM destined outside the network may go to the LB VIP instead, and WAN traffic may not be able to reach VMs in this network.

Neutron server should not allow clients to configure a gateway IP as LB VIP, even if this gateway IP is not associated with a neutron port.

The following steps in devstack simulate our production scenario, in which the gateway of a neutron network does not have a port, using:
    ubuntu 14.04
    devstack master e6165e80bab0c06035a0b7002200bcbcfe4e62ab
    neutron master 49234a824c16164a56cbfbf644490d07bb22e241
    python-neutronclient master 9ed73c04aaaedcd8757d1f3ff99669276f069c72

$ neutron net-create net-test
Created a new network:
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | 5463f934-ed66-49b4-b4c6-2769ecd19b12 |
| name | net-test |
:

$ neutron subnet-create --name subnet-test net-test --enable_dhcp=True --gateway=10.33.101.129 10.33.101.128/25
Created a new subnet:
+-------------------+----------------------------------------------------+
| Field | Value |
+-------------------+----------------------------------------------------+
| allocation_pools | {"start": "10.33.101.130", "end": "10.33.101.254"} |
| cidr | 10.33.101.128/25 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.33.101.129 |
| host_routes | |
| id | fc1f55de-9c4d-4d2b-8934-e54690fd80f9 |
:

$ nova boot --image cc58808c-5f2c-4133-8177-4568d3e9ad83 --flavor m1.tiny --nic net-id=5463f934-ed66-49b4-b4c6-2769ecd19b12 vm-test-1
$ nova boot --image cc58808c-5f2c-4133-8177-4568d3e9ad83 --flavor m1.tiny --nic net-id=5463f934-ed66-49b4-b4c6-2769ecd19b12 vm-test-2
$ nova list
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| 6495b5e4-0bf0-45e4-b706-9b5939b3d035 | vm-test-1 | ACTIVE | - | Running | net-test=10.33.101.130 |
| 274c0da6-403e-42da-9d07-58022f298814 | vm-test-2 | ACTIVE | - | Running | net-test=10.33.101.132 |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+

$ neutron lb-pool-create --lb-method ROUND_ROBIN --name lb-test --protocol TCP --subnet-id fc1f55de-9c4d-4d2b-8934-e54690fd80f9
$ neutron lb-member-create --address 10.33.101.130 --protocol-port 80 lb-test
$ neutron lb-member-create --address 10.33.101.132 --protocol-port 80 lb-test
$ neutron lb-vip-create --name vip-test --address 10.33.101.129 --protocol-port 80 --protocol TCP --subnet-id fc1f55de-9c4d-4d2b-8934-e54690fd80f9 lb-test
$ neutron lb-vip-list
+--------------------------------------+----------+---------------+----------+----------------+--------+
| id | name | address | protocol | admin_state_up | status |
+--------------------------------------+----------+---------------+----------+----------------+--------+
| 95dbf2b6-205c-40de-a8a6-f8a7bc34ecda | vip-test | 10.33.101.129 | TCP | True | ACTIVE |
+--------------------------------------+----------+---------------+----------+----------------+--------+

For a neutron network whose gateway IP is associated with a neutron port, neutron raises an IpAddressInUse exception and does not allow the user to configure the gateway IP as an LB VIP, as this gateway IP is already used by another port.

$ neutron lb-vip-create --name vip-test --address 192.168.55.1 --protocol-port 80 --protocol TCP --subnet-id e609183f-c423-4916-be22-bbd2f981e534 lb-test
Unable to complete operation for network 5c614a70-ff72-48c4-a6e7-925df96e168c. The IP address 192.168.55.1 is in use.

neutron/db/db_base_plugin_v2.py

    def _test_fixed_ips_for_port(self, context, network_id, fixed_ips,
                                 device_owner):
        :
                if 'ip_address' in fixed:
                    # Ensure that the IP's are unique
                    if not NeutronDbPluginV2._check_unique_ip(context, network_id,
                                                              subnet_id,
                                                              fixed['ip_address']):
                        raise n_exc.IpAddressInUse(net_id=network_id,
                                                   ip_address=fixed['ip_address'])

Tags: api lbaas
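The report above shows why the port-based uniqueness check in `_test_fixed_ips_for_port` is not enough: when the gateway is a hardware router, no neutron port records the gateway IP, so `_check_unique_ip` passes and the VIP is created. The following is an added, self-contained model of that validation written for this page; it is not neutron or neutron-lbaas code. The `SUBNETS` and `PORT_IPS` tables are constructed from the ids and addresses in the devstack session, the `IpAddressInUse` class is a local stand-in for `n_exc.IpAddressInUse`, and the `block_gateway` flag is an assumption used only to contrast the pre-fix and post-fix behaviour. The CIDR membership check is also an assumption not discussed in the report. `find_gateway_vips` is an audit helper for finding VIPs that were already configured on a gateway address before the server-side check existed.

```python
import ipaddress


class IpAddressInUse(Exception):
    """Local stand-in for n_exc.IpAddressInUse; message text copied from the report."""

    def __init__(self, net_id, ip_address):
        self.net_id = net_id
        self.ip_address = ip_address
        super().__init__("Unable to complete operation for network %s. "
                         "The IP address %s is in use." % (net_id, ip_address))


# Constructed sample data modelled on the devstack session above; not a live neutron DB.
SUBNETS = {
    # subnet-test: gateway is a hardware router, so no neutron port holds 10.33.101.129
    "fc1f55de-9c4d-4d2b-8934-e54690fd80f9": {
        "network_id": "5463f934-ed66-49b4-b4c6-2769ecd19b12",
        "cidr": "10.33.101.128/25",
        "gateway_ip": "10.33.101.129",
    },
    # second subnet from the report: gateway 192.168.55.1 is owned by a neutron router port
    "e609183f-c423-4916-be22-bbd2f981e534": {
        "network_id": "5c614a70-ff72-48c4-a6e7-925df96e168c",
        "cidr": "192.168.55.0/24",
        "gateway_ip": "192.168.55.1",
    },
}

# Constructed: fixed IPs currently held by neutron ports, keyed by network id.
PORT_IPS = {
    "5463f934-ed66-49b4-b4c6-2769ecd19b12": {"10.33.101.130", "10.33.101.132"},
    "5c614a70-ff72-48c4-a6e7-925df96e168c": {"192.168.55.1", "192.168.55.10"},
}


def check_unique_ip(network_id, ip_address):
    """Port-based uniqueness test, the role _check_unique_ip plays in the excerpt above."""
    return ip_address not in PORT_IPS.get(network_id, set())


def validate_vip_address(subnet_id, address, block_gateway=True):
    """Reject a VIP address that a port already holds or (with the fix) that is the subnet gateway.

    block_gateway=False reproduces the pre-fix behaviour described in the report.
    """
    subnet = SUBNETS[subnet_id]
    network_id = subnet["network_id"]
    # Assumption: a VIP outside the subnet CIDR is also refused (not discussed on the page).
    if ipaddress.ip_address(address) not in ipaddress.ip_network(subnet["cidr"]):
        raise ValueError("%s is not in subnet %s" % (address, subnet["cidr"]))
    # Existing check: another neutron port already owns this IP.
    if not check_unique_ip(network_id, address):
        raise IpAddressInUse(net_id=network_id, ip_address=address)
    # Added check (the substance of the fix): the gateway IP is in use by the router
    # even when no neutron port records it.
    if block_gateway and address == subnet["gateway_ip"]:
        raise IpAddressInUse(net_id=network_id, ip_address=address)
    return address


def vip_create_outcome(subnet_id, address, block_gateway=True):
    """Return 'ACTIVE' when the VIP would be created, else the error message neutron prints."""
    try:
        validate_vip_address(subnet_id, address, block_gateway)
    except IpAddressInUse as exc:
        return str(exc)
    return "ACTIVE"


def find_gateway_vips(vips):
    """Audit helper: ids of existing VIPs whose address collides with their subnet's gateway.

    vips is an iterable of dicts with 'id', 'subnet_id' and 'address' keys (constructed shape).
    """
    return [v["id"] for v in vips
            if v["subnet_id"] in SUBNETS
            and v["address"] == SUBNETS[v["subnet_id"]]["gateway_ip"]]


if __name__ == "__main__":
    sub = "fc1f55de-9c4d-4d2b-8934-e54690fd80f9"
    print("pre-fix :", vip_create_outcome(sub, "10.33.101.129", block_gateway=False))
    print("post-fix:", vip_create_outcome(sub, "10.33.101.129"))
    print("audit   :", find_gateway_vips([
        {"id": "95dbf2b6-205c-40de-a8a6-f8a7bc34ecda", "subnet_id": sub, "address": "10.33.101.129"}]))
```

With `block_gateway=False` the hardware-router subnet accepts its own gateway as a VIP, exactly the state the `lb-vip-list` output above shows, while the router-port subnet is refused by the port check alone; with the gateway check in place both subnets refuse their gateway address and an ordinary pool address is still accepted.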
Pauline Yeung (yeungp) wrote :

Will check in a fix.

Changed in neutron:
assignee: nobody → Pauline Yeung (yeungp)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/133399

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (feature/lbaasv2)

Fix proposed to branch: feature/lbaasv2
Review: https://review.openstack.org/141120

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Henry Gessau (<email address hidden>) on branch: master
Review: https://review.openstack.org/133399
Reason: This needs to be re-proposed to the split-out neutron-lbaas project.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (feature/lbaasv2)

Change abandoned by Henry Gessau (<email address hidden>) on branch: feature/lbaasv2
Review: https://review.openstack.org/141120
Reason: Please re-propose to the neutron-lbaas repo.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lbaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/145877

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lbaas (master)

Reviewed: https://review.openstack.org/145877
Committed: https://git.openstack.org/cgit/openstack/neutron-lbaas/commit/?id=571fc0c56e51ae07c1d43f2c4c28c0f485412d70
Submitter: Jenkins
Branch: master

commit 571fc0c56e51ae07c1d43f2c4c28c0f485412d70
Author: Pauline Yeung <email address hidden>
Date: Thu Jan 8 10:37:35 2015 -0800

    Block subnet gateway IP to be used as LB VIP

    This fix raises an IpAddressInUse exception when subnet gateway IP is assigned
    to a loadbalancer VIP.

    For a neutron network that is connected to a hardware router, its subnet
    gateway IP address is not associated with a neutron port. But neutron allows
    user to set this gateway IP as a loadbalancer VIP. When both the router and LB
    VIP use the same IP address, traffic to and from the subnet may not reach its
    intended destination.

    Change-Id: I97fb0208f4178fad1a3c5c2a80604661817c448a
    Closes-Bug: 1391059

Changed in neutron:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-2 → 2015.1.0