Ipset Race Condition
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
Mirantis OpenStack | Status tracked in 10.0.x | |||||
10.0.x |
Invalid
|
High
|
Unassigned | |||
6.1.x |
Fix Released
|
High
|
Alexey Stupnikov | |||
7.0.x |
Fix Released
|
High
|
Alexey Stupnikov | |||
8.0.x |
Invalid
|
High
|
Unassigned | |||
9.x |
Invalid
|
High
|
Unassigned |
Bug Description
Detailed bug description:
It was determined that the fix associated with the following upstream Neutron bug (with release fixed in Juno and Kilo) is not present in MOS 6.1 and MOS 7.0:
https:/
Steps to reproduce:
According to the upstream Neutron LP bug, this is difficult to reproduce, but this is sometimes reproduced by creating a security group rule that has a rule which is a source group back to itself, then deleting multiple instances that with that source group.
Expected results:
-to catch when ipset tries to remove an ipset that has already been removed
Actual result:
-OVS agent churns forever trying to delete an ipset that doesn't exist
-Iptables attempts to apply rules for an ipset that was not added
-Ipset churns trying to remove ips
Reproducibility: Yes
Workaround: Restart neutron OVS agent on compute node
Impact:
Newly scheduled instances not obtaining IPs
Description of the environment:
- Operation system: CentOS 6.5
- Versions of components: MOS 6.1, 7.0
- Reference architecture: -
- Network model: Neutron + OVS (with GRE)
- Related projects installed: N/A
Additional information: N/A
Changed in mos: | |
assignee: | MOS Maintenance (mos-maintenance) → Alexey Stupnikov (astupnikov) |
tags: | added: on-verification |
tags: | removed: on-verification |
Marking as confirmed and moving to 7.0 and 6.1 updates. MOS-maintenance team, please take a look on the u[stream fix and if it can be applied to earlier Neutron versions.