L3 agent allows multiple gateway ports in fip namespace
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
Fix Released
|
High
|
Brian Haley | ||
Bug Description
At the end of deleting a GW port for a router, l3_dvr_db.py will look
for any more router gw ports on the external network. If there are
none, then it calls delete_
should fan out to all l3 agents on all compute nodes [2]. Each agent
should then delete the port [3].
In some cases, the fip namespace and the gateway port are not deleted.
I don't know where things are going wrong. This seems pretty
straight-forward. Do some agents miss the fanout? We know at least
some of them are getting the fanout. So, it is definitely being sent.
When I checked, the port had been deleted from the database. The fact
that a new one is created supports this because if one existed in the DB
already then it would be returned.
[1] https:/
[2] https:/
[3] https:/
| Changed in neutron: | |
| importance: | Undecided → High |
| status: | New → Confirmed |
| tags: | added: l3-dvr-backlog l3-ipam-dhcp |
| description: | updated |
| Carl Baldwin (carl-baldwin) wrote | #1 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to neutron (master) | #2 |
| Changed in neutron: | |
| assignee: | nobody → Carl Baldwin (carl-baldwin) |
| status: | Confirmed → In Progress |
| Changed in neutron: | |
| milestone: | none → newton-2 |
| Changed in neutron: | |
| assignee: | Carl Baldwin (carl-baldwin) → Brian Haley (brian-haley) |
| OpenStack Infra (hudson-openstack) wrote Fix merged to neutron (master) | #3 |
| Changed in neutron: | |
| status: | In Progress → Fix Released |
| tags: | added: mitaka-backport-potential |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to neutron (stable/mitaka) | #4 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to neutron (stable/mitaka) | #5 |
| tags: | added: in-stable-mitaka |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to neutron (stable/liberty) | #6 |
| Doug Hellmann (doug-hellmann) wrote Fix included in openstack/neutron 9.0.0.0b2 | #7 |
| tags: | added: neutron-proactive-backport-potential |
| OpenStack Infra (hudson-openstack) wrote Fix merged to neutron (stable/liberty) | #8 |
| tags: | added: in-stable-liberty |
| Doug Hellmann (doug-hellmann) wrote Fix included in openstack/neutron 7.1.2 | #9 |
| Doug Hellmann (doug-hellmann) wrote Fix included in openstack/neutron 8.2.0 | #10 |
| tags: | removed: mitaka-backport-potential neutron-proactive-backport-potential |
I'm marking this High because of what happens when there are multiple fg ports in the fip namespace. Because DVR uses proxy_arp on the fg port, having two of them with the same route to the external network makes the host essentially reply to any arp request on the subnet, receive the traffic, and then spit it right back out the other fg interface.
This happens because proxy_arp works by responding to any arp request for an IP address it thinks it can route to on another interface. With two fg interfaces with the same route, it thinks it can always route the packet to another interface, regardless of the IP address.
With one of these fip namespaces on the network, it manifests as a performance degradation because traffic passes through an extra host. With two or three, things get really ugly. These hosts can form a routing loop and packets go round and round until TTL expires. Yikes!