L3 agent fails on FIP when DVR and HA both enabled in router

@Swami: any chance you can triage this?

@Jonathan: any chance you can provide server and l3 agent logs?

We mostly exercise this path using VXLAN, I am not sure why the VLAN case might be different but I can expect that things do not work exactly how one would expect. If you could try this out on VXLAN to rule out any other potential configuration error, it would be great.

@Jonathan: Do you mean delete router and then create another router? Or you can provide how to reproduce in detail and more logs.
My enviroment is also VLAN mode, router mode is ha + dvr, but I can't reproduce, FIP works well.

@Dungcan: Sorry if I was less than clear. I mean that I'm testing one router configuration at a time. So if I'm going to test with dvr and ha both off, then I remove any existing routers, and create one for that configuration, and then test. And then if I want to test dvr on and ha off, I again remove any existing routers, create one with dvr on and ha off, and test. wash, rinse, repeat. Is that more clear?

I absolutely believe that ha + dvr is working for you. I'm wondering if my issue is specific to CentOS 7, or to RDO packages, or to my (mis-)configuration? I will try to follow up with some examples, but I may not try to reproduce every possible scenario, as that will take awhile.

@armax Yes I will try to look into it and triage it.

Okay, this is an example of how the failure manifests itself with the router has both DVR and HA enabled:

http://paste.openstack.org/show/560821/

It seems that the keepalivedmanager is returning noneobject and that's the reason it is failing at https://github.com/openstack/neutron/blob/0f3008dd3251a2b6436ebb7af240fe4c37b0cc42/neutron/agent/l3/ha_router.py#L219

@Swaminathan: Thanks for the feedback. What can I do about it? I can't help but notice that the node where the FIP succeeds (dscn1066) is one of the nodes participating in the keepalived HA:

# neutron l3-agent-list-hosting-router atadm-router5
+--------------------------------------+----------------------------------------+----------------+-------+----------+
| id | host | admin_state_up | alive | ha_state |
+--------------------------------------+----------------------------------------+----------------+-------+----------+
| 1e4b71a9-bf96-4a3b-9f54-5198d2bbebc4 | dscn1066.openstack.adapt.nccs.nasa.gov | True | :-) | active |
| b83fec5a-2d88-47b8-8f77-12ac88405c3e | dscn1021.openstack.adapt.nccs.nasa.gov | True | :-) | standby |
| 98c6882c-3063-4d16-87cc-c6236fb71a98 | dscn1065 | True | :-) | active |
+--------------------------------------+----------------------------------------+----------------+-------+----------+

All the other nodes, where FIPs are failing, are not participating in this HA arrangement. So this begs the question...is it a communication failure? How do these nodes talk to keepalivedmanager? And thus is it possible iptables may be blocking something?

There must be a different in the code that initializes the keepalived manager with a regular HA router and an HA+DVR router. I'm surprised this wasn't caught via functional testing, meaning that maybe the reproduction step isn't trivial.

@Jonathan, can I ask you to find the simplest / minimal way to reproduce this?

@Assaf: "simplest / minimal way to reproduce this" -- hard for me to know where to begin. I don't run DevStack, I've only tested this on bare metal, across many nodes -- that's my environment. I start by provisioning bare metal with CentOS 7, and installing Mitaka from RDO packages using Packstack. Let's say 1 controller, 1 network node, and 1 more compute node than the number of nodes in the HA/keepalived setup (so, let's say four). You then must modify config files for DVR+SNAT (as packstack won't do that for you). Then I create my internal and external networks and subnets, and create a router with DVR and HA enabled. I boot some number of VMs and assign FIPs, and then try to reach the VMs via FIP. What I seem to be seeing is that it fails most of the time, but not always.

I've deleted the last dvr+ha router I was testing with, and created a new one, because I wanted the keepalived instances to fall on different nodes, and then see if my observance follows. My theory is that it works fine if the VM falls on a compute node where keepalived is running, and that it fails massively otherwise (and it does). Here's results:

http://paste.openstack.org/show/560853/

Alright, I've had some time to dig deeper into this, and I think I may understand the situation. Someone please correct me if I'm wrong, but it sure seems like when Neutron is in DVR + HA L3 + SNAT mode, every single nova-compute node needs to have an HA port assignment. If that isn't the case, then you end up with this error in l3-agent.log:

2016-08-18 16:49:26.418 15621 ERROR neutron.agent.l3.ha_router [-] Unable to process HA router 1952e774-ca97-4cdf-a8e9-3dc2c9d3d6c0 without HA port

Does that sound right to everyone (and I do apologize for my ignorance, if this should have been obvious).

So, here's what's tricky, and where I got tripped up. Maybe it's the default setting, or maybe it's PackStack's default setting, but in /etc/neutron/neutron.conf (on the system running neutron-server) you find this:

# Maximum number of L3 agents which a HA router will be scheduled on. If it is
# set to 0 then the router will be scheduled on every agent. (integer value)
#max_l3_agents_per_router = 3

and even though it's commented out, it must be the default, because it was setting max_l3_agents_per_router to 3. You could clearly see that in some of my cli output in earlier posts.

Nevertheless, nova scheduler is happy to place VMs on nova-compute nodes that don't have an HA port, which is what results in the "Unable to process HA router 1952e774-ca97-4cdf-a8e9-3dc2c9d3d6c0 without HA port" error.

I have tested setting max_l3_agents_per_router = 0 in neutron.conf on my neutron-server box, and rebuilding my router. It does in fact result in an HA port assigned to every hypervisor. This results in working FIPs for any number of VMs I've been able to create.

Thanks for your input. I have asked adolfo to provide some input on the impact of 'max_l3_agent_per_router' and HA routers.

The expected behavior is that it should work perfectly fine with max_l3_agent_per_router set to 2 or 3, and that you don't need an HA port on every node, only on nodes where the l3 agent mode is set to 'dvr_snat', nodes commonly referred to as network nodes. These are nodes your SNAT traffic (North/south VM traffic for VMs without a floating IP) will go through, and these are the ones you provide HA for when you create a DVR router with ha=True.

You should be able to set max_l3_agent_per_router back to 3, and check for errors on nodes that did not schedule the DVR+HA router.

Assaf:

Thanks for this follow-up. Indeed, my mistake is clear now. On every node running an l3-agent, I had the agent mode set to dvr_snat. I now have dvr_snat set only on l3 agents on network nodes. On compute nodes, my l3 agent mode is simply 'dvr'. I now see the expected behavior when 'max_l3_agent_per_router' is set to 3.

Thank you all for your assistance with this!

Jonathan