[OVS] multicast between VM instances on different compute nodes is broken with IGMP snooping enabled

Bug #1884723 reported by Slawek Kaplonski
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Committed | Medium | Slawek Kaplonski |
neutron (Ubuntu) | New | Undecided | Unassigned |

Bug Description

It was originally reported by Matt Flusche in Red Hat's bugzilla. Below is a description of the issue:

I was verifying these OVS configuration options and the impact on tenant networking. My thought going into testing was vxlan would not be impacted but vlan tenant would break; however, for vxlan tenant networks it looks like these options will break multicast also.

In a lab test (osp13), multicast is broken between VM instances on different compute nodes after applying:

> # ovs-vsctl set Bridge br-int mcast_snooping_enable=true
> # ovs-vsctl set Bridge br-int other_config:mcast-snooping-disable-flood-unregistered=true

The following can be used to temporarily allow multicast over vxlan:

ovs-vsctl set Port patch-tun other_config:mcast-snooping-flood-reports=true

This will flood reports to br-tun and the other vxlan endpoints will learn the remote port. This allows multicast snooping to work for a period of time; however, since there is no IGMP querier to continue to solicit IGMP reports once the Age timer expires (300 secs) the traffic will be blocked.

It seems that this solution as suggested will work if only provider networking is used. Is that correct?

An option that might work would be:

ovs-vsctl set Bridge br-int mcast_snooping_enable=true
ovs-vsctl set Bridge br-int other_config:mcast-snooping-disable-flood-unregistered=false #<--- change to false; default

Then, for each patch on br-int:

ovs-vsctl set Port <patch> other_config:mcast-snooping-flood-reports=true
ovs-vsctl set Port <patch> other_config:mcast-snooping-flood=true

This might provide best effort snooping: multicast isolation where IGMP queriers are available and flood everywhere else?

Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
status: Confirmed → In Progress
Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.0.0.0rc1

This issue was fixed in the openstack/neutron 18.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.3.4

This issue was fixed in the openstack/neutron 15.3.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.3.2

This issue was fixed in the openstack/neutron 16.3.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 17.1.2

This issue was fixed in the openstack/neutron 17.1.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/770794
Committed: https://opendev.org/openstack/neutron/commit/5d21998524514c0cab6a40e7fa415d9ff6a88f4a
Submitter: "Zuul (22348)"
Branch: stable/rocky

commit 5d21998524514c0cab6a40e7fa415d9ff6a88f4a
Author: Slawek Kaplonski <email address hidden>
Date: Thu Dec 10 00:10:38 2020 +0100

    Fix multicast traffic with IGMP snooping enabled

    In the ML2/OVS when igmp_snooping is enabled but there is no
    external querier multicast traffic will stop working after few minutes
    as packets will not be flooded to tunnel/external bridges.

    So this patch sets "mcast-snooping-disable-flood-unregistered" option
    of the br-int to False (default value) even when igmp_snooping is
    enabled in the neutron-ovs-agent's config file.

    Additionally it configures "mcast-snooping-flood-reports" and
    "mcast-snooping-flood" on patch ports in br-int to True.

    That way we can provide best effort snooping: multicast isolation where
    IGMP queriers are available and flood everywhere else?

    Conflicts:
        neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
        neutron/tests/functional/agent/common/test_ovs_lib.py
        neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py
        neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_tunnel.py

    Closes-Bug: #1884723
    Change-Id: Iefa0044dba9e92592295a79448e5d57d9e14a40b
    (cherry picked from commit b4070c975274f53a4a2caaabeb5af55683232d3d)

tags: added: in-stable-rocky
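
A check for the settings named in the commit message above, as an added example that is not neutron code and not part of this bug report. The function names and the OVS_VSCTL override variable are assumptions of the example; patch ports are identified by their Interface type, and an unset option is treated as not enabled.

```shell
#!/bin/sh
# Added example: audit a bridge for the multicast snooping settings discussed
# in this bug. OVS_VSCTL is this example's own override so the same checks can
# run against a stub instead of a live Open vSwitch.
OVS_VSCTL=${OVS_VSCTL:-ovs-vsctl}

# Print one other_config value, or DEFAULT when the key is unset.
get_opt() {  # usage: get_opt TABLE RECORD KEY DEFAULT
    v=$($OVS_VSCTL --if-exists get "$1" "$2" "other_config:$3" 2>/dev/null | tr -d '"')
    echo "${v:-$4}"
}

# Print one finding per line; return 1 if any setting differs from the fix.
audit_bridge() {  # usage: audit_bridge BRIDGE
    br=$1 rc=0
    snoop=$($OVS_VSCTL get Bridge "$br" mcast_snooping_enable 2>/dev/null)
    if [ "$snoop" != "true" ]; then
        echo "OK $br: snooping disabled, multicast is flooded"
        return 0
    fi
    # With snooping on and this set to true, unregistered groups are dropped
    # instead of flooded, which is the breakage reported here.
    if [ "$(get_opt Bridge "$br" mcast-snooping-disable-flood-unregistered false)" = "true" ]; then
        echo "FAIL $br: mcast-snooping-disable-flood-unregistered=true"
        rc=1
    fi
    # Only patch ports (towards br-tun and external bridges) are checked.
    for port in $($OVS_VSCTL list-ports "$br"); do
        [ "$($OVS_VSCTL get Interface "$port" type | tr -d '"')" = "patch" ] || continue
        for key in mcast-snooping-flood-reports mcast-snooping-flood; do
            if [ "$(get_opt Port "$port" "$key" false)" != "true" ]; then
                echo "FAIL $port: $key is not true"
                rc=1
            fi
        done
    done
    [ "$rc" -eq 0 ] && echo "OK $br: best-effort snooping settings in place"
    return "$rc"
}
```

On a compute node, run `audit_bridge br-int` as a user allowed to query ovsdb; a non-zero return means at least one FAIL line was printed.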
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron queens-eol

This issue was fixed in the openstack/neutron queens-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron rocky-eol

This issue was fixed in the openstack/neutron rocky-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron stein-eol

This issue was fixed in the openstack/neutron stein-eol release.
