[dvr_snat] Router update deletes rfp interface from qrouter even when VM port is present on this host
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Cloud Archive | Fix Released | Medium | Unassigned |
Queens | Fix Released | High | Unassigned |
Rocky | Fix Released | High | Unassigned |
Stein | Fix Released | High | Unassigned |
Train | Fix Released | High | Unassigned |
Ussuri | Fix Released | Medium | Unassigned |
Victoria | Fix Released | Medium | Unassigned |
neutron | Fix Released | Medium | Hemanth Nakkina |
neutron (Ubuntu) | Fix Released | Medium | Unassigned |
Bionic | Fix Released | High | Unassigned |
Focal | Fix Released | Medium | Unassigned |
Groovy | Fix Released | Medium | Unassigned |
Hirsute | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
When neutron schedules snat namespaces, it sometimes deletes the rfp interface from qrouter namespaces, which breaks external network (fip) connectivity. The fix prevents this from happening.
[Test Case]
* deploy OpenStack (Ussuri or above) with dvr_snat enabled in compute hosts.
* ensure min. 2 compute hosts
* create one ext network and one private network
* add private subnet to router and ext as gateway
* check which compute has the snat ns (ip netns| grep snat)
* create a vm on each compute host
* check that qrouter ns on both computes has rfp interface
  * ip netns| grep qrouter; ip netns exec <ns> ip a s| grep rfp
* disable and re-enable router
  * openstack router set --disable <router>; openstack router set --enable <router>
* check again
  * ip netns| grep qrouter; ip netns exec <ns> ip a s| grep rfp
[Where problems could occur]
No regression is expected, but if one occurs it would likely result in breakage of external network connectivity.
-------
Hello,
In the case where dvr_snat L3 agents are deployed on hypervisors, there can be a race condition. The agent creates snat namespaces on each scheduled host and removes them in a second step. In this second step the agent removes the rfp interface from qrouter even when there is a VM with a floating IP on the host.
When a VM is deployed at the time of the second step, we can lose external access to the VM's floating IP. The issue can be reproduced by hand:
1. Create tenant network and router with external gateway
2. Create VM with floating IP
3. Ensure that the VM is on a hypervisor without the snat-* namespace
4. Set the router to disabled state (openstack router set --disable <router>)
5. Set the router to enabled state (openstack router set --enable <router>)
6. External access to the VM's FIP is lost because the L3 agent creates the qrouter namespace without the rfp interface.
Environment:
1. Neutron with ML2 OVS plugin.
2. L3 agents in dvr_snat mode on each hypervisor
3. openstack-
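The rfp check from the [Test Case] steps above, as an added example (not code from the bug report or from neutron): a script that lists qrouter namespaces lacking an rfp interface, to run on each compute host before and after the router disable/enable. It assumes, as the test case does, that every qrouter namespace on the host should have an rfp device; `IP_BIN`, `sample_ip` and the `qrouter-aaaa`/`qrouter-bbbb` names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report qrouter-* namespaces that lack an rfp-* device.
# IP_BIN is an assumed override so the logic can also run against a stub.
IP_BIN="${IP_BIN:-ip}"

# Names of all qrouter-* namespaces ("ip netns list" prints "<name> (id: N)").
list_qrouter_ns() {
    "$IP_BIN" netns list | awk '$1 ~ /^qrouter-/ {print $1}'
}

# Succeed if the namespace has at least one rfp-* interface.
ns_has_rfp() {
    "$IP_BIN" netns exec "$1" ip -o link show \
        | awk -F': ' '{print $2}' | grep -q '^rfp-'
}

# Print each qrouter namespace missing rfp-*; return 1 if any is missing.
qrouters_missing_rfp() {
    local ns rc=0
    for ns in $(list_qrouter_ns); do
        ns_has_rfp "$ns" || { echo "$ns"; rc=1; }
    done
    return "$rc"
}

# Constructed stand-in for ip(8): the second router has lost its rfp device.
sample_ip() {
    case "$1 $2 ${3:-}" in
        "netns list ")
            printf '%s\n' 'qrouter-aaaa (id: 1)' 'snat-aaaa (id: 0)' 'qrouter-bbbb (id: 2)' ;;
        "netns exec qrouter-aaaa")
            printf '%s\n' '1: lo: <LOOPBACK,UP> mtu 65536' '2: rfp-aaaa@if3: <BROADCAST,UP> mtu 1500' ;;
        "netns exec qrouter-bbbb")
            printf '%s\n' '1: lo: <LOOPBACK,UP> mtu 65536' '5: qr-1234@if6: <BROADCAST,UP> mtu 1500' ;;
    esac
}

# --demo uses the constructed data; --check queries the real host (needs root).
if [ "${1:-}" = "--demo" ] || [ "${1:-}" = "--check" ]; then
    [ "$1" = "--demo" ] && IP_BIN=sample_ip
    if missing=$(qrouters_missing_rfp); then
        echo "OK: every qrouter namespace has an rfp interface"
    else
        printf 'rfp interface missing in: %s\n' $missing
        exit 1
    fi
fi
```

A non-zero exit after the disable/enable cycle, where the earlier run exited zero, indicates the regression described in this bug.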
summary: |
- [dvr_snat] Router update deletes rfp interface from qrouter event when - VM port is present on this host + [dvr_snat] Router update deletes rfp interface from qrouter even when VM + port is present on this host |
tags: | added: l3-dvr-backlog |
Changed in neutron: | |
importance: | Undecided → Medium |
Changed in neutron: | |
assignee: | nobody → Hemanth Nakkina (hemanth-n) |
tags: | added: seg |
Changed in neutron: | |
status: | In Progress → Fix Released |
description: | updated |
Changed in neutron (Ubuntu Hirsute): | |
status: | New → Fix Released |
Changed in neutron (Ubuntu Hirsute): | |
status: | Fix Released → Triaged |
importance: | Undecided → Medium |
Changed in neutron (Ubuntu Groovy): | |
status: | New → Triaged |
Changed in neutron (Ubuntu Focal): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in neutron (Ubuntu Groovy): | |
importance: | Undecided → Medium |
description: | updated |
tags: |
added: verification-done removed: verification-needed |
tags: | added: sts |
Changed in neutron (Ubuntu Bionic): | |
importance: | Undecided → High |
status: | New → Triaged |
tags: | added: verification-rocky-needed verification-stein-needed |
description: | updated |
Patch: https://review.opendev.org/c/openstack/neutron/+/775372