[ovn] IPv6 VIPs broken with ML2/OVN
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
High
|
Rodolfo Alonso |
Bug Description
Originally reported in the Octavia launchpad: https:/
The commit https:/
It adds a validate_
- has non-empty binding:host_id
- has fixed_ips/subnets
- has VIRTUAL type (in ovn)
When we create a load balancer in Octavia (with an IPv6 VIP)
$ openstack loadbalancer create --vip-subnet ipv6-public-subnet --name lb1
+------
| Field | Value |
+------
| admin_state_up | True |
| availability_zone | None |
| created_at | 2023-07-25T07:11:25 |
| description | |
| flavor_id | None |
| id | 75cf51d2-
| listeners | |
| name | lb1 |
| operating_status | OFFLINE |
| pools | |
| project_id | 86f57e2e5687438
| provider | amphora |
| provisioning_status | PENDING_CREATE |
| updated_at | None |
| vip_address | 2001:db8::b1 |
| vip_network_id | 2d16ac53-
| vip_port_id | 83e51017-
| vip_qos_policy_id | None |
| vip_subnet_id | 813adce0-
| tags | |
| additional_vips | [] |
+------
The VIP port contains:
$ openstack port show 83e51017-
+------
| Field | Value |
+------
| admin_state_up | DOWN |
| allowed_
| binding_host_id | gthiemon-devstack |
| binding_profile | |
| binding_vif_details | |
| binding_vif_type | unbound |
| binding_vnic_type | normal |
| created_at | 2023-07-
| data_plane_status | None |
| description | |
| device_id | lb-75cf51d2-
| device_owner | Octavia |
| device_profile | None |
| dns_assignment | fqdn='host-
| dns_domain | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | ip_address=
| id | 83e51017-
| ip_allocation | None |
| mac_address | fa:16:3e:c9:4f:7e |
| name | octavia-
| network_id | 2d16ac53-
| numa_affinity_
| port_security_
| project_id | 86f57e2e5687438
| propagate_
| qos_network_
| qos_policy_id | None |
| resource_request | None |
| revision_number | 10 |
| security_group_ids | 7c8d8935-
| status | DOWN |
| tags | |
| trunk_details | None |
| updated_at | 2023-07-
+------
The port is not bound and has a binding_host_id, has a fixed_ips with a subnet and there's another port that has an allowed_
Any updates of this port result in a BadRequest Exception:
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
Jul 24 03:08:07 gthiemon-devstack octavia-
The goal of this validation function seems to raise an exception when the binding_host_id is not empty, but the PortBindingUpda
https:/
Interestingly, it's not 100% reproducible (around 90%) and it is not reproducible with IPv4 VIPs, with IPv4 ports, the binding_host_id is always empty.
I have a couple of questions:
- is the validation function correct? should the binding_host_id be empty for VIP ports?
- why is binding_host_id set for IPv6 VIPs but not for IPv4 VIPs?
I can provide more logs if needed
tags: | added: ovn |
summary: |
- IPv6 VIPs broken with ML2/OVN + [ovn] IPv6 VIPs broken with ML2/OVN |
Changed in neutron: | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in neutron: | |
assignee: | nobody → Rodolfo Alonso (rodolfo-alonso-hernandez) |
In IPv4, there's a PortBindingUpda teVirtualPortsE vent DELETE event that clears the binding_host_id when the allowed_ address_ pair is added to the 2nd port
Jul 25 03:31:48 gthiemon-devstack neutron- server[ 549213] : DEBUG ovsdbapp. backend. ovs_idl. event [None req-57e56002- 2327-4537- 90cf-61b0c904fe 13 None None] Matched DELETE: PortBindingUpda teVirtualPortsE vent(events= ('update' , 'delete'), table=' Port_Binding' , conditions=None, old_conditions= None), priority=20 to row=Port_ Binding( mac=['fa: 16:3e:c8: 2f:45 172.24.4.35'], port_security= ['fa:16: 3e:c8:2f: 45 172.24.4.35'], nat_addresses=[], type=, up=[False], virtual_parent=[], parent_port=[], requested_ additional_ chassis= [], options= {'mcast_ flood_reports' : 'true', 'requested- chassis' : ''}, external_ ids={'name' : 'octavia- lb-36cab1a4- 4a6b-487d- 84d0-ba037e5565 ea', 'neutron:cidrs': '172.24.4.35/24', 'neutron: device_ id': 'lb-36cab1a4- 4a6b-487d- 84d0-ba037e5565 ea', 'neutron: device_ owner': 'Octavia', 'neutron: network_ name': 'neutron- 2d16ac53- 8438-435d- a787-e5ceb4b783 be', 'neutron: port_capabiliti es': '', 'neutron: port_name' : 'octavia- lb-36cab1a4- 4a6b-487d- 84d0-ba037e5565 ea', 'neutron: project_ id': '86f57e2e568743 81a0d586263fc8d 900', 'neutron: revision_ number' : '2', 'neutron: security_ group_ids' : '6511f970- de29-48fe- b87f-18f6988d00 e8', 'neutron: subnet_ pool_addr_ scope4' : '', 'neutron: subnet_ pool_addr_ scope6' : '', 'neutron: vnic_type' : 'normal'}, ha_chassis_ group=[ ], additional_ chassis= [], tag=[], additional_ encap=[ ], mirror_rules=[], encap=[], datapath= 6fd08134- 6556-41b1- 83d4-f80c4a0850 5f, chassis=[], tunnel_key=12, gateway_chassis=[], requested_ chassis= [], logical_ port=2a1763e0- 5ca4-4442- aee6-7fb55eefa0 20) old= {{(pid=549213) matches /usr/local/ lib/python3. 9/site- packages/ ovsdbapp/ backend/ ovs_idl/ event.py: 43}}
In IPv6, we see a similar DELETE event, but there are also additional PortBindingUpda teVirtualPortsE vent UPDATE events that occur after the last request to the neutron API:
Jul 25 03:30:07 gthiemon-devstack neutron- server[ 549209] : DEBUG ovsdbapp. backend. ovs_idl. event [None req-abafc63b- 58db-4175- 9a20-bd5b15776e f0 None None] Matched DELETE: PortBindingUpda teVirtualPortsE vent(events= ('update' , 'delete'), table=' Port_Binding' , conditions=None, old_conditions= None), priority=20 to row=Port_ Binding( mac=['fa: 16:3e:84: 42:0c 2001:db8::172'], port_security= ['fa:16: 3e:84:42: 0c 2001:db8::172'], nat_addresses=[], type=, up=[False], virtual_parent=[], parent_port=[], requested_ additional_ chassis= [], options= {'mcast_ flood_reports' : 'true', 'requested- chassis' : ''}, external_ ids={'name' : 'octavia- lb-9fff8992- f29e-4caa- 828e-6a8b9ff494 bf', 'neutron:cidrs': '2001:db8::172/64', 'neutron: device_ id': 'lb-9fff8992- f29e-4caa- 828e-6a8b9ff494 bf', 'neutron: device_ owner': 'Octavia', 'neutron: network_ name': 'neutron- 2d16ac53- 8438-435d- a787-e5ceb4b783 be', 'neutron: port_capabiliti es': '', 'neutron: port_name' : 'octavia- lb-9fff8992- f29e-4caa- 828e-6a8b9ff494 bf', 'neutron: project_ id': '86f57e2e568743 81a0d586263fc8d 900', 'neutron: revision_ number' : '2', 'neutron: security_ group_ids' : '1adcc745- 52df-4577- 994a-a36f2cc1c5 fe', 'neutron: subnet_ pool_addr_ scope4' : '', 'neutron: subnet_ pool_addr_ scope6' : '', 'neutron: vnic_type' : 'normal'}, ha_chassis_g...