FIP PF doesn't work with vlan tenant network and ovn backend

Bug #2028846 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Slawek Kaplonski

Bug Description

After patch https://review.opendev.org/c/openstack/neutron/+/878450 was merged, for vlan tenant network neutron sets "reside-on-redirect-chassis=False" in the Logical Router Ports in OVN NB. This is done like that to make sure that such traffic is not centralized.
But the problem is with port forwardings associated with vms connected to ports in the vlan tenant networks as PFs are implemented in OVN backend as OVN Loadbalancers and are centralized. So in such case we should still centralize traffic from such network probably to make such PFs work fine.

Changed in neutron:
importance: Undecided → High
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
status: Confirmed → In Progress
Slawek Kaplonski (slaweq) wrote :

After longer investigation it seems that the problem is a bit bigger and in case when both FIP PF and Floating IP are associated with ports in the same tenant network, everything needs to be centralized, including Floating IP traffic which normally would be distributed.
To avoid switching such existing FIPs between centralized/distributed mode, which would break existing connections using such FIP, I will propose patch which will simply force centralized traffic in case if "port_forwarding" service plugin is enabled and vlan or flat networks are configured as tenant network types.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/892542

Slawek Kaplonski (slaweq) wrote :
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/889871
Reason: Superseded by https://review.opendev.org/c/openstack/neutron/+/892542

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/894766

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/894766
Committed: https://opendev.org/openstack/neutron/commit/b2ceb8b854648b1072a017c022e3d7c83bb89122
Submitter: "Zuul (22348)"
Branch: master

commit b2ceb8b854648b1072a017c022e3d7c83bb89122
Author: Slawek Kaplonski <email address hidden>
Date: Tue Sep 12 16:02:02 2023 +0200

    Add release note with known issue with FIP PFs and vlan tenant networks

    This patch adds just release note with the known issue to describe known
    wrong configuration which causes FIP Port Forwarding to not work properly
    in ML2/OVN backend and distributed FIPs enabled.
    For more details, please check related bug.

    Related-bug: #2028846
    Change-Id: I48b5358f4c3ac492d68b00a4c0153370332e9249

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/907402

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/907403

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/892542
Committed: https://opendev.org/openstack/neutron/commit/ce53fb55ade372431af634638ff90d41ffa88ea3
Submitter: "Zuul (22348)"
Branch: master

commit ce53fb55ade372431af634638ff90d41ffa88ea3
Author: Slawek Kaplonski <email address hidden>
Date: Tue Sep 12 13:05:11 2023 +0200

    [OVN] Warn about invalid OVN and FIP PF config during start of Neutron

    In case when port_forwarding service plugin is enabled and vlan or flat
    network (provider network types) is configured as one of the
    tenant_network_types in the ML2 config there is an issue with
    centralized and distributed traffic.
    FIP port forwarding in ovn backend are implemented as OVN Load balancers
    thus are always centralized but if "enable_distributed_floating_ip" is
    set to True, FIPs are distributed. And in such case it won't work as
    expected as either it tries to send FIP PF's traffic as distributed when
    "reside-on-redirect-chassis" for LRP is set to "false" or
    tries to centralize everything (even FIP which should be distributed)
    when "reside-on-redirect-chassis" is set to "true".

    It's not really easy to avoid that issue from the code so this patch
    adds warning in the upgrade checks and also log warning about it during
    start of the neutron server process to at least warn cloud admin that
    such potential issue may happen in the cloud.

    Related-Bug: #2028846
    Change-Id: I398f3f676c59dc794cf03320fa45efc7b22fc003
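
The combination named in the commit message above can be checked offline against a deployment's configuration files. This is an added example, not Neutron's own upgrade check; the option locations (`[DEFAULT] service_plugins`, `[ml2] tenant_network_types`, `[ovn] enable_distributed_floating_ip`), the class-name suffix match and the sample configuration are assumptions of the example.

```python
import configparser

PROVIDER_TYPES = {"vlan", "flat"}
# Assumption: a plugin given as a full class path ends in this class name.
PF_CLASS_SUFFIX = "PortForwardingPlugin"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """
[DEFAULT]
service_plugins = ovn-router,port_forwarding,qos
[ml2]
tenant_network_types = geneve,vlan
[ovn]
enable_distributed_floating_ip = True
"""


def _csv(value):
    """Split a comma-separated option value into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_pf_config(*conf_texts):
    """Return findings for PF + provider tenant network + distributed FIP.

    Files are applied in order, so a later file overrides an earlier one,
    as with several --config-file arguments.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    for text in conf_texts:
        cp.read_string(text)

    plugins = _csv(cp.get("DEFAULT", "service_plugins", fallback=""))
    pf_enabled = any(
        p == "port_forwarding" or p.endswith(PF_CLASS_SUFFIX) for p in plugins)
    tenant_types = _csv(cp.get("ml2", "tenant_network_types", fallback=""))
    provider = sorted(PROVIDER_TYPES.intersection(tenant_types))
    # Assumption: the option is treated as False when it is not set.
    distributed = cp.getboolean(
        "ovn", "enable_distributed_floating_ip", fallback=False)

    if not (pf_enabled and provider and distributed):
        return []
    return [
        "port_forwarding is enabled, tenant_network_types includes %s and "
        "enable_distributed_floating_ip is True: FIP port forwardings on "
        "these networks may not work" % "/".join(provider)
    ]


if __name__ == "__main__":
    for finding in check_pf_config(SAMPLE_CONF):
        print("WARNING:", finding)
```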

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/neutron/+/907402
Committed: https://opendev.org/openstack/neutron/commit/a355d2a0d55b62e4337d5c71dc4c4049883c59c3
Submitter: "Zuul (22348)"
Branch: master

commit a355d2a0d55b62e4337d5c71dc4c4049883c59c3
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 1 11:36:29 2024 +0100

    Log warning about port forwardings that won't work properly

    This is follow up patch to [1] in which was added warning about
    incompatible configuration of the vlan/flat networks allowed as tenant
    networks, distributed routing and port forwardings.

    In this new patch similar warning is logged every time when port
    forwarding is created using router which has actually connected vlan or
    flat networks as "internal networks" (external gateway network is fine)
    and when distributed routing is enabled in the Neutron config.

    This patch additionally adds "neutron:is_ext_gw" flag to the
    Logical_Router_Port's external_ids. With that it's easier to check if
    network is used as gateway network (no checks needed) or not (checks are
    performed and warning may be logged).

    [1] https://review.opendev.org/c/openstack/neutron/+/892542

    Related-Bug: #2028846
    Change-Id: I101128bdb421ec83df5cdcb0d486cbafbbca2ce5

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/neutron/+/907403
Committed: https://opendev.org/openstack/neutron/commit/cce872ead3026d72f946ec8687589715d647a1b4
Submitter: "Zuul (22348)"
Branch: master

commit cce872ead3026d72f946ec8687589715d647a1b4
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 1 11:50:43 2024 +0100

    [Docs] Add info about incompatible PF configuration in ML2/OVN gaps

    This patch adds info about the fact that FIP PFs aren't working when
    in the ML2/OVN backend distributed routing is enabled and provider
    networks are added to the router as internal networks.

    Related-Bug: #2028846
    Change-Id: I3a0ab43c52a3090257a1accaee00f33abff54e74

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/2023.2)

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron/+/908798

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron/+/908799

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron/+/908800

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/908822

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/908823

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/908824

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/908798
Committed: https://opendev.org/openstack/neutron/commit/37c53085ff20c0ec9ddce844b7566912e61d0d8c
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 37c53085ff20c0ec9ddce844b7566912e61d0d8c
Author: Slawek Kaplonski <email address hidden>
Date: Tue Sep 12 13:05:11 2023 +0200

    [OVN] Warn about invalid OVN and FIP PF config during start of Neutron

    In case when port_forwarding service plugin is enabled and vlan or flat
    network (provider network types) is configured as one of the
    tenant_network_types in the ML2 config there is an issue with
    centralized and distributed traffic.
    FIP port forwarding in ovn backend are implemented as OVN Load balancers
    thus are always centralized but if "enable_distributed_floating_ip" is
    set to True, FIPs are distributed. And in such case it won't work as
    expected as either it tries to send FIP PF's traffic as distributed when
    "reside-on-redirect-chassis" for LRP is set to "false" or
    tries to centralize everything (even FIP which should be distributed)
    when "reside-on-redirect-chassis" is set to "true".

    It's not really easy to avoid that issue from the code so this patch
    adds warning in the upgrade checks and also log warning about it during
    start of the neutron server process to at least warn cloud admin that
    such potential issue may happen in the cloud.

    Conflicts:
        neutron/cmd/upgrade_checks/checks.py
        neutron/common/ovn/utils.py
        neutron/tests/unit/cmd/upgrade_checks/test_checks.py

    Related-Bug: #2028846
    Change-Id: I398f3f676c59dc794cf03320fa45efc7b22fc003
    (cherry picked from commit ce53fb55ade372431af634638ff90d41ffa88ea3)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/neutron/+/908799
Committed: https://opendev.org/openstack/neutron/commit/3eaa326a7a86d46f5139d6f3c017e6128b391881
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 3eaa326a7a86d46f5139d6f3c017e6128b391881
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 1 11:36:29 2024 +0100

    Log warning about port forwardings that won't work properly

    This is follow up patch to [1] in which was added warning about
    incompatible configuration of the vlan/flat networks allowed as tenant
    networks, distributed routing and port forwardings.

    In this new patch similar warning is logged every time when port
    forwarding is created using router which has actually connected vlan or
    flat networks as "internal networks" (external gateway network is fine)
    and when distributed routing is enabled in the Neutron config.

    This patch additionally adds "neutron:is_ext_gw" flag to the
    Logical_Router_Port's external_ids. With that it's easier to check if
    network is used as gateway network (no checks needed) or not (checks are
    performed and warning may be logged).

    [1] https://review.opendev.org/c/openstack/neutron/+/892542

    Conflicts:
        neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py
        neutron/tests/unit/services/ovn_l3/test_plugin.py

    Related-Bug: #2028846
    Change-Id: I101128bdb421ec83df5cdcb0d486cbafbbca2ce5
    (cherry picked from commit a355d2a0d55b62e4337d5c71dc4c4049883c59c3)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/neutron/+/908800
Committed: https://opendev.org/openstack/neutron/commit/874855773863e75f2f9f5f6e50fd48581a54be2e
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 874855773863e75f2f9f5f6e50fd48581a54be2e
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 1 11:50:43 2024 +0100

    [Docs] Add info about incompatible PF configuration in ML2/OVN gaps

    This patch adds info about the fact that FIP PFs aren't working when
    in the ML2/OVN backend distributed routing is enabled and provider
    networks are added to the router as internal networks.

    Conflicts:
        doc/source/ovn/gaps.rst

    Related-Bug: #2028846
    Change-Id: I3a0ab43c52a3090257a1accaee00f33abff54e74
    (cherry picked from commit cce872ead3026d72f946ec8687589715d647a1b4)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/908822
Committed: https://opendev.org/openstack/neutron/commit/c40f637bde3942ae54284d2f7b0305a5e8f5cb93
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit c40f637bde3942ae54284d2f7b0305a5e8f5cb93
Author: Slawek Kaplonski <email address hidden>
Date: Tue Sep 12 13:05:11 2023 +0200

    [OVN] Warn about invalid OVN and FIP PF config during start of Neutron

    In case when port_forwarding service plugin is enabled and vlan or flat
    network (provider network types) is configured as one of the
    tenant_network_types in the ML2 config there is an issue with
    centralized and distributed traffic.
    FIP port forwarding in ovn backend are implemented as OVN Load balancers
    thus are always centralized but if "enable_distributed_floating_ip" is
    set to True, FIPs are distributed. And in such case it won't work as
    expected as either it tries to send FIP PF's traffic as distributed when
    "reside-on-redirect-chassis" for LRP is set to "false" or
    tries to centralize everything (even FIP which should be distributed)
    when "reside-on-redirect-chassis" is set to "true".

    It's not really easy to avoid that issue from the code so this patch
    adds warning in the upgrade checks and also log warning about it during
    start of the neutron server process to at least warn cloud admin that
    such potential issue may happen in the cloud.

    Conflicts:
        neutron/cmd/upgrade_checks/checks.py
        neutron/common/ovn/utils.py
        neutron/tests/unit/cmd/upgrade_checks/test_checks.py

    Related-Bug: #2028846
    Change-Id: I398f3f676c59dc794cf03320fa45efc7b22fc003
    (cherry picked from commit ce53fb55ade372431af634638ff90d41ffa88ea3)
    (cherry picked from commit 1c6d3d448d419d6176647dc0e50760c19d3fefcb)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/neutron/+/908823
Committed: https://opendev.org/openstack/neutron/commit/bd6595ddb8663dfd9cbf22ddd11f06d774702216
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit bd6595ddb8663dfd9cbf22ddd11f06d774702216
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 1 11:36:29 2024 +0100

    Log warning about port forwardings that won't work properly

    This is follow up patch to [1] in which was added warning about
    incompatible configuration of the vlan/flat networks allowed as tenant
    networks, distributed routing and port forwardings.

    In this new patch similar warning is logged every time when port
    forwarding is created using router which has actually connected vlan or
    flat networks as "internal networks" (external gateway network is fine)
    and when distributed routing is enabled in the Neutron config.

    This patch additionally adds "neutron:is_ext_gw" flag to the
    Logical_Router_Port's external_ids. With that it's easier to check if
    network is used as gateway network (no checks needed) or not (checks are
    performed and warning may be logged).

    [1] https://review.opendev.org/c/openstack/neutron/+/892542

    Conflicts:
        neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/maintenance.py
        neutron/tests/unit/services/ovn_l3/test_plugin.py

    Related-Bug: #2028846
    Change-Id: I101128bdb421ec83df5cdcb0d486cbafbbca2ce5
    (cherry picked from commit a355d2a0d55b62e4337d5c71dc4c4049883c59c3)
    (cherry picked from commit 3eaa326a7a86d46f5139d6f3c017e6128b391881)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/neutron/+/908824
Committed: https://opendev.org/openstack/neutron/commit/475a25259f1019d05cbcb29fa95eafbcd55c0b40
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 475a25259f1019d05cbcb29fa95eafbcd55c0b40
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 1 11:50:43 2024 +0100

    [Docs] Add info about incompatible PF configuration in ML2/OVN gaps

    This patch adds info about the fact that FIP PFs aren't working when
    in the ML2/OVN backend distributed routing is enabled and provider
    networks are added to the router as internal networks.

    Conflicts:
        doc/source/ovn/gaps.rst

    Related-Bug: #2028846
    Change-Id: I3a0ab43c52a3090257a1accaee00f33abff54e74
    (cherry picked from commit cce872ead3026d72f946ec8687589715d647a1b4)
    (cherry picked from commit 874855773863e75f2f9f5f6e50fd48581a54be2e)

Changed in neutron:
status: In Progress → Fix Released