metadata server unreachable with provider networking only

Doing some further testing, port 8775 is not open int he namespace. But it is open on the compute host.

a curl to http://<compute-with-namespace>:8775 provides:

1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
latest

So there's a rule missing or a service not running to allow reaching the metadata running on the compute host that holds the namespace

as a test i swtiched firewall-driver to iptables_hybrid from openvswitch....no effect.

the main concern, I think, is that port 8775 is not open in the namespace.

Enabling dvr on neutron-api gives us a ns-metadata-proxy service running on the copute host that wasn't there also.

This process has opened port 80 in the namespace.

From within the namespace, if we curl against the namespace IP, we get metadata, if we curl against the 169.254.169.254, we get nothing.

Curling to either address from the instance fails (hngs)

Tried enabling allow-automatic-l3agent-failover both with and with dvr, no change

Have you tried to enable this ``neutron-gateway`` configuration option [0]?

0: https://jaas.ai/neutron-gateway/262#charm-config-enable-isolated-metadata

I'm attaching the bundle that was initially linked in the description

Frode,

Just a side comment: there is no neutron gateway in Jeff's deployment and neutron-openvswitch has it enabled for the dhcp agent unconditionally:

➜ charm-neutron-openvswitch git:(stable/19.04) grep -RiP enable_isolated_metadata
templates/icehouse/dhcp_agent.ini:enable_isolated_metadata = True
templates/mitaka/dhcp_agent.ini:enable_isolated_metadata = True

In the Neutron DHCP agent code itself:

neutron/agent/linux/dhcp.py

METADATA_DEFAULT_PREFIX = 16
METADATA_DEFAULT_IP = '169.254.169.254'
METADATA_DEFAULT_CIDR = '%s/%d' % (METADATA_DEFAULT_IP,
                                   METADATA_DEFAULT_PREFIX)

# ...
        if self.conf.force_metadata or self.conf.enable_isolated_metadata:
            ip_cidrs.append(METADATA_DEFAULT_CIDR)

In the doc for provider networks:

neutron/doc/source/admin/deploy-ovs-provider.rst

#. In the ``dhcp_agent.ini`` file, configure the DHCP agent:

   .. code-block:: ini

      [DEFAULT]
      interface_driver = openvswitch
      enable_isolated_metadata = True
      force_metadata = True

   .. note::

      The ``force_metadata`` option forces the DHCP agent to provide
      a host route to the metadata service on ``169.254.169.254``
      regardless of whether the subnet contains an interface on a
      router, thus maintaining similar and predictable metadata behavior
      among subnets.

However, looking at the option documentation descriptions I can see that there is no need to use both options because force_metadata is the stronger one (it enables metadata services unconditionally, not only for router-less networks):
https://github.com/openstack/neutron/blob/stable/queens/neutron/conf/agent/dhcp.py#L41-L57

Looking at the code I could only find the invocations of functions that add metadata-related iptables rules into qrouter namespaces, not qdhcp namespaces:

➜ neutron git:(stable/queens) ✗ grep -RiP metadata_filter_rules

neutron/agent/metadata/driver.py: def metadata_filter_rules(cls, port, mark):
neutron/agent/metadata/driver.py: for c, r in proxy.metadata_filter_rules(proxy.metadata_port,

https://github.com/openstack/neutron/blob/stable/queens/neutron/agent/metadata/driver.py#L172-L196
https://github.com/openstack/neutron/blob/stable/queens/neutron/agent/metadata/driver.py#L286-L294

Based on the information Jeff provided haproxy listens on port 80 in the qdhcp namespace so there is no need for the iptables rule as in qrouter.

Dmitrii had me run:

---

iptables -t mangle -A OUTPUT -o ns-+ -p tcp --sport 80 -j CHECKSUM --checksum-fill

---

within the namespace and now the instance can curl the metadata url of 169.254.169.254

iptables-save from within the NS

https://www.irccloud.com/pastebin/V49B0uvB/

ss -tlpna from within the NS

https://www.irccloud.com/pastebin/sEwHqlwG/

ip a from within the NS

https://www.irccloud.com/pastebin/yeyDtoGs/

RE: https://review.opendev.org/#/c/654645/ where some checksum'ing was reverted

Applying field-critical per Dmitrii

It should also be noted, that from my observation, haproxy wasn't running in the namespace until we set enable-dvr=True on neutron-api

So, while the iptables rule allowed an instance that was deployed with config-drive (so I could SSH in with my key), a newly created instance after that rule was created still has the message:

[WARNING]: No active metadata service found

And it never tries http://169.254.169.254

so no key applied and no metadata found, again.

Console log of instance not getting metadata

https://pastebin.canonical.com/p/qbFwvD4Kgd/

I went to each dpdk interface on each host and ran:

---

ovs-vsctl set Interface dpdk-<whatever> mtu_request=9000

---

and i was able to boot an instance and it received my ssh key. I still got the message No metadata service found, but I guess that's just irrelevant.

Testing without the mangle rule, but MTU in place resulted in the instance not receiving my key, (no metadata)

Re-applying the mangle rule one more time as a test resulted in my being able to login with my key (got metadata).

so the rule is still required

Fix proposed to branch: master
Review: https://review.opendev.org/664001

Summary:

We had three distinct issues:

1) MTU setting on the DPDK interfaces
This is resolved in master for neutron-openvswitch and the fix can be seen at [0].

2) An upstream neutron bug where the checksum for metadata traffic is not getting filled [1]
that bug will be tracked separately in LP Bug#1832021

3) The neutron-openvswitch charm was not setting force_metadata = True and was not installing haproxy which are requirements for ns-metdata-proxy which proxies metdata requests from the netns to the nova-api-metadata service.
This is being resolved in [2] and will be the focus of this bug.

[0] https://github.com/juju/charm-helpers/pull/333
[1] https://bugs.launchpad.net/neutron/+bug/1832021
[2] https://review.opendev.org/#/c/664001/

Once [2] lands, the neutron-openvswitch will be fully ready at master. It resolves the first and third problems and will NOT require enabling DVR.

Until [1] is resolved upstream, the workaround setting the checksum fill inside the qdhcp ip netns will remain necessary:

iptables -t mangle -A OUTPUT -o ns-+ -p tcp --sport 80 -j CHECKSUM --checksum-fill

Reviewed: https://review.opendev.org/664001
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-openvswitch/commit/?id=a1639fe51f48b9a6cdb5185c5bffc4480f4e264b
Submitter: Zuul
Branch: master

commit a1639fe51f48b9a6cdb5185c5bffc4480f4e264b
Author: David Ames <email address hidden>
Date: Fri Jun 7 09:58:11 2019 -0700

    Enable isolated provider network metadata access

    When an isolated provider network with no virtual routers metadata
    access occurs in the qdhcp netns.

    Without the force_metadata option in dhcp_agent.ini and the haproxy
    package installed ns-metadata-proxy is not enabled. ns-metdata-proxy
    sits in the ip netns and proxies requests from 169.254.169.254 to the
    nova-api-metadata service outside the netns.

    This change adds the force_metadata option and installs haproxy when
    enable-local-dhcp-and-metadata is True.

    Closes-Bug: #1831935

    Change-Id: Iaad1501e8d7d58888ef0917b6700d22a7cf05ecf

Fix proposed to branch: stable/19.04
Review: https://review.opendev.org/664260

Update:

The charm fix [0] has landed in master and is currently being back ported to stable [2].

The checksum bug turned out to be a duplicate of LP Bug #1722584 [2]. The fix (a revert) is in upstream neutron but still needs SRU into Ubuntu packaging.

The final work for this bug will continue on LP Bug #1722584 [2]

[0] https://review.opendev.org/#/c/664001/
[1] https://review.opendev.org/664260
[2] https://bugs.launchpad.net/cloud-archive/+bug/1722584

Reviewed: https://review.opendev.org/664260
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-openvswitch/commit/?id=03eb908d822fcdc91f14c22434a0fd0b51761c90
Submitter: Zuul
Branch: stable/19.04

commit 03eb908d822fcdc91f14c22434a0fd0b51761c90
Author: David Ames <email address hidden>
Date: Fri Jun 7 09:58:11 2019 -0700

    Enable isolated provider network metadata access

    When an isolated provider network with no virtual routers metadata
    access occurs in the qdhcp netns.

    Without the force_metadata option in dhcp_agent.ini and the haproxy
    package installed ns-metadata-proxy is not enabled. ns-metdata-proxy
    sits in the ip netns and proxies requests from 169.254.169.254 to the
    nova-api-metadata service outside the netns.

    This change adds the force_metadata option and installs haproxy when
    enable-local-dhcp-and-metadata is True.

    Closes-Bug: #1831935

    Change-Id: Iaad1501e8d7d58888ef0917b6700d22a7cf05ecf
    (cherry picked from commit a1639fe51f48b9a6cdb5185c5bffc4480f4e264b)

Fix proposed to branch: master
Review: https://review.opendev.org/701476

Fix proposed to branch: master
Review: https://review.opendev.org/704462

Reviewed: https://review.opendev.org/704462
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-gateway/commit/?id=a03fe36fa65b710b6cd8059b870c44204f3e3856
Submitter: Zuul
Branch: master

commit a03fe36fa65b710b6cd8059b870c44204f3e3856
Author: David Ames <email address hidden>
Date: Mon Jan 27 14:54:42 2020 -0800

    Make ovs_use_veth a config option

    This change uses a common DHCPAgentContext and takes care to check for a
    pre-existing setting in the dhcp_agent.ini. Only allowing a config
    change if there is no pre-existing setting.

    Please review and merge charm-helpers PR:
    https://github.com/juju/charm-helpers/pull/422

    Partial-Bug: #1831935

    func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/157
    Change-Id: Ia01c637b0837a4e594d16f6565c605460ad3f922

Reviewed: https://review.opendev.org/701476
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-openvswitch/commit/?id=4075af6a1154246c9653549763e470bb74e7500f
Submitter: Zuul
Branch: master

commit 4075af6a1154246c9653549763e470bb74e7500f
Author: David Ames <email address hidden>
Date: Tue Jan 7 15:21:55 2020 -0800

    Make ovs_use_veth a config option

    This was originally fixed in commit 7578326 but this caused problems. It
    was subsequently reverted in commit 6d2e9ee.

    This change uses a common DHCPAgentContext and takes care to check for a
    pre-existing setting in the dhcp_agent.ini. Only allowing a config
    change if there is no pre-existing setting.

    Please review and merge charm-helpers PR:
    https://github.com/juju/charm-helpers/pull/422

    Partial-Bug: #1831935

    func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/157
    Change-Id: I4848a3246d3450540acb8d2f479dfa2e7767be60

We're also facing this bug in our deployment atm.

VLAN provider networks, metadata server is not accessible. tcpdump shows incorrect checksums on replies from metadata server

We're using charm neutron-openvswitch-269

This bug should actually be closed based on the above gerrit reviews. I'll hold off till I get confirmation from Nikolay.

Nikolay can you please test with the 20.02 release version:
cs:neutron-openvswitch-273

turning tcp tx checksumming off on the qdhcp namespace for the metadata service bound interface also makes it work.
`ethtool -K ns-5546cbc-c9 tx off`

Tested cs:neutron-openvswitch-274. The metadata server is reachable with vlan provider network.

Sorry about the typo,it has been tested on cs:neutron-openvswitch-273

Nikolay, thank you for confirmation. I will close this bug.