Inconsistent connectivity between instances with floating IPs

Bug #1178745 reported by Brent Eagles
This bug affects 11 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | High | Brent Eagles |
Nominated for Folsom by Yaguang Tang
Grizzly | Fix Released | High | Vish Ishaya |
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
Ubuntu | Fix Released | Undecided | Unassigned |

Bug Description

Communication between instances on the same fixed network using assigned floating IP addresses does not behave in a consistent fashion. In all-in-one and (possibly) multi-host deployments, creating connections using floating IPs appears to work (at least within the confines of the security groups). However, with standalone compute nodes, instances that are on the same compute node cannot successfully create a connection. Routing and matching endpoints seem to be at the core of this issue.

Brent Eagles (beagles)
Changed in nova:
assignee: nobody → Brent Eagles (beagles)
Changed in nova:
status: New → In Progress
Changed in nova:
milestone: none → havana-1
Changed in nova:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/29268

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/28815
Committed: http://github.com/openstack/nova/commit/314c419323ddd512babc4504ef8a4be1e04f2af7
Submitter: Jenkins
Branch: master

commit 314c419323ddd512babc4504ef8a4be1e04f2af7
Author: Brent Eagles <email address hidden>
Date: Fri May 10 14:26:24 2013 -0230

    Reverse path SNAT for DNAT floating-ip.

    This patch applies a reverse SNAT rule to allow instances that have an
    assigned floating IP to communicate with other instances in the same
    OpenStack deployment, security group rules permitting. The patch
    allows members of the same private network to communicate with each
    other using their floating-ips in a more consistent fashion. The rule
    also addresses the situation where the target is on another private
    network.

    This will only work for interaction between two servers that both have
    floating IPs assigned to them.

    Specifically, this patch solves the problem where a target server
    "sees" the private address of the client. By SNAT'ing to the client's
    floating-IP, the "sees" the correct reply address and the reverse
    route follows the same path that an actual external connection would
    take. The SNAT ONLY occurs if a DNAT occurred beforehand, allowing
    communication on private networks using private IPs to remain fully
    private and internal. The limitation is of course if a DNAT occurs for
    other reasons, there may be issues.

    Resolves bug 1178745

    Change-Id: I55b7131cff5fd5a2ebf826945370d4d550e74136
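
The behaviour the commit message above describes, as an added example that is not part of the bug report or of nova's code: a small model of one NAT host showing what the target sees and whether the client's reply matches, with and without the DNAT-conditional SNAT. The addresses, the `connect` helper, the iptables rule shape in the comment and the direct-delivery rule for replies to fixed IPs are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample addresses: fixed IP -> floating IP. 10.0.0.4 has none.
FLOATING = {"10.0.0.2": "172.24.4.10", "10.0.0.3": "172.24.4.11"}
FIXED = {flt: fix for fix, flt in FLOATING.items()}


@dataclass(frozen=True)
class Result:
    seen_by_target: str   # source address the target server sees
    reply_from: str       # source address of the reply as the client sees it
    established: bool     # True when the reply matches the address dialed


def connect(client_fixed: str, dialed: str, reverse_snat: bool) -> Result:
    """Model one connection attempt through the NAT host (hypothetical helper)."""
    dnat = dialed in FIXED                      # floating IP dialed -> DNAT
    target_fixed = FIXED.get(dialed, dialed)
    src = client_fixed
    # The fix: SNAT to the client's floating IP only when a DNAT occurred.
    # In iptables terms this is a conntrack match on the DNAT state, e.g.
    #   -s <fixed> -m conntrack --ctstate DNAT -j SNAT --to-source <floating>
    # (assumed rule shape; the page does not show the rule itself).
    if reverse_snat and dnat and client_fixed in FLOATING:
        src = FLOATING[client_fixed]

    if src in FLOATING.values():
        # Reply goes to a floating IP, so it crosses the NAT host again and
        # connection tracking reverses both translations.
        reply_from = dialed
    else:
        # Modelling assumption: a reply to a fixed IP on the same network is
        # delivered directly and is never un-DNATed.
        reply_from = target_fixed
    return Result(src, reply_from, reply_from == dialed)


if __name__ == "__main__":
    for args in [("10.0.0.2", "172.24.4.11", False),
                 ("10.0.0.2", "172.24.4.11", True),
                 ("10.0.0.2", "10.0.0.3", True),
                 ("10.0.0.4", "172.24.4.11", True)]:
        print(args, connect(*args))
```

The third case shows private-to-private traffic left untranslated, and the fourth shows the stated limit that both servers need a floating IP.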

Changed in nova:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/grizzly)

Reviewed: https://review.openstack.org/29268
Committed: http://github.com/openstack/nova/commit/b8c434630d31f49ae0e9686ddfac8f25acf117b1
Submitter: Jenkins
Branch: stable/grizzly

commit b8c434630d31f49ae0e9686ddfac8f25acf117b1
Author: Brent Eagles <email address hidden>
Date: Fri May 10 14:26:24 2013 -0230

    Reverse path SNAT for DNAT floating-ip.

    This patch applies a reverse SNAT rule to allow instances that have an
    assigned floating IP to communicate with other instances in the same
    OpenStack deployment, security group rules permitting. The patch
    allows members of the same private network to communicate with each
    other using their floating-ips in a more consistent fashion. The rule
    also addresses the situation where the target is on another private
    network.

    This will only work for interaction between two servers that both have
    floating IPs assigned to them.

    Specifically, this patch solves the problem where a target server
    "sees" the private address of the client. By SNAT'ing to the client's
    floating-IP, the "sees" the correct reply address and the reverse
    route follows the same path that an actual external connection would
    take. The SNAT ONLY occurs if a DNAT occurred beforehand, allowing
    communication on private networks using private IPs to remain fully
    private and internal. The limitation is of course if a DNAT occurs for
    other reasons, there may be issues.

    Resolves bug 1178745

    Change-Id: I55b7131cff5fd5a2ebf826945370d4d550e74136
    (cherry picked from commit 314c419323ddd512babc4504ef8a4be1e04f2af7)

Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: havana-1 → 2013.2
Yaguang Tang (heut2008)
no longer affects: ubuntu
John Kim (kotux) wrote :

The branch has been pending for a few weeks. Can someone review it?

John Kim (kotux)
Changed in ubuntu:
status: New → Fix Released
James Page (james-page)
Changed in cloud-archive:
status: New → Fix Released