nova-lxd driver does not work with neutron firewall disabled

Bug #1681758 reported by James Page
This bug affects 1 person
Affects                     Status        Importance  Assigned to  Milestone
OpenStack Charm Test Infra  Fix Released  Undecided   Unassigned
Ubuntu Cloud Archive        Fix Released  Low         Unassigned
nova-lxd                    Fix Released  Low         James Page
nova-lxd (Ubuntu)           Fix Released  Low         Unassigned

Bug Description

In a deployment where the firewall is disabled in the neutron-openvswitch-agent (don't ask), the agent switches to using non-hybrid ports (no bridge required to apply security group rules).

In this configuration, neutron will expect the tap device to have been plugged directly into the br-int bridge prior to attempting network binding; however, the nova-lxd driver does not do this, so binding fails and instance launch errors after the network binding event times out.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: python-nova-lxd 15.0.0-0ubuntu1~cloud0 [modified: usr/lib/python2.7/dist-packages/nova/virt/lxd/driver.py usr/lib/python2.7/dist-packages/nova/virt/lxd/storage.py] [origin: Canonical]
ProcVersionSignature: Ubuntu 4.4.0-72.93-generic 4.4.49
Uname: Linux 4.4.0-72-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
CrashDB:
 {
   "impl": "launchpad",
   "project": "cloud-archive",
   "bug_pattern_url": "http://people.canonical.com/~ubuntu-archive/bugpatterns/bugpatterns.xml",
 }
Date: Tue Apr 11 10:11:15 2017
PackageArchitecture: all
ProcEnviron:
 TERM=screen-256color-bce
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: nova-lxd
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
James Page (james-page) wrote :
Changed in cloud-archive:
status: New → Triaged
importance: Undecided → Low
Changed in nova-lxd (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Revision history for this message
James Page (james-page) wrote :

The driver rather relies on bridges being created, which in this configuration is not required.

Revision history for this message
James Page (james-page) wrote :

neutron ml2/ovs configuration on compute unit:

[ovs]
enable_tunneling = True
local_ip = X.X.X.X
bridge_mappings = physnet1:br-data

[agent]
tunnel_types = gre,vxlan
l2_population = True
enable_distributed_routing = False
prevent_arp_spoofing = False

[securitygroup]
enable_security_group = False

Revision history for this message
James Page (james-page) wrote :

Triaging as 'Low' - this is not a typical configuration for an OpenStack cloud, but is something we do for testing OpenStack on top of OpenStack in a QA cloud.

Ideally we'd move to using port security extensions, but juju does not support that just yet.

Changed in nova-lxd:
status: New → Triaged
importance: Undecided → Low
James Page (james-page)
Changed in nova-lxd:
status: Triaged → In Progress
assignee: nobody → James Page (james-page)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova-lxd (master)

Reviewed: https://review.openstack.org/474241
Committed: https://git.openstack.org/cgit/openstack/nova-lxd/commit/?id=78b6c14f2cf375493f3fc268d589f2ba23f4f346
Submitter: Jenkins
Branch: master

commit 78b6c14f2cf375493f3fc268d589f2ba23f4f346
Author: James Page <email address hidden>
Date: Wed Jun 14 15:57:47 2017 +0100

    vif: redux interface wiring approach

    The nova-lxd driver has to take a slightly different approach
    to virtual interface wiring due to a lack of an equivalent to
    'launch and pause' in LXD.

    For some interface types, the last mile tap device needs to
    be present for vif plugging to complete successfully which
    occurs prior to the instance being launched; This change
    refactors the vif module to create veth pairs directly
    in nova-lxd, rather than delegating this to LXD as part of
    a bridged network interface type. This allows vif plugging
    to complete prior to the instance being created in LXD.

    The side effect of this change is that all currently supported
    interface types are now configured as 'physical' interfaces
    in LXD profiles for instances - wiring to bridges is handled
    directly by the nova-lxd driver instead.

    This change has been validated with:

       ovs driver + iptables hybrid firewall driver
       ovs driver + openvswitch native firewall driver
       linuxbridge driver + iptables hybrid firewall driver

    The VIF wiring approach is described in detail in the VIF
    wiring documentation included in this change.

    Closes-Bug: 1681758
    Change-Id: Ic268e989d1ee19f696298fb1e0db729a00352a12

Changed in nova-lxd:
status: In Progress → Fix Released
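The agent configuration posted above (enable_security_group = False) and the wiring approach described in the fix commit come together in the following added example. It is not nova-lxd or neutron code: it reads the [securitygroup] section of a neutron OVS agent config, decides whether neutron expects the "hybrid" plug (tap -> Linux bridge qbr -> veth qvb/qvo -> br-int, the qbr bridge being the only place iptables security-group rules can attach) or the direct plug (tap -> br-int, used both when the firewall is disabled and with the native OVS firewall driver), and returns the host-side command plan plus the LXD 'physical' NIC device that hands the container end of the veth pair to the instance. The tap/qbr/qvb/qvo naming (prefix plus the first 11 characters of the port id) follows nova's convention; the `tin` prefix for the container end, the HYBRID_FIREWALL_DRIVERS set and the three config fragments are assumptions constructed for the example. Nothing is executed; the plan is returned as data.

```python
"""Plan the host-side VIF wiring that must exist before neutron will bind a port.

Added example, not nova-lxd or neutron code. The important property is that
the host end of the veth pair is created by the driver and put on br-int
(carrying external-ids:iface-id) before nova waits for the
network-vif-plugged event, instead of leaving veth creation to LXD at
container start, which is too late for the non-hybrid case.
"""
import configparser

NIC_NAME_LEN = 14  # nova truncates tap/qbr/qvb/qvo names to this length

# Firewall drivers that need the intermediate Linux bridge. Assumption: the
# short alias and the class name are the two spellings found in configs.
HYBRID_FIREWALL_DRIVERS = {
    "iptables_hybrid",
    "neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver",
}

# Constructed config fragments; the first one mirrors the bug report.
AGENT_CONF_FIREWALL_DISABLED = """
[securitygroup]
enable_security_group = False
"""
AGENT_CONF_IPTABLES_HYBRID = """
[securitygroup]
enable_security_group = True
firewall_driver = iptables_hybrid
"""
AGENT_CONF_OVS_NATIVE = """
[securitygroup]
enable_security_group = True
firewall_driver = openvswitch
"""


def needs_hybrid_plug(agent_conf_text):
    """True only when security groups are on AND the driver is iptables_hybrid.

    A disabled firewall (noop) and the native OVS firewall both plug the tap
    straight into br-int, which is the configuration the bug report hit.
    """
    cp = configparser.ConfigParser()
    cp.read_string(agent_conf_text)
    enabled = cp.getboolean("securitygroup", "enable_security_group", fallback=True)
    driver = cp.get("securitygroup", "firewall_driver", fallback="")
    return enabled and driver.strip() in HYBRID_FIREWALL_DRIVERS


def _devname(prefix, port_id):
    return (prefix + port_id)[:NIC_NAME_LEN]


def _ovs_add_port(bridge, dev, port_id, mac, instance_id):
    # external-ids:iface-id is what the OVS agent matches against the neutron
    # port; without it on a br-int port the binding never completes.
    return ["ovs-vsctl", "--", "--if-exists", "del-port", bridge, dev,
            "--", "add-port", bridge, dev,
            "--", "set", "Interface", dev,
            "external-ids:iface-id=%s" % port_id,
            "external-ids:iface-status=active",
            "external-ids:attached-mac=%s" % mac,
            "external-ids:vm-uuid=%s" % instance_id]


def wiring_plan(port_id, mac, instance_id, hybrid, bridge="br-int"):
    """Return {'tap', 'br_int_port', 'commands', 'lxd_device'} for one port."""
    tap = _devname("tap", port_id)
    inner = _devname("tin", port_id)  # hypothetical name for the container end
    # The driver creates the veth pair itself so the host end exists before
    # the instance is created in LXD.
    commands = [["ip", "link", "add", tap, "type", "veth", "peer", "name", inner],
                ["ip", "link", "set", tap, "up"]]
    if hybrid:
        qbr, qvb, qvo = (_devname(p, port_id) for p in ("qbr", "qvb", "qvo"))
        commands += [
            ["ip", "link", "add", "name", qbr, "type", "bridge"],
            ["ip", "link", "set", qbr, "type", "bridge", "stp_state", "0", "forward_delay", "0"],
            ["ip", "link", "add", qvb, "type", "veth", "peer", "name", qvo],
            ["ip", "link", "set", qvb, "master", qbr],
            ["ip", "link", "set", tap, "master", qbr],   # iptables rules hang off qbr
            _ovs_add_port(bridge, qvo, port_id, mac, instance_id),
            ["ip", "link", "set", qbr, "up"],
            ["ip", "link", "set", qvb, "up"],
            ["ip", "link", "set", qvo, "up"],
        ]
        br_int_port = qvo
    else:
        # Non-hybrid: the tap itself is the br-int port neutron looks for.
        commands.append(_ovs_add_port(bridge, tap, port_id, mac, instance_id))
        br_int_port = tap
    # After the fix every interface type is a 'physical' LXD NIC: LXD moves
    # the already-wired container end into the instance instead of creating
    # its own veth against a bridge.
    lxd_device = {"type": "nic", "nictype": "physical", "parent": inner,
                  "name": "eth0", "hwaddr": mac}
    return {"tap": tap, "br_int_port": br_int_port,
            "commands": commands, "lxd_device": lxd_device}
```

Feeding the posted configuration through needs_hybrid_plug() returns False, so the plan puts the tap directly on br-int; with the iptables_hybrid driver it returns True and the extra qbr/qvb/qvo hop appears. Either way the br-int port and its iface-id exist before the container is launched, which is what the network binding was waiting for.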
Revision history for this message
James Page (james-page) wrote :

This works as of the Pike release - marking all Bugs as Fix Released.

Changed in nova-lxd (Ubuntu):
status: Triaged → Fix Released
Changed in cloud-archive:
status: Triaged → Fix Released
Changed in charm-test-infra:
status: New → Fix Released