Ubuntu Cloud Archive

[SRU] Return traffic from metadata service may get dropped by hypervisor due to wrong checksum

Bug #1722584 reported by Trygve Vea
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu Cloud Archive
Fix Released
Undecided
Unassigned
Queens
Fix Released
Undecided
Unassigned
Rocky
Fix Released
Undecided
Unassigned
Stein
Fix Released
Undecided
Unassigned
Train
Fix Released
Undecided
Unassigned
neutron
Fix Released
Medium
Brian Haley
neutron (Ubuntu)
Fix Released
High
Unassigned
Bionic
Fix Released
High
Unassigned
Cosmic
Fix Released
High
Unassigned
Disco
Fix Released
High
Unassigned
Eoan
Fix Released
High
Unassigned

Bug Description

[Impact]
Prior addition of code to add checksum rules was found to cause problems with newer kernels. Patch subsequently reverted so this request is to backport those patches to the ubuntu archives.

[Test Case]
* deploy openstack (>= queens)
* create router/network/instance (dvr=false,l3ha=false)
* go to router ns on neutron-gateway and check that the following returns nothing
sudo ip netns exec qrouter-<id> iptables -t mangle -S| grep '\--sport 9697 -j CHECKSUM --checksum-fill'

[Regression Potential]
Backporting the revert patch will mean that routers created with this patch will no longer have a checksum rule added for metadata tcp packets. The original patch added a rule that turned out not to be the fix for the root issue and was subsequently found to cause problems with kernels < 4.19 since it was never intended for gso tcp packets to have their checksum verified using this type of rule. So, removal of this rule (by addition of the revert patch) is not intended to change behaviour at all. The only potential side-effect is that rules that were already created will not be cleaned up (until node reboot or router recreate) and in an L3HA config you could end up with some router instances having the rule and some not depending on whether they were created before or after the patch was included.

[Other Info]
This revert patch does not remove rules added by the original patch so manual cleanup of those old rules is required.

-----------------------------------------------------------------------------
We have a problem with the metadata service not being responsive, when the proxied in the router namespace on some of our networking nodes after upgrading to Ocata (Running on CentOS 7.4, with the RDO packages).

Instance routes traffic to 169.254.169.254 to it's default gateway.
Default gateway is an OpenStack router in a namespace on a networking node.

- Traffic gets sent from the guest,
- to the router,
- iptables routes it to the metadata proxy service,
- response packet gets routed back, leaving the namespace
- Hypervisor gets the packet in
- Checksum of packet is wrong, and the packet gets dropped before putting it on the bridge

Based on the following bug https://bugs.launchpad.net/openstack-ansible/+bug/1483603, we found that adding the following iptable rule in the router namespace made this work again: 'iptables -t mangle -I POSTROUTING -p tcp --sport 9697 -j CHECKSUM --checksum-fill'

(NOTE: The rule from the 1st comment to the bug did solve access to the metadata service, but the lack of precision introduced other problems with the network)

See original description
Brian Haley (brian-haley)
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/510989

Changed in neutron:
assignee: nobody → Brian Haley (brian-haley)
status: Confirmed → In Progress
Revision history for this message
Brian Haley (brian-haley) wrote : Re: Return traffic from metadata service may get dropped by hypervisor due to wrong checksum

Can you see if that patch fixes the problem for you?

Revision history for this message
Trygve Vea (trygve-vea-gmail) wrote :

As the hardware that were affected by this are in use in production, testing this is not something I can just do - I'm afraid.

I want to add that we discovered that this problem is triggered by a combination of running Linux 3.10.0-693.2.2.el7.x86_64 (CentOS 7) and Cisco B200 M2 blades.

I am not sure if it's fair to call this a bug in Neutron, but the workaround in the initial bug report is still valid. We also discovered that similar workaround can be applied in the dhcp-namespaces to fix DNS (which is also broken in the abovementioned setup)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/510989
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ed1c3b021751273e427d47fcf544c56bdabf97bb
Submitter: Zuul
Branch: master

commit ed1c3b021751273e427d47fcf544c56bdabf97bb
Author: Brian Haley <email address hidden>
Date: Tue Oct 10 14:36:33 2017 -0400

    Checksum-fill proxied metadata replies

    Sometimes a proxied metadata reply can be dropped by
    the hypervisor because of an invalid checksum. Always
    fill-in the checksum just like we do for DHCP replies.

    Change-Id: I46987da3bf05577ff0a51a490f26cf2be3c3c266
    Closes-bug: #1722584

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/531879

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b3

This issue was fixed in the openstack/neutron 12.0.0.0b3 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/531879
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b0c7a641439c2a61ce90e36f5b8bc46e60e669ef
Submitter: Zuul
Branch: stable/pike

commit b0c7a641439c2a61ce90e36f5b8bc46e60e669ef
Author: Brian Haley <email address hidden>
Date: Tue Oct 10 14:36:33 2017 -0400

    Checksum-fill proxied metadata replies

    Sometimes a proxied metadata reply can be dropped by
    the hypervisor because of an invalid checksum. Always
    fill-in the checksum just like we do for DHCP replies.

    Change-Id: I46987da3bf05577ff0a51a490f26cf2be3c3c266
    Closes-bug: #1722584
    (cherry picked from commit ed1c3b021751273e427d47fcf544c56bdabf97bb)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.3

This issue was fixed in the openstack/neutron 11.0.3 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/654645

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/654645
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b1b8a438fe3cdc422b8deb61548f47d383ee2fe8
Submitter: Zuul
Branch: master

commit b1b8a438fe3cdc422b8deb61548f47d383ee2fe8
Author: Brian Haley <email address hidden>
Date: Mon Apr 22 18:53:45 2019 -0400

    Revert iptables TCP checksum-fill code

    To fix bug 1722584 we inserted a checksum-fill rule for
    metadata proxy replies. Recent kernels have disabled
    this support for TCP because it was invalid, and
    supposedly not doing anything, so let's get ahead of
    things and remove the code.

    Kernel mailing list discussion is at
    https://lore.kernel.org/patchwork/patch/824819/

    Partially reverts ed1c3b021751273e427d47fcf544c56bdabf97bb

    Change-Id: Ib7cc8f82a91972f17987fb95130edc4069d9423f
    Related-bug: #1722584

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/656357

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/656358

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/656359

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/656359
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=31320156e464d27d8dfb9df82777b92e9eed1e2c
Submitter: Zuul
Branch: stable/queens

commit 31320156e464d27d8dfb9df82777b92e9eed1e2c
Author: Brian Haley <email address hidden>
Date: Mon Apr 22 18:53:45 2019 -0400

    Revert iptables TCP checksum-fill code

    To fix bug 1722584 we inserted a checksum-fill rule for
    metadata proxy replies. Recent kernels have disabled
    this support for TCP because it was invalid, and
    supposedly not doing anything, so let's get ahead of
    things and remove the code.

    Kernel mailing list discussion is at
    https://lore.kernel.org/patchwork/patch/824819/

    Partially reverts ed1c3b021751273e427d47fcf544c56bdabf97bb

    Change-Id: Ib7cc8f82a91972f17987fb95130edc4069d9423f
    Related-bug: #1722584
    (cherry picked from commit b1b8a438fe3cdc422b8deb61548f47d383ee2fe8)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/656358
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=04e995be9898ceaa009344509dc16ca7f589d814
Submitter: Zuul
Branch: stable/rocky

commit 04e995be9898ceaa009344509dc16ca7f589d814
Author: Brian Haley <email address hidden>
Date: Mon Apr 22 18:53:45 2019 -0400

    Revert iptables TCP checksum-fill code

    To fix bug 1722584 we inserted a checksum-fill rule for
    metadata proxy replies. Recent kernels have disabled
    this support for TCP because it was invalid, and
    supposedly not doing anything, so let's get ahead of
    things and remove the code.

    Kernel mailing list discussion is at
    https://lore.kernel.org/patchwork/patch/824819/

    Partially reverts ed1c3b021751273e427d47fcf544c56bdabf97bb

    Change-Id: Ib7cc8f82a91972f17987fb95130edc4069d9423f
    Related-bug: #1722584
    (cherry picked from commit b1b8a438fe3cdc422b8deb61548f47d383ee2fe8)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/656357
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dde99aa719d623b4cc20b2f850ea9f519da85a87
Submitter: Zuul
Branch: stable/stein

commit dde99aa719d623b4cc20b2f850ea9f519da85a87
Author: Brian Haley <email address hidden>
Date: Mon Apr 22 18:53:45 2019 -0400

    Revert iptables TCP checksum-fill code

    To fix bug 1722584 we inserted a checksum-fill rule for
    metadata proxy replies. Recent kernels have disabled
    this support for TCP because it was invalid, and
    supposedly not doing anything, so let's get ahead of
    things and remove the code.

    Kernel mailing list discussion is at
    https://lore.kernel.org/patchwork/patch/824819/

    Partially reverts ed1c3b021751273e427d47fcf544c56bdabf97bb

    Change-Id: Ib7cc8f82a91972f17987fb95130edc4069d9423f
    Related-bug: #1722584
    (cherry picked from commit b1b8a438fe3cdc422b8deb61548f47d383ee2fe8)

tags: added: in-stable-stein
Edward Hope-Morley (hopem)
description: updated
description: updated
summary: - Return traffic from metadata service may get dropped by hypervisor due
- to wrong checksum
+ [SRU] Return traffic from metadata service may get dropped by hypervisor
+ due to wrong checksum
Corey Bryant (corey.bryant)
no longer affects: cloud-archive/ocata
Corey Bryant (corey.bryant)
Changed in neutron (Ubuntu Bionic):
importance: Undecided → High
status: New → Triaged
Changed in neutron (Ubuntu Cosmic):
importance: Undecided → High
status: New → Triaged
Changed in neutron (Ubuntu Disco):
importance: Undecided → High
status: New → Triaged
Changed in neutron (Ubuntu Eoan):
importance: Undecided → High
status: New → Triaged
Corey Bryant (corey.bryant)
description: updated
Revision history for this message
Edward Hope-Morley (hopem) wrote :

iiuc the kernel commit that actually mitigate the impact of this issue is that landed in https://github.com/torvalds/linux/commit/10568f6c5761db24249c610c94d6e44d5505a0ba which is available from 4.19 onwards

Edward Hope-Morley (hopem)
tags: added: sts sts-sru-needed
Revision history for this message
Trygve Vea (trygve-vea-gmail) wrote :

Since I originally submitted this bug, I feel like I should weigh in on the regression potential.

I believe the regression potential is very limited to non-existing. We have since found out that what we experienced was an unfortunate regression in a network driver that took place when we performed a kernel upgrade, and a OpenStack release upgrade at the same time.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This is fixed in last week's eoan/train snapshot.

Changed in neutron (Ubuntu Eoan):
status: Triaged → Fix Released
Revision history for this message
Corey Bryant (corey.bryant) wrote :

This isn't included in the latest point releases for queens, rocky, and stein so we'll need to SRU the cherry-picked patches.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

I've uploaded new versions of neutron with this patch to bionic, cosmic, and disco unapproved queues where they are awaiting review by the Ubuntu SRU team.

https://launchpad.net/ubuntu/disco/+queue?queue_state=1&queue_text=neutron
https://launchpad.net/ubuntu/cosmic/+queue?queue_state=1&queue_text=neutron
https://launchpad.net/ubuntu/bionic/+queue?queue_state=1&queue_text=neutron

Edward Hope-Morley (hopem)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Trygve, or anyone else affected,

Accepted neutron into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/neutron/2:13.0.3-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in neutron (Ubuntu Cosmic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Hello Trygve, or anyone else affected,

Accepted neutron into rocky-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:rocky-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-rocky-needed to verification-rocky-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-rocky-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-rocky-needed
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Trygve, or anyone else affected,

Accepted neutron into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/neutron/2:12.0.6-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in neutron (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Trygve, or anyone else affected,

Accepted neutron into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/neutron/2:14.0.2-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in neutron (Ubuntu Disco):
status: Triaged → Fix Committed
tags: added: verification-needed-disco
Revision history for this message
James Page (james-page) wrote :

Hello Trygve, or anyone else affected,

Accepted neutron into stein-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:stein-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-stein-needed to verification-stein-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-stein-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-stein-needed
Revision history for this message
Edward Hope-Morley (hopem) wrote :

Disco verified using [Test Case]

Test output:

root@juju-7eb0ae-lp1722584-sru-5:~# dpkg -l| grep neutron-l3-agent
ii neutron-l3-agent 2:14.0.2-0ubuntu1 all Neutron is a virtual network service for Openstack - l3 agent
root@juju-7eb0ae-lp1722584-sru-5:~# sudo ip netns exec qrouter-88cd871f-b3a5-4ee9-8c53-cc6a5f2eb9d1 iptables -t mangle -S| grep 9697
root@juju-7eb0ae-lp1722584-sru-5:~#

tags: added: verification-done-disco
removed: verification-needed-disco
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for neutron has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 2:14.0.2-0ubuntu1

---------------
neutron (2:14.0.2-0ubuntu1) disco; urgency=medium

  * New upstream release for OpenStack Stein (LP: #1831754).
  * d/p/bug1826419.patch: Dropped. Fixed upstream in 14.0.2.
  * d/p/revert-iptables-tcp-checksum-fill-code.patch: Dropped. Fixed
    upstream in 14.0.2.

neutron (2:14.0.1-0ubuntu2) disco; urgency=medium

  * d/p/revert-iptables-tcp-checksum-fill-code.patch: Cherry-picked
    from upstream to revert invalid use of iptables -j CHECKSUM
    (LP: #1722584).

 -- Sahid Orentino Ferdjaoui <email address hidden> Wed, 03 Jul 2019 16:22:58 +0200

Changed in neutron (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
Edward Hope-Morley (hopem) wrote :

Xenial+Rocky verified using [Test Case]

Test output:

root@juju-92f0c2-lp1722584-sru-5:~# dpkg -l| grep neutron-l3-agent
ii neutron-l3-agent 2:14.0.2-0ubuntu1~cloud0 all Neutron is a virtual network service for Openstack - l3 agent
root@juju-92f0c2-lp1722584-sru-5:~# sudo ip netns exec qrouter-32ea60b2-ac9b-4a16-8933-63818eb71568 iptables -t mangle -S| grep 9697
root@juju-92f0c2-lp1722584-sru-5:~#

tags: added: verification-rocky-done
removed: verification-rocky-needed
Revision history for this message
Edward Hope-Morley (hopem) wrote :

oops sorry ^^ should be stein not rocky

Revision history for this message
Edward Hope-Morley (hopem) wrote :

Xenial+Stein verified using [Test Case]

Test output:

root@juju-92f0c2-lp1722584-sru-5:~# dpkg -l| grep neutron-l3-agent
ii neutron-l3-agent 2:14.0.2-0ubuntu1~cloud0 all Neutron is a virtual network service for Openstack - l3 agent
root@juju-92f0c2-lp1722584-sru-5:~# sudo ip netns exec qrouter-32ea60b2-ac9b-4a16-8933-63818eb71568 iptables -t mangle -S| grep 9697
root@juju-92f0c2-lp1722584-sru-5:~#

tags: added: verification-rocky-needed verification-stein-done
removed: verification-rocky-done verification-stein-needed
Revision history for this message
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for neutron has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package neutron - 2:14.0.2-0ubuntu1~cloud0
---------------

 neutron (2:14.0.2-0ubuntu1~cloud0) bionic-stein; urgency=medium
 .
   * New upstream release for the Ubuntu Cloud Archive.
 .
 neutron (2:14.0.2-0ubuntu1) disco; urgency=medium
 .
   * New upstream release for OpenStack Stein (LP: #1831754).
   * d/p/bug1826419.patch: Dropped. Fixed upstream in 14.0.2.
   * d/p/revert-iptables-tcp-checksum-fill-code.patch: Dropped. Fixed
     upstream in 14.0.2.
 .
 neutron (2:14.0.1-0ubuntu2) disco; urgency=medium
 .
   * d/p/revert-iptables-tcp-checksum-fill-code.patch: Cherry-picked
     from upstream to revert invalid use of iptables -j CHECKSUM
     (LP: #1722584).

Revision history for this message
Edward Hope-Morley (hopem) wrote :

Cosmic verified with [Test Case]

Test output:

root@juju-c36d25-lp1722584-sru-5:~# dpkg -l| grep neutron-l3-agent
ii neutron-l3-agent 2:13.0.3-0ubuntu2 all Neutron is a virtual network service for Openstack - l3 agent
root@juju-c36d25-lp1722584-sru-5:~# ip netns exec qrouter-01a2b5a1-582e-420f-8838-b7928436797f iptables -t mangle -S| grep 9697
root@juju-c36d25-lp1722584-sru-5:~#

tags: added: verification-done-cosmic
removed: verification-needed-cosmic
Revision history for this message
Edward Hope-Morley (hopem) wrote :

Xenial+Rocky verified using [Test Case]

Test output:

root@juju-7320a7-lp1722584-sru-5:~# dpkg -l| grep neutron-l3-agent
ii neutron-l3-agent 2:13.0.3-0ubuntu2~cloud0 all Neutron is a virtual network service for Openstack - l3 agent
root@juju-7320a7-lp1722584-sru-5:~# ip netns exec qrouter-be78d1c5-1fed-4853-8428-ca228153c669 iptables -t mangle -S| grep '\--sport 9697 -j CHECKSUM --checksum-fill'
root@juju-7320a7-lp1722584-sru-5:~#

tags: added: verification-rocky-done
removed: verification-rocky-needed
Revision history for this message
Corey Bryant (corey.bryant) wrote : Please test proposed package

Hello Trygve, or anyone else affected,

Accepted neutron into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:queens-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-queens-needed to verification-queens-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-queens-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-queens-needed
Revision history for this message
Edward Hope-Morley (hopem) wrote :

Bionic (Queens) verified using [Test Case]

Test output:

root@juju-eabc2c-lp1722584-sru-5:~# dpkg -l| grep neutron-l3-agent
ii neutron-l3-agent 2:12.0.6-0ubuntu2 all Neutron is a virtual network service for Openstack - l3 agent
root@juju-eabc2c-lp1722584-sru-5:~# sudo ip netns exec qrouter-7952203a-0305-433c-8dc4-a7c6af1beb26 iptables -t mangle -S| grep '\--sport 9697 -j CHECKSUM --checksum-fill'
root@juju-eabc2c-lp1722584-sru-5:~#

tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Edward Hope-Morley (hopem) wrote :

Xenial Queens verified using [Test Case]

Test output:

root@juju-2587ed-lp1722584-sru-5:~# dpkg -l | grep neutron-l3-agent
ii neutron-l3-agent 2:12.0.6-0ubuntu2~cloud0 all Neutron is a virtual network service for Openstack - l3 agent
root@juju-2587ed-lp1722584-sru-5:~# sudo ip netns exec qrouter-120cf0e7-5349-4896-ac54-1035ca92c1b0 iptables -t mangle -S| grep '\--sport 9697 -j CHECKSUM --checksum-fill'
root@juju-2587ed-lp1722584-sru-5:~#

tags: added: verification-done verification-queens-done
removed: verification-needed verification-queens-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 2:13.0.3-0ubuntu2

---------------
neutron (2:13.0.3-0ubuntu2) cosmic; urgency=medium

  * d/p/revert-iptables-tcp-checksum-fill-code.patch: Cherry-picked
    from upstream to revert invalid use of iptables -j CHECKSUM
    (LP: #1722584).

neutron (2:13.0.3-0ubuntu1) cosmic; urgency=medium

  * New stable point release for OpenStack Rocky (LP: #1830695).
  * d/p/Spawn-metadata-proxy-on-dvr-ha-standby-routers.patch:
    Dropped. Fixed upstream in 13.0.3.
  * d/p/bug1823038.patch: Dropped. Fixed upstream in 13.0.3.
  * d/p/fix-KeyError-in-OVS-firewall.patch: Dropped. Fixed upstream in 13.0.3.
  * d/p/set-initial-ha-router-state-in-neutron-keepalived-st.patch:
    Dropped. Fixed upstream in 13.0.3.
  * d/p/bug1826419.patch: Rebased to the last version published upstream.

 -- Corey Bryant <email address hidden> Mon, 17 Jun 2019 13:23:45 -0400

Changed in neutron (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 2:12.0.6-0ubuntu2

---------------
neutron (2:12.0.6-0ubuntu2) bionic; urgency=medium

  * d/p/revert-iptables-tcp-checksum-fill-code.patch: Cherry-picked
    from upstream to revert invalid use of iptables -j CHECKSUM
    (LP: #1722584).

 -- Corey Bryant <email address hidden> Mon, 17 Jun 2019 13:30:49 -0400

Changed in neutron (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Corey Bryant (corey.bryant) wrote : Update Released

The verification of the Stable Release Update for neutron has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package neutron - 2:13.0.3-0ubuntu2~cloud0
---------------

 neutron (2:13.0.3-0ubuntu2~cloud0) bionic-rocky; urgency=medium
 .
   * New upstream release for the Ubuntu Cloud Archive.
 .
 neutron (2:13.0.3-0ubuntu2) cosmic; urgency=medium
 .
   * d/p/revert-iptables-tcp-checksum-fill-code.patch: Cherry-picked
     from upstream to revert invalid use of iptables -j CHECKSUM
     (LP: #1722584).
 .
 neutron (2:13.0.3-0ubuntu1) cosmic; urgency=medium
 .
   * New stable point release for OpenStack Rocky (LP: #1830695).
   * d/p/Spawn-metadata-proxy-on-dvr-ha-standby-routers.patch:
     Dropped. Fixed upstream in 13.0.3.
   * d/p/bug1823038.patch: Dropped. Fixed upstream in 13.0.3.
   * d/p/fix-KeyError-in-OVS-firewall.patch: Dropped. Fixed upstream in 13.0.3.
   * d/p/set-initial-ha-router-state-in-neutron-keepalived-st.patch:
     Dropped. Fixed upstream in 13.0.3.
   * d/p/bug1826419.patch: Rebased to the last version published upstream.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for neutron has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package neutron - 2:12.0.6-0ubuntu2~cloud0
---------------

 neutron (2:12.0.6-0ubuntu2~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 neutron (2:12.0.6-0ubuntu2) bionic; urgency=medium
 .
   * d/p/revert-iptables-tcp-checksum-fill-code.patch: Cherry-picked
     from upstream to revert invalid use of iptables -j CHECKSUM
     (LP: #1722584).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.opendev.org/719909

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/pike)

Reviewed: https://review.opendev.org/719909
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8f280339096ed702928f704fd20543ce4370c0d4
Submitter: Zuul
Branch: stable/pike

commit 8f280339096ed702928f704fd20543ce4370c0d4
Author: Brian Haley <email address hidden>
Date: Mon Apr 22 18:53:45 2019 -0400

    Revert iptables TCP checksum-fill code

    To fix bug 1722584 we inserted a checksum-fill rule for
    metadata proxy replies. Recent kernels have disabled
    this support for TCP because it was invalid, and
    supposedly not doing anything, so let's get ahead of
    things and remove the code.

    Kernel mailing list discussion is at
    https://lore.kernel.org/patchwork/patch/824819/

    Partially reverts ed1c3b021751273e427d47fcf544c56bdabf97bb

    Depends-On: https://review.opendev.org/#/c/725213/
    Change-Id: Ib7cc8f82a91972f17987fb95130edc4069d9423f
    Related-bug: #1722584
    (cherry picked from commit b1b8a438fe3cdc422b8deb61548f47d383ee2fe8)
    (cherry picked from commit 31320156e464d27d8dfb9df82777b92e9eed1e2c)

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.