lxd subnet setup by juju will interfere with openstack instance traffic
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical Juju |
Triaged
|
High
|
Unassigned | ||
2.0 |
Won't Fix
|
Undecided
|
Unassigned | ||
nova-compute (Juju Charms Collection) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
the LXD bridge subnet setup by juju will interfere with openstack instance traffic
When juju configures lxd, it sets up an IPv4 subnet from 10.0.0.0/8 in container/
This network configuration (ultimately written into /etc/default/
root@unsecretiv
Chain POSTROUTING (policy ACCEPT 1472 packets, 145K bytes)
pkts bytes target prot opt in out source destination
1476 145K neutron-
1476 145K neutron-
4 240 MASQUERADE all -- * * 10.0.0.0/24 !10.0.0.0/24
These POSTROUTING rules are applied to instance traffic including tenant GRE networks. Though the traffic still goes into the GRE tunnel because this rule is POSTROUTING, the traffic is masqueraded to the compute servers IP and will never make it back to the instance.
The instance traffic being routed externally will not work, and it also breaks the metadata service so the instance will not come up correctly and the issue can be hard to debug.
See also the same issue caused by libvirt-bin's default network in #1387390
Using this method to configure a network will never be safe, for the same reason lxd recently removed all default network configuration out of the box.
Given the lxd containers are mostly bridged by juju, do we even need to configure this default subnet? It will work fine without it in bridged mode, as it does in the default out of the box configuration. I have no idea if juju can somehow use these non-bridged interfaces, but even if it can I think that this setup needs to be explicitly configured manually.
How to test:
(1) Setup an openstack installation (tested setup was juju 2.0-beta11-
(2) Check which subnet the lxd containers are configured for, in my case it was simply 10.0.0.0/8 but can vary because of the detection code if you are using 10.0.0.0/8 subnets. Setup a GRE tenant network with this subnet.
(3) Setup a router for this tenant network, optionally create and connect an external network (not strictly necessary but hard to test/debug/observe without)
(4) Boot a new instance, observe the instance cannot contact metadata service. If you tcpdump the qrouter namespaces qg interface or the compute host, you will see the traffic is coming from the compute node's IP and not the instance's
description: | updated |
description: | updated |
tags: | added: network |
Changed in juju-core: | |
status: | New → Triaged |
importance: | Undecided → High |
tags: | added: 2.0 |
Changed in juju-core: | |
milestone: | none → 2.0.0 |
affects: | juju-core → juju |
Changed in juju: | |
milestone: | 2.0.0 → none |
milestone: | none → 2.0.0 |
Changed in juju: | |
assignee: | nobody → Richard Harding (rharding) |
Changed in juju: | |
milestone: | 2.0.0 → 2.1.0 |
Changed in juju: | |
milestone: | 2.1.0 → 2.0.1 |
Changed in nova-compute (Juju Charms Collection): | |
status: | New → Invalid |
tags: | added: uosci |
Changed in juju: | |
milestone: | 2.0.1 → none |
The requirement to configure the internal bridge for LXD + MAAS seems superfluous as Trent points out that all LXD containers get bridged to underlying network segments anyway.