OVN with distributed floating IPs doesn't work with Octavia as LB VIPs are not bound to any chassis
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
networking-ovn |
Fix Released
|
High
|
Daniel Alvarez |
Bug Description
When using OVN with distributed FIPs and Octavia, traffic to the LB VIP won't work as it's not bound to any chassis so flows aren't installed in any compute node.
We could have a way to add the external_mac only when the port is up (ie. bound to a chassis). When port is down and we assign a FIP to it, we'll be then falling back to the centralized routing case so traffic will go to the network node hosting the gateway for that FIP.
Changed in networking-ovn: | |
assignee: | nobody → Daniel Alvarez (dalvarezs) |
Changed in networking-ovn: | |
status: | New → In Progress |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/rocky) | #1 |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/queens) | #2 |
Fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (master) | #3 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit c44d075269acb0b
Author: Daniel Alvarez <email address hidden>
Date: Wed Aug 29 15:58:05 2018 +0000
Set/unset external MAC addresses for NAT entry when port is up/down
When using distributed floating IPs, we set the external MAC
address and logical port fields regardless whether the LSP
is up. For the particular use of Octavia LB VIP, which doesn't
ever get bound, the floating IP associated to it will never
get the flows installed by ovn-controller.
This patch changes the mechanism so that the DNAT entries get
updated only on port up/down changes. If the port remains
down, the external_mac will be cleared and traffic to those
FIPs will still go through the centralized router.
When a port gets bound to a chassis, if DVR is enabled, the
mac_address field will be populated and traffic will go to
the compute node.
Closes-bug: #1789686
Change-Id: I0043984b4bb7b3
Signed-off-by: Daniel Alvarez <email address hidden>
Changed in networking-ovn: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (stable/rocky) | #4 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 15f56a02efee8c6
Author: Daniel Alvarez <email address hidden>
Date: Wed Aug 29 15:58:05 2018 +0000
Set/unset external MAC addresses for NAT entry when port is up/down
When using distributed floating IPs, we set the external MAC
address and logical port fields regardless whether the LSP
is up. For the particular use of Octavia LB VIP, which doesn't
ever get bound, the floating IP associated to it will never
get the flows installed by ovn-controller.
This patch changes the mechanism so that the DNAT entries get
updated only on port up/down changes. If the port remains
down, the external_mac will be cleared and traffic to those
FIPs will still go through the centralized router.
When a port gets bound to a chassis, if DVR is enabled, the
mac_address field will be populated and traffic will go to
the compute node.
Closes-bug: #1789686
Change-Id: I0043984b4bb7b3
Signed-off-by: Daniel Alvarez <email address hidden>
(cherry picked from commit c44d075269acb0b
tags: | added: in-stable-rocky |
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (stable/queens) | #5 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 517a691cf1d662e
Author: Daniel Alvarez <email address hidden>
Date: Wed Aug 29 15:58:05 2018 +0000
Set/unset external MAC addresses for NAT entry when port is up/down
When using distributed floating IPs, we set the external MAC
address and logical port fields regardless whether the LSP
is up. For the particular use of Octavia LB VIP, which doesn't
ever get bound, the floating IP associated to it will never
get the flows installed by ovn-controller.
This patch changes the mechanism so that the DNAT entries get
updated only on port up/down changes. If the port remains
down, the external_mac will be cleared and traffic to those
FIPs will still go through the centralized router.
When a port gets bound to a chassis, if DVR is enabled, the
mac_address field will be populated and traffic will go to
the compute node.
Conflicts:
networking
Closes-bug: #1789686
Change-Id: I0043984b4bb7b3
Signed-off-by: Daniel Alvarez <email address hidden>
(cherry picked from commit c44d075269acb0b
tags: | added: in-stable-queens |
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 4.0.3 | #6 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 5.0.1 | #7 |
This issue was fixed in the openstack/
Changed in networking-ovn: | |
importance: | Undecided → Critical |
importance: | Critical → High |
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 6.0.0.0b1 | #8 |
This issue was fixed in the openstack/
Lucas Alvares Gomes (lucasagomes) wrote : | #9 |
Re-opening this bug because the latest fix hasn't completed solved the problem as reported at https:/
Changed in networking-ovn: | |
status: | Fix Released → In Progress |
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (master) | #10 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 33fd553158a96b4
Author: Maciej Józefczyk <email address hidden>
Date: Wed May 15 09:41:33 2019 +0000
Do not set port addresses on LSP while port not bound
FIP that points to VIP port could not have addresses
specified [1]. Router pipeline will try to resolve
ARP requests internally from LSP instead looking for
actual MAC address from LSP where VIP exists at this moment.
Lets not set this address till the port is bound.
[1] https:/
Change-Id: I36261701be3935
Closes-Bug: #1789686
Changed in networking-ovn: | |
status: | In Progress → Fix Released |
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/stein) | #11 |
Fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/rocky) | #12 |
Fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-ovn (stable/queens) | #13 |
Fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (stable/stein) | #14 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit fe366e0992c5f26
Author: Maciej Józefczyk <email address hidden>
Date: Wed May 15 09:41:33 2019 +0000
Do not set port addresses on LSP while port not bound
FIP that points to VIP port could not have addresses
specified [1]. Router pipeline will try to resolve
ARP requests internally from LSP instead looking for
actual MAC address from LSP where VIP exists at this moment.
Lets not set this address till the port is bound.
[1] https:/
Change-Id: I36261701be3935
Closes-Bug: #1789686
(cherry picked from commit 33fd553158a96b4
tags: | added: in-stable-stein |
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (stable/rocky) | #15 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit f8864483767e0da
Author: Maciej Józefczyk <email address hidden>
Date: Wed May 15 09:41:33 2019 +0000
Do not set port addresses on LSP while port not bound
FIP that points to VIP port could not have addresses
specified [1]. Router pipeline will try to resolve
ARP requests internally from LSP instead looking for
actual MAC address from LSP where VIP exists at this moment.
Lets not set this address till the port is bound.
[1] https:/
Change-Id: I36261701be3935
Closes-Bug: #1789686
(cherry picked from commit 33fd553158a96b4
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-ovn (stable/queens) | #16 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 7248a54f669effc
Author: Maciej Józefczyk <email address hidden>
Date: Wed May 15 09:41:33 2019 +0000
Do not set port addresses on LSP while port not bound
FIP that points to VIP port could not have addresses
specified [1]. Router pipeline will try to resolve
ARP requests internally from LSP instead looking for
actual MAC address from LSP where VIP exists at this moment.
Lets not set this address till the port is bound.
[1] https:/
Change-Id: I36261701be3935
Closes-Bug: #1789686
(cherry picked from commit 33fd553158a96b4
tags: | added: networking-ovn-proactive-backport-potential |
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 7.0.0.0b1 | #17 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 4.0.4 | #18 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (master) | #19 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 5e72ea104cba1c3
Author: Lucas Alvares Gomes <email address hidden>
Date: Wed Aug 7 13:47:55 2019 +0100
Add support for virtual port type
This patch adds support for "virtual" port type following the work in
core OVN [0].
Currently there are two main usages for this type of port:
* Octavia: For creating the logical port for the virtual IP.
* VRRP [1]
Upon adding an IP address to the allowed_
Neutron's port, networking-ovn will look if that IP matches with the IP
of another existing port in the same network. If so, networking-ovn will
updating the matching port accordingly setting its type to "virtual"
and adding the required options in the OVN database.
The patch also accounts for other situations such as:
* Creating the VIP port after the parents (the ones with the IP in the
allowed_
* When updating removing/adding allowed_
ports are also updated.
* When deleting a parent port the virtual ports are also updated.
The code removes the type "virtual" from a virtual port whenever there's
no parents left (in case of deletion or editing allowed_
making it an ordinary port again.
The patch also keeps the logic introduced by
33fd553158a
not support the virtual port type (> 2.12) making it backward compatible.
[0]
https:/
[1]
https:/
Closes-Bug: #1840449
Related-Bug: #1789686
Change-Id: I0b01b764413d17
Signed-off-by: Lucas Alvares Gomes <email address hidden>
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/train) | #20 |
Related fix proposed to branch: stable/train
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (stable/train) | #21 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/train
commit 07df2a6bf8acb58
Author: Lucas Alvares Gomes <email address hidden>
Date: Wed Aug 7 13:47:55 2019 +0100
Add support for virtual port type
This patch adds support for "virtual" port type following the work in
core OVN [0].
Currently there are two main usages for this type of port:
* Octavia: For creating the logical port for the virtual IP.
* VRRP [1]
Upon adding an IP address to the allowed_
Neutron's port, networking-ovn will look if that IP matches with the IP
of another existing port in the same network. If so, networking-ovn will
updating the matching port accordingly setting its type to "virtual"
and adding the required options in the OVN database.
The patch also accounts for other situations such as:
* Creating the VIP port after the parents (the ones with the IP in the
allowed_
* When updating removing/adding allowed_
ports are also updated.
* When deleting a parent port the virtual ports are also updated.
The code removes the type "virtual" from a virtual port whenever there's
no parents left (in case of deletion or editing allowed_
making it an ordinary port again.
The patch also keeps the logic introduced by
33fd553158a
not support the virtual port type (> 2.12) making it backward compatible.
[0]
https:/
[1]
https:/
Conflicts:
Closes-Bug: #1840449
Related-Bug: #1789686
Change-Id: I0b01b764413d17
Signed-off-by: Lucas Alvares Gomes <email address hidden>
(cherry picked from commit 5e72ea104cba1c3
tags: | added: in-stable-train |
tags: | removed: networking-ovn-proactive-backport-potential |
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/stein) | #22 |
Related fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/rocky) | #23 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/queens) | #24 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/stein) | #25 |
Related fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-ovn (stable/stein) | #26 |
Change abandoned by Brian Haley (<email address hidden>) on branch: stable/stein
Review: https:/
Reason: See https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/rocky) | #27 |
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-ovn (stable/rocky) | #28 |
Change abandoned by Brian Haley (<email address hidden>) on branch: stable/rocky
Review: https:/
Reason: See https:/
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to networking-ovn (stable/queens) | #29 |
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-ovn (stable/queens) | #30 |
Change abandoned by Brian Haley (<email address hidden>) on branch: stable/queens
Review: https:/
Reason: See https:/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 6.0.1 | #31 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-ovn 5.1.0 | #32 |
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (stable/rocky) | #33 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit 32eb8c3f0171c45
Author: Lucas Alvares Gomes <email address hidden>
Date: Wed Aug 7 13:47:55 2019 +0100
Add support for virtual port type
This patch adds support for "virtual" port type following the work in
core OVN [0].
Currently there are two main usages for this type of port:
* Octavia: For creating the logical port for the virtual IP.
* VRRP [1]
Upon adding an IP address to the allowed_
Neutron's port, networking-ovn will look if that IP matches with the IP
of another existing port in the same network. If so, networking-ovn will
updating the matching port accordingly setting its type to "virtual"
and adding the required options in the OVN database.
The patch also accounts for other situations such as:
* Creating the VIP port after the parents (the ones with the IP in the
allowed_
* When updating removing/adding allowed_
ports are also updated.
* When deleting a parent port the virtual ports are also updated.
The code removes the type "virtual" from a virtual port whenever there's
no parents left (in case of deletion or editing allowed_
making it an ordinary port again.
The patch also keeps the logic introduced by
33fd553158a
not support the virtual port type (> 2.12) making it backward compatible.
[0]
https:/
[1]
https:/
Closes-Bug: #1840449
Related-Bug: #1789686
Signed-off-by: Lucas Alvares Gomes <email address hidden>
(cherry picked from commit 5e72ea104cba1c3
Conflicts:
Change-Id: I0b01b764413d17
OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (stable/stein) | #34 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 1e789a02715cbfa
Author: Lucas Alvares Gomes <email address hidden>
Date: Wed Aug 7 13:47:55 2019 +0100
Add support for virtual port type
This patch adds support for "virtual" port type following the work in
core OVN [0].
Currently there are two main usages for this type of port:
* Octavia: For creating the logical port for the virtual IP.
* VRRP [1]
Upon adding an IP address to the allowed_
Neutron's port, networking-ovn will look if that IP matches with the IP
of another existing port in the same network. If so, networking-ovn will
updating the matching port accordingly setting its type to "virtual"
and adding the required options in the OVN database.
The patch also accounts for other situations such as:
* Creating the VIP port after the parents (the ones with the IP in the
allowed_
* When updating removing/adding allowed_
ports are also updated.
* When deleting a parent port the virtual ports are also updated.
The code removes the type "virtual" from a virtual port whenever there's
no parents left (in case of deletion or editing allowed_
making it an ordinary port again.
The patch also keeps the logic introduced by
33fd553158a
not support the virtual port type (> 2.12) making it backward compatible.
[0]
https:/
[1]
https:/
Closes-Bug: #1840449
Related-Bug: #1789686
Signed-off-by: Lucas Alvares Gomes <email address hidden>
(cherry picked from commit 5e72ea104cba1c3
Conflicts:
Change-Id: I0b01b764413d17
OpenStack Infra (hudson-openstack) wrote : Related fix merged to networking-ovn (stable/queens) | #35 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 9f14ee2b735a172
Author: Lucas Alvares Gomes <email address hidden>
Date: Wed Aug 7 13:47:55 2019 +0100
Add support for virtual port type
This patch adds support for "virtual" port type following the work in
core OVN [0].
Currently there are two main usages for this type of port:
* Octavia: For creating the logical port for the virtual IP.
* VRRP [1]
Upon adding an IP address to the allowed_
Neutron's port, networking-ovn will look if that IP matches with the IP
of another existing port in the same network. If so, networking-ovn will
updating the matching port accordingly setting its type to "virtual"
and adding the required options in the OVN database.
The patch also accounts for other situations such as:
* Creating the VIP port after the parents (the ones with the IP in the
allowed_
* When updating removing/adding allowed_
ports are also updated.
* When deleting a parent port the virtual ports are also updated.
The code removes the type "virtual" from a virtual port whenever there's
no parents left (in case of deletion or editing allowed_
making it an ordinary port again.
The patch also keeps the logic introduced by
33fd553158a
not support the virtual port type (> 2.12) making it backward compatible.
[0]
https:/
[1]
https:/
Had to fix a bug in a previous cherry-pick that broke a port_type
check in ovn_client.py, https:/
Closes-Bug: #1840449
Related-Bug: #1789686
Signed-off-by: Lucas Alvares Gomes <email address hidden>
(cherry picked from commit 5e72ea104cba1c3
Conflicts:
Change-Id: I0b01b764413d17
Fix proposed to branch: stable/rocky /review. openstack. org/601292
Review: https:/