Cannot enable DVR and IPv6 simultaneously
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | neutron |
Medium
|
Brian Haley | ||
| | Juno |
Medium
|
Carl Baldwin | ||
Bug Description
While testing out the devstack change to support IPv6, https:/
I have these two things enabled in local.conf:
Q_DVR_MODE=dvr_snat
IP_VERSION=4+6
After locally fixing lib/neutron to teach it about the DVR snat- namespace (another bug to be filed for that), stack.sh was able to complete, but the l3-agent wasn't very happy:
Stderr: '' execute /opt/stack/
2014-09-30 12:53:47.511 21778 DEBUG neutron.
2014-09-30 12:53:47.641 21778 ERROR neutron.
Command: ['sudo', '/usr/local/
Exit code: 2
Stdout: ''
Stderr: 'arping: unknown host fd00::1\n'
2014-09-30 12:53:47.643 21778 ERROR neutron.
Command: ['sudo', '/usr/local/
Exit code: 2
Stdout: ''
Stderr: 'arping: unknown host fd00::1\n'
2014-09-30 12:53:48.682 21778 ERROR neutron.
Command: ['sudo', '/usr/local/
Exit code: 255
Stdout: ''
Stderr: 'Error: argument "33629468293358
2014-09-30 12:53:48.683 21778 ERROR neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
2014-09-30 12:53:48.683 21778 TRACE neutron.
Ignore the ARP failures, there's already an upstream patch proposed for that.
The fix for now might just be to ignore IPv6 addresses in the SNAT code, we can look at optimizations later, but need to get this working so we can enable both at the same time.
There are other errors that this then triggers, so devstack isn't very usable until you turn one off.
| Changed in neutron: | |
| assignee: | nobody → Brian Haley (brian-haley) |
| tags: | added: l3-dvr-backlog |
| Changed in neutron: | |
| importance: | Undecided → Medium |
| Changed in neutron: | |
| assignee: | Brian Haley (brian-haley) → Rajeev Grover (rajeev-grover) |
| status: | New → In Progress |
| tags: | added: ipv6 |
| OpenStack Infra (hudson-openstack) wrote : | #2 |
Fix proposed to branch: master
Review: https:/
| Changed in neutron: | |
| assignee: | Rajeev Grover (rajeev-grover) → Brian Haley (brian-haley) |
| Changed in neutron: | |
| assignee: | Brian Haley (brian-haley) → Rajeev Grover (rajeev-grover) |
| OpenStack Infra (hudson-openstack) wrote : | #3 |
Fix proposed to branch: master
Review: https:/
| Changed in neutron: | |
| assignee: | Rajeev Grover (rajeev-grover) → Xu Han Peng (xuhanp) |
| Changed in neutron: | |
| assignee: | Xu Han Peng (xuhanp) → Brian Haley (brian-haley) |
| Changed in neutron: | |
| assignee: | Brian Haley (brian-haley) → Xu Han Peng (xuhanp) |
| Changed in neutron: | |
| assignee: | Xu Han Peng (xuhanp) → Rajeev Grover (rajeev-grover) |
| Changed in neutron: | |
| assignee: | Rajeev Grover (rajeev-grover) → Xu Han Peng (xuhanp) |
| Changed in neutron: | |
| assignee: | Xu Han Peng (xuhanp) → Rajeev Grover (rajeev-grover) |
| OpenStack Infra (hudson-openstack) wrote : | #4 |
Fix proposed to branch: master
Review: https:/
| Changed in neutron: | |
| assignee: | Rajeev Grover (rajeev-grover) → Xu Han Peng (xuhanp) |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit deffbbfdfef57f7
Author: Xu Han Peng <email address hidden>
Date: Wed Dec 10 14:07:42 2014 +0800
Fix IPv6 RA security group rule for DVR
Current IPv6 RA security group rule doesn't work for
DVR because the code only allows RA from device_owner
is network:
router interface is network:
This fix fixes the RA rule to allow RA from DVR router
interface, so router advertisement from DVR RADVD can
pass to VM.
Co-Authored-By: Baodong (Robert) Li <email address hidden>
Change-Id: Idd1324c653dcb1
Partial-Bug: 1376325
| Changed in neutron: | |
| assignee: | Xu Han Peng (xuhanp) → Rajeev Grover (rajeev-grover) |
| Changed in neutron: | |
| assignee: | Rajeev Grover (rajeev-grover) → Brian Haley (brian-haley) |
| Changed in neutron: | |
| assignee: | Brian Haley (brian-haley) → Rajeev Grover (rajeev-grover) |
| Changed in neutron: | |
| assignee: | Rajeev Grover (rajeev-grover) → Xu Han Peng (xuhanp) |
| Changed in neutron: | |
| assignee: | Xu Han Peng (xuhanp) → Brian Haley (brian-haley) |
| Changed in neutron: | |
| assignee: | Brian Haley (brian-haley) → Rajeev Grover (rajeev-grover) |
| Changed in neutron: | |
| assignee: | Rajeev Grover (rajeev-grover) → Brian Haley (brian-haley) |
| OpenStack Infra (hudson-openstack) wrote : | #6 |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 727417e71ed155c
Author: Xu Han Peng <email address hidden>
Date: Wed Dec 3 14:58:34 2014 +0800
Fix DVR flow problems for IPv6 subnet
This code fixes DVR flow problems by changing proto='ip' to
proto='ipv6' and changing nw_dst to ipv6_dst.
When DVR is enabled, RADVD is spawned by l3 agent on each compute
node. This code also prevent IPv6 Router Advertisement from
sending to other compute nodes.
Change-Id: Id94acd85ea124e
Closes-Bug: 1398244
Closes-Bug: 1398627
Partial-Bug: 1376325
| OpenStack Infra (hudson-openstack) wrote : | #7 |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 7eb23f662cd62f2
Author: rajeev <email address hidden>
Date: Wed Nov 12 11:25:55 2014 -0500
Add index generation for IPv6 rules for DVR
For IPv6 support with DVR the index used for rule priority and
route table needs to be generated such that the index is 32 bits
or less but greater than the system generated rule entries.
For IPv4 the numeric value of the network is used as the index.
For IPv6 the 30 bit xor-folded crc32 of the cidr is used.
Values smaller than system generated entries are extended into
the range freed up because of xor-folding.
For code modularity, index generation is wrapped into a helper
method.
Partial-bug: #1376325
Change-Id: I4bcde80257ef5f
| OpenStack Infra (hudson-openstack) wrote : | #8 |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 4d774ef13cc4292
Author: Brian Haley <email address hidden>
Date: Mon Nov 24 21:33:20 2014 -0500
Add address family to 'ip rule' calls
Without an address family, 'ip rule' won't work with IPv6
arguments because it assumes IPv4. This causes the l3-agent
to throw an error when adding a rule in DVR mode.
Also changed these functions to be more symmetrical and take the
same arguments, which required a little tweaking, but it looks
much cleaner now.
Change-Id: I85718d8d6ffcf3
Closes-bug: #1376325
| Changed in neutron: | |
| status: | In Progress → Fix Committed |
| Changed in neutron: | |
| milestone: | none → kilo-2 |
| status: | Fix Committed → Fix Released |
Fix proposed to branch: stable/juno
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/juno
commit edf0aab9169b435
Author: Xu Han Peng <email address hidden>
Date: Wed Dec 10 14:07:42 2014 +0800
Fix IPv6 RA security group rule for DVR
Current IPv6 RA security group rule doesn't work for
DVR because the code only allows RA from device_owner
is network:
router interface is network:
This fix fixes the RA rule to allow RA from DVR router
interface, so router advertisement from DVR RADVD can
pass to VM.
Co-Authored-By: Baodong (Robert) Li <email address hidden>
Change-Id: Idd1324c653dcb1
Partial-Bug: 1376325
Cherry-
| tags: | added: in-stable-juno |
| Changed in neutron: | |
| milestone: | kilo-2 → 2015.1.0 |
Fix proposed to branch: master
Review: https:/