neutron

Efficiently mark packets related to metadata agent

Bug #1477553 reported by Bertrand Lallau on 2015-07-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Undecided	Bertrand Lallau	neutron 7.0.0 "liberty"

Bug Description

Actually when metadata is enabled on L3 agent, the following is generated by L3 agent (only rules related to metadata are displayed in the following) :

sudo ip netns exec qrouter-cad6171a-aa76-4e24-bf6d-dbbfb276c47a iptables -S -t mangle
...
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffffffff
...

sudo ip netns exec qrouter-cad6171a-aa76-4e24-bf6d-dbbfb276c47a iptables -S -t nat
...
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
...

sudo ip netns exec qrouter-cad6171a-aa76-4e24-bf6d-dbbfb276c47a iptables -S -t filter
...
-A neutron-l3-agent-INPUT -m mark --mark 0x1 -j ACCEPT
-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
...

The mark 0x1 set in MANGLE table could be more restrictive to avoid marking packets from external interfaces.

Tags:

Bertrand Lallau (bertrand-lallau) on 2015-07-23

Changed in neutron:
assignee:	nobody → Bertrand Lallau (bertrand-lallau)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-07-23: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/205064

Changed in neutron:
status:	New → In Progress

Revision history for this message

Carl Baldwin (carl-baldwin) wrote on 2015-08-03:

As stated, this isn't a bug; it is just a nit pick at the implementation. What is the bug? Are you hinting that this causes some undesirable behavior in the system (like allowing access to the metadata server through the external gateway port?) If so, state the undesirable behavior as a bug.

Changed in neutron:
status:	In Progress → Incomplete

Revision history for this message

Bertrand Lallau (bertrand-lallau) wrote on 2015-08-03:

Hi Carl,
There is no undesirable behavior in the system, packets could be marked more efficiently, thats's all.
Hence there is no bug, but implementation could be better.
regards,

OpenStack Infra (hudson-openstack) on 2015-08-21

Changed in neutron:
status:	Incomplete → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-01: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/205064
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f23eb3290a1943c12e0ffbfd812ff5443f57af3c
Submitter: Jenkins
Branch: master

commit f23eb3290a1943c12e0ffbfd812ff5443f57af3c
Author: Bertrand Lallau <email address hidden>
Date: Thu Jul 23 11:31:49 2015 +0200

Only mark metadata packets on internal interfaces

Currently iptables rules set on L3 agent with metadata_proxy enabled
mark all packets coming from all interfaces including external interfaces.

This change updates PREROUTING rules from MANGLE table to mark packets
only from internal interfaces.

Change-Id: I01549df7b99be84cd46b6f97a5fd62aec1f43275
Closes-Bug: #1477553

Changed in neutron:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-02: Fix proposed to neutron (feature/pecan)

Fix proposed to branch: feature/pecan
Review: https://review.openstack.org/219887

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-03: Fix merged to neutron (feature/pecan)

Download full text (12.9 KiB)

Reviewed: https://review.openstack.org/219887
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6f2849c91691a551447c2977ff0a1bead5d5d744
Submitter: Jenkins
Branch: feature/pecan

commit afd1983680aea739ef0e4b0ff2c07ab09c4a86fb
Author: armando-migliaccio <email address hidden>
Date: Tue Sep 1 15:45:50 2015 -0700

Catch errors on 'port not found' while deleting subnet

    In some circumstances (like the one triggered by the test_dhcp_ipv6 testcase)
    calls to deleting a port and calls to deleting subnets can happen in straight
    sequence.

    If this happens the execution of the operations can interleave leading
    to the subnet deletion to fail because the port has already gone. This patch
    ensures a missing port is handled correctly.

The method delete_subnet is ginormous and hence impossible to test at a unit
level without proper refactoring. That can happen with a follow-up patch.

Closes-bug: #1490832

Change-Id: I80c3733c93b2b66c2a1c4bc3bc24272afdd88b1f

commit e27299c124d89145bf1bc23f057e1b124204235e
Author: Ihar Hrachyshka <email address hidden>
Date: Tue Sep 1 11:22:39 2015 +0200

[rpc] pull: removed a hack to avoid object backport triggered

Since oslo.versionedobjects 0.8.0, the object is not backported if the
requested version is the same as the latest known.

Change-Id: Ia1e9aa77b75261e4b2d2b24f31250ce2a2f028a7

commit 7ea38a14bd32a3697b2cd72be4c947aa19378185
Author: Pavel Bondar <email address hidden>
Date: Fri Jul 24 11:50:26 2015 +0300

Enable py34 tests for pluggable ipam backend

    Enable neutron.tests.unit.db.test_ipam_pluggable_backend.
    It was disabled after extending ipam tests to run db_base_plugin tests,
    which are not py34 compatible yet.

Change-Id: I3ae491fa79d4c3311a86e98db3fb2f7d5926a0ba

commit a9b72392a14a114a364785cd268f0f50615f43b0
Author: OpenStack Proposal Bot <email address hidden>
Date: Tue Sep 1 04:25:00 2015 +0000

Updated from global requirements

Change-Id: Ie5ad70b0afbeb5502cc41f585f6a3f2942203369

commit 28e54ef089e8b3eca8e86992340530948aec12b7
Author: sridhargaddam <email address hidden>
Date: Thu Aug 27 09:49:28 2015 +0000

Fix import path in neutron-sanity-check for ml2_sriov opts

    neutron-sanity-check fails while importing ml2_sriov
    configuration. This patch fixes the import path and
    also includes a unit test to avoid such issues.

Closes-Bug: #1489374
Change-Id: I4265ee78be9e7f83e35c94187d4577b32005bef9

commit 61121c5f2af27e31092db7ac6947f796198410a8
Author: armando-migliaccio <email address hidden>
Date: Wed Jul 8 13:48:11 2015 -0700

Decentralize the managemement of service providers

    After the service split, some of the configuration, parsing and
    validation was kept in the neutron core; ultimately this needs to
    get closer to the services where it belongs.

    This patch starts from ProviderConfiguration and ServiceTypeManager
    classes, and aims at removing the hard-coded elements, like the list
    of known advanced services, so that in the long run we can make
    Neutron ea...

Reviewed:  https://review.openstack.org/219887
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6f2849c91691a551447c2977ff0a1bead5d5d744
Submitter: Jenkins
Branch:    feature/pecan

commit afd1983680aea739ef0e4b0ff2c07ab09c4a86fb
Author: armando-migliaccio <armamig@gmail.com>
Date:   Tue Sep 1 15:45:50 2015 -0700

Catch errors on 'port not found' while deleting subnet
    
    In some circumstances (like the one triggered by the test_dhcp_ipv6 testcase)
    calls to deleting a port and calls to deleting subnets can happen in straight
    sequence.
    
    If this happens the execution of the operations can interleave leading
    to the subnet deletion to fail because the port has already gone. This patch
    ensures a missing port is handled correctly.
    
    The method delete_subnet is ginormous and hence impossible to test at a unit
    level without proper refactoring. That can happen with a follow-up patch.
    
    Closes-bug: #1490832
    
    Change-Id: I80c3733c93b2b66c2a1c4bc3bc24272afdd88b1f

commit e27299c124d89145bf1bc23f057e1b124204235e
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Tue Sep 1 11:22:39 2015 +0200

[rpc] pull: removed a hack to avoid object backport triggered
    
    Since oslo.versionedobjects 0.8.0, the object is not backported if the
    requested version is the same as the latest known.
    
    Change-Id: Ia1e9aa77b75261e4b2d2b24f31250ce2a2f028a7

commit 7ea38a14bd32a3697b2cd72be4c947aa19378185
Author: Pavel Bondar <pbondar@infoblox.com>
Date:   Fri Jul 24 11:50:26 2015 +0300

Enable py34 tests for pluggable ipam backend
    
    Enable neutron.tests.unit.db.test_ipam_pluggable_backend.
    It was disabled after extending ipam tests to run db_base_plugin tests,
    which are not py34 compatible yet.
    
    Change-Id: I3ae491fa79d4c3311a86e98db3fb2f7d5926a0ba

commit a9b72392a14a114a364785cd268f0f50615f43b0
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Tue Sep 1 04:25:00 2015 +0000

Updated from global requirements
    
    Change-Id: Ie5ad70b0afbeb5502cc41f585f6a3f2942203369

commit 28e54ef089e8b3eca8e86992340530948aec12b7
Author: sridhargaddam <sridhar.gaddam@enovance.com>
Date:   Thu Aug 27 09:49:28 2015 +0000

Fix import path in neutron-sanity-check for ml2_sriov opts
    
    neutron-sanity-check fails while importing ml2_sriov
    configuration. This patch fixes the import path and
    also includes a unit test to avoid such issues.
    
    Closes-Bug: #1489374
    Change-Id: I4265ee78be9e7f83e35c94187d4577b32005bef9

commit 61121c5f2af27e31092db7ac6947f796198410a8
Author: armando-migliaccio <armamig@gmail.com>
Date:   Wed Jul 8 13:48:11 2015 -0700

Decentralize the managemement of service providers
    
    After the service split, some of the configuration, parsing and
    validation was kept in the neutron core; ultimately this needs to
    get closer to the services where it belongs.
    
    This patch starts from ProviderConfiguration and ServiceTypeManager
    classes, and aims at removing the hard-coded elements, like the list
    of known advanced services, so that in the long run we can make
    Neutron easier to plug with external services.
    
    Partial-bug: #1473110
    
    Depends-on: I44edcceba37ac58efcc0a53c9d1f835d9530344a
    Depends-on: I8924234aadf786801ffc100d7daa27acc145a195
    Change-Id: Ia4cad678e6c722ca05821dbdbf05d61523246a86

commit d97c327894951f26e221ae3c2f09452386a9fba3
Author: Henry Gessau <gessau@cisco.com>
Date:   Mon Aug 31 23:12:07 2015 -0400

Remove requirements.txt for decomposed plugins/drivers
    
    They serve no purpose.
    
    Related-Blueprint: core-vendor-decomposition
    https://blueprints.launchpad.net/neutron/+spec/core-vendor-decomposition
    
    Change-Id: I05a433bdbd9ab803252ba02fd51cdfcda8fef88e

commit e2fa9012fac98fb52cfaa0d342d455a95fdcf6e8
Author: Cedric Brandily <zzelle@gmail.com>
Date:   Mon Aug 31 16:40:14 2015 +0200

Correct neutron-ns-metadata-proxy command when watch_log is False
    
    Neutron[1] uses the option --metadata_proxy_watch_log=false to disable
    log watch[2] in neutron-ns-metadata-proxy instances but should use the
    option --nometadata_proxy_watch_log. It implies that
    neutron-ns-metadata-proxy instances fail to start.
    
    This changes updates neutron[1] to use the correct option.
    
    The change also corrects associated functional tests[2], indeed
    metadata_proxy_watch_log option has no effect if a log_file/dir is
    defined for the agent running the neutron-ns-metadata-proxy.
    
    [1] neutron.agent.common.config
    [2] could be done by setting metadata_proxy_watch_log = false
    [3] neutron.tests.functional.agent.test_l3_agent
    
    Closes-Bug: #1490594
    Change-Id: Iaec4a78847d802234c99514313440fd7c14bc554

commit 8200439fa0f797e814cfa1f51d5cf7a86d42f4a0
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Wed Aug 26 17:12:59 2015 +0200

Split SR-IOV configuration file into driver and agent pieces
    
    This is the same as we do for linuxbridge or openvswitch. We should not
    expose server-only configuration options to the agent, and vice versa.
    
    DocImpact
    Closes-Bug: #1489060
    Change-Id: Ie1eda925e051f85d53ad9624d6617d095cf8c7be

commit 99c9af8f7ab7c38816d4873f3b10f77364f811c4
Author: Cedric Brandily <zzelle@gmail.com>
Date:   Thu Jul 23 00:35:36 2015 +0200

Python 3: use a hash to sort dictionaries
    
    Dictionaries are unorderable in py3K. This change defines the method
    safe_sort_key[1] which could be used a sort function for list of
    dictionaries and non-dictionaries.
    
    [1] neutron.common.utils
    
    Change-Id: I9c9fae53bb3ac5b8611c92164c9630c82c2d0ceb
    Blueprint: neutron-python3

commit 275936261cdb830a6390c669eb9ecd4c43e350b4
Author: gong yong sheng <gong.yongsheng@99cloud.net>
Date:   Mon Aug 31 16:48:46 2015 +0800

Remove duplicated codes in two test cases
    
    Change-Id: Icc36af93a6d648ba46388be270f9c7b6082d0ef1

commit 4251f7dfa968c41c8eb3df90d16a80b67b7b43d0
Author: armando-migliaccio <armamig@gmail.com>
Date:   Fri Aug 28 16:01:31 2015 -0700

Fix misnomer on network attribute
    
    admin_status_up is not a network attribute; admin_state_up is.
    
    Change-Id: Iccdfb3d32ee59f5c475bb72801814ae5aaa2fc0c

commit 40f1c8d691f2738246c8c5a427e5600d508f5e95
Author: Carl Baldwin <carl.baldwin@hp.com>
Date:   Tue Aug 11 15:21:25 2015 +0000

Refactor IpRouteCommand to allow using it without a device
    
    Routing tables are not tied to devices (though routes are), so it
    makes sense to be able to use IpRouteCommand without a device.
    
    Change-Id: I95806eb5823820092d91ec53d9e65c8d7f56f5f5
    Partially-Implements: blueprint address-scopes

commit 8bc1411f0f7240a913a0627980771f3c75977f7d
Author: Praveen Kumar SM <praveen-sm.kumar@hp.com>
Date:   Fri Aug 28 02:00:23 2015 -0700

Fixed the typo in the doc string of the class SubnetPoolReader
    
    Closes-Bug: #1489788
    
    Change-Id: I9fb4563354efaf4e34f9169098dba4e42c489b73

commit 7c39642f3640d7b9a3a6a789b5e2f4d3f0cc6837
Author: Eugene Nikanorov <enikanorov@mirantis.com>
Date:   Thu Aug 27 16:34:32 2015 +0400

Add flows to tunnel bridge with proper cookie.
    
    Without that fix flows applied to br-tun through
    DeferredOVSBridge are created without cookie.
    That results in l2pop flows being deleted in the process of
    cleanup of stale flows.
    
    Solution is to add cookie to all add/mod-flows of OVSBrigde
    class in the method do_action_flows.
    Also, agent_uuid_stamp moved to a proper place - into the
    base OVSBridge class as storing attributes in Mixing was
    just a wrong code design.
    
    Change-Id: Ic09a0dbc04fc5da38d30e1392cf2ea27d576040c
    Closes-Bug: #1489372

commit c28b8a5ca6ddf1def9b74d4ceb98b9c7b192d696
Author: gong yong sheng <gong.yongsheng@99cloud.net>
Date:   Tue Aug 25 16:21:39 2015 +0800

Add policy and policy rule belongs check
    
    before updating and deletion of a qos rule under a policy,
    we check if the qos is binding to the policy to avoid users
    operating on policy rules binding to other policy.
    
    Change-Id: I04723fa9dd37409cb211c35e701f352419b2d6fa
    Closes-bug: #1485993

commit b292e197ff8fde50823717263ae0b13fc66c980b
Author: Miguel Angel Ajo <mangelajo@redhat.com>
Date:   Fri Aug 21 14:40:05 2015 +0200

Process update_network in the openvswitch agent
    
    This will allow ports with attributes related to the network to be
    updated as necessary. Initially QoS extension which is able to
    attach a network policy to the port.
    
    Another approach would be sending updates to every single port
    on a network, but that doesn't scale well for networks with lots
    of ports.
    
    Change-Id: Ie28297840b5702a920142af02dd17b10775d76ca
    Partially-Implements: blueprint ml2-qos
    Closes-Bug: 1486028

commit 81b266f2f7c16ae39eaa53381a35f02784216458
Author: John Davidge <jodavidg@cisco.com>
Date:   Thu Aug 13 23:08:47 2015 +0100

Fix DBDuplicateEntry when creating port with fixed_ips on PD subnet
    
    Creating a port on a prefix delegation enabled subnet with a fixed ip
    list containing only the subnet id will cause a DBDuplicateEntry error.
    This is because the subnet is not treated as an ipv6 auto address subnet
    as it should be by _test_fixed_ips_for_port in ipam_non_pluggable_backend.py
    
    All IPV6 PD subnets are auto address subnets, so the additional check was
    unnecessary and incorrect in this case.
    
    This patch changes the condition for appending the subnet id to the
    fixed_ip_set so that PD subnets are treated the same as auto address
    subnets. Also includes a unit test to catch this failure.
    
    Change-Id: I8ad499467a09133258b1e9e40db736d4e1ae62f3
    Closes-Bug: 1484379

commit cbeee7da500114d289f4cfc6b5e1ddaf8d5c8acf
Author: rossella <rsblendido@suse.com>
Date:   Sat Aug 15 12:30:29 2015 +0000

SimpleInterfaceMonitor handle case when ofport is an empty set
    
    ofport is usually an integer but when a port is not ready
    ofport is an empty set.
    This patch makes SimpleInterfaceMonitor handle that case too.
    
    Change-Id: I91611d73e8d5551fc458082ce021cbeb5123a6f2
    Closes-bug: #1485206

commit f3d18ad67b5b091ccaeffae82b72d2d2ff0c270a
Author: huangpengtao <huangpengtao@huawei.com>
Date:   Wed Aug 26 00:01:33 2015 +0800

Use directly neutron.common.constants constants in l3_dvr_db
    
    l3_dvr_db defines local constants referencing nonlocal[1]
    constants but uses local and nonlocal constants. This change
    unifies the code by removing local constants and
    using [1] constants.
    
    [1] in neutron.common.constants module
    
    Change-Id: I6548c8eb2a434967b37910e39fa79a883da4e280

commit e649dc2681f5b365fb3169973cd213f0a8b72860
Author: Cedric Brandily <zzelle@gmail.com>
Date:   Tue Aug 18 00:17:34 2015 +0200

Remove out-of-tree vendor VIF_TYPE_* constants
    
    VIF_TYPE_* constants[1] defines all vif types BUT vendor ones are only
    used by out-of-tree vendor code. This changes removes out-of-tree
    VIF_TYPE_* constants (dependant changes define them in their out-of-tree
    repo).
    
    [1] in neutron.extensions.portbindings
    
    Closes-Bug: #1486279
    Depends-On: I58d19aefb38d22b75df6231594de099d9a822c9e
    Depends-On: I6d4a62399e21204038145363445d356dfb1bfe89
    Depends-On: Iad7f549ae909358af308e32c543ba8eb072ff9d3
    Depends-On: I68d765457fc45b5e2f72922809033188d4992cdd
    Change-Id: I39fc344361c21332b947f21f157d4f2a27caad48

commit a2f1c69d4cf952e8ed36ef3df139bc216127c9c5
Author: Brian Haley <brian.haley@hp.com>
Date:   Fri Aug 21 17:21:44 2015 -0400

Defer freeing of conntrack zone ids until allocation fails
    
    Instead of freeing the conntrack zone ids from removed ports
    right before allocating a new one, wait until there is an
    allocation error.  This removes the overhead from the initial
    zone id creation.  Since there are 64K zone ids we might not
    ever need to clean stale ones anyway.
    
    Change-Id: Ie2d33f8d4650b7798d4ffdeb3ea79cc1092d6c2c

commit f23eb3290a1943c12e0ffbfd812ff5443f57af3c
Author: Bertrand Lallau <bertrand.lallau@thalesgroup.com>
Date:   Thu Jul 23 11:31:49 2015 +0200

Only mark metadata packets on internal interfaces
    
    Currently iptables rules set on L3 agent with metadata_proxy enabled
    mark all packets coming from all interfaces including external interfaces.
    
    This change updates PREROUTING rules from MANGLE table to mark packets
    only from internal interfaces.
    
    Change-Id: I01549df7b99be84cd46b6f97a5fd62aec1f43275
    Closes-Bug: #1477553

commit 2621940ded76b30333beb3369bb4214301ee7d78
Author: Joe Mills <joe@midokura.com>
Date:   Mon Aug 17 04:08:32 2015 +0000

Add network to SubnetContext
    
    The network context is useful in the subnet context so that mechanism
    drivers can access information such as the provider network type.
    
    Closes-Bug: #1481882
    Signed-off-by: Joe Mills<joe@midokura.com>
    
    Change-Id: I718c80512af0f2a43855efb16c2c0da69ef6b741

tags:

added: in-feature-pecan

Thierry Carrez (ttx) on 2015-09-03

Changed in neutron:
milestone:	none → liberty-3
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-10-15

Changed in neutron:
milestone:	liberty-3 → 7.0.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.