L3 agent allows multiple gateway ports in fip namespace
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | neutron |
High
|
Brian Haley | ||
Bug Description
At the end of deleting a GW port for a router, l3_dvr_db.py will look
for any more router gw ports on the external network. If there are
none, then it calls delete_
should fan out to all l3 agents on all compute nodes [2]. Each agent
should then delete the port [3].
In some cases, the fip namespace and the gateway port are not deleted.
I don't know where things are going wrong. This seems pretty
straight-forward. Do some agents miss the fanout? We know at least
some of them are getting the fanout. So, it is definitely being sent.
When I checked, the port had been deleted from the database. The fact
that a new one is created supports this because if one existed in the DB
already then it would be returned.
[1] https:/
[2] https:/
[3] https:/
| Changed in neutron: | |
| importance: | Undecided → High |
| status: | New → Confirmed |
| tags: | added: l3-dvr-backlog l3-ipam-dhcp |
| description: | updated |
| Carl Baldwin (carl-baldwin) wrote : | #1 |
Fix proposed to branch: master
Review: https:/
| Changed in neutron: | |
| assignee: | nobody → Carl Baldwin (carl-baldwin) |
| status: | Confirmed → In Progress |
| Changed in neutron: | |
| milestone: | none → newton-2 |
| Changed in neutron: | |
| assignee: | Carl Baldwin (carl-baldwin) → Brian Haley (brian-haley) |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 537e2f540a5c4ce
Author: Carl Baldwin <email address hidden>
Date: Thu Jun 30 01:19:38 2016 +0000
DVR: Ensure that only one fg device can exist at a time in fip ns
Change-Id: I3e78c8d497f918
Closes-Bug: #1597561
| Changed in neutron: | |
| status: | In Progress → Fix Released |
| tags: | added: mitaka-backport-potential |
Fix proposed to branch: stable/mitaka
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/mitaka
commit c72a2404f6aa3d5
Author: Carl Baldwin <email address hidden>
Date: Thu Jun 30 01:19:38 2016 +0000
DVR: Ensure that only one fg device can exist at a time in fip ns
Change-Id: I3e78c8d497f918
Closes-Bug: #1597561
(cherry picked from commit 537e2f540a5c4ce
| tags: | added: in-stable-mitaka |
Fix proposed to branch: stable/liberty
Review: https:/
This issue was fixed in the openstack/neutron 9.0.0.0b2 development milestone.
| tags: | added: neutron-proactive-backport-potential |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/liberty
commit 9d4f49782735174
Author: Carl Baldwin <email address hidden>
Date: Thu Jun 30 01:19:38 2016 +0000
DVR: Ensure that only one fg device can exist at a time in fip ns
Closes-Bug: #1597561
(cherry picked from commit 537e2f540a5c4ce
Conflicts:
neutron/
Change-Id: I3e78c8d497f918
| tags: | added: in-stable-liberty |
This issue was fixed in the openstack/neutron 7.1.2 release.
This issue was fixed in the openstack/neutron 8.2.0 release.
| tags: | removed: mitaka-backport-potential neutron-proactive-backport-potential |
I'm marking this High because of what happens when there are multiple fg ports in the fip namespace. Because DVR uses proxy_arp on the fg port, having two of them with the same route to the external network makes the host essentially reply to any arp request on the subnet, receive the traffic, and then spit it right back out the other fg interface.
This happens because proxy_arp works by responding to any arp request for an IP address it thinks it can route to on another interface. With two fg interfaces with the same route, it thinks it can always route the packet to another interface, regardless of the IP address.
With one of these fip namespaces on the network, it manifests as a performance degradation because traffic passes through an extra host. With two or three, things get really ugly. These hosts can form a routing loop and packets go round and round until TTL expires. Yikes!