neutron

Neutron should not add ARP entry for allowed-address-pair-fixed-ip in DVR router

Bug #1608400 reported by He Qing
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
Swaminathan Vasudevan

Bug Description

When we set a fixed IP as allowed-address-pair IP, Neutron will notify l3-agent to add permanent ARP entry for this IP in DVR router namespace. But if we set the same IP to multiple ports as allowed-address-pair IP, ARP entry with same IP but different MAC will be added multiple times.In the end, the ARP entry will always lead us to last port that set the fixed IP as allowed-address-pair.This makes VRRP application goes wrong.

This was noticed when deploying Octavia on Active/Standby mode.

How to reproduce:
1.Launch 2 VMs,vm-1 and vm-2, which connected to a DVR router.
2.Create an allowed-address-pair port
 Neutron port-create --name demo-port demo-net

3.Set allowed-address-pair for vm-1 and vm-2, use fixed IP of demo-port
 neutron port-update --allowed-address-pair ip_address=10.0.0.29 3c8fac1c-4b1b-4258-8b18-8d74eebb48e4
 neutron port-update --allowed-address-pair ip_address=10.0.0.29 a8b36d75-89ff-41d6-b891-fb65b7be88b4

4.Check ARP table of the DVR router.The ARP entry will always lead to 10.0.0.21(vm-1).
[root@R1Network1 ~]# ip netns exec qrouter-4832ea04-cfa1-4c43-9ca9-e916b5fd1c28 arp -n
Address HWtype HWaddress Flags Mask Iface
10.0.0.2 ether fa:16:3e:78:91:99 CM qr-2451ce9e-fa
10.0.0.21 ether fa:16:3e:a7:7d:7a CM qr-2451ce9e-fa *
10.0.0.29 ether fa:16:3e:a7:7d:7a CM qr-2451ce9e-fa *
10.0.0.20 ether fa:16:3e:16:da:45 CM qr-2451ce9e-fa *
10.0.0.3 ether fa:16:3e:bc:92:e9 CM qr-2451ce9e-fa

He Qing (tsinghe-7)
Changed in neutron:
assignee: nobody → Heqing (tsinghe-7)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/349774

Changed in neutron:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by He Qing (<email address hidden>) on branch: master
Review: https://review.openstack.org/349774
Reason: I was not thought through of this.

He Qing (tsinghe-7)
Changed in neutron:
assignee: He Qing (tsinghe-7) → nobody
Swaminathan Vasudevan (swaminathan-vasudevan)
tags: added: l3-dvr-backlog
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/550676

Changed in neutron:
assignee: nobody → Swaminathan Vasudevan (swaminathan-vasudevan)
Swaminathan Vasudevan (swaminathan-vasudevan)
Changed in neutron:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/550676
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fbe308bdc12191c187343b5ef103dea9af738380
Submitter: Zuul
Branch: master

commit fbe308bdc12191c187343b5ef103dea9af738380
Author: Swaminathan Vasudevan <email address hidden>
Date: Wed Mar 7 19:03:42 2018 -0800

    DVR: Fix allowed_address_pair IP, ARP table update by neutron agent

    Allowed_address_pair IP when associated with a network port will
    inherit the services MAC.
    Right now the ARP entry is updated with the last MAC that it is
    associated with. But when allowed_address_pair IPs are used in
    the context of VRRP the MAC keeps switching between the MASTER
    and SLAVE. VRRP instance sends out GARP, but the ARP entry in the
    router namespace is not getting updated based on the GARP.

    This might cause the VRRP IP and the service using the IP to fail.

    Since we having been adding the ARP entry with NUD state as
    PERMANENT, the ARP entries are set for ever and does not adopt the
    GARP sent out by the VRRP instance.

    This will cause instances associated with DVR routers to have a
    service interruption.

    So the proposed patch will add the ARP entry for the Allowed address
    pair with NUD for 'REACHABLE'.
    This allows the Allowed_address_pair IP MAC to be updated on the
    fly.

    Change-Id: I43c3471f5d259e8c2ee1685398a06a4680c0bfcd
    Closes-Bug: #1608400

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/554724

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/554729

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.openstack.org/554724
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6e27b7de8bfd0a5e0bd34eb53047d61d702211e5
Submitter: Zuul
Branch: stable/queens

commit 6e27b7de8bfd0a5e0bd34eb53047d61d702211e5
Author: Swaminathan Vasudevan <email address hidden>
Date: Wed Mar 7 19:03:42 2018 -0800

    DVR: Fix allowed_address_pair IP, ARP table update by neutron agent

    Allowed_address_pair IP when associated with a network port will
    inherit the services MAC.
    Right now the ARP entry is updated with the last MAC that it is
    associated with. But when allowed_address_pair IPs are used in
    the context of VRRP the MAC keeps switching between the MASTER
    and SLAVE. VRRP instance sends out GARP, but the ARP entry in the
    router namespace is not getting updated based on the GARP.

    This might cause the VRRP IP and the service using the IP to fail.

    Since we having been adding the ARP entry with NUD state as
    PERMANENT, the ARP entries are set for ever and does not adopt the
    GARP sent out by the VRRP instance.

    This will cause instances associated with DVR routers to have a
    service interruption.

    So the proposed patch will add the ARP entry for the Allowed address
    pair with NUD for 'REACHABLE'.
    This allows the Allowed_address_pair IP MAC to be updated on the
    fly.

    Change-Id: I43c3471f5d259e8c2ee1685398a06a4680c0bfcd
    Closes-Bug: #1608400
    (cherry-picked from commit fbe308bdc12191c187343b5ef103dea9af738380)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/554729
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=34b7213ee37d80ef1844f0bf8baae3fca1535038
Submitter: Zuul
Branch: stable/pike

commit 34b7213ee37d80ef1844f0bf8baae3fca1535038
Author: Swaminathan Vasudevan <email address hidden>
Date: Wed Mar 7 19:03:42 2018 -0800

    DVR: Fix allowed_address_pair IP, ARP table update by neutron agent

    Allowed_address_pair IP when associated with a network port will
    inherit the services MAC.
    Right now the ARP entry is updated with the last MAC that it is
    associated with. But when allowed_address_pair IPs are used in
    the context of VRRP the MAC keeps switching between the MASTER
    and SLAVE. VRRP instance sends out GARP, but the ARP entry in the
    router namespace is not getting updated based on the GARP.

    This might cause the VRRP IP and the service using the IP to fail.

    Since we having been adding the ARP entry with NUD state as
    PERMANENT, the ARP entries are set for ever and does not adopt the
    GARP sent out by the VRRP instance.

    This will cause instances associated with DVR routers to have a
    service interruption.

    So the proposed patch will add the ARP entry for the Allowed address
    pair with NUD for 'REACHABLE'.
    This allows the Allowed_address_pair IP MAC to be updated on the
    fly.

    Change-Id: I43c3471f5d259e8c2ee1685398a06a4680c0bfcd
    Closes-Bug: #1608400
    (cherry-picked from commit fbe308bdc12191c187343b5ef103dea9af738380)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.0.0b1

This issue was fixed in the openstack/neutron 13.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.4

This issue was fixed in the openstack/neutron 11.0.4 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.2

This issue was fixed in the openstack/neutron 12.0.2 release.

Bernard Cafarelli (bcafarel)
tags: added: neutron-proactive-backport-potential
Brian Haley (brian-haley)
tags: removed: neutron-proactive-backport-potential
Revision history for this message
Arjun Baindur (abaindur) wrote :

This patch was reverted due to https://bugs.launchpad.net/neutron/+bug/1773999

Does that mean this issue is still valid? Is there a fix available or a new bug to track it?

Revision history for this message
Yusuf Güngör (yusuf2) wrote :

I think this issue is still valid.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.