Floating IPs not removed on rfp interface in qrouter

With the Floating IPs remaining on rfp- interface, definitely an issue. A VM pinging another floating IP - the reply is NOT from the VM, but the qrouter namespace that is actually responding locally

VMA with FIP 10.4.253.32 and fixed IP 172.16.198.250 tries to ping VMB (10.4.254.43) which I manually removed from rfp device. I see ping being NATT'd and going out rfp, as well as 2 ICMP replies:

root@barney:~# ip netns exec qrouter-37176403-cfb0-478d-b51c-971d89597cf5 tcpdump -l -evvvnn -i any host 10.4.254.43

14:50:38.404521 In fa:16:3e:82:08:39 ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 31859, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.198.250 > 10.4.254.43: ICMP echo request, id 26843, seq 11, length 64
14:50:38.404573 Out 76:2f:be:73:9b:fc ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 31859, offset 0, flags [DF], proto ICMP (1), length 84)
    10.4.254.32 > 10.4.254.43: ICMP echo request, id 26843, seq 11, length 64
14:50:38.404590 In b2:63:de:da:b5:48 ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 62, id 31859, offset 0, flags [DF], proto ICMP (1), length 84)
    10.4.254.32 > 10.4.254.43: ICMP echo request, id 26843, seq 11, length 64
14:50:38.404904 Out 76:2f:be:73:9b:fc ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 16514, offset 0, flags [none], proto ICMP (1), length 84)
    10.4.254.43 > 10.4.254.32: ICMP echo reply, id 26843, seq 11, length 64
14:50:38.404930 In b2:63:de:da:b5:48 ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 62, id 16514, offset 0, flags [none], proto ICMP (1), length 84)
    10.4.254.43 > 10.4.254.32: ICMP echo reply, id 26843, seq 11, length 64
14:50:38.404939 Out fa:16:3e:42:a2:ec ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 61, id 16514, offset 0, flags [none], proto ICMP (1), length 84)
    10.4.254.43 > 172.16.198.250: ICMP echo reply, id 26843, seq 11, length 64

When I ping VMC, 10.4.153.41, which still has IP on rfp, looks like qrouter is generating ICMP reply internally. This explains why ping appears to work but ssh does not:

root@barney:~# ip netns exec qrouter-37176403-cfb0-478d-b51c-971d89597cf5 tcpdump -l -evvvnn -i any host 10.4.253.41

14:48:16.131074 In fa:16:3e:82:08:39 ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 40544, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.198.250 > 10.4.253.41: ICMP echo request, id 24022, seq 10, length 64
14:48:16.131134 Out fa:16:3e:42:a2:ec ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 5429, offset 0, flags [none], proto ICMP (1), length 84)
    10.4.253.41 > 172.16.198.250: ICMP echo reply, id 24022, seq 10, length 64

Not sure if it's DVR only issue (I saw some connectivity issues via FIP from its own instance in fullstack environment lately), so added general l3 tag too.

This looks specific to DVR since the legacy code is the only place where we'd actually add the IP to a device, DVR just adds rules and routes now.

I'll have to trace the code, since on the restart of the l3-agent we should be going through code like add_floating_ip() where it could make sure to remove any remnants, or there might be a better place somewhere called only once at startup. Xagent - I remember on IRC you saying you were playing with some patches, feel free to share them if you found something that works.

Yeah, I added following to scan_fip_ports() function in dvr_fip_ns.py:

            existing_cidrs = [addr['cidr'] for addr in device.addr.list()]
            fip_cidrs = [c for c in existing_cidrs if
                         common_utils.is_cidr_host(c)]
            for fip_cidr in fip_cidrs:
                device.delete_addr_and_conntrack_state(fip_cidr)

That is inside the if device.exists() block. Not sure if that's really the right place to add it - this technically needs to be done just once.

On the other hand, looks like this function returns whenever it has a fip_count > 0 and only gets invoked on startup/when a router is created/updated first time with a gateway port? So maybe this is the best place to leave it in

Fix proposed to branch: master
Review: https://review.openstack.org/451859

Reviewed: https://review.openstack.org/451859
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f84ce9a57ceaf6f931ca51e028bac64c93835d91
Submitter: Jenkins
Branch: master

commit f84ce9a57ceaf6f931ca51e028bac64c93835d91
Author: Brian Haley <email address hidden>
Date: Wed Mar 29 16:44:57 2017 -0400

    Remove stale floating IP addresses from rfp devices

    Old versions of the DVR code used to configure floating
    IP addresses directly on the rfp-* devices in the
    qrouter namespace. This was changed in Mitaka to use
    routes, but these stale floating IP addresses were
    never cleaned-up when the l3-agent was restarted.

    Add a check for these addresses and remove them at
    startup if they exist. This can be removed in a cycle
    since once they are cleaned they will not be added
    back by the agent.

    Change-Id: Id512d213cd7ee11da913a4e4b0da20c3ad5420b0
    Closes-bug: #1675187

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/453663

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/453664

This issue was fixed in the openstack/neutron 11.0.0.0b1 development milestone.

Reviewed: https://review.openstack.org/453663
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0d1387c418c9540e28d977ff7d77f0cb7e8eb8b8
Submitter: Jenkins
Branch: stable/ocata

commit 0d1387c418c9540e28d977ff7d77f0cb7e8eb8b8
Author: Brian Haley <email address hidden>
Date: Wed Mar 29 16:44:57 2017 -0400

    Remove stale floating IP addresses from rfp devices

    Old versions of the DVR code used to configure floating
    IP addresses directly on the rfp-* devices in the
    qrouter namespace. This was changed in Mitaka to use
    routes, but these stale floating IP addresses were
    never cleaned-up when the l3-agent was restarted.

    Add a check for these addresses and remove them at
    startup if they exist. This can be removed in a cycle
    since once they are cleaned they will not be added
    back by the agent.

    Change-Id: Id512d213cd7ee11da913a4e4b0da20c3ad5420b0
    Closes-bug: #1675187
    (cherry picked from commit f84ce9a57ceaf6f931ca51e028bac64c93835d91)

Reviewed: https://review.openstack.org/453664
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a1186b9ddcc111a27a11a61b4e39101f9c80e67d
Submitter: Jenkins
Branch: stable/newton

commit a1186b9ddcc111a27a11a61b4e39101f9c80e67d
Author: Brian Haley <email address hidden>
Date: Wed Mar 29 16:44:57 2017 -0400

    Remove stale floating IP addresses from rfp devices

    Old versions of the DVR code used to configure floating
    IP addresses directly on the rfp-* devices in the
    qrouter namespace. This was changed in Mitaka to use
    routes, but these stale floating IP addresses were
    never cleaned-up when the l3-agent was restarted.

    Add a check for these addresses and remove them at
    startup if they exist. This can be removed in a cycle
    since once they are cleaned they will not be added
    back by the agent.

    Change-Id: Id512d213cd7ee11da913a4e4b0da20c3ad5420b0
    Closes-bug: #1675187
    (cherry picked from commit f84ce9a57ceaf6f931ca51e028bac64c93835d91)

This issue was fixed in the openstack/neutron 9.4.0 release.

This issue was fixed in the openstack/neutron 10.0.2 release.