neutron

Bug #1715734
Comment #5

Comment 5 for bug 1715734

Revision history for this message

James Denton (james-denton) wrote on 2017-09-08:

Further investigation shows there is some inconsistency between Linux distributions in regards to the version of arping that may be installed. Ubuntu uses arping that supports -s (mac)/-S (ip), while openSUSE and CentOS appear to use the iputils-arping version that uses -s (ip).

What I have found is that the behavior differs between those versions, even with the same arguments. In this openSUSE environment, here is the interface that mimics what a router interface looks like with a floating IP:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:23:3c:64 brd ff:ff:ff:ff:ff:ff
    inet 10.254.254.11/24 brd 10.254.254.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 10.254.254.89/32 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe23:3c64/64 scope link
       valid_lft forever preferred_lft forever

In these examples, I've mimicked the existing arping syntax Neutron uses. The following command with openSUSE generates an unsolicited ARP REPLY:

linux-p625:/home/jdenton # arping -A -I eth1 -c 1 -w 1.5 10.254.254.89
ARPING 10.254.254.89 from 10.254.254.89 eth1
Sent 1 probes (1 broadcast(s))
Received 0 response(s)

09:28:24.842357 08:00:27:23:3c:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.254.254.89 is-at 08:00:27:23:3c:64, length 28

While the -U flag results in an ARP REQUEST (using the /32 as the source):

linux-p625:/home/jdenton # arping -U -I eth1 -c 1 -w 1.5 10.254.254.89
ARPING 10.254.254.89 from 10.254.254.89 eth1
Sent 1 probes (1 broadcast(s))
Received 0 response(s)

09:31:38.674689 08:00:27:23:3c:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.254.254.89 (ff:ff:ff:ff:ff:ff) tell 10.254.254.89, length 28

In either case, the neighbor table ought to be updated appropriately. The behavior on CentOS was exactly the same.

In Ubuntu 16.04 LTS the behavior is as described in the initial bug report. Both the -A and -U flags result in ARP REQUESTS, and both are sourced from the primary interface IP -- not the floating IP. Therefore, the neighbor cache is not updated properly.

Ubuntu (w/ default arping):

sudo arping -A -I enp0s8 -c 1 -w 1.5 10.254.254.88

>> 09:48:18.034725 08:00:27:06:62:2e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.254.254.88 tell 10.254.254.10, length 28

sudo arping -U -I enp0s8 -c 1 -w 1.5 10.254.254.88

>> 09:49:08.030762 08:00:27:06:62:2e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.254.254.88 (ff:ff:ff:ff:ff:ff) tell 10.254.254.10, length 28

-----

Remediation:

I was able to install the iputils-arping package on the Ubuntu host, which resulted in expected behavior that is consistent with the Linux distros.

jdenton@ubuntu:~/neutron$ sudo apt install iputils-arping
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libnet1
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
  arping
The following NEW packages will be installed:
  iputils-arping
0 upgraded, 1 newly installed, 1 to remove and 127 not upgraded.
Need to get 26.6 kB of archives.
After this operation, 24.6 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 iputils-arping amd64 3:20121221-5ubuntu2 [26.6 kB]
Fetched 26.6 kB in 0s (124 kB/s)
(Reading database ... 89532 files and directories currently installed.)
Removing arping (2.14-1) ...
Processing triggers for man-db (2.7.5-1) ...
Selecting previously unselected package iputils-arping.
(Reading database ... 89521 files and directories currently installed.)
Preparing to unpack .../iputils-arping_3%3a20121221-5ubuntu2_amd64.deb ...
Unpacking iputils-arping (3:20121221-5ubuntu2) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up iputils-arping (3:20121221-5ubuntu2) ...
Setcap worked! arping is not suid!

jdenton@ubuntu:~/neutron$ sudo arping -A -I enp0s8 -c 1 -w 1.5 10.254.254.88
ARPING 10.254.254.88 from 10.254.254.88 enp0s8
Sent 1 probes (1 broadcast(s))
Received 0 response(s)

>> 09:50:52.270463 08:00:27:06:62:2e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.254.254.88 is-at 08:00:27:06:62:2e, length 28

jdenton@ubuntu:~/neutron$ sudo arping -U -I enp0s8 -c 1 -w 1.5 10.254.254.88
ARPING 10.254.254.88 from 10.254.254.88 enp0s8
Sent 1 probes (1 broadcast(s))
Received 0 response(s)

>> 09:51:15.375974 08:00:27:06:62:2e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.254.254.88 (ff:ff:ff:ff:ff:ff) tell 10.254.254.88, length 28

This fix here appears to be requiring the iputils-arping package and uninstalling arping. No Neutron code patch may be necessary.

I appreciate any feedback on how to proceed.