Incorrect IPv6 lease entries cause DHCPNAKs from Dnsmasq in dual stack DHCPv6 stateful network configuration

Hi, can you give more info on what is causing the failure? Is it the v6 entry using a MAC instead of IAID, or missing the server DUID, or something else? Just trying to understand this better, but it does look like a problem. Thanks.

Hi Brian,

It's the v6 entry using a MAC instead of IAID and also v6 addresses being placed inside square brackets. The server DUID is included just fine, I omitted it in my paste, my apologies.

According to the DHCPv6 RFC 3315, The DHCP client creates the IAID and includes it in a solicit message to the DHCP server when requesting an address, so there is no way for use to determine the IAID before hand like we do for MAC addresses. There are three possible solutions that I see:

1.) Generate the IAID for the ports attached to instances like it's currently done for MAC addresses and find a way to make the instance OS aware of the IAIDs

2.) Extract the IAID from the initial DHCP Solicit message sent by the instances when negotiating an IPv6 address, store it and subsequently use it to generate IPv6 lease entries for the instances later.

3.) Filter out IPv6 addresses from being written to the lease file when a DHCP agent is restarted or moved from one node to the other.

So here's my take on the options you listed:

# 1 - there is not really a way for us to inject a value into the instance like this from neutron

# 2 - is the IAID known to dnsmasq after the solicit such that it could write it somewhere? although it seems difficult to get right.

# 3 - i guess this looks like the best option - don't write any IPv6 leases to the file on bootstrap

Do you want to work on this change?

Hi Brian,

I agree, option #1 seems impossible and #2 is complicated. #3 is the easiest, I'll have to confirm the effect of doing that on IPv6 and/or DHCPv6 and let you. But yes, I'm happy to work on this change.

Thanks
Dimeji

Fix proposed to branch: master
Review: https://review.openstack.org/630951

Reviewed: https://review.openstack.org/630951
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4747de23d80ab32eea073846221adf94987f755b
Submitter: Zuul
Branch: master

commit 4747de23d80ab32eea073846221adf94987f755b
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Mon Jan 14 18:47:21 2019 +0000

    Remove IPv6 addresses in dnsmasq leases file

    IPv6 address format in dnsmasq leases file is incorrect (correct format
    is described in bug description). This bad formatting generates the
    following error when initializing dnsmasq:
      dnsmasq[20603]: failed to parse lease database, invalid line: \
        1547121093 fa:16:3e:a0:3a:9a [fd5b:1fd5:8295:5339::43] * ...

    This patch removes the IPv6 addresses from the leases file, as proposed
    in the bug, because the DHCP agent does not have the IAID (identity
    association identifier) of each IPv6 address assigned.

    In case of agent restart, dnsmasq won't have any IPv6 address in the
    leases file, but the hosts file and the additional hosts file will
    contain all MAC/IPv6 previous assignations. When the IPv6 client sends
    a DHCPDISCOVER, dnsmasq will offer the same IPv6 address to this client.
    At the same time, the client will request to the server the same address:
      DHCPDISCOVER(tap2c14823a-e6) fa:16:3e:54:c6:8e
      DHCPOFFER(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e
      DHCPREQUEST(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e
      DHCPACK(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e \
        host-fd5b-1fd5-8295-5339--43

    Once dnsmasq updates the leases database, rewrites the leases file with the
    new IPv6 address (including the IAID) and the server DUID (if not present).

    Change-Id: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e
    Closes-Bug: #1722126

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/633200

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/633201

Reviewed: https://review.openstack.org/633201
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=828daf9f133c51fb18b0147760c5a2d4f3b9f663
Submitter: Zuul
Branch: stable/queens

commit 828daf9f133c51fb18b0147760c5a2d4f3b9f663
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Mon Jan 14 18:47:21 2019 +0000

    Remove IPv6 addresses in dnsmasq leases file

    IPv6 address format in dnsmasq leases file is incorrect (correct format
    is described in bug description). This bad formatting generates the
    following error when initializing dnsmasq:
      dnsmasq[20603]: failed to parse lease database, invalid line: \
        1547121093 fa:16:3e:a0:3a:9a [fd5b:1fd5:8295:5339::43] * ...

    This patch removes the IPv6 addresses from the leases file, as proposed
    in the bug, because the DHCP agent does not have the IAID (identity
    association identifier) of each IPv6 address assigned.

    In case of agent restart, dnsmasq won't have any IPv6 address in the
    leases file, but the hosts file and the additional hosts file will
    contain all MAC/IPv6 previous assignations. When the IPv6 client sends
    a DHCPDISCOVER, dnsmasq will offer the same IPv6 address to this client.
    At the same time, the client will request to the server the same address:
      DHCPDISCOVER(tap2c14823a-e6) fa:16:3e:54:c6:8e
      DHCPOFFER(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e
      DHCPREQUEST(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e
      DHCPACK(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e \
        host-fd5b-1fd5-8295-5339--43

    Once dnsmasq updates the leases database, rewrites the leases file with the
    new IPv6 address (including the IAID) and the server DUID (if not present).

    Change-Id: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e
    Closes-Bug: #1722126
    (cherry picked from commit 4747de23d80ab32eea073846221adf94987f755b)

Reviewed: https://review.openstack.org/633200
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=18f2cea730ae1dcc8c5c557078ab29acb89a356d
Submitter: Zuul
Branch: stable/rocky

commit 18f2cea730ae1dcc8c5c557078ab29acb89a356d
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Mon Jan 14 18:47:21 2019 +0000

    Remove IPv6 addresses in dnsmasq leases file

    IPv6 address format in dnsmasq leases file is incorrect (correct format
    is described in bug description). This bad formatting generates the
    following error when initializing dnsmasq:
      dnsmasq[20603]: failed to parse lease database, invalid line: \
        1547121093 fa:16:3e:a0:3a:9a [fd5b:1fd5:8295:5339::43] * ...

    This patch removes the IPv6 addresses from the leases file, as proposed
    in the bug, because the DHCP agent does not have the IAID (identity
    association identifier) of each IPv6 address assigned.

    In case of agent restart, dnsmasq won't have any IPv6 address in the
    leases file, but the hosts file and the additional hosts file will
    contain all MAC/IPv6 previous assignations. When the IPv6 client sends
    a DHCPDISCOVER, dnsmasq will offer the same IPv6 address to this client.
    At the same time, the client will request to the server the same address:
      DHCPDISCOVER(tap2c14823a-e6) fa:16:3e:54:c6:8e
      DHCPOFFER(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e
      DHCPREQUEST(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e
      DHCPACK(tap2c14823a-e6) fd5b:1fd5:8295:5339::43 fa:16:3e:54:c6:8e \
        host-fd5b-1fd5-8295-5339--43

    Once dnsmasq updates the leases database, rewrites the leases file with the
    new IPv6 address (including the IAID) and the server DUID (if not present).

    Change-Id: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e
    Closes-Bug: #1722126
    (cherry picked from commit 4747de23d80ab32eea073846221adf94987f755b)

This issue was fixed in the openstack/neutron 14.0.0.0b2 development milestone.

This issue was fixed in the openstack/neutron 13.0.3 release.

This issue was fixed in the openstack/neutron 12.0.6 release.

Fix proposed to branch: master
Review: https://review.opendev.org/762874

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/762874
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by "Gaudenz Steinlin <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/795186
Reason: Merged into https://review.opendev.org/c/openstack/neutron/+/762874

Reviewed: https://review.opendev.org/c/openstack/neutron/+/762874
Committed: https://opendev.org/openstack/neutron/commit/6bc1c00d66ced82dd142739790222e8408684696
Submitter: "Zuul (22348)"
Branch: master

commit 6bc1c00d66ced82dd142739790222e8408684696
Author: Gaudenz Steinlin <email address hidden>
Date: Mon Nov 16 17:41:18 2020 +0100

    Copy existing IPv6 leases to generated lease file

    Because the DHCP agent does not know the IAID (identity association
    identifier) of assigned IPv6 addresses it's not possible to generate the
    lease file including IPv6 leases. Because of this IPv6 addresses are
    excluded when generating the lease file in case of DHCP agent restarts.
    This causes DHCPv6 clients to fail to RENEW their lease and to go
    through a full address discovery cycle with possible short connectivity
    disruption.

    This commit copies the existing IPv6 leaes from an already existing
    lease file if present. While this does not allow for DHCP agent
    failover, this is still better than just skipping the IPv6 addresses.

    A lease file without the IPv6 addresses is still generated if an agent
    is migrated to a different host.

    This commit complements the fix implemented in
    Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e which just skips the IPv6
    leases as otherwise the lease file would be invalid and all leases would
    be lost. It does not change the behavior for still valid IPv4 leases.

    With this issue fixed an additional fix is required to not loose DHCPv6
    leases when the agent restarts dnsmasq. Currently the DHCP agent
    regenerates all configuration files on restart. This means that DHCPv6
    leases are lost as they can't be regenerated. This changes the agent to
    only delete the config files if the agent's ports are also removed.

    Closes-Bug: #1722126
    Related-Change: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e

    Change-Id: I40761b30563749251b9d74731bbe7a80a124da89

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/799067

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/799068

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/neutron/+/799069

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/neutron/+/799070

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/c/openstack/neutron/+/799071

Reviewed: https://review.opendev.org/c/openstack/neutron/+/799067
Committed: https://opendev.org/openstack/neutron/commit/2ede99559b32d608efef3f2c2272262a4b776f23
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 2ede99559b32d608efef3f2c2272262a4b776f23
Author: Gaudenz Steinlin <email address hidden>
Date: Mon Nov 16 17:41:18 2020 +0100

    Copy existing IPv6 leases to generated lease file

    Because the DHCP agent does not know the IAID (identity association
    identifier) of assigned IPv6 addresses it's not possible to generate the
    lease file including IPv6 leases. Because of this IPv6 addresses are
    excluded when generating the lease file in case of DHCP agent restarts.
    This causes DHCPv6 clients to fail to RENEW their lease and to go
    through a full address discovery cycle with possible short connectivity
    disruption.

    This commit copies the existing IPv6 leaes from an already existing
    lease file if present. While this does not allow for DHCP agent
    failover, this is still better than just skipping the IPv6 addresses.

    A lease file without the IPv6 addresses is still generated if an agent
    is migrated to a different host.

    This commit complements the fix implemented in
    Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e which just skips the IPv6
    leases as otherwise the lease file would be invalid and all leases would
    be lost. It does not change the behavior for still valid IPv4 leases.

    With this issue fixed an additional fix is required to not loose DHCPv6
    leases when the agent restarts dnsmasq. Currently the DHCP agent
    regenerates all configuration files on restart. This means that DHCPv6
    leases are lost as they can't be regenerated. This changes the agent to
    only delete the config files if the agent's ports are also removed.

    Closes-Bug: #1722126
    Related-Change: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e

    Change-Id: I40761b30563749251b9d74731bbe7a80a124da89
    (cherry picked from commit 6bc1c00d66ced82dd142739790222e8408684696)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/799068
Committed: https://opendev.org/openstack/neutron/commit/f9b1f05def90f755947198e2adba24ea8f8a952b
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit f9b1f05def90f755947198e2adba24ea8f8a952b
Author: Gaudenz Steinlin <email address hidden>
Date: Mon Nov 16 17:41:18 2020 +0100

    Copy existing IPv6 leases to generated lease file

    Because the DHCP agent does not know the IAID (identity association
    identifier) of assigned IPv6 addresses it's not possible to generate the
    lease file including IPv6 leases. Because of this IPv6 addresses are
    excluded when generating the lease file in case of DHCP agent restarts.
    This causes DHCPv6 clients to fail to RENEW their lease and to go
    through a full address discovery cycle with possible short connectivity
    disruption.

    This commit copies the existing IPv6 leaes from an already existing
    lease file if present. While this does not allow for DHCP agent
    failover, this is still better than just skipping the IPv6 addresses.

    A lease file without the IPv6 addresses is still generated if an agent
    is migrated to a different host.

    This commit complements the fix implemented in
    Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e which just skips the IPv6
    leases as otherwise the lease file would be invalid and all leases would
    be lost. It does not change the behavior for still valid IPv4 leases.

    With this issue fixed an additional fix is required to not loose DHCPv6
    leases when the agent restarts dnsmasq. Currently the DHCP agent
    regenerates all configuration files on restart. This means that DHCPv6
    leases are lost as they can't be regenerated. This changes the agent to
    only delete the config files if the agent's ports are also removed.

    Closes-Bug: #1722126
    Related-Change: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e

    Change-Id: I40761b30563749251b9d74731bbe7a80a124da89
    (cherry picked from commit 6bc1c00d66ced82dd142739790222e8408684696)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/799069
Committed: https://opendev.org/openstack/neutron/commit/e0748a58efe6fdb2931047dffa267fa4e2d54615
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit e0748a58efe6fdb2931047dffa267fa4e2d54615
Author: Gaudenz Steinlin <email address hidden>
Date: Mon Nov 16 17:41:18 2020 +0100

    Copy existing IPv6 leases to generated lease file

    Because the DHCP agent does not know the IAID (identity association
    identifier) of assigned IPv6 addresses it's not possible to generate the
    lease file including IPv6 leases. Because of this IPv6 addresses are
    excluded when generating the lease file in case of DHCP agent restarts.
    This causes DHCPv6 clients to fail to RENEW their lease and to go
    through a full address discovery cycle with possible short connectivity
    disruption.

    This commit copies the existing IPv6 leaes from an already existing
    lease file if present. While this does not allow for DHCP agent
    failover, this is still better than just skipping the IPv6 addresses.

    A lease file without the IPv6 addresses is still generated if an agent
    is migrated to a different host.

    This commit complements the fix implemented in
    Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e which just skips the IPv6
    leases as otherwise the lease file would be invalid and all leases would
    be lost. It does not change the behavior for still valid IPv4 leases.

    With this issue fixed an additional fix is required to not loose DHCPv6
    leases when the agent restarts dnsmasq. Currently the DHCP agent
    regenerates all configuration files on restart. This means that DHCPv6
    leases are lost as they can't be regenerated. This changes the agent to
    only delete the config files if the agent's ports are also removed.

    Closes-Bug: #1722126
    Related-Change: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e

    Change-Id: I40761b30563749251b9d74731bbe7a80a124da89
    (cherry picked from commit 6bc1c00d66ced82dd142739790222e8408684696)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/799070
Committed: https://opendev.org/openstack/neutron/commit/229ecdd0083c3999da19a8a6be7526c98f51393f
Submitter: "Zuul (22348)"
Branch: stable/train

commit 229ecdd0083c3999da19a8a6be7526c98f51393f
Author: Gaudenz Steinlin <email address hidden>
Date: Mon Nov 16 17:41:18 2020 +0100

    Copy existing IPv6 leases to generated lease file

    Because the DHCP agent does not know the IAID (identity association
    identifier) of assigned IPv6 addresses it's not possible to generate the
    lease file including IPv6 leases. Because of this IPv6 addresses are
    excluded when generating the lease file in case of DHCP agent restarts.
    This causes DHCPv6 clients to fail to RENEW their lease and to go
    through a full address discovery cycle with possible short connectivity
    disruption.

    This commit copies the existing IPv6 leaes from an already existing
    lease file if present. While this does not allow for DHCP agent
    failover, this is still better than just skipping the IPv6 addresses.

    A lease file without the IPv6 addresses is still generated if an agent
    is migrated to a different host.

    This commit complements the fix implemented in
    Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e which just skips the IPv6
    leases as otherwise the lease file would be invalid and all leases would
    be lost. It does not change the behavior for still valid IPv4 leases.

    With this issue fixed an additional fix is required to not loose DHCPv6
    leases when the agent restarts dnsmasq. Currently the DHCP agent
    regenerates all configuration files on restart. This means that DHCPv6
    leases are lost as they can't be regenerated. This changes the agent to
    only delete the config files if the agent's ports are also removed.

    Closes-Bug: #1722126
    Related-Change: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e

    This backport contains some test fixes to make the tests work with
    Python 2.7 and the PEP8 N322 check.

    Changed file: neutron/tests/unit/agent/linux/test_dhcp.py

    Change-Id: I40761b30563749251b9d74731bbe7a80a124da89
    (cherry picked from commit 6bc1c00d66ced82dd142739790222e8408684696)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/799071
Committed: https://opendev.org/openstack/neutron/commit/7f63139424adcbbc18cdbf1b0fa3efa3b0fd3f45
Submitter: "Zuul (22348)"
Branch: stable/stein

commit 7f63139424adcbbc18cdbf1b0fa3efa3b0fd3f45
Author: Gaudenz Steinlin <email address hidden>
Date: Mon Nov 16 17:41:18 2020 +0100

    Copy existing IPv6 leases to generated lease file

    Because the DHCP agent does not know the IAID (identity association
    identifier) of assigned IPv6 addresses it's not possible to generate the
    lease file including IPv6 leases. Because of this IPv6 addresses are
    excluded when generating the lease file in case of DHCP agent restarts.
    This causes DHCPv6 clients to fail to RENEW their lease and to go
    through a full address discovery cycle with possible short connectivity
    disruption.

    This commit copies the existing IPv6 leaes from an already existing
    lease file if present. While this does not allow for DHCP agent
    failover, this is still better than just skipping the IPv6 addresses.

    A lease file without the IPv6 addresses is still generated if an agent
    is migrated to a different host.

    This commit complements the fix implemented in
    Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e which just skips the IPv6
    leases as otherwise the lease file would be invalid and all leases would
    be lost. It does not change the behavior for still valid IPv4 leases.

    With this issue fixed an additional fix is required to not loose DHCPv6
    leases when the agent restarts dnsmasq. Currently the DHCP agent
    regenerates all configuration files on restart. This means that DHCPv6
    leases are lost as they can't be regenerated. This changes the agent to
    only delete the config files if the agent's ports are also removed.

    Closes-Bug: #1722126
    Related-Change: Ib1b2f284ab81f1c4af7b08b5257b45a3f6e79c3e

    This backport contains some test fixes to make the tests work with
    Python 2.7 and the PEP8 N322 check.

    Changed file:
        neutron/tests/unit/agent/linux/test_dhcp.py

    Conflicts:
        neutron/agent/linux/dhcp.py

    Change-Id: I40761b30563749251b9d74731bbe7a80a124da89
    (cherry picked from commit 6bc1c00d66ced82dd142739790222e8408684696)

This issue was fixed in the openstack/neutron 16.4.0 release.

This issue was fixed in the openstack/neutron 17.2.0 release.

This issue was fixed in the openstack/neutron 18.1.0 release.

This issue was fixed in the openstack/neutron 19.0.0.0rc1 release candidate.

This issue was fixed in the openstack/neutron stein-eol release.

This issue was fixed in the openstack/neutron train-eol release.