Unbound ports floating ip not working with address scopes in DVR HA

Bug #1753434 reported by Bartosz Bezak
This bug affects 4 people
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Miguel Lavalle

Bug Description

Using latest build stable Pike.

This commit properly addressed the problem of unbound ports' centralized floating IPs - https://git.openstack.org/cgit/openstack/neutron/commit/?id=8b4bb9c0b057da175f2d773f8257de3e571aed4e

However, traffic towards an unbound port (Octavia Pike VIP) when using address scopes is getting blocked in the snat namespace:
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target prot opt in out source destination
   23 1612 DROP all -- any sg-775c0432-f1 anywhere anywhere mark match ! 0x4010000/0xffff0000

It is working properly with centralized router HA with address scopes, and with DVR HA without address scopes.
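
Added example (not part of the original report and not neutron code): a small parser for the neutron-l3-agent-scope listing quoted above. It decodes the "mark match ! value/mask" condition and shows which packet marks the DROP rule catches. The function names are hypothetical, the sample listing is the one from the report, and the packet marks tested are constructed values.

```python
import re

# Listing copied from the bug description (iptables -L -v output).
# Assumption: counters are plain integers; use "iptables -L -v -x" to avoid K/M suffixes.
SAMPLE = """\
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target prot opt in out source destination
   23 1612 DROP all -- any sg-775c0432-f1 anywhere anywhere mark match ! 0x4010000/0xffff0000
"""

RULE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+\S+\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+\S+\s+\S+\s+"
    r"mark match (?P<neg>! )?(?P<value>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?"
)

def parse_scope_rules(listing):
    """Return one dict per rule line that carries a mark match."""
    rules = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # chain header, column header, or a rule without a mark match
        rules.append({
            "pkts": int(m["pkts"]), "target": m["target"], "out": m["out"],
            "negated": bool(m["neg"]),
            "value": int(m["value"], 16),
            # A mark match without an explicit mask compares all 32 bits.
            "mask": int(m["mask"], 16) if m["mask"] else 0xFFFFFFFF,
        })
    return rules

def rule_matches(rule, pkt_mark):
    """True if a packet carrying pkt_mark satisfies the rule's mark condition."""
    hit = (pkt_mark & rule["mask"]) == rule["value"]
    return hit != rule["negated"]  # "!" inverts the comparison

def active_drops(listing):
    """DROP rules whose packet counter shows they are discarding traffic."""
    return [r for r in parse_scope_rules(listing)
            if r["target"] == "DROP" and r["pkts"] > 0]

if __name__ == "__main__":
    for r in active_drops(SAMPLE):
        print(f"{r['out']}: {r['pkts']} pkts dropped, "
              f"unmarked packet dropped: {rule_matches(r, 0)}")
```

Only the bits selected by the mask are compared, so a packet leaving through the sg- device is dropped whenever that part of its mark differs from the value in the rule; an unmarked packet (mark 0) is dropped as well.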

Changed in neutron:
status: New → Confirmed
Miguel Lavalle (minsel)
Changed in neutron:
assignee: nobody → Miguel Lavalle (minsel)
tags: added: l3-dvr-backlog l3-ha
Changed in neutron:
importance: Undecided → Medium
Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

Let me check.
Do you have more info on how to reproduce this issue?

Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

With Address scopes you don't need floatingIP. You can directly pass in the traffic. The traffic should be flowing through the FIP Namespace.
If you could give me more information on your test setup and how to reproduce this, it would be useful.

Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

Sorry, let me take it back. Since it is for unbound floatingIP, that traffic should be flowing through the SNAT Namespace.
Yes, as you mentioned, if the 'sg-' traffic is blocked, then you may not get any traffic from the subnet associated ports to the SNAT Namespace.
This needs to be evaluated.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/558012

Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

Just an update, I tried to test this scenario on both the CVR and DVR and I am seeing the same behavior.
It would be great if you can provide more info on reproducing the steps in here.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/558012
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7c4da6fb756189e6afc1c699e06ce74488c61d45
Submitter: Zuul
Branch: master

commit 7c4da6fb756189e6afc1c699e06ce74488c61d45
Author: Swaminathan Vasudevan <email address hidden>
Date: Fri Mar 30 16:00:40 2018 -0700

    DVR: Avoid address scope rules for dvr_no_external agents

    All FloatingIP for DVR_NO_EXTERNAL agents will be configured
    in the SNAT Namespace. So there is no need to configure the
    address scope related routes in the router namespace when the
    agent is configured as DVR_NO_EXTERNAL.

    Change-Id: I009dae9e7f485641f2f19dce8dd575da04bfb044
    Related-Bug: #1753434

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/613705

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/613706

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/queens)

Reviewed: https://review.openstack.org/613705
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f916a3ebd1e654221bdb65af37e70ec55d673883
Submitter: Zuul
Branch: stable/queens

commit f916a3ebd1e654221bdb65af37e70ec55d673883
Author: Swaminathan Vasudevan <email address hidden>
Date: Fri Mar 30 16:00:40 2018 -0700

    DVR: Avoid address scope rules for dvr_no_external agents

    All FloatingIP for DVR_NO_EXTERNAL agents will be configured
    in the SNAT Namespace. So there is no need to configure the
    address scope related routes in the router namespace when the
    agent is configured as DVR_NO_EXTERNAL.

    Change-Id: I009dae9e7f485641f2f19dce8dd575da04bfb044
    Related-Bug: #1753434
    (cherry picked from commit 7c4da6fb756189e6afc1c699e06ce74488c61d45)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/613706
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bdbcf5653afbea500394dd8b0a3a423f9e1eeed3
Submitter: Zuul
Branch: stable/pike

commit bdbcf5653afbea500394dd8b0a3a423f9e1eeed3
Author: Swaminathan Vasudevan <email address hidden>
Date: Fri Mar 30 16:00:40 2018 -0700

    DVR: Avoid address scope rules for dvr_no_external agents

    All FloatingIP for DVR_NO_EXTERNAL agents will be configured
    in the SNAT Namespace. So there is no need to configure the
    address scope related routes in the router namespace when the
    agent is configured as DVR_NO_EXTERNAL.

    Change-Id: I009dae9e7f485641f2f19dce8dd575da04bfb044
    Related-Bug: #1753434
    (cherry picked from commit 7c4da6fb756189e6afc1c699e06ce74488c61d45)

tags: added: in-stable-pike
Changed in neutron:
status: Confirmed → Fix Released