Port in some type of device_owner should not allow update IP address

Bug #1796824 reported by LIU Yulong
Affects: neutron | Status: Fix Released | Importance: Wishlist | Assigned to: LIU Yulong

Bug Description

Some L3 ports can now directly modify the IP address, but there are some types of device_owner, for instance network:router_centralized_snat, that should not be allowed to change the IP address, otherwise it will make things really complicated.

Steps to reproduce: update a DVR router's network:router_centralized_snat port directly:
$ openstack port show 85ffe5a3-4332-4864-8ea5-5b13f3c7f63f
+-----------------------+-------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | node3 |
| binding_profile | |
| binding_vif_details | datapath_type='system', ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2018-09-19T09:48:58Z |
| data_plane_status | None |
| description | |
| device_id | 867e1473-4495-4513-8759-dee4cb1b9cef |
| device_owner | network:router_centralized_snat |
| dns_assignment | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='192.168.188.13', subnet_id='0bbb326f-91c7-4030-9425-bc994a25db84' |
| id | 85ffe5a3-4332-4864-8ea5-5b13f3c7f63f |
| ip_address | None |
| mac_address | fa:16:3e:1e:01:f8 |
| name | |
| network_id | f5c2435f-4096-4b91-8211-e3e22e08233a |
| option_name | None |
| option_value | None |
| port_security_enabled | False |
| project_id | |
| qos_policy_id | None |
| revision_number | 266 |
| security_group_ids | |
| status | ACTIVE |
| subnet_id | None |
| tags | |
| trunk_details | None |
| updated_at | 2018-10-02T06:46:46Z |
+-----------------------+-------------------------------------------------------------------------------+
$ openstack port set --fixed-ip subnet=0bbb326f-91c7-4030-9425-bc994a25db84,ip-address=192.168.188.100 85ffe5a3-4332-4864-8ea5-5b13f3c7f63f

$ openstack port unset --fixed-ip subnet=0bbb326f-91c7-4030-9425-bc994a25db84,ip-address=192.168.188.13 85ffe5a3-4332-4864-8ea5-5b13f3c7f63f

$ openstack port show 85ffe5a3-4332-4864-8ea5-5b13f3c7f63f
+-----------------------+--------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | node3 |
| binding_profile | |
| binding_vif_details | datapath_type='system', ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2018-09-19T09:48:58Z |
| data_plane_status | None |
| description | |
| device_id | 867e1473-4495-4513-8759-dee4cb1b9cef |
| device_owner | network:router_centralized_snat |
| dns_assignment | None |
| dns_name | None |
| extra_dhcp_opts | |
| fixed_ips | ip_address='192.168.188.100', subnet_id='0bbb326f-91c7-4030-9425-bc994a25db84' |
| id | 85ffe5a3-4332-4864-8ea5-5b13f3c7f63f |
| ip_address | None |
| mac_address | fa:16:3e:1e:01:f8 |
| name | |
| network_id | f5c2435f-4096-4b91-8211-e3e22e08233a |
| option_name | None |
| option_value | None |
| port_security_enabled | False |
| project_id | |
| qos_policy_id | None |
| revision_number | 270 |
| security_group_ids | |
| status | ACTIVE |
| subnet_id | None |
| tags | |
| trunk_details | None |
| updated_at | 2018-10-09T08:27:55Z |
+-----------------------+--------------------------------------------------------------------------------+

Nothing happened on the L3 agent side.

Slawek Kaplonski (slaweq) wrote :

It looks like some change in API behavior, so IMO it should be discussed at the drivers meeting.

tags: added: l3-dvr-backlog rfe
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/608909

Changed in neutron:
assignee: nobody → LIU Yulong (dragon889)
status: New → In Progress
Brian Haley (brian-haley) wrote :

Part of this looks related to another bug you filed, https://bugs.launchpad.net/neutron/+bug/1795222

And can you explain what you mean by "complicated"? I can understand how this could impact running instances, but I'm not sure that's a reason to not allow it.

LIU Yulong (dragon889) wrote :

@Brian, it's different from bug 1795222; 1795222 is to notify after resetting the router external gateway IP address.
This one is to restrict some device_owner types of ports from changing the IP address, for instance the DVR router centralized_snat port.

Why it is complicated: it's because the L3 agent side does not handle the 'network:router_centralized_snat' port IP change for DVR routers. If we try to allow the IP change for these types of ports, it seems we have a lot of work to do, such as changing the qr- or sg- device IP address, changing the iptables rules, changing the route rules etc. And IMO, such an IP change for these ports is not so useful, and it is sometimes not even visible to the normal user.

Swaminathan Vasudevan (swaminathan-vasudevan) wrote :

Yes I agree.

Changed in neutron:
importance: Undecided → Medium
LIU Yulong (dragon889) wrote :

The fix here: https://review.openstack.org/#/c/608909/ is trying to prevent some L3-related ports from updating the IP address. Since the snat (router gateway) IP address is related to the public network IPs, I think changing the router_gateway IP can still be allowed.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.openstack.org/612969

Miguel Lavalle (minsel) wrote :

Let's discuss this one during tomorrow's drivers meeting

tags: added: rfe-triaged
removed: rfe
Miguel Lavalle (minsel)
Changed in neutron:
importance: Medium → Wishlist
Miguel Lavalle (minsel) wrote :

This RFE was approved during today's drivers meeting. Please note the following guideline from the discussion: this is approved "as far as its scope is only device_owner types which are specific to the reference implementation"

tags: added: rfe-approved
removed: rfe-triaged
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (master)

Reviewed: https://review.openstack.org/612969
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=cd2c69890b042b0aa3df07de2c53f294e04a390d
Submitter: Zuul
Branch: master

commit cd2c69890b042b0aa3df07de2c53f294e04a390d
Author: LIU Yulong <email address hidden>
Date: Wed Oct 24 17:39:36 2018 +0800

    Add shim extension l3-port-ip-change-not-allowed

    Change-Id: I3578ef48432792aca25acf7c30413d79a0fd4065
    Closes-Bug: #1796824

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 1.21.0

This issue was fixed in the openstack/neutron-lib 1.21.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/608909
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=20f8271b6b8aa3a8a0bfdf3a0df5fe689ddc5c65
Submitter: Zuul
Branch: master

commit 20f8271b6b8aa3a8a0bfdf3a0df5fe689ddc5c65
Author: LIU Yulong <email address hidden>
Date: Tue Oct 9 17:21:31 2018 +0800

    Prevent some L3 ports from changing IP address

    Some L3 ports can directly modify the IP address now,
    but there are some types of device_owner, for instance
    network:router_centralized_snat, that should not be
    allowed to change the IP address, otherwise it will
    increase L3 agent code complexity.

    Since the router public gateway port is related to the
    external network, and this port can be used for some
    services, like VPN, after this patch we will only
    allow the gateway port to update the IP address
    directly, aka device_owner network:router_gateway.

    The following l3 router ports will not be allowed to
    directly update the IP address:
      network:ha_router_replicated_interface
      network:router_centralized_snat
      network:router_ha_interface
      network:router_interface
      network:router_interface_distributed

    Remove one unit test case since it will not occur in
    neutron.

    Change-Id: I2890a71abc82cb781b601afb879bdcca10e39257
    Closes-Bug: #1796824

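The following is an added example, not neutron's own code: an API-side validation that mirrors the rule the commit message describes, refusing a direct fixed_ips change on the five listed L3 device_owner values while leaving network:router_gateway (and updates that do not touch fixed_ips) untouched. The port and update dict shapes are assumed to follow the Neutron port API; the sample port is constructed from the values in the bug report's reproduction steps.

```python
# Added example, not neutron's own code; port/update dict shapes are assumed
# to follow the Neutron port API (device_owner string, fixed_ips list).

# device_owner values the fix lists as not allowed to change IP directly;
# network:router_gateway is deliberately absent and stays updatable.
L3_PORT_IP_CHANGE_NOT_ALLOWED = frozenset({
    "network:ha_router_replicated_interface",
    "network:router_centralized_snat",
    "network:router_ha_interface",
    "network:router_interface",
    "network:router_interface_distributed",
})


class IpChangeNotAllowed(Exception):
    """Raised when an update would change fixed_ips on a protected L3 port."""


def _normalize(fixed_ips):
    """Make fixed_ips comparable regardless of list order."""
    return {(f.get("subnet_id"), f.get("ip_address")) for f in fixed_ips}


def ip_change_allowed(port, update):
    """Return True if `update` may be applied to the stored `port` dict.

    Only an effective change of fixed_ips on a protected device_owner is
    refused: updates that omit fixed_ips or leave them unchanged (e.g. an
    admin_state_up flip) pass, as does any change on an unlisted owner.
    """
    if "fixed_ips" not in update:
        return True
    if port.get("device_owner") not in L3_PORT_IP_CHANGE_NOT_ALLOWED:
        return True
    return _normalize(port.get("fixed_ips", [])) == _normalize(update["fixed_ips"])


def validate_port_update(port, update):
    """API-style guard: raise instead of returning False."""
    if not ip_change_allowed(port, update):
        raise IpChangeNotAllowed("fixed_ips of a %s port cannot be updated "
                                 "directly" % port.get("device_owner"))


# Constructed from the values in the bug report's reproduction steps.
SNAT_PORT = {"device_owner": "network:router_centralized_snat",
             "fixed_ips": [{"subnet_id": "0bbb326f-91c7-4030-9425-bc994a25db84",
                            "ip_address": "192.168.188.13"}]}
NEW_IP = {"fixed_ips": [{"subnet_id": "0bbb326f-91c7-4030-9425-bc994a25db84",
                         "ip_address": "192.168.188.100"}]}
```

With this check in place, the `openstack port set --fixed-ip ...` call from the reproduction steps would be rejected at the API for the snat port, while the same update on a router_gateway port still goes through.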
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.0.0b1

This issue was fixed in the openstack/neutron 14.0.0.0b1 development milestone.
