DHCP Agent should not release DHCP lease when client ID is not set on port
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Medium
|
Brian Haley |
Bug Description
DHCP agent has a really strict enforcement of client ID, which is part of the DHCP extra options. If a VM advertises a client ID, DHCP agent will automatically release it's lease whenever *any* other port is updated/deleted. This happens even if no client ID is set on the port.
When reload_
https:/
v4_leases = set()
for (k, v) in cur_leases.items():
# IPv4 leases have a MAC, IPv6 ones do not, so we must ignore
if netaddr.
# treat '*' as None, see note in _read_leases_
if client_id is '*':
new_leases = set()
for port in self.network.ports:
for alloc in port.fixed_ips:
# If an entry is in the leases or host file(s), but doesn't have
# a fixed IP on a corresponding neutron port, consider it stale.
if not entries_to_release:
return
It was observed in one example of a released lease, its entries looked like:
new_leases (from port DB)
(u'10.81.96.186', u'fa:16:
old_leases (from hosts file)
('10.81.96.186', 'fa:16:
v4_leases (from leases file - updated by dnsmasq when VM requests)
('10.81.96.186', 'fa:16:
Therefore the entries_to_release did not have that IP, MAC filtered out. The client_id in v4_leases entry was coming from a Windows VM, which faces a bug that prevents it from disabling client ID. entries_to_release in fact had some 50+ entries like that, causing a storm of DHCPRELEASE.
This can cause issues where when the VM later asks to renew its lease when the expiry period is coming up (I think about halfway thru), dnsmasq sends an DHCP NAK and the lease is re-negotiated and existing networking connections can get disrupted. It also just causes DHCP agent to do unneccessary work, releasing a ton of leases when it technically shouldn't.
Setting the client ID in the port's DHCP extra opts is not an good solution:
1. In some cases, like Windows VMs, the client ID is advertised as the MAC by default. In fact, there is a Windows bug which prevents you from even turning this off: https:/
Linux VMs dont have this on by default, when I checked, but they may be enabled in some templates unknown to users
2. End users will usually just be deploying a VM, with the port being auto created by Nova. They don't know or need to know about advanced networking concepts like DHCP client IDs.
3. We can't expect everyone to modify their existing app templates, or end users to make API calls, to update ports everytime they deploy a VM
So, client ID should only be enforced, and leases released, if it's actually set on the port DB's DHCP extra Opts. In that case it means someone knows what they are doing, and we want to check for a mismatch.
If its None, I suspect in 99.9999% of cases the operator does not know or care about client ID field.
Changed in neutron: | |
assignee: | nobody → Arjun Baindur (abaindur) |
description: | updated |
description: | updated |
description: | updated |
Changed in neutron: | |
status: | Incomplete → In Progress |
Changed in neutron: | |
status: | In Progress → Triaged |
importance: | Undecided → Medium |
Changed in neutron: | |
status: | Triaged → In Progress |
Changed in neutron: | |
assignee: | Arjun Baindur (abaindur) → Brian Haley (brian-haley) |
Testing out a fix where we parse the entries_to_release set, and filter out entries where a client ID is set, but the same (IP, MAC) combo in the port DB set (new_leases) has a client ID of None.