IPVS setup fails with openvswitch firewall driver, works with iptables_hybrid

Bug #1863091 reported by Dr. Jens Harbott
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

We have some IPVS setup deployed according to https://cloudbau.github.io/openstack/loadbalancing/networking/ipvs/2017/03/20/ipvs-direct-routing-on-top-of-openstack.html which stopped working after upgrading from Queens to Rocky and switching from the iptables_hybrid firewall driver to the native openvswitch firewall driver.

The issue can be resolved by reverting to the iptables_hybrid driver on the compute-node hosting the LB instance.

This is on Ubuntu Bionic using the Rocky UCA, Neutron version 13.0.6-0ubuntu1~cloud0.

Revision history for this message
Slawek Kaplonski (slaweq) wrote :

Can you describe in more detail why it stopped working? On https://cloudbau.github.io/openstack/loadbalancing/networking/ipvs/2017/03/20/ipvs-direct-routing-on-top-of-openstack.html I see that port_security has to be disabled for the ipvs-loadbalancer; was that also the case for the ports when the openvswitch firewall driver was used? Where exactly was the traffic dropped?

Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

@Slawek: That is actually a good question; that article was written against a linuxbridge setup. For our OVS deployment we did not disable port_security, we just added the VIP to allowed_address_pairs on the LB and on the backend servers.
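For reference, the allowed_address_pairs change described above can be applied with the OpenStack CLI roughly as follows. The VIP address and port identifiers here are hypothetical placeholders, not values from this deployment:

```shell
# Hypothetical VIP and port IDs; substitute your own values.
VIP=10.0.0.100

# Allow the VIP on the LB port and on each real-server port.
# allowed_address_pairs lets traffic carrying the VIP pass the port's
# anti-spoofing rules without disabling port security entirely.
openstack port set --allowed-address ip-address=$VIP lb-port-uuid
openstack port set --allowed-address ip-address=$VIP real-server-port-uuid
```

This keeps the security groups active on all ports, which is exactly the configuration where the stateful openvswitch driver behaves differently from iptables_hybrid.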

tcpdump shows that the initial SYN/ACK handshake is completed successfully, but the first data packet is dropped on the way from the client to the LB. So this sounds similar to the appendix in the blog post, as it would match the firewall on the LB still having the connection in half-open tracking state.
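One way to check the half-open-tracking theory is to inspect the connection tracking tables on the compute node hosting the LB. A sketch, assuming conntrack-tools and the OVS datapath conntrack interface are available, and using a hypothetical VIP of 10.0.0.100:

```shell
# In DR mode the SYN/ACK from the real server bypasses the LB, so
# conntrack on the LB's hypervisor only ever sees the client->VIP
# direction; the entry stays unreplied/half-open, and a stateful
# firewall then drops the first data packet.
sudo conntrack -L | grep 10.0.0.100          # look for [UNREPLIED] entries
sudo ovs-appctl dpctl/dump-conntrack | grep 10.0.0.100
```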

The question now is whether this is expected behaviour: that iptables_hybrid firewalling is effectively stateless here, while the native openvswitch firewall is stateful?

Or is it perhaps even a bug (security issue?) that this setup works with iptables_hybrid, and we should expect it to be broken by an upcoming fix there?

Revision history for this message
LIU Yulong (dragon889) wrote :

If the mode is DR (direct routing), the LVS server and the real servers need somewhat different configuration.
The LVS server (frontend) should have its security group and port_security disabled.
The real servers (backend) should have the VIP added as an allowed address pair, and the VIP configured on the lo device.
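The steps above can be sketched as follows. All port IDs and the VIP are hypothetical placeholders; the arp_ignore/arp_announce sysctls are the conventional LVS-DR settings, not something stated in this report:

```shell
# Hypothetical VIP and port IDs; substitute your own values.
VIP=10.0.0.100

# Frontend (LVS director): disable security groups and port security,
# since the director forwards packets addressed to the VIP, which the
# anti-spoofing rules would otherwise drop.
openstack port set --no-security-group --disable-port-security lvs-port-uuid

# Backends (real servers): allow the VIP via allowed_address_pairs ...
openstack port set --allowed-address ip-address=$VIP real-server-port-uuid

# ... and, inside each real server, bind the VIP to lo and suppress ARP
# replies for it, so that only the director answers ARP for the VIP.
ip addr add $VIP/32 dev lo
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
```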
