IP allocation for stateless IPv6 does not filter on segment when fixed-ips contain a subnet_id

Bug #1864225 reported by Harald Jensås
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Harald Jensås

Bug Description

Network 45b993b2-5224-409e-9756-0be190a19cf5 with two segments and two subnets:

$ openstack network segment list --network provider -f yaml
- ID: 612f96f0-7682-49f7-bfc2-c52437f6e948
  Name: provider-segment1
  Network: 45b993b2-5224-409e-9756-0be190a19cf5
  Network Type: flat
  Segment: null
- ID: 9632dc77-d8d1-4d2b-afab-23568f1d475f
  Name: provider-segment2
  Network: 45b993b2-5224-409e-9756-0be190a19cf5
  Network Type: flat
  Segment: null

$ openstack subnet list --network provider -f yaml
- ID: 926269c1-b05e-4b48-bafe-6be8e9cbd12c
  Name: provider-subnet1
  Network: 45b993b2-5224-409e-9756-0be190a19cf5
  Subnet: dead:beef:1::/64
- ID: cdec94ce-8e3b-4c5b-aba2-13271f8b8b91
  Name: provider-subnet2
  Network: 45b993b2-5224-409e-9756-0be190a19cf5
  Subnet: dead:beef:2::/64

$ openstack subnet show -c segment_id -c ipv6_address_mode \
    -c ipv6_ra_mode -c address_mode provider-subnet1
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| ipv6_address_mode | dhcpv6-stateless |
| ipv6_ra_mode | dhcpv6-stateless |
| segment_id | 612f96f0-7682-49f7-bfc2-c52437f6e948 |
+-------------------+--------------------------------------+

$ openstack subnet show -c segment_id -c ipv6_address_mode \
    -c ipv6_ra_mode -c address_mode provider-subnet2
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| ipv6_address_mode | dhcpv6-stateless |
| ipv6_ra_mode | dhcpv6-stateless |
| segment_id | 9632dc77-d8d1-4d2b-afab-23568f1d475f |
+-------------------+--------------------------------------+

The two subnets have stateless address mode and are on different segments.

When creating a port (openstack port create --network provider test-port1), IP allocation is deferred because segments are used and no host id is provided.

When creating a port with a subnet specified in fixed-ips the implicit address allocation for stateless subnets will allocate an address in both subnets.

$ openstack port create --network provider \
  --fixed-ip=subnet=provider-subnet1 test-port1 \
  -c fixed_ips -f yaml
fixed_ips:
- ip_address: dead:beef:1:0:f816:3eff:fe9f:4907
  subnet_id: 926269c1-b05e-4b48-bafe-6be8e9cbd12c
- ip_address: dead:beef:2:0:f816:3eff:fe9f:4907
  subnet_id: cdec94ce-8e3b-4c5b-aba2-13271f8b8b91

Upon trying to bind this port later as part of provisioning with Ironic, this fails because fixed_ips included invalid subnet.
---
Failed to provision instance 3340fad9-93a6-4915-a87f-5f79cb647e03: Failed to prepare to deploy: Unable to set binding:host_id for neutron port c83d24aa-4167-4d37-9d1a-833290d55d83. Error: Invalid input for operation: Failed to create port on network 94543fd0-3a89-4d15-ad0c-ee1da99a63a4, because fixed_ips included invalid subnet 9c463bf7-0d6b-498e-a8b5-2c6c8bef7b56
---

This happens because all subnets are returned as candidates when fixed_ips is specified, even though host id is not included:
https://opendev.org/openstack/neutron/src/branch/master/neutron/objects/subnet.py#L330-L337
Then addresses for all stateless subnets in the candidates are allocated:
https://opendev.org/openstack/neutron/src/branch/master/neutron/db/ipam_pluggable_backend.py#L256

Changed in neutron:
importance: Undecided → High
status: New → Confirmed
tags: added: ipv6
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/709444

Changed in neutron:
assignee: nobody → Harald Jensås (harald-jensas)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/710546

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/710547

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/711192

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/709444
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7e09e72661b0b3a0f898c20d451e204aa7a17194
Submitter: Zuul
Branch: master

commit 7e09e72661b0b3a0f898c20d451e204aa7a17194
Author: Harald Jensås <email address hidden>
Date: Thu Feb 27 02:38:13 2020 +0100

    Filter subnets on fixed_ips segment

    For v6_stateless IP addresses for all stateless
    subnets within a network are implicitly included.

    When using segments implicitly allocating addresses
    across subnets on different segments is incorrect.
    IPs from subnets on different segments were allocated
    when no host binding information was available
    but a subnet_id in fixed_ips request was present.

    This change adds filtering based on segment_id when
    fixed_ips are used. If fixed_ips are not all on the
    same segment exception FixedIpsSubnetsNotOnSameSegment
    is raised.

    Related: rhbz#1803989
    Related-Bug: #1864333
    Related-Bug: #1865138
    Closes-Bug: #1864225
    Change-Id: I336ae76283f29dd226344fb454aaa0e4aac030ea
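
A small model of the allocation behaviour before and after this fix, added here as an illustration; it is not Neutron's code. The subnet and segment IDs are copied from the report, the MAC address is inferred from the EUI-64 suffix of the addresses in the report, and allocate() and eui64() are hypothetical names.

```python
import ipaddress

# subnet_id -> (CIDR, segment_id), copied from the bug report
SUBNETS = {
    "926269c1-b05e-4b48-bafe-6be8e9cbd12c":
        ("dead:beef:1::/64", "612f96f0-7682-49f7-bfc2-c52437f6e948"),
    "cdec94ce-8e3b-4c5b-aba2-13271f8b8b91":
        ("dead:beef:2::/64", "9632dc77-d8d1-4d2b-afab-23568f1d475f"),
}
MAC = "fa:16:3e:9f:49:07"  # assumption: inferred from the addresses in the report


class FixedIpsSubnetsNotOnSameSegment(Exception):
    """Local stand-in for the exception named in the commit message."""


def eui64(cidr, mac):
    """Stateless address: /64 prefix plus modified EUI-64 interface ID."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")
    prefix = int(ipaddress.IPv6Network(cidr).network_address)
    return str(ipaddress.IPv6Address(prefix | iid))


def allocate(fixed_subnet_ids, subnets=SUBNETS, mac=MAC, segment_aware=True):
    """Model a port create with fixed_ips subnets and no host binding.

    segment_aware=False reproduces the reported behaviour: every stateless
    subnet on the network is a candidate. segment_aware=True keeps only the
    subnets on the segment of the requested fixed_ips.
    """
    segments = {subnets[sid][1] for sid in fixed_subnet_ids}
    if segment_aware and len(segments) > 1:
        raise FixedIpsSubnetsNotOnSameSegment(sorted(segments))
    return {
        sid: eui64(cidr, mac)
        for sid, (cidr, segment) in subnets.items()
        if not segment_aware or segment in segments
    }


if __name__ == "__main__":
    first = "926269c1-b05e-4b48-bafe-6be8e9cbd12c"
    print("before:", allocate([first], segment_aware=False))
    print("after: ", allocate([first]))
```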

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/710546
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3d3dc60408148cf16bc19cccb76b8652f980fa1c
Submitter: Zuul
Branch: master

commit 3d3dc60408148cf16bc19cccb76b8652f980fa1c
Author: Harald Jensås <email address hidden>
Date: Fri Feb 28 03:09:05 2020 +0100

    subnet create - segment aware auto-addr allocation

    When creating additional subnets with ipv6 auto-addressing
    ip allocation was added to existing ports without filtering
    on current allocation's segment.

    This adds filtering to only add auto-address allocation when
    the new subnet is on the same segment as the port's current
    ipam allocations.

    Related: rhbz#1803989
    Related-Bug: #1864225
    Related-Bug: #1865138
    Closes-Bug: #1864333
    Change-Id: I75ae14c64db076434ca9897ba9a6d97702e233ad

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/710547
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f987486febb9fbe88232bb9139508981b92147f1
Submitter: Zuul
Branch: master

commit f987486febb9fbe88232bb9139508981b92147f1
Author: Harald Jensås <email address hidden>
Date: Fri Feb 28 22:55:13 2020 +0100

    Deny delete last slaac subnet with allocation on segment

    When a port has only one IP allocation on auto-allocation
    subnet which is associated with a segment, do not allow
    the delete of the subnet. Raise SubnetInUse exception instead.

    Related: rhbz#1803989
    Related-Bug: #1864225
    Related-Bug: #1864333
    Closes-Bug: #1865138
    Change-Id: I9fb0f05ede42afa1a349635b1936028edf540a1f

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/711192
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c8f2a309836e152c4f08cc8e5735409f992177af
Submitter: Zuul
Branch: master

commit c8f2a309836e152c4f08cc8e5735409f992177af
Author: Harald Jensås <email address hidden>
Date: Wed Mar 4 10:41:35 2020 +0100

    Reno only - Make stateless allocation segment aware

    This adds a releasenote for changes:
     * https://review.opendev.org/709444
     * https://review.opendev.org/710546
     * https://review.opendev.org/710547

    Related-Bug: #1864225
    Related-Bug: #1864333
    Related-Bug: #1865138
    Change-Id: Idc7819340b37bee8ae7841d14d0143fb18ac362a

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/714092

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/714093

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/714094

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/714095

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/714092
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=16687e39b698bd2d95d343b403fa861de0b6648c
Submitter: Zuul
Branch: stable/train

commit 16687e39b698bd2d95d343b403fa861de0b6648c
Author: Harald Jensås <email address hidden>
Date: Thu Feb 27 02:38:13 2020 +0100

    Filter subnets on fixed_ips segment

    For v6_stateless IP addresses for all stateless
    subnets within a network are implicitly included.

    When using segments implicitly allocating addresses
    across subnets on different segments is incorrect.
    IPs from subnets on different segments were allocated
    when no host binding information was available
    but a subnet_id in fixed_ips request was present.

    This change adds filtering based on segment_id when
    fixed_ips are used. If fixed_ips are not all on the
    same segment exception FixedIpsSubnetsNotOnSameSegment
    is raised.

    Related: rhbz#1803989
    Related-Bug: #1864333
    Related-Bug: #1865138
    Closes-Bug: #1864225
    Change-Id: I336ae76283f29dd226344fb454aaa0e4aac030ea
    (cherry picked from commit 7e09e72661b0b3a0f898c20d451e204aa7a17194)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/714093
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c4264b7ded8e5ac3cf5d96eebf5f170d5ea5f9ad
Submitter: Zuul
Branch: stable/train

commit c4264b7ded8e5ac3cf5d96eebf5f170d5ea5f9ad
Author: Harald Jensås <email address hidden>
Date: Fri Feb 28 03:09:05 2020 +0100

    subnet create - segment aware auto-addr allocation

    When creating additional subnets with ipv6 auto-addressing
    ip allocation was added to existing ports without filtering
    on current allocation's segment.

    This adds filtering to only add auto-address allocation when
    the new subnet is on the same segment as the port's current
    ipam allocations.

    Related: rhbz#1803989
    Related-Bug: #1864225
    Related-Bug: #1865138
    Closes-Bug: #1864333
    Change-Id: I75ae14c64db076434ca9897ba9a6d97702e233ad
    (cherry picked from commit 3d3dc60408148cf16bc19cccb76b8652f980fa1c)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/714094
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=259049e25e6bb3cfb84fc75972456c548d00ed9e
Submitter: Zuul
Branch: stable/train

commit 259049e25e6bb3cfb84fc75972456c548d00ed9e
Author: Harald Jensås <email address hidden>
Date: Fri Feb 28 22:55:13 2020 +0100

    Deny delete last slaac subnet with allocation on segment

    When a port has only one IP allocation on auto-allocation
    subnet which is associated with a segment, do not allow
    the delete of the subnet. Raise SubnetInUse exception instead.

    Related: rhbz#1803989
    Related-Bug: #1864225
    Related-Bug: #1864333
    Closes-Bug: #1865138
    Change-Id: I9fb0f05ede42afa1a349635b1936028edf540a1f
    (cherry picked from commit f987486febb9fbe88232bb9139508981b92147f1)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/714095
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=26ddb076b848e1585582fcee635fbdea337bfde5
Submitter: Zuul
Branch: stable/train

commit 26ddb076b848e1585582fcee635fbdea337bfde5
Author: Harald Jensås <email address hidden>
Date: Wed Mar 4 10:41:35 2020 +0100

    Reno only - Make stateless allocation segment aware

    This adds a releasenote for changes:
     * https://review.opendev.org/709444
     * https://review.opendev.org/710546
     * https://review.opendev.org/710547

    Related-Bug: #1864225
    Related-Bug: #1864333
    Related-Bug: #1865138
    Change-Id: Idc7819340b37bee8ae7841d14d0143fb18ac362a
    (cherry picked from commit c8f2a309836e152c4f08cc8e5735409f992177af)

tags: added: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/751194

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/751195

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/751197

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/751198

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/751201

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: stable/queens
Review: https://review.opendev.org/751202

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/stein)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/stein
Review: https://review.opendev.org/751194
Reason: It seems like there are more dependencies for that patch and I don't think we really need to backport it.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/stein
Review: https://review.opendev.org/751195
Reason: It seems like there are more dependencies for that patch and I don't think we really need to backport it.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/rocky)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/751197
Reason: It seems like there are more dependencies for that patch and I don't think we really need to backport it.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/rocky
Review: https://review.opendev.org/751198
Reason: It seems like there are more dependencies for that patch and I don't think we really need to backport it.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/queens)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/751201
Reason: It seems like there are more dependencies for that patch and I don't think we really need to backport it.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/751202
Reason: It seems like there are more dependencies for that patch and I don't think we really need to backport it.
