Comment 1 for bug 1945306

Bence Romsics (bence-romsics) wrote : Re: north-south traffic not working when VM and main router are not on the same host

I think I'm able to reproduce this on master (neutron commit ae4d8a0c20). I used a two-host ml2/ovs devstack setup:

devstack0 - all in one
local.conf excerpt:

[[local|localrc]]
Q_DVR_MODE=dvr_snat
[[post-config|/etc/neutron/neutron.conf]]
[DEFAULT]
router_distributed = True
l3_ha = True
l3_ha_net_cidr = 169.254.192.0/18
max_l3_agents_per_router = 2
[[post-config|/etc/neutron/plugins/ml2/ml2_conf.ini]]
enable_distributed_routing = True
l2_population = True
[[post-config|/etc/neutron/l3_agent.ini]]
[DEFAULT]
agent_mode = dvr_snat
ha_vrrp_auth_password = password
ha_vrrp_health_check_interval = 0

devstack0a - compute
local.conf excerpt:

[[local|localrc]]
Q_DVR_MODE=dvr
[[post-config|/etc/neutron/neutron.conf]]
[DEFAULT]
router_distributed = True
[[post-config|/etc/neutron/plugins/ml2/ml2_conf.ini]]
[agent]
enable_distributed_routing = True
l2_population = True
[[post-config|/etc/neutron/l3_agent.ini]]
[DEFAULT]
agent_mode = dvr

Then opened up the default security group totally:

project_id="$( openstack project show "$OS_PROJECT_NAME" | awk '/ id / { print $4 }' )"
default_sg_id="$( neutron security-group-list --tenant-id "$project_id" | awk '/ default / { print $2 }' )"
openstack security group rule list "$default_sg_id"
openstack security group rule list "$default_sg_id" | egrep -w None | egrep -wv 'None.*None.*None' | awk '{ print $2 }' | xargs -r openstack security group rule delete
neutron security-group-rule-create --direction ingress --ethertype IPv4 "$default_sg_id"
neutron security-group-rule-create --direction ingress --ethertype IPv6 "$default_sg_id"
openstack security group rule list "$default_sg_id"

devstack's default router1 was indeed in dvr+l3ha mode:

$ openstack router show router1 -f table -c ha -c distributed
+-------------+-------+
| Field       | Value |
+-------------+-------+
| distributed | True  |
| ha          | True  |
+-------------+-------+

Booted a vm on the connected private network:
$ openstack server create --image cirros-0.5.2-x86_64-disk --flavor cirros256 --nic net-id=private --availability-zone :devstack0a vm0 --wait

Took its address and pinged it:
$ openstack server show vm0 -f yaml -c addresses
$ sudo ip netns exec snat-$( openstack router show router1 -f value -c id ) ping -c3 10.0.0.55

And got no response.

While pinging, tcpdump on the relevant subnet's sg interface got this:
$ sudo ip netns exec snat-$( openstack router show router1 -f value -c id ) tcpdump -i sg-7a37d0b0-e6 -n -vvv
tcpdump: listening on sg-7a37d0b0-e6, link-type EN10MB (Ethernet), capture size 262144 bytes
^C13:03:57.204512 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.55 tell 10.0.0.45, length 28
13:03:58.228329 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.55 tell 10.0.0.45, length 28
13:03:59.252240 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.55 tell 10.0.0.45, length 28
13:04:00.276460 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.55 tell 10.0.0.45, length 28
13:04:01.300116 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.55 tell 10.0.0.45, length 28

5 packets captured
5 packets received by filter
0 packets dropped by kernel
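
Added example, not part of the original comment: a helper that reads tcpdump -n text output like the capture above and lists the ARP targets that were asked for but never replied. The names unanswered_arp and sample_capture are hypothetical, and the 10.0.0.1 request/reply pair and its MAC address in the sample are constructed for contrast.

```shell
# Constructed sample: three request lines as in the capture above, plus one
# constructed request/reply pair for 10.0.0.1 to show an answered target.
sample_capture() {
    cat <<'EOF'
^C13:03:57.204512 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.55 tell 10.0.0.45, length 28
13:03:58.228329 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.55 tell 10.0.0.45, length 28
13:03:58.900000 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell 10.0.0.45, length 28
13:03:58.900100 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.1 is-at fa:16:3e:00:00:01, length 28
13:03:59.252240 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.55 tell 10.0.0.45, length 28
EOF
}

# Read tcpdump lines on stdin; print "<ip> requests=<n> replies=0" for every
# ARP target that was requested at least once and never seen in a Reply.
unanswered_arp() {
    awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "who-has") {
                    # Request who-has <target> tell <sender>
                    ip = $(i + 1); sub(/,$/, "", ip)
                    req[ip]++
                } else if ($i == "Reply" && $(i + 2) == "is-at") {
                    # Reply <ip> is-at <mac>
                    rep[$(i + 1)]++
                }
            }
        }
        END {
            for (ip in req)
                if (!(ip in rep))
                    printf "%s requests=%d replies=0\n", ip, req[ip]
        }
    ' | sort
}

# Stand-alone run over the constructed sample.
sample_capture | unanswered_arp
```

On a live system the function can be fed from the same tcpdump command used above, with -l added so output is line-buffered.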