[Neutron/Nova] Need to fix attaching a vip port on VMs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Incomplete | Medium | Rodolfo Alonso |
Bug Description
From https:/
The community had raised a fix in the A release. But nova can still attach the vip port to a VM without failure, even though the vip port cannot be used.
We can repro it in a Neutron A release, OVN-based deployment, relying on #2018529. I think we miss this case, as shown in the following steps.
repro steps
=================
1. Create a portA (we treat it as a vip port)
neutron port-show vip
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| binding:host_id | |
| binding:profile | {} |
| binding:vif_details | {} |
| binding:vif_type | unbound |
| binding:vnic_type | normal |
| created_at | 2024-01-
| description | |
| device_id | |
| device_owner | |
| dns_assignment | {"ip_address": "66.66.66.254", "hostname": "host-66-
| dns_domain | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "975480c3-
| id | bb00f200-
| mac_address | fa:16:3e:52:38:d3 |
| name | vip |
| network_id | e7ad862c-
| port_security_
| project_id | a08affebce0540b
| revision_number | 1 |
| security_groups | c9aca5a2-
| status | DOWN |
| tags | |
| tenant_id | a08affebce0540b
| updated_at | 2024-01-
+------
2. Create another portB with an address pair of portA's ip-mac.
neutron port-create testnet --allowed-
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| binding:host_id | |
| binding:profile | {} |
| binding:vif_details | {} |
| binding:vif_type | unbound |
| binding:vnic_type | normal |
| created_at | 2024-01-
| description | |
| device_id | |
| device_owner | |
| dns_assignment | {"ip_address": "66.66.66.228", "hostname": "host-66-
| dns_domain | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "975480c3-
| id | 2f773e8a-
| mac_address | fa:16:3e:ac:b0:21 |
| name | vip-sub |
| network_id | e7ad862c-
| port_security_
| project_id | a08affebce0540b
| revision_number | 1 |
| security_groups | c9aca5a2-
| status | DOWN |
| tags | |
| tenant_id | a08affebce0540b
| updated_at | 2024-01-
+------
3. Create an instance X with portB (success, as expected)
We see that portB has been used and updated as follows:
neutron port-show vip-sub
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| binding:host_id | compute-1 |
| binding:profile | {} |
| binding:vif_details | {"port_filter": true, "connectivity": "l2", "bound_drivers": {"0": "ovn"}} |
| binding:vif_type | ovs |
| binding:vnic_type | normal |
| created_at | 2024-01-
| description | |
| device_id | 82639c68-
| device_owner | compute:nova |
| dns_assignment | {"ip_address": "66.66.66.228", "hostname": "vip-test1", "fqdn": "vip-test1.
| dns_domain | |
| dns_name | vip-test1 |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "975480c3-
| id | 2f773e8a-
| mac_address | fa:16:3e:ac:b0:21 |
| name | vip-sub |
| network_id | e7ad862c-
| port_security_
| project_id | a08affebce0540b
| revision_number | 4 |
| security_groups | c9aca5a2-
| status | ACTIVE |
| tags | |
| tenant_id | a08affebce0540b
| updated_at | 2024-01-
+------
4. Attach portA to instance X.
In step 4, we saw the interface status is DOWN, but nova won't block the attach-interface request.
+------
| Property | Value |
+------
| ip_address | 66.66.66.254 |
| mac_addr | fa:16:3e:52:38:d3 |
| net_id | e7ad862c-
| port_id | bb00f200-
| port_state | DOWN |
| tag | - |
+------
And neutron doesn't realize portA is a virtual type port and tries to bind it to the VM, which is not right.
neutron port-show vip
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| binding:host_id | compute-1 |
| binding:profile | {} |
| binding:vif_details | {"port_filter": true, "connectivity": "l2", "bound_drivers": {"0": "ovn"}} |
| binding:vif_type | ovs |
| binding:vnic_type | normal |
| created_at | 2024-01-
| description | |
| device_id | 82639c68-
| device_owner | compute:nova |
| dns_assignment | {"ip_address": "66.66.66.254", "hostname": "vip-test1", "fqdn": "vip-test1.
| dns_domain | |
| dns_name | vip-test1 |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "975480c3-
| id | bb00f200-
| mac_address | fa:16:3e:52:38:d3 |
| name | vip |
| network_id | e7ad862c-
| port_security_
| project_id | a08affebce0540b
| revision_number | 3 |
| security_groups | c9aca5a2-
| status | DOWN |
| tags | |
| tenant_id | a08affebce0540b
| updated_at | 2024-01-
+------
The reason why I leave this bug in Neutron is that OVN and Neutron seem not to sync the port type 'Virtual'. So Fix(https:/
And OVN won't update the port type before the vip port usage from southdb to northdb. But actually, Neutron can realize the port would be Virtual type.
So this does look like a bug.
When I put a little debug in validate_port_binding_and_virtual_port() I can see the port being checked, but the port type (from OVN perspective) is not constants.LSP_TYPE_VIRTUAL, but "", so the operation succeeds.
Not exactly sure what needs to change yet.
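
The end state of step 4 (a port whose IP is listed in another port's allowed address pairs, yet bound with device_owner compute:nova) can be found with an offline audit over port records. This is an added example, not Neutron or Nova code; the port ids, the network id and the allowed-address-pair entry are constructed placeholders because the output on this page is truncated.

```python
import ipaddress


def pair_covers(pair_ip, ip):
    # An allowed-address-pair entry may be a single address or a CIDR.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pair_ip, strict=False)


def virtual_parents(port, ports):
    """Ids of same-network ports whose allowed_address_pairs cover this port's IPs."""
    ips = [f["ip_address"] for f in port.get("fixed_ips", [])]
    parents = []
    for other in ports:
        if other["id"] == port["id"] or other["network_id"] != port["network_id"]:
            continue
        pairs = other.get("allowed_address_pairs", [])
        if any(pair_covers(p["ip_address"], ip) for p in pairs for ip in ips):
            parents.append(other["id"])
    return parents


def misattached_vips(ports):
    """Map port id -> parent ids for VIP-style ports bound to a compute instance."""
    findings = {}
    for port in ports:
        if not (port.get("device_owner") or "").startswith("compute:"):
            continue
        parents = virtual_parents(port, ports)
        if parents:
            findings[port["id"]] = parents
    return findings


# Constructed records mirroring the state after step 4. Ids and the network id are
# placeholders (the page's values are truncated); the pair entry follows step 2.
SAMPLE_PORTS = [
    {"id": "portA", "name": "vip", "network_id": "net-1",
     "device_owner": "compute:nova", "allowed_address_pairs": [],
     "fixed_ips": [{"ip_address": "66.66.66.254"}]},
    {"id": "portB", "name": "vip-sub", "network_id": "net-1",
     "device_owner": "compute:nova",
     "allowed_address_pairs": [{"ip_address": "66.66.66.254",
                                "mac_address": "fa:16:3e:52:38:d3"}],
     "fixed_ips": [{"ip_address": "66.66.66.228"}]},
]

if __name__ == "__main__":
    for port_id, parents in misattached_vips(SAMPLE_PORTS).items():
        print(f"{port_id}: VIP of {parents} but bound to an instance")
```

The check is a heuristic over API-visible fields only; it does not read the OVN logical switch port type that the comment above found to be empty.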