enable_isolated_metadata_proxy should be called only when enable_isolated_metadata enabled

Bug #1159015 reported by yong sheng gong
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Medium | yong sheng gong |
Grizzly | Fix Released | Medium | Gary Kotton |

Bug Description

Now enable_isolated_metadata_proxy is always called, no matter what the value of the enable_isolated_metadata option is.
In fact, if enable_isolated_metadata=False, the proxy should not work, according to the code:
1. def _output_opts_file(self) in dhcp.py:
        """Write a dnsmasq compatible options file."""
           ...

            host_routes = ["%s,%s" % (hr.destination, hr.nexthop)
                           for hr in subnet.host_routes]
            subnet_dhcp_ip = subnet_to_interface_ip[subnet.id]
            # Add host routes for isolated network segments
            enable_metadata = (
                self.conf.enable_isolated_metadata
                and not subnet.gateway_ip
                and subnet.ip_version == 4)

            if enable_metadata:
                host_routes.append(
                    '%s/32,%s' % (METADATA_DEFAULT_IP, subnet_dhcp_ip)
                )
   So if enable_isolated_metadata is set, dnsmasq will use a host route to direct the VM's 169.254.169.254 traffic to the IP that dnsmasq is listening on.
2. def setup(self, network, reuse_existing=False): in dhcp_agent.py
        """Create and initialize a device for network's DHCP on this host."""
        device_id = self.get_device_id(network)
        port = self.plugin.get_dhcp_port(network.id, device_id)

        interface_name = self.get_interface_name(network, port)

        if self.conf.use_namespaces:
            namespace = NS_PREFIX + network.id
        else:
            namespace = None

        if ip_lib.device_exists(interface_name,
                                self.root_helper,
                                namespace):
            if not reuse_existing:
                raise exceptions.PreexistingDeviceFailure(
                    dev_name=interface_name)

            LOG.debug(_('Reusing existing device: %s.'), interface_name)
        else:
            self.driver.plug(network.id,
                             port.id,
                             interface_name,
                             port.mac_address,
                             namespace=namespace)
        ip_cidrs = []
        for fixed_ip in port.fixed_ips:
            subnet = fixed_ip.subnet
            net = netaddr.IPNetwork(subnet.cidr)
            ip_cidr = '%s/%s' % (fixed_ip.ip_address, net.prefixlen)
            ip_cidrs.append(ip_cidr)

        if (self.conf.enable_isolated_metadata and
            self.conf.use_namespaces):
            ip_cidrs.append(METADATA_DEFAULT_IP)

So we are adding '169.254.169.254/%d' % METADATA_DEFAULT_PREFIX (16) to the DHCP tap device.

The metadata_proxy process should not be called if self.conf.enable_isolated_metadata is false.

Tags: l3-ipam-dhcp
yong sheng gong (gongysh) wrote :

more information:
gongysh@controlnode:~$ sudo ip netns exec qdhcp-2b48970b-443e-4e9a-95ae-af8b52d5e099 ip addr
18: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
23: tap129fb738-09: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:f3:38:60 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.4/24 brd 10.0.1.255 scope global tap129fb738-09
    inet 169.254.169.254/16 brd 169.254.255.255 scope global tap129fb738-09
    inet6 fe80::f816:3eff:fef3:3860/64 scope link
       valid_lft forever preferred_lft forever

description: updated
Salvatore Orlando (salvatore-orlando) wrote :

Hi Yong,

In my setup I also have metadata proxy instances associated with networks even though isolated metadata is disabled:

root 3857 0.0 0.7 98188 22980 ? S 12:43 0:00 /usr/bin/python /usr/local/bin/quantum-ns-metadata-proxy --pid_file=/opt/stack/data/quantum/external/pids/9cddeecf-be26-4a00-8236-3968bd6267cb.pid --network_id=9cddeecf-be26-4a00-8236-3968bd6267cb --state_path=/opt/stack/data/quantum --metadata_port=80 --debug --verbose

This is something I noted a while ago and forgot to report, but I thought it was minor because the metadata IP and the DHCP option were not configured in the net namespace.

Indeed, the metadata IP is not configured in the network namespace:

salvatore@ubuntu:~/git/devstack$ sudo ip netns exec qdhcp-9cddeecf-be26-4a00-8236-3968bd6267cb ip addr show
39: tapc7b19be6-91: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:8a:3e:21 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global tapc7b19be6-91
    inet6 fe80::f816:3eff:fe8a:3e21/64 scope link
       valid_lft forever preferred_lft forever
40: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

And the 121 option is not configured:

salvatore@ubuntu:~/git/devstack$ cat /opt/stack/data/quantum/dhcp/9cddeecf-be26-4a00-8236-3968bd6267cb/opts
tag:tag0,option:router,10.0.0.1

Can you explain how come the metadata IP is configured in your network namespace? Also, do you have the 121 option configured?

tags: added: grizzly-backport-potential l3-ipam-dhcp
Changed in quantum:
status: New → Incomplete
yong sheng gong (gongysh) wrote :

What do you mean by 121 option?

yong sheng gong (gongysh) wrote :

And also metadata proxy is always needed if the user does not want metadata at all. config-drive is an alternative for metadata service.

yong sheng gong (gongysh) wrote :

dhcp_agent.ini:
enable_isolated_metadata = False

root 25321 1 0 08:22 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/etc/quantum/data/external/pids/0b7805ac-f0ae-4bbb-8dd4-75d30d196a61.pid --network_id=0b7805ac-f0ae-4bbb-8dd4-75d30d196a61 --state_path=/etc/quantum/data --metadata_port=80 --debug --verbose --log-file=quantum-ns-metadata-proxy-0b7805ac-f0ae-4bbb-8dd4-75d30d196a61.log --log-dir=/home/gongysh/logs
root 25563 1 0 08:22 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy --pid_file=/etc/quantum/data/external/pids/b8525b9a-f522-4603-a092-5d3f89af28af.pid --network_id=b8525b9a-f522-4603-a092-5d3f89af28af --state_path=/etc/quantum/data --metadata_port=80 --debug --verbose --log-file=quantum-ns-metadata-proxy-b8525b9a-f522-4603-a092-5d3f89af28af.log --log-dir=/home/gongysh/logs

According to my analysis in the Bug Description, these two proxies cannot work at all.

dhcp_agent.ini
enable_isolated_metadata = True

sudo ip netns exec qdhcp-b8525b9a-f522-4603-a092-5d3f89af28af ip addr
38: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
40: tapf738b936-8d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:48:3c:be brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.2/24 brd 10.0.2.255 scope global tapf738b936-8d
    inet 169.254.169.254/16 brd 169.254.255.255 scope global tapf738b936-8d
    inet6 fe80::f816:3eff:fe48:3cbe/64 scope link
       valid_lft forever preferred_lft forever

Changed in quantum:
assignee: nobody → yong sheng gong (gongysh)
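
The check the comments above perform by hand, as an added example that is not part of the original report or of Quantum's code: it flags every ns-metadata-proxy process that runs while enable_isolated_metadata is off, and notes whether the metadata IP is present in that network's namespace. The function names, the sample network IDs and the abridged ps and ip addr text are constructed for illustration; the fallback of False for a missing option is an assumption.

```python
import configparser
import re

METADATA_IP = "169.254.169.254"
# ps line: user, pid, ..., command containing ns-metadata-proxy and --network_id=<uuid>
PROXY_RE = re.compile(
    r"^\S+\s+(\d+)\s.*ns-metadata-proxy\s.*--network_id=([0-9a-f-]{36})")

# Constructed sample inputs, modelled on the output quoted in this report.
NET_A = "11111111-1111-4111-8111-111111111111"
NET_B = "22222222-2222-4222-8222-222222222222"
DHCP_AGENT_INI = "[DEFAULT]\nenable_isolated_metadata = False\n"
PS_OUTPUT = (
    "root 25321 1 0 08:22 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy"
    " --network_id=%s --metadata_port=80\n"
    "root 25563 1 0 08:22 ? 00:00:00 python /usr/bin/quantum-ns-metadata-proxy"
    " --network_id=%s --metadata_port=80\n"
    "nobody 25700 1 0 08:22 ? 00:00:00 dnsmasq --no-hosts\n" % (NET_A, NET_B))
IP_ADDR_BY_NET = {  # output of `ip netns exec qdhcp-<net> ip addr`, abridged
    NET_A: "23: tap0: <BROADCAST,UP>\n    inet 10.0.1.4/24 scope global tap0\n",
}

def isolated_metadata_enabled(ini_text):
    """Read enable_isolated_metadata from dhcp_agent.ini text (missing -> False)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.getboolean("DEFAULT", "enable_isolated_metadata", fallback=False)

def running_proxies(ps_text):
    """Map network_id -> pid for every ns-metadata-proxy line in ps output."""
    found = {}
    for line in ps_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            found[m.group(2)] = int(m.group(1))
    return found

def namespace_has_metadata_ip(ip_addr_text):
    """True if an `inet 169.254.169.254/<prefix>` address is configured."""
    pattern = r"^\s*inet %s/\d+" % re.escape(METADATA_IP)
    return re.search(pattern, ip_addr_text, re.MULTILINE) is not None

def audit(ini_text, ps_text, ip_addr_by_net):
    """List (network_id, pid, has_metadata_ip) for proxies running while disabled."""
    if isolated_metadata_enabled(ini_text):
        return []
    return [(net, pid, namespace_has_metadata_ip(ip_addr_by_net.get(net, "")))
            for net, pid in sorted(running_proxies(ps_text).items())]

if __name__ == "__main__":
    for finding in audit(DHCP_AGENT_INI, PS_OUTPUT, IP_ADDR_BY_NET):
        print("unneeded proxy: network=%s pid=%d metadata_ip=%s" % finding)
```
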
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/26431

Changed in quantum:
status: Incomplete → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/26431
Committed: http://github.com/openstack/quantum/commit/a397df38c748d482ece18e164084a589d7f2d362
Submitter: Jenkins
Branch: master

commit a397df38c748d482ece18e164084a589d7f2d362
Author: gongysh <email address hidden>
Date: Tue Apr 9 09:11:32 2013 +0800

    Don't run metadata proxy when it is not needed

    Bug #1159015

    Change-Id: I6063e75525a2a727d063bb1745c897ac8c4ba3e8

Changed in quantum:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/28938

OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (stable/grizzly)

Reviewed: https://review.openstack.org/28938
Committed: http://github.com/openstack/quantum/commit/e97fdc40a0a432197928571e6c38a631177ee451
Submitter: Jenkins
Branch: stable/grizzly

commit e97fdc40a0a432197928571e6c38a631177ee451
Author: gongysh <email address hidden>
Date: Tue Apr 9 09:11:32 2013 +0800

    Don't run metadata proxy when it is not needed

    Bug #1159015

    Change-Id: I6063e75525a2a727d063bb1745c897ac8c4ba3e8
    (cherry picked from commit a397df38c748d482ece18e164084a589d7f2d362)

tags: added: in-stable-grizzly
Gary Kotton (garyk)
tags: removed: grizzly-backport-potential
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
Alan Pevec (apevec)
tags: removed: in-stable-grizzly
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-1 → 2013.2