yahoo-eng-team team mailing list archive
Message #24386
[Bug 1391059] [NEW] Assign gateway IP to LB VIP would disrupt traffic
Public bug reported:
A neutron network directly connected to a hardware router will have a
gateway IP which does not have a neutron port, while the gateway of a
neutron network connected to a neutron router has a neutron port. In our
production, there were multiple incidents when a user successfully
configured a network gateway IP not associated with a neutron port as a
load balancer VIP. In such a scenario, traffic from a VM destined outside
the network may go to the LB VIP instead, and WAN traffic may not be
able to reach a VM in this network.
Neutron server should not allow clients to configure a gateway IP as an LB
VIP, even if this gateway IP is not associated with a neutron port.
The following steps in devstack simulate our production scenario, in which the gateway of a neutron network does not have a port, using:
ubuntu 14.04
devstack master e6165e80bab0c06035a0b7002200bcbcfe4e62ab
neutron master 49234a824c16164a56cbfbf644490d07bb22e241
python-neutronclient master 9ed73c04aaaedcd8757d1f3ff99669276f069c72
$ neutron net-create net-test
Created a new network:
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | 5463f934-ed66-49b4-b4c6-2769ecd19b12 |
| name            | net-test                             |
:
$ neutron subnet-create --name subnet-test net-test --enable_dhcp=True --gateway=10.33.101.129 10.33.101.128/25
Created a new subnet:
+-------------------+----------------------------------------------------+
| Field             | Value                                              |
+-------------------+----------------------------------------------------+
| allocation_pools  | {"start": "10.33.101.130", "end": "10.33.101.254"} |
| cidr              | 10.33.101.128/25                                   |
| dns_nameservers   |                                                    |
| enable_dhcp       | True                                               |
| gateway_ip        | 10.33.101.129                                      |
| host_routes       |                                                    |
| id                | fc1f55de-9c4d-4d2b-8934-e54690fd80f9               |
:
$ nova boot --image cc58808c-5f2c-4133-8177-4568d3e9ad83 --flavor m1.tiny --nic net-id=5463f934-ed66-49b4-b4c6-2769ecd19b12 vm-test-1
$ nova boot --image cc58808c-5f2c-4133-8177-4568d3e9ad83 --flavor m1.tiny --nic net-id=5463f934-ed66-49b4-b4c6-2769ecd19b12 vm-test-2
$ nova list
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| ID                                   | Name      | Status | Task State | Power State | Networks               |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| 6495b5e4-0bf0-45e4-b706-9b5939b3d035 | vm-test-1 | ACTIVE | -          | Running     | net-test=10.33.101.130 |
| 274c0da6-403e-42da-9d07-58022f298814 | vm-test-2 | ACTIVE | -          | Running     | net-test=10.33.101.132 |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
$ neutron lb-pool-create --lb-method ROUND_ROBIN --name lb-test --protocol TCP --subnet-id fc1f55de-9c4d-4d2b-8934-e54690fd80f9
$ neutron lb-member-create --address 10.33.101.130 --protocol-port 80 lb-test
$ neutron lb-member-create --address 10.33.101.132 --protocol-port 80 lb-test
$ neutron lb-vip-create --name vip-test --address 10.33.101.129 --protocol-port 80 --protocol TCP --subnet-id fc1f55de-9c4d-4d2b-8934-e54690fd80f9 lb-test
$ neutron lb-vip-list
+--------------------------------------+----------+---------------+----------+----------------+--------+
| id                                   | name     | address       | protocol | admin_state_up | status |
+--------------------------------------+----------+---------------+----------+----------------+--------+
| 95dbf2b6-205c-40de-a8a6-f8a7bc34ecda | vip-test | 10.33.101.129 | TCP      | True           | ACTIVE |
+--------------------------------------+----------+---------------+----------+----------------+--------+
For a neutron network whose gateway IP is associated with a neutron port, neutron raises an IpAddressInUse exception and does not allow the user to configure the gateway IP as an LB VIP, as this gateway IP is already used by another port.
$ neutron lb-vip-create --name vip-test --address 192.168.55.1 --protocol-port 80 --protocol TCP --subnet-id e609183f-c423-4916-be22-bbd2f981e534 lb-test
Unable to complete operation for network 5c614a70-ff72-48c4-a6e7-925df96e168c. The IP address 192.168.55.1 is in use.
neutron/db/db_base_plugin_v2.py
    def _test_fixed_ips_for_port(self, context, network_id, fixed_ips,
                                 device_owner):
        :
            if 'ip_address' in fixed:
                # Ensure that the IP's are unique
                if not NeutronDbPluginV2._check_unique_ip(context, network_id,
                                                          subnet_id,
                                                          fixed['ip_address']):
                    raise n_exc.IpAddressInUse(net_id=network_id,
                                               ip_address=fixed['ip_address'])
** Affects: neutron
Importance: Undecided
Assignee: Pauline Yeung (yeungp)
Status: In Progress
** Tags: api lbaas
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1391059
Title:
Assign gateway IP to LB VIP would disrupt traffic
Status in OpenStack Neutron (virtual network service):
In Progress
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1391059/+subscriptions
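The check this report asks for, as an added example that is not part of the original report and is not neutron code: a pre-create validation that compares the requested VIP address with the subnet's gateway_ip even when no port holds it, plus an audit over existing VIPs. The function names, the GatewayConflict exception and the dict shapes (modelled on the CLI output above) are assumptions.

```python
import ipaddress


class GatewayConflict(ValueError):
    """Requested VIP equals the subnet gateway IP (hypothetical exception)."""


def check_vip_address(subnet, address, port_ips=()):
    """Reject a VIP address that collides with a port or the subnet gateway.

    subnet: dict with 'cidr' and 'gateway_ip', as in subnet-create output.
    port_ips: addresses already held by neutron ports on the subnet.
    """
    vip = ipaddress.ip_address(address)
    if vip not in ipaddress.ip_network(subnet["cidr"]):
        raise ValueError("%s is outside %s" % (vip, subnet["cidr"]))
    # A uniqueness check only sees addresses that have a port ...
    if vip in {ipaddress.ip_address(ip) for ip in port_ips}:
        raise ValueError("The IP address %s is in use." % vip)
    # ... so the gateway must be compared explicitly: behind a hardware
    # router, no neutron port holds gateway_ip.
    gateway = subnet.get("gateway_ip")
    if gateway and vip == ipaddress.ip_address(gateway):
        raise GatewayConflict("%s is the gateway IP of the subnet" % vip)
    return str(vip)


def find_gateway_vips(subnets, vips):
    """Audit existing VIPs: ids of VIPs that sit on their subnet's gateway IP."""
    gateways = {s["id"]: ipaddress.ip_address(s["gateway_ip"])
                for s in subnets if s.get("gateway_ip")}
    return [v["id"] for v in vips
            if gateways.get(v["subnet_id"]) == ipaddress.ip_address(v["address"])]


# Constructed sample data, using the values shown in the report above.
SUBNET = {"id": "fc1f55de-9c4d-4d2b-8934-e54690fd80f9",
          "cidr": "10.33.101.128/25", "gateway_ip": "10.33.101.129"}
VIP = {"id": "95dbf2b6-205c-40de-a8a6-f8a7bc34ecda",
       "address": "10.33.101.129", "subnet_id": SUBNET["id"]}

if __name__ == "__main__":
    print(find_gateway_vips([SUBNET], [VIP]))
```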