yahoo-eng-team team mailing list archive

[Bug 1391059] [NEW] Assign gateway IP to LB VIP would disrupt traffic

 

Public bug reported:

A neutron network directly connected to a hardware router will have a
gateway IP which does not have a neutron port, while the gateway of a
neutron network connected to a neutron router has a neutron port. In our
production, there were multiple incidents when a user successfully
configured a network gateway IP not associated with a neutron port as a
load balancer VIP. In such a scenario, traffic from a VM destined outside
the network may go to the LB VIP instead, and WAN traffic may not be
able to reach VMs in this network.

Neutron server should not allow clients to configure a gateway IP as an LB
VIP, even if this gateway IP is not associated with a neutron port.


The following steps in devstack simulate our production scenario, in which the gateway of a neutron network does not have a port, using:
    ubuntu 14.04
    devstack master e6165e80bab0c06035a0b7002200bcbcfe4e62ab
    neutron master 49234a824c16164a56cbfbf644490d07bb22e241
    python-neutronclient master 9ed73c04aaaedcd8757d1f3ff99669276f069c72


$ neutron net-create net-test
Created a new network:
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| admin_state_up  | True                                 |
| id              | 5463f934-ed66-49b4-b4c6-2769ecd19b12 |
| name            | net-test                             |
:

$ neutron subnet-create --name subnet-test net-test --enable_dhcp=True --gateway=10.33.101.129 10.33.101.128/25
Created a new subnet:
+-------------------+----------------------------------------------------+
| Field             | Value                                              |
+-------------------+----------------------------------------------------+
| allocation_pools  | {"start": "10.33.101.130", "end": "10.33.101.254"} |
| cidr              | 10.33.101.128/25                                   |
| dns_nameservers   |                                                    |
| enable_dhcp       | True                                               |
| gateway_ip        | 10.33.101.129                                      |
| host_routes       |                                                    |
| id                | fc1f55de-9c4d-4d2b-8934-e54690fd80f9               |
:

$ nova boot --image cc58808c-5f2c-4133-8177-4568d3e9ad83 --flavor m1.tiny --nic net-id=5463f934-ed66-49b4-b4c6-2769ecd19b12 vm-test-1
$ nova boot --image cc58808c-5f2c-4133-8177-4568d3e9ad83 --flavor m1.tiny --nic net-id=5463f934-ed66-49b4-b4c6-2769ecd19b12 vm-test-2
$ nova list
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| ID                                   | Name      | Status | Task State | Power State | Networks               |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+
| 6495b5e4-0bf0-45e4-b706-9b5939b3d035 | vm-test-1 | ACTIVE | -          | Running     | net-test=10.33.101.130 |
| 274c0da6-403e-42da-9d07-58022f298814 | vm-test-2 | ACTIVE | -          | Running     | net-test=10.33.101.132 |
+--------------------------------------+-----------+--------+------------+-------------+------------------------+

$ neutron lb-pool-create --lb-method ROUND_ROBIN --name lb-test --protocol TCP --subnet-id fc1f55de-9c4d-4d2b-8934-e54690fd80f9
$ neutron lb-member-create --address 10.33.101.130 --protocol-port 80 lb-test
$ neutron lb-member-create --address 10.33.101.132 --protocol-port 80 lb-test
$ neutron lb-vip-create --name vip-test --address 10.33.101.129 --protocol-port 80 --protocol TCP --subnet-id fc1f55de-9c4d-4d2b-8934-e54690fd80f9 lb-test
$ neutron lb-vip-list
+--------------------------------------+----------+---------------+----------+----------------+--------+
| id                                   | name     | address       | protocol | admin_state_up | status |
+--------------------------------------+----------+---------------+----------+----------------+--------+
| 95dbf2b6-205c-40de-a8a6-f8a7bc34ecda | vip-test | 10.33.101.129 | TCP      | True           | ACTIVE |
+--------------------------------------+----------+---------------+----------+----------------+--------+


For a neutron network whose gateway IP is associated with a neutron port, neutron raises an IpAddressInUse exception and does not allow the user to configure the gateway IP as an LB VIP, as this gateway IP is already used by another port.

$ neutron lb-vip-create --name vip-test --address 192.168.55.1 --protocol-port 80 --protocol TCP --subnet-id e609183f-c423-4916-be22-bbd2f981e534 lb-test
Unable to complete operation for network 5c614a70-ff72-48c4-a6e7-925df96e168c. The IP address 192.168.55.1 is in use.

neutron/db/db_base_plugin_v2.py
    def _test_fixed_ips_for_port(self, context, network_id, fixed_ips,
                                 device_owner):
        :
            if 'ip_address' in fixed:
                # Ensure that the IP's are unique
                if not NeutronDbPluginV2._check_unique_ip(context, network_id,
                                                          subnet_id,
                                                          fixed['ip_address']):
                    raise n_exc.IpAddressInUse(net_id=network_id,
                                               ip_address=fixed['ip_address'])

** Affects: neutron
     Importance: Undecided
     Assignee: Pauline Yeung (yeungp)
         Status: In Progress


** Tags: api lbaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1391059
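
The validation gap described in this report, as an added example that is not part of the original message and is not neutron's code: a port-based uniqueness check accepts the gateway address of a hardware-routed subnet, so a VIP check also has to compare against the subnet's gateway_ip. The names Subnet, check_unique_ip, validate_vip_address and VipIsGatewayIp, and the 192.168.55.0/24 CIDR, are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


class IpAddressInUse(Exception):
    """Stand-in for neutron's n_exc.IpAddressInUse (constructed here)."""


class VipIsGatewayIp(Exception):
    """Hypothetical exception name for the check the report asks for."""


@dataclass
class Subnet:
    cidr: str
    gateway_ip: str
    port_ips: set = field(default_factory=set)  # IPs held by neutron ports


def check_unique_ip(subnet, address):
    """Port-based uniqueness only, the behaviour the report describes."""
    addr = ipaddress.ip_address(address)
    return addr not in {ipaddress.ip_address(ip) for ip in subnet.port_ips}


def validate_vip_address(subnet, address):
    """Reject a VIP that is held by a port OR equals the subnet gateway."""
    addr = ipaddress.ip_address(address)
    if addr not in ipaddress.ip_network(subnet.cidr):
        raise ValueError("%s is outside %s" % (addr, subnet.cidr))
    if not check_unique_ip(subnet, addr):
        raise IpAddressInUse("The IP address %s is in use." % addr)
    # The missing check: with a hardware router the gateway has no port,
    # so compare against subnet.gateway_ip directly (parsed, not as text).
    if subnet.gateway_ip and addr == ipaddress.ip_address(subnet.gateway_ip):
        raise VipIsGatewayIp("%s is the gateway of %s" % (addr, subnet.cidr))
    return str(addr)


# Constructed sample data using the addresses from the report.
HW_ROUTED = Subnet("10.33.101.128/25", "10.33.101.129",
                   {"10.33.101.130", "10.33.101.132"})
# Neutron-routed subnet: the router port holds the gateway IP.
# The /24 prefix is an assumption; the report gives only the address.
NEUTRON_ROUTED = Subnet("192.168.55.0/24", "192.168.55.1", {"192.168.55.1"})
```
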
