yahoo-eng-team team mailing list archive

[Bug 1484690] [NEW] Incorrect metadata proxy route via router ip

 

Public bug reported:

A change [1] injected a direct route to the metadata IP through a subnet's
default gateway to avoid Windows MAC resolution [2].

Such a change breaks the following use case (typically used to separate admin/management traffic and user traffic):
  
    enable metadata on dhcp agents
    disable metadata on l3 agents
    create a subnet subnet-usr with a gateway and bind it to a router
    create a subnet subnet-adm without a gateway
    create VMs with an interface on each subnet

because VMs get from subnet-adm the route:

 destination=169.254.169.254,nexthop=dhcp-ip

and from subnet-usr the route:

 destination=169.254.169.254,nexthop=router-ip

so VMs have 2 routes to 169.254.169.254:

  if they use subnet-run route then they get no response (metadata disabled on routers)
  if they use subnet-nsb route then they get a response (metadata enabled on dhcps)


[1] https://review.openstack.org/187431
[2] https://bugs.launchpad.net/neutron/+bug/1460793

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: l3-ipam-dhcp

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1484690
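
The route conflict described in the report, as an added example that is not part of the original bug report or of neutron's code: a simplified model that lists the metadata host routes a multi-homed VM receives and marks the next hops where no metadata proxy answers. The classes, function names and IP addresses are assumptions made for illustration; only the subnet names and 169.254.169.254 come from the report.

```python
from dataclasses import dataclass
from typing import Optional

METADATA_IP = "169.254.169.254"

@dataclass(frozen=True)
class Subnet:
    name: str
    gateway_ip: Optional[str]   # None models a subnet created without a gateway
    dhcp_ip: str                # address of the DHCP agent port on the subnet

@dataclass(frozen=True)
class Route:
    subnet: str
    nexthop: str
    via: str                    # "router" or "dhcp"

def metadata_routes(subnets, dhcp_metadata):
    """Host routes to METADATA_IP a VM receives, one per subnet (simplified model)."""
    routes = []
    for s in subnets:
        if s.gateway_ip is not None:
            # Behaviour the report attributes to change [1]: route via the gateway.
            routes.append(Route(s.name, s.gateway_ip, "router"))
        elif dhcp_metadata:
            routes.append(Route(s.name, s.dhcp_ip, "dhcp"))
    return routes

def audit(subnets, dhcp_metadata, l3_metadata):
    """Split the VM's metadata routes into answered and unanswered next hops."""
    served = {"router": l3_metadata, "dhcp": dhcp_metadata}
    routes = metadata_routes(subnets, dhcp_metadata)
    live = [r for r in routes if served[r.via]]
    dead = [r for r in routes if not served[r.via]]
    # Conflict: the guest's route selection decides whether metadata is reachable.
    return {"live": live, "dead": dead, "conflict": bool(live and dead)}

# Constructed addresses for the two subnets named in the report.
VM_SUBNETS = [
    Subnet("subnet-usr", gateway_ip="10.0.1.1", dhcp_ip="10.0.1.2"),
    Subnet("subnet-adm", gateway_ip=None, dhcp_ip="10.0.2.2"),
]

if __name__ == "__main__":
    result = audit(VM_SUBNETS, dhcp_metadata=True, l3_metadata=False)
    for r in result["live"] + result["dead"]:
        state = "answers" if r in result["live"] else "NO RESPONSE"
        print(f"destination={METADATA_IP},nexthop={r.nexthop} ({r.subnet}): {state}")
    print("conflict:", result["conflict"])
```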
