
yahoo-eng-team team mailing list archive

[Bug 1626010] [NEW] Connectivity problem on trunk parent with MAC reuse and openvswitch firewall driver

 

Public bug reported:

It seems we have a case where the openvswitch firewall driver and the
use of trunks interfere with each other. I tried using the parent's MAC
address for a subport, like this:

 openstack network create net0
 openstack network create net1
 openstack subnet create --network net0 --subnet-range 10.0.4.0/24 subnet0
 openstack subnet create --network net1 --subnet-range 10.0.5.0/24 subnet1
 openstack port create --network net0 port0
 parent_mac="$( openstack port show port0 | awk '/ mac_address / { print $4 }' )"
 openstack port create --network net1 --mac-address "$parent_mac" port1
 openstack network trunk create --parent-port port0 --subport port=port1,segmentation-type=vlan,segmentation-id=101 trunk0
 openstack server create --flavor cirros256 --image cirros-0.3.4-x86_64-uec --nic port-id=port0 --key-name key0 --wait vm0

Then all packets are lost on the trunk's parent port:

 $ openstack server show vm0 | egrep addresses.*net0
 | addresses                            | net0=10.0.4.6                                                  |
 $ sudo ip netns exec "qdhcp-$( openstack network show net0 | awk '/ id / { print $4 }' )" ping -c3 10.0.4.6
 WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
 PING 10.0.4.6 (10.0.4.6) 56(84) bytes of data.
 
 --- 10.0.4.6 ping statistics ---
 3 packets transmitted, 0 received, 100% packet loss, time 2016ms

If I change the firewall_driver to noop and redo the same I have
connectivity.

If I still have the openvswitch firewall_driver but I don't explicitly
set the subport MAC, but let neutron automatically assign one, then
again I have connectivity.

devstack version: 81d89cf
neutron version: 60010a8

relevant parts of local.conf:

 [[local|localrc]]
 enable_service neutron-api
 enable_service neutron-l3
 enable_service neutron-agent
 enable_service neutron-dhcp
 enable_service neutron-metadata-agent
 
 [[post-config|$NEUTRON_CONF]]
 [DEFAULT]
 service_plugins = router,trunk
 
 [[post-config|$NEUTRON_PLUGIN_CONF]]
 [securitygroup]
 firewall_driver = openvswitch

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1626010
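
An added example, not part of the original report or of neutron's code: a check that scans a trunk and port inventory for the condition reported above, a subport that carries its trunk parent's MAC. The dict keys follow Neutron's port and trunk API fields; the function names and the inventory are constructed for illustration.

```python
# Added example: flag trunk subports that reuse the parent port's MAC.
# Keys follow the Neutron API (port: id, mac_address; trunk: name, port_id,
# sub_ports[].port_id). The inventory below is constructed sample data.

def normalize_mac(mac):
    """Canonical form so 'FA-16-3E-..' and 'fa:16:3e:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_mac_reuse(trunks, ports):
    """Return (trunk name, parent port id, subport id, mac) for every
    subport whose MAC equals the MAC of its trunk's parent port."""
    macs = {p["id"]: normalize_mac(p["mac_address"]) for p in ports}
    findings = []
    for trunk in trunks:
        parent_id = trunk["port_id"]
        parent_mac = macs.get(parent_id)
        if parent_mac is None:
            continue  # parent missing from the inventory: nothing to compare
        for sub in trunk.get("sub_ports", []):
            if macs.get(sub["port_id"]) == parent_mac:
                findings.append(
                    (trunk["name"], parent_id, sub["port_id"], parent_mac))
    return findings


# Constructed inventory: trunk0 mirrors the setup in the report (port1 was
# created with port0's MAC), trunk1 uses distinct MACs.
PORTS = [
    {"id": "port0-id", "mac_address": "fa:16:3e:00:00:01"},
    {"id": "port1-id", "mac_address": "FA:16:3E:00:00:01"},
    {"id": "port2-id", "mac_address": "fa:16:3e:00:00:02"},
    {"id": "port3-id", "mac_address": "fa:16:3e:00:00:03"},
]
TRUNKS = [
    {"name": "trunk0", "port_id": "port0-id", "sub_ports": [
        {"port_id": "port1-id", "segmentation_type": "vlan",
         "segmentation_id": 101}]},
    {"name": "trunk1", "port_id": "port2-id", "sub_ports": [
        {"port_id": "port3-id", "segmentation_type": "vlan",
         "segmentation_id": 102}]},
]

if __name__ == "__main__":
    for name, parent, sub, mac in find_mac_reuse(TRUNKS, PORTS):
        print(f"{name}: subport {sub} reuses parent {parent} MAC {mac}")
```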

