
yahoo-eng-team team mailing list archive

[Bug 1658460] Re: Duplicate metadata iptables rules in HA router


Reviewed:  https://review.openstack.org/423804
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1257a3f203aacfbbe16c1afa79893b8b990a1a57
Submitter: Jenkins
Branch:    master

commit 1257a3f203aacfbbe16c1afa79893b8b990a1a57
Author: Quan Tian <tianquan@xxxxxxxxxx>
Date:   Sun Jan 22 16:49:24 2017 +0800

    Don't add duplicate metadata rules after router update
    
    For a HA router, when it's updated, the l3 agents which are standby
    always call the after_router_added method, then duplicate metadata
    rules are added to iptables table. Although these rules will not be
    applied to system because of the _weed_out_duplicates method, they will
    grow linearly with router update operations.
    
    Because these metadata rules are added once router is added to the agent
    and will not be cleaned until router is removed, calling the add_rule
    method in after_router_updated is a waste.
    
    This patch removes adding metadata rules in after_router_updated.
    
    Change-Id: I6650f1071499ed6cabd936bb0fb36b32a4b60bca
    Closes-Bug: #1658460


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1658460

Title:
  Duplicate metadata iptables rules in HA router

Status in neutron:
  Fix Released

Bug description:
  For a HA router, when it's updated, the l3 agents which are standby
  would always call the after_router_added method, because only the
  active node spawns the monitored metadata proxy. Then duplicate metadata
  rules are added to iptables table. Although these rules will not be
  applied to system because of the _weed_out_duplicates method, they
  will grow linearly with router update operations. For example, 10
  updates result in 4*10 duplicate rules.

  How to reproduce:
  1. create a ha router
  2. update the router in any way, ex: do router-gateway-set and router-gateway-clear repeatedly
  3. on standby l3 agents, you can see the warnings:
  2017-01-22 15:53:47.632 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
  2017-01-22 15:53:47.633 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
  2017-01-22 15:53:47.634 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP
  2017-01-22 15:53:47.634 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT
  2017-01-22 15:53:47.635 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff
  2017-01-22 15:53:47.636 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffff
  2017-01-22 15:53:47.637 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
  2017-01-22 15:53:47.637 WARNING neutron.agent.linux.iptables_manager [-] Duplicate iptables rule detected. This may indicate a bug in the the iptables rule generation code. Line: -A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
  4. the warnings grow linearly with router update times.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1658460/+subscriptions
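The following Python is an added illustration of the mechanism described in the report and commit above; it is not neutron's code and was not part of the original bug or patch. It uses a hypothetical RuleTable stand-in for the per-chain rule lists in neutron's IptablesManager, with an apply-time dedup modelled on the _weed_out_duplicates behaviour the report describes (first occurrence kept, a warning per repeat). The four rules are the ones quoted in the reporter's warnings; the sample log lines are constructed in that format. simulate() runs a standby agent through one router add plus N router updates, with and without the fix, and count_duplicate_warnings() turns agent log lines into a per-rule count, which is the quickest way to tell how far the list has grown on a running standby agent.

```python
"""Model of the duplicate metadata rule accumulation from bug 1658460.

Added example, not neutron's own code. RuleTable, simulate and
count_duplicate_warnings are hypothetical names chosen for this
illustration; the rules and log format come from the bug report.
"""
from collections import Counter

# The four metadata-proxy rules quoted in the report, as (chain, rule body).
METADATA_RULES = [
    ("INPUT", "-p tcp -m tcp --dport 9697 -j DROP"),
    ("INPUT", "-m mark --mark 0x1/0xffff -j ACCEPT"),
    ("PREROUTING", "-d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 "
                   "-j MARK --set-xmark 0x1/0xffff"),
    ("PREROUTING", "-d 169.254.169.254/32 -i qr-+ -p tcp -m tcp --dport 80 "
                   "-j REDIRECT --to-ports 9697"),
]

WARNING_TEXT = ("Duplicate iptables rule detected. This may indicate a bug "
                "in the iptables rule generation code. Line: ")


class RuleTable:
    """Hypothetical stand-in for the in-memory rule lists of IptablesManager."""

    def __init__(self):
        self.rules = []      # (chain, rule) in insertion order; never deduped here
        self.warnings = []   # one entry per duplicate seen at apply time

    def add_rule(self, chain, rule):
        # add_rule only appends; nothing stops the same rule being added twice.
        self.rules.append((chain, rule))

    def weed_out_duplicates(self):
        """Apply-time dedup: keep the first copy of each line, warn on repeats."""
        seen = set()
        kept = []
        for chain, rule in self.rules:
            line = "-A neutron-l3-agent-%s %s" % (chain, rule)
            if line in seen:
                self.warnings.append(WARNING_TEXT + line)
                continue
            seen.add(line)
            kept.append((chain, rule))
        return kept


def add_metadata_rules(table):
    for chain, rule in METADATA_RULES:
        table.add_rule(chain, rule)


def simulate(updates, fixed):
    """One standby agent: router added, then `updates` router updates.

    fixed=False re-adds the metadata rules on every update, as the standby
    agents did before the patch; fixed=True adds them once, on router add.
    Returns the stored, applied and warning counts after a single apply.
    """
    table = RuleTable()
    add_metadata_rules(table)           # after_router_added path
    for _ in range(updates):
        if not fixed:
            add_metadata_rules(table)   # buggy after_router_updated re-add
    applied = table.weed_out_duplicates()
    return {"stored": len(table.rules),
            "applied": len(applied),
            "warnings": len(table.warnings)}


def count_duplicate_warnings(log_lines):
    """Per-rule count of 'Duplicate iptables rule detected' warnings."""
    counts = Counter()
    for line in log_lines:
        if "Duplicate iptables rule detected" not in line:
            continue
        _, _, rule = line.partition(" Line: ")
        counts[rule.strip()] += 1
    return counts


# Constructed sample, in the format of the warnings quoted in the report.
SAMPLE_LOG = [
    "2017-01-22 15:53:47.632 WARNING neutron.agent.linux.iptables_manager [-] "
    + WARNING_TEXT + "-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP",
    "2017-01-22 15:53:47.633 WARNING neutron.agent.linux.iptables_manager [-] "
    + WARNING_TEXT + "-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT",
    "2017-01-22 15:53:47.634 WARNING neutron.agent.linux.iptables_manager [-] "
    + WARNING_TEXT + "-A neutron-l3-agent-INPUT -p tcp -m tcp --dport 9697 -j DROP",
    "2017-01-22 15:53:47.634 WARNING neutron.agent.linux.iptables_manager [-] "
    + WARNING_TEXT + "-A neutron-l3-agent-INPUT -m mark --mark 0x1/0xffff -j ACCEPT",
    "2017-01-22 15:53:47.640 INFO neutron.agent.l3.agent [-] router updated",
]


if __name__ == "__main__":
    print("before fix, 10 updates:", simulate(10, fixed=False))
    print("after fix, 10 updates: ", simulate(10, fixed=True))
    for rule, n in count_duplicate_warnings(SAMPLE_LOG).items():
        print(n, "duplicate(s) of", rule)
```

With 10 updates the unfixed path stores 44 rules and emits 40 warnings while the kernel still receives the same four rules, which is the "4*10 duplicate rules" figure in the report; the fixed path stores exactly four. Because dedup only happens at apply time, the number of warnings per rule on a standby agent equals the number of router updates since the router was added, so counting warnings per rule from the agent log is enough to confirm the bug on a live node without inspecting agent memory.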
