← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #68428

[Bug 1722584] [NEW] Return traffic from metadata service may get dropped by hypervisor due to wrong checksum

  Thread PreviousDate PreviousThread Next 
Public bug reported:

We have a problem with the metadata service not being responsive, when
the proxied in the router namespace on some of our networking nodes
after upgrading to Ocata (Running on CentOS 7.4, with the RDO packages).


Instance routes traffic to 169.254.169.254 to it's default gateway.
Default gateway is an OpenStack router in a namespace on a networking node.

- Traffic gets sent from the guest,
- to the router,
- iptables routes it to the metadata proxy service,
- response packet gets routed back, leaving the namespace
- Hypervisor gets the packet in
- Checksum of packet is wrong, and the packet gets dropped before putting it on the bridge


Based on the following bug https://bugs.launchpad.net/openstack-ansible/+bug/1483603, we found that adding the following iptable rule in the router namespace made this work again: 'iptables -t mangle -I POSTROUTING -p tcp --sport 9697 -j CHECKSUM --checksum-fill'

(NOTE: The rule from the 1st comment to the bug did solve access to the
metadata service, but the lack of precision introduced other problems
with the network)

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1722584

Title:
  Return traffic from metadata service may get dropped by hypervisor due
  to wrong checksum

Status in neutron:
  New

Bug description:
  We have a problem with the metadata service not being responsive, when
  the proxied in the router namespace on some of our networking nodes
  after upgrading to Ocata (Running on CentOS 7.4, with the RDO
  packages).

  
  Instance routes traffic to 169.254.169.254 to it's default gateway.
  Default gateway is an OpenStack router in a namespace on a networking node.

  - Traffic gets sent from the guest,
  - to the router,
  - iptables routes it to the metadata proxy service,
  - response packet gets routed back, leaving the namespace
  - Hypervisor gets the packet in
  - Checksum of packet is wrong, and the packet gets dropped before putting it on the bridge

  
  Based on the following bug https://bugs.launchpad.net/openstack-ansible/+bug/1483603, we found that adding the following iptable rule in the router namespace made this work again: 'iptables -t mangle -I POSTROUTING -p tcp --sport 9697 -j CHECKSUM --checksum-fill'

  (NOTE: The rule from the 1st comment to the bug did solve access to
  the metadata service, but the lack of precision introduced other
  problems with the network)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1722584/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next