
yahoo-eng-team team mailing list archive

[Bug 1722584] Re: Return traffic from metadata service may get dropped by hypervisor due to wrong checksum

 

Reviewed:  https://review.openstack.org/510989
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ed1c3b021751273e427d47fcf544c56bdabf97bb
Submitter: Zuul
Branch:    master

commit ed1c3b021751273e427d47fcf544c56bdabf97bb
Author: Brian Haley <bhaley@xxxxxxxxxx>
Date:   Tue Oct 10 14:36:33 2017 -0400

    Checksum-fill proxied metadata replies
    
    Sometimes a proxied metadata reply can be dropped by
    the hypervisor because of an invalid checksum.  Always
    fill-in the checksum just like we do for DHCP replies.
    
    Change-Id: I46987da3bf05577ff0a51a490f26cf2be3c3c266
    Closes-bug: #1722584


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1722584

Title:
  Return traffic from metadata service may get dropped by hypervisor due
  to wrong checksum

Status in neutron:
  Fix Released

Bug description:
  We have a problem with the metadata service not being responsive, when
  proxied in the router namespace on some of our networking nodes
  after upgrading to Ocata (Running on CentOS 7.4, with the RDO
  packages).

  
  Instance routes traffic to 169.254.169.254 to its default gateway.
  Default gateway is an OpenStack router in a namespace on a networking node.

  - Traffic gets sent from the guest,
  - to the router,
  - iptables routes it to the metadata proxy service,
  - response packet gets routed back, leaving the namespace
  - Hypervisor gets the packet in
  - Checksum of packet is wrong, and the packet gets dropped before putting it on the bridge

  
  Based on the following bug https://bugs.launchpad.net/openstack-ansible/+bug/1483603, we found that adding the following iptables rule in the router namespace made this work again: 'iptables -t mangle -I POSTROUTING -p tcp --sport 9697 -j CHECKSUM --checksum-fill'

  (NOTE: The rule from the 1st comment to the bug did solve access to
  the metadata service, but the lack of precision introduced other
  problems with the network)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1722584/+subscriptions
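
Added example (not part of the bug report or the neutron commit): a receiver-side TCP checksum check over a constructed metadata reply, and the software fill that a CHECKSUM --checksum-fill rule performs. It assumes the bad checksum is a partial one left for offload hardware that never completed it; the report does not state the cause, and all addresses, ports and payload are constructed.

```python
import socket
import struct


def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), folded but not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, tcp_len))


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """What a validating receiver does: the sum over everything must be 0xFFFF."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def checksum_fill(src: str, dst: str, segment: bytes) -> bytes:
    """Compute the full checksum in software and write it at header offset 16."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = ~ones_sum(pseudo_header(src, dst, len(zeroed)) + zeroed) & 0xFFFF
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]


def build_unfilled_reply(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed segment whose checksum field holds only the pseudo-header
    sum, the state assumed here for a packet awaiting checksum offload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                      5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    partial = ones_sum(pseudo_header(src, dst, len(seg)))
    return seg[:16] + struct.pack("!H", partial) + seg[18:]


if __name__ == "__main__":
    src, dst = "169.254.169.254", "10.0.0.5"   # constructed sample values
    seg = build_unfilled_reply(src, dst, 80, 49152, b"HTTP/1.1 200 OK\r\n\r\n")
    print("unfilled valid:", tcp_checksum_ok(src, dst, seg))
    print("filled valid:  ", tcp_checksum_ok(src, dst, checksum_fill(src, dst, seg)))
```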

