yahoo-eng-team team mailing list archive

[Bug 1767422] [NEW] Neutron agent internal ports remain untagged for some time, which makes them trunk ports

 

Public bug reported:

Neutron agent ports are added to br-int without any tag. That makes them
trunk ports (receiving traffic for all VLANs) until
neutron-openvswitch-agent handles them.

Sometimes the ports are left untagged forever, meaning that, for example,
the ha-router HA port will send and receive traffic directly on the external
network (jumps from br-int to br-ex, and also back), or dnsmasq starts
handling DHCP requests on the external network.


Vague details here (it's all we have so far):
This also becomes an issue (still under investigation) with the ovs-vswitchd agent and the revalidator thread (the thread that checks the kernel datapath flows), which under some circumstances gets stuck; for some reason it slows down a lot while analyzing trunk ports, eventually crashing the node on CPU usage.


This is also related to one security lp here: https://bugs.launchpad.net/bugs/1734320

** Affects: neutron
     Importance: High
     Assignee: Miguel Angel Ajo (mangelajo)
         Status: New

** Changed in: neutron
   Importance: Undecided => High

** Changed in: neutron
     Assignee: (unassigned) => Miguel Angel Ajo (mangelajo)

** Changed in: neutron
    Milestone: None => rocky-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1767422
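
A check for the condition this report describes, as an added example that is not part of the bug report or of Neutron's code: it lists br-int ports that have neither a tag nor a trunks list in OVS, which is the state in which a port carries all VLANs. The sample `ovs-vsctl` output, the port names and the `EXPECTED_UNTAGGED` allowlist are constructed assumptions.

```python
import json

# Constructed sample of: ovs-vsctl --format=json --columns=name,tag,trunks list Port
# (all port names below are made up for illustration).
SAMPLE_PORT_TABLE = json.dumps({
    "headings": ["name", "tag", "trunks"],
    "data": [
        ["br-int", ["set", []], ["set", []]],
        ["br-ex", ["set", []], ["set", []]],
        ["phy-br-ex", ["set", []], ["set", []]],
        ["int-br-ex", ["set", []], ["set", []]],
        ["qr-1111aaaa-01", 3, ["set", []]],
        ["ha-2222bbbb-02", ["set", []], ["set", []]],
        ["tap3333cccc-03", ["set", []], ["set", []]],
        ["tap4444dddd-04", 5, ["set", []]],
    ],
})
# Constructed sample of: ovs-vsctl list-ports br-int
SAMPLE_BR_INT_PORTS = (
    "int-br-ex\nqr-1111aaaa-01\nha-2222bbbb-02\ntap3333cccc-03\ntap4444dddd-04\n"
)

# Assumption: ports on br-int that are meant to carry every VLAN on this node.
EXPECTED_UNTAGGED = {"int-br-ex"}


def is_unset(cell):
    """OVSDB JSON renders an empty optional column or set as ["set", []]."""
    return cell == ["set", []]


def untagged_ports(port_table_json, br_int_listing, expected=EXPECTED_UNTAGGED):
    """Names of br-int ports with neither a tag nor a trunks list."""
    on_br_int = set(br_int_listing.split())
    table = json.loads(port_table_json)
    col = {name: i for i, name in enumerate(table["headings"])}
    return [
        row[col["name"]]
        for row in table["data"]
        if row[col["name"]] in on_br_int
        and row[col["name"]] not in expected
        and is_unset(row[col["tag"]])
        and is_unset(row[col["trunks"]])
    ]


if __name__ == "__main__":
    for port in untagged_ports(SAMPLE_PORT_TABLE, SAMPLE_BR_INT_PORTS):
        print(f"untagged port on br-int (trunk for all VLANs): {port}")
```

On a live node the two inputs would come from the `ovs-vsctl` commands named in the comments; a port that stays in the result across repeated runs matches the "left untagged forever" case.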
