
yahoo-eng-team team mailing list archive

[Bug 1767422] Re: Neutron agent internal ports remain untagged for some time, which makes them trunk ports


Reviewed:  https://review.openstack.org/564825
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=88f5e11d8bf820b0124be0f6ec3c2d96011592d9
Submitter: Zuul
Branch:    master

commit 88f5e11d8bf820b0124be0f6ec3c2d96011592d9
Author: Miguel Angel Ajo <majopela@xxxxxxxxxx>
Date:   Fri Apr 27 18:05:48 2018 +0200

    Avoid agents adding ports as trunk by default.
    
    Agent OVS interface code adds ports without a VLAN tag. If
    neutron-openvswitch-agent fails to set the tag, or takes
    too long, the port will be a trunk port, receiving
    traffic from the external network or any other port
    sending traffic on br-int.
    
    Also, those kinds of ports are triggering a code path
    on the ovs-vswitchd revalidator thread which can eventually
    hog the CPU of the host (that's a bug under investigation [1]).
    
    [1] https://bugzilla.redhat.com/show_bug.cgi?id=1558336
    
    Co-Authored-By: Slawek Kaplonski <skaplons@xxxxxxxxxx>
    Change-Id: I024bbbdf7059835b2f23c264b48478c71633a43c
    Closes-Bug: 1767422


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1767422

Title:
  Neutron agent internal ports remain untagged for some time, which
  makes them trunk ports

Status in neutron:
  Fix Released

Bug description:
  Neutron agent ports are added to br-int without any tag. That makes
  them trunk ports (receiving traffic for all VLANs) until neutron-
  openvswitch-agent handles them.

  Sometimes the ports are left untagged forever, meaning that, for
  example, the ha-router HA port will receive traffic directly from the
  external network (it jumps from br-int to br-ex, and also back), or
  dnsmasq receives requests on the external network.

  Outgoing traffic is dropped in br-ex, though.

  Vague details here (it's all we have so far):
  This also becomes an issue (still under investigation) with the ovs-vswitchd agent and the revalidator thread (the thread that checks the kernel datapath flows), which under some circumstances gets stuck: for some reason it slows down a lot while analyzing trunk ports, eventually crashing the node on CPU usage.

  This is also related to a security LP bug here:
  https://bugs.launchpad.net/bugs/1734320

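A defender's check for the condition this bug describes, added here as an example and not code from the neutron project: it parses the output of `ovs-vsctl --format=csv --columns=name,tag list Port` and flags agent ports on br-int that carry no VLAN tag (and so receive traffic for every VLAN). The agent port-name prefixes, the `int-br-` patch-port prefix and the 4095 quarantine tag are assumptions, not values taken from this page.

```python
"""Find OVS ports on br-int that have no VLAN tag and therefore act as trunks."""
import csv
import io
import subprocess

# Constructed sample of `ovs-vsctl --format=csv --columns=name,tag list Port`.
# OVS prints an unset tag as `[]`.
SAMPLE_CSV = """name,tag
ha-3f2a1b9c-12,[]
qr-8a7c2d41-55,7
tap1e2f3a4b-66,[]
qg-9b8c7d6e-77,4095
int-br-ex,[]
"""

# Assumption: prefixes neutron gives its agent-side internal ports (HA, router, DHCP).
AGENT_PREFIXES = ("ha-", "qr-", "qg-", "tap")
# Assumption: patch ports towards provider bridges are legitimately untagged.
EXPECTED_UNTAGGED = ("int-br-",)
# Assumption: "dead" VLAN used to quarantine a port until the agent wires it.
DEAD_VLAN_TAG = 4095


def parse_port_tags(csv_text):
    """Return {port_name: tag_or_None}; `[]` (or empty) means the port is untagged."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tag = row["tag"].strip().strip('"')
        result[row["name"].strip().strip('"')] = None if tag in ("[]", "") else int(tag)
    return result


def untagged_agent_ports(port_tags):
    """Agent ports with no tag: these receive all VLAN traffic on br-int."""
    return sorted(name for name, tag in port_tags.items()
                  if tag is None and name.startswith(AGENT_PREFIXES)
                  and not name.startswith(EXPECTED_UNTAGGED))


def quarantined_ports(port_tags):
    """Ports parked on the dead VLAN: isolated, not yet wired by the agent."""
    return sorted(name for name, tag in port_tags.items() if tag == DEAD_VLAN_TAG)


def collect_port_tags(bridge="br-int"):
    """Live variant: query OVS for the ports of `bridge` (needs ovs-vsctl and root)."""
    names = subprocess.check_output(["ovs-vsctl", "list-ports", bridge], text=True).split()
    out = subprocess.check_output(
        ["ovs-vsctl", "--format=csv", "--columns=name,tag", "list", "Port"] + names, text=True)
    return parse_port_tags(out)


if __name__ == "__main__":
    print("untagged agent ports:", untagged_agent_ports(parse_port_tags(SAMPLE_CSV)))
```

Run it periodically on compute and network nodes; any port it reports after the agent has finished syncing is one whose tag was never applied.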

