
yahoo-eng-team team mailing list archive

[Bug 1773999] [NEW] Allowed Address Pairs doesn’t work after neutron-port update

 

Public bug reported:

Before the patch of https://review.openstack.org/#/c/550676/ it was possible to mitigate the issue of allowed-address pairs and DVR by neutron-port update. 
After applying the patch above, reachability of the virtual IP is only given for around 20 to 30 seconds until the ARP cache is timed out. It doesn’t seem that the GARP is reaching DVR routers other than the local one to update the ARP entry in all router namespaces.

Steps to reproduce:
1.	Create two networks with one subnet each and connect them to a router
2.	Spawn three instances on three different (DVR enabled) compute nodes. Two in the same subnet, one in the other.
3.	Install and enable keepalived on the instances which are in the same subnet
4.	Start a ping from the third instance in the different subnet to the virtual IP
5.	Failover from the active to the standby instance
6.	Ping will stop
7.	Neutron port-update --allowed-address-pair ip_address=<ip> <port-id>
8.	Ping will start for 20 – 30 seconds and stop
9.	After sending a port update ping will work for some seconds again

When reverting the patch, ping will stay stable after a neutron port-update.

** Affects: neutron
     Importance: Undecided
     Assignee: Boris (boris-maeck)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1773999

Title:
  Allowed Address Pairs doesn’t work after neutron-port update

Status in neutron:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1773999/+subscriptions
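
A way to see which router namespaces missed the GARP after a failover, as an added example that is not part of the original bug report: it compares the neighbour entry for the virtual IP in `ip neigh show` output captured from each compute node's router namespace against the MAC of the instance that currently holds the VIP. The captures, node names, addresses and function names are constructed for illustration.

```python
# Added example: constructed data, hypothetical node names, IPs and MACs.
VIP = "10.0.1.100"
ACTIVE_MAC = "fa:16:3e:00:00:02"  # port MAC of the instance that now holds the VIP

# Constructed `ip neigh show` output, one capture per compute node, taken
# inside that node's router namespace.
SAMPLE = {
    "compute-1": "10.0.1.11 dev qr-aaaa1111-11 lladdr fa:16:3e:00:00:01 STALE\n"
                 "10.0.1.100 dev qr-aaaa1111-11 lladdr fa:16:3e:00:00:02 REACHABLE\n",
    "compute-2": "10.0.1.100 dev qr-aaaa1111-11 lladdr fa:16:3e:00:00:01 STALE\n",
    "compute-3": "10.0.1.100 dev qr-aaaa1111-11 FAILED\n",
}


def parse_neigh(text):
    """Parse `ip neigh show` output into {ip: (mac or None, state)}."""
    table = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        # FAILED / INCOMPLETE entries carry no "lladdr <mac>" pair.
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok[:-1] else None
        table[tok[0]] = (mac, tok[-1])  # the last token is the NUD state
    return table


def check_vip(namespaces, vip, active_mac):
    """Return {node: 'ok' | 'stale' | 'unresolved'} for the VIP's entry."""
    result = {}
    for node, text in namespaces.items():
        mac, _state = parse_neigh(text).get(vip, (None, "MISSING"))
        if mac is None:
            result[node] = "unresolved"  # no usable entry for the VIP
        elif mac == active_mac.lower():
            result[node] = "ok"          # namespace learned the new owner
        else:
            result[node] = "stale"       # still points at the former owner
    return result


if __name__ == "__main__":
    for node, verdict in sorted(check_vip(SAMPLE, VIP, ACTIVE_MAC).items()):
        print(f"{node}: {verdict}")
```

Running the check right after the failover and again after the port update shows whether only the local router namespace picked up the new MAC.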
