yahoo-eng-team team mailing list archive
Message #73354
[Bug 1773999] Re: Allowed Address Pairs doesn’t work after neutron-port update
Reviewed: https://review.openstack.org/572168
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f98f239a15d68344f84ca755dd8a55698d528b1c
Submitter: Zuul
Branch: master
commit f98f239a15d68344f84ca755dd8a55698d528b1c
Author: Swaminathan Vasudevan <SVasudevan@xxxxxxxx>
Date: Mon Jun 4 16:57:00 2018 +0000
Revert "DVR: Fix allowed_address_pair IP, ARP table update by neutron agent"
This reverts commit fbe308bdc12191c187343b5ef103dea9af738380.
This does not help the ARP update for the unbound Allowed-address-pair
IP, since the temporary ARP update (NUD: reachable) goes to incomplete
state when the router tries to re-ARP for the IP, before it responds to
a VM, since DVR routers do not allow the ARP requests to flow through
the br-tun.
Closes-bug: #1773999
Change-Id: I9977c8cbbbc1e68565249e7f80c59319fe967300
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1773999
Title:
Allowed Address Pairs doesn’t work after neutron-port update
Status in neutron:
Fix Released
Bug description:
Before the patch of https://review.openstack.org/#/c/550676/ it was possible to mitigate the issue of allowed-address pairs and DVR by neutron-port update.
After applying the patch above, reachability of the virtual IP is only given for around 20 to 30 seconds until the ARP cache is timed out, since it doesn’t seem that the GARP is reaching DVR routers other than the local one to update the ARP entry in all router namespaces.
Steps to reproduce:
1. Create two networks with one subnet each and connect them to a router
2. Spawn three instances on three different (DVR enabled) compute nodes. Two in the same subnet, one in the other.
3. Install and enable keepalived on the instances which are in the same subnet
4. Start a ping from the third instance in different subnet to the virtual IP
5. Failover from the active to the standby instance
6. Ping will stop
7. Neutron port-update --allowed-address-pair ip_address=<ip> <port-id>
8. Ping will start for 20 – 30 seconds and stop
9. After sending a port update ping will work for some seconds again
When reverting the patch, ping will stay stable after a neutron port-update.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1773999/+subscriptions