← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1916761] Re: [dvr] bound port permanent arp entries never deleted

 

This bug was fixed in the package neutron - 2:17.1.0+git2021012815.0fb63f7297-0ubuntu4~cloud0
---------------

 neutron (2:17.1.0+git2021012815.0fb63f7297-0ubuntu4~cloud0) focal-wallaby; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 neutron (2:17.1.0+git2021012815.0fb63f7297-0ubuntu4) hirsute; urgency=medium
 .
   * d/p/revert-dvr-remove-control-plane-arp-updates.patch: Cherry-picked
     from https://review.opendev.org/c/openstack/neutron/+/777903 to prevent
     permanent arp entries that never get deleted (LP: #1916761).


** Changed in: cloud-archive
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1916761

Title:
  [dvr] bound port permanent arp entries never deleted

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive train series:
  Fix Committed
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Released
Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:
  Fix Released
Status in neutron source package in Focal:
  Fix Released
Status in neutron source package in Groovy:
  Fix Released
Status in neutron source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  See original bug desription but in short commit b3a42cddc5 removed all
  the arp management code in favour of using the arp_reponder but missed
  the fact that DVR floating ips don't use the arp_responder. As a
  result it was possible to end up with permanent arp entries in qrouter
  namespaces such that if you created a new port with the same IP as
  that of a previous port for which there is an arp entry, associating a
  fip with that port would never be accessible until that arp entry was
  manually deleted. This patch adds the reverted code back in.

  [Test Plan]

    * deploy Openstack Train/Ussuri/Victoria
    * create port P1 with address A1 and create vm on node C1 with this port
    * associate floating ip with P1 and ping it
    * observe REACHABLE or PERMANENT arp entry for A1 in qrouter arp cache
    * delete vm and port
    * ensure arp entry for A1 in qrouter arp cache is deleted
    * create port P2 with address A1 and create vm on node C1 with this port
    * associate floating ip with P2 and ping it

  [Where problems could occur]

  No problems anticipated from re-introducing this code. Of course this
  code uses RPC notifications and as a result will incur some extra amqp
  load but is not anticipated to be a problem and it was not considered
  a problem when the code existed prior to removal.

  --------------------------------------------------------------------------

  With Openstack Ussuri using dvr-snat I do the following:

    * create port P1 with address A1 and create vm on node C1 with this port
    * associate floating ip with P1 and ping it
    * observe REACHABLE arp entry for A1 in qrouter arp cache
    * so far so good
    * restart the neutron-l3-agent
    * observe REACHABLE arp entry for A1 is now PERMANENT
    * delete vm and port
    * create port P2 with address A1 and create vm on node C1 with this port
    * vm is unreachable since arp cache contains PERMANENT entry for old port P1 mac/ip combo

  If I don't restart the l3-agent, once I have deleted the port it's arp
  entry does REACHABLE -> STALE and will either be replaced or timeout
  as expected but once it is set to PERMANENT it will never disappear
  which means any future use of that ip address (by a port with a
  different mac) will not work until that entry is manually deleted.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1916761/+subscriptions


References