yahoo-eng-team team mailing list archive
Message #85636
[Bug 1916761] Re: [dvr] bound port permanent arp entries never deleted
This bug was fixed in the package neutron - 2:17.1.0+git2021012815.0fb63f7297-0ubuntu4~cloud0
---------------
neutron (2:17.1.0+git2021012815.0fb63f7297-0ubuntu4~cloud0) focal-wallaby; urgency=medium
.
* New update for the Ubuntu Cloud Archive.
.
neutron (2:17.1.0+git2021012815.0fb63f7297-0ubuntu4) hirsute; urgency=medium
.
* d/p/revert-dvr-remove-control-plane-arp-updates.patch: Cherry-picked
from https://review.opendev.org/c/openstack/neutron/+/777903 to prevent
permanent arp entries that never get deleted (LP: #1916761).
** Changed in: cloud-archive
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1916761
Title:
[dvr] bound port permanent arp entries never deleted
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive train series:
Fix Committed
Status in Ubuntu Cloud Archive ussuri series:
Fix Committed
Status in Ubuntu Cloud Archive victoria series:
Fix Released
Status in neutron:
Fix Released
Status in neutron package in Ubuntu:
Fix Released
Status in neutron source package in Focal:
Fix Released
Status in neutron source package in Groovy:
Fix Released
Status in neutron source package in Hirsute:
Fix Released
Bug description:
[Impact]
See original bug description but in short commit b3a42cddc5 removed all
the arp management code in favour of using the arp_responder but missed
the fact that DVR floating ips don't use the arp_responder. As a
result it was possible to end up with permanent arp entries in qrouter
namespaces such that if you created a new port with the same IP as
that of a previous port for which there is an arp entry, associating a
fip with that port would never be accessible until that arp entry was
manually deleted. This patch adds the reverted code back in.
[Test Plan]
* deploy OpenStack Train/Ussuri/Victoria
* create port P1 with address A1 and create vm on node C1 with this port
* associate floating ip with P1 and ping it
* observe REACHABLE or PERMANENT arp entry for A1 in qrouter arp cache
* delete vm and port
* ensure arp entry for A1 in qrouter arp cache is deleted
* create port P2 with address A1 and create vm on node C1 with this port
* associate floating ip with P2 and ping it
[Where problems could occur]
No problems anticipated from re-introducing this code. Of course this
code uses RPC notifications and as a result will incur some extra amqp
load but is not anticipated to be a problem and it was not considered
a problem when the code existed prior to removal.
--------------------------------------------------------------------------
With OpenStack Ussuri using dvr-snat I do the following:
* create port P1 with address A1 and create vm on node C1 with this port
* associate floating ip with P1 and ping it
* observe REACHABLE arp entry for A1 in qrouter arp cache
* so far so good
* restart the neutron-l3-agent
* observe REACHABLE arp entry for A1 is now PERMANENT
* delete vm and port
* create port P2 with address A1 and create vm on node C1 with this port
* vm is unreachable since arp cache contains PERMANENT entry for old port P1 mac/ip combo
If I don't restart the l3-agent, once I have deleted the port its arp
entry goes REACHABLE -> STALE and will either be replaced or timeout
as expected but once it is set to PERMANENT it will never disappear
which means any future use of that ip address (by a port with a
different mac) will not work until that entry is manually deleted.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1916761/+subscriptions
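The test-plan step "ensure arp entry for A1 in qrouter arp cache is deleted", as an added example that is not part of the original bug report or of neutron: it parses `ip neigh show` output taken inside a qrouter namespace and flags PERMANENT entries whose IP no longer belongs to a port with that MAC. The sample output, the port map and the function names are constructed for illustration.

```python
# Added example: find stale PERMANENT neighbour entries in a qrouter namespace.
# Real input would come from: ip netns exec qrouter-<router-id> ip neigh show

# Constructed sample output (interface name, IPs and MACs are made up).
SAMPLE_NEIGH = """\
10.0.0.5 dev qr-1a2b3c4d-5e lladdr fa:16:3e:11:11:11 PERMANENT
10.0.0.6 dev qr-1a2b3c4d-5e lladdr fa:16:3e:22:22:22 REACHABLE
10.0.0.7 dev qr-1a2b3c4d-5e lladdr fa:16:3e:33:33:33 PERMANENT
10.0.0.8 dev qr-1a2b3c4d-5e lladdr fa:16:3e:44:44:44 STALE
10.0.0.9 dev qr-1a2b3c4d-5e  FAILED
10.0.0.10 dev qr-1a2b3c4d-5e lladdr fa:16:3e:55:55:55 PERMANENT
"""

# Constructed map of ports that exist right now: fixed IP -> MAC.
CURRENT_PORTS = {
    "10.0.0.5": "FA:16:3E:AA:AA:AA",  # new port P2 reusing address A1
    "10.0.0.6": "fa:16:3e:22:22:22",
    "10.0.0.7": "fa:16:3e:33:33:33",
}


def parse_neigh(text):
    """Parse `ip neigh show` lines into dicts; entries without lladdr get mac=None."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # skip blank or unexpected lines
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        entries.append({"ip": tok[0], "dev": tok[2], "mac": mac, "state": tok[-1]})
    return entries


def stale_permanent(entries, ports):
    """Return PERMANENT entries whose IP has no port or a port with another MAC."""
    findings = []
    for e in entries:
        if e["state"] != "PERMANENT":
            continue  # REACHABLE/STALE entries age out on their own
        expected = ports.get(e["ip"])
        if expected is None:
            findings.append((e["ip"], e["dev"], e["mac"], "no port owns this IP"))
        elif expected.lower() != e["mac"]:
            findings.append((e["ip"], e["dev"], e["mac"], "port has a different MAC"))
    return findings


if __name__ == "__main__":
    for ip, dev, mac, why in stale_permanent(parse_neigh(SAMPLE_NEIGH), CURRENT_PORTS):
        print(f"{ip} on {dev} pinned to {mac}: {why}")
```

A PERMANENT entry that matches a live port (10.0.0.7 in the sample) is not reported, since the restored control-plane ARP code installs such entries on purpose.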