← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1924765] [NEW] [ovn] fip assignment to instance via router with snat disabled is broken

 

Public bug reported:

Ubuntu: 20.04
OpenStack: Ussuri
Networking: OVN (20.03.x)

Network topology:

Geneve overlay network for project networks, router has snat disabled
and the project network and the external network are all in the same
address scope and subnet pool.  OVN routers are simply acting as L3
routers and instances on the project network can be directly accessed by
the address assigned to their port (with appropriate route configuration
in the outside of openstack world).

Issue:

Its possible to create and then associate a floating IP on the external
network with an instance attached to the project network - however this
does not work - access to the instance via the FIP is broken, as is
access to its fixed IP (when this worked OK before).

Thoughts:

The concept of a FIP is very much NAT centric, and in the described
configuration NAT is very much disabled.  This idea seems to have worked
way back in icehouse, however does not work at Ussuri.  If this is not a
supported network model, the association of the FIP to the instance
should error with an appropriate message that NAT is not supported to
the in-path router to the external network.

** Affects: neutron
     Importance: Undecided
         Status: New

** Affects: neutron (Ubuntu)
     Importance: Undecided
         Status: New

** Summary changed:

- [ovn] fip assignment to router with snat disabled broken
+ [ovn] fip assignment to instance via router with snat disabled is broken

** Description changed:

+ Ubuntu: 20.04
+ OpenStack: Ussuri
+ Networking: OVN (20.03.x)
+ 
  Network topology:
  
  Geneve overlay network for project networks, router has snat disabled
  and the project network and the external network are all in the same
  address scope and subnet pool.  OVN routers are simply acting as L3
  routers and instances on the project network can be directly accessed by
  the address assigned to their port (with appropriate route configuration
  in the outside of openstack world).
  
  Issue:
  
  Its possible to create and then associate a floating IP on the external
  network with an instance attached to the project network - however this
  does not work - access to the instance via the FIP is broken, as is
  access to its fixed IP (when this worked OK before).
  
  Thoughts:
  
  The concept of a FIP is very much NAT centric, and in the described
  configuration NAT is very much disabled.  This idea seems to have worked
  way back in icehouse, however does not work at Ussuri.  If this is not a
  supported network model, the association of the FIP to the instance
  should error with an appropriate message that NAT is not supported to
  the in-path router to the external network.

** Also affects: neutron
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1924765

Title:
  [ovn] fip assignment to instance via router with snat disabled is
  broken

Status in neutron:
  New
Status in neutron package in Ubuntu:
  New

Bug description:
  Ubuntu: 20.04
  OpenStack: Ussuri
  Networking: OVN (20.03.x)

  Network topology:

  Geneve overlay network for project networks, router has snat disabled
  and the project network and the external network are all in the same
  address scope and subnet pool.  OVN routers are simply acting as L3
  routers and instances on the project network can be directly accessed
  by the address assigned to their port (with appropriate route
  configuration in the outside of openstack world).

  Issue:

  Its possible to create and then associate a floating IP on the
  external network with an instance attached to the project network -
  however this does not work - access to the instance via the FIP is
  broken, as is access to its fixed IP (when this worked OK before).

  Thoughts:

  The concept of a FIP is very much NAT centric, and in the described
  configuration NAT is very much disabled.  This idea seems to have
  worked way back in icehouse, however does not work at Ussuri.  If this
  is not a supported network model, the association of the FIP to the
  instance should error with an appropriate message that NAT is not
  supported to the in-path router to the external network.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1924765/+subscriptions


Follow ups