
yahoo-eng-team team mailing list archive

[Bug 1934912] Re: Router update fails for ports with allowed_address_pairs containing IP range in CIDR notation

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/800059
Committed: https://opendev.org/openstack/neutron/commit/19375b3e78ad6b635793b716e5ecabd53dc73a76
Submitter: "Zuul (22348)"
Branch:    master

commit 19375b3e78ad6b635793b716e5ecabd53dc73a76
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Thu Jul 8 15:53:39 2021 +0200

    [DVR] Set arp entries only for single IPs given as allowed addr pair
    
    In allowed address pairs of the port there can be given not single IP
    address but whole CIDR. In such case ARP entries for IPs from such
    cidr will not be added in the DVR router namespace.
    
    Closes-Bug: #1934912
    Change-Id: I7bdefea943379125f93b116bb899446b874d9505


** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1934912

Title:
  Router update fails for ports with allowed_address_pairs containing IP
  range in CIDR notation

Status in neutron:
  Fix Released

Bug description:
  With https://review.opendev.org/c/openstack/neutron/+/792791 neutron build from branch `stable/train` fails to update routers with ports containing an `allowed_address_pair` containing an IP address range in CIDR notation, i.e.:
  ```
  openstack port show 135515bf-6cdf-45d7-affa-c775d2a43ce1 -f value -c allowed_address_pairs
  [{'mac_address': 'fa:16:3e:1e:c4:f1', 'ip_address': '192.168.0.0/16'}]
  ```

  I could not find definitive information on whether this is an allowed
  value for allowed_address_pairs, but at least the openstack/magnum
  project makes use of this.

  Once the above is set, neutron-l3-agent logs errors shown in
  http://paste.openstack.org/show/807237/ and connection to all
  resources behind the router stops.

  Steps to reproduce:
  Set up openstack environment with neutron build from git branch stable/train with OVS, DVR and router HA in a multinode deployment on ubuntu bionic.

  Create a test environment:
  ```
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  ping <floating ip>
  ```

  Observe loss of ping after setting allowed_address_pairs.
  Revert https://review.opendev.org/c/openstack/neutron/+/792791 and redeploy neutron
  ping <floating ip>
  Observe reestablishment of the connection.

  Please let me know if you need any other information

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1934912/+subscriptions
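
The rule stated in the commit message above, as an added example (not neutron's code and not part of the original notification): allowed_address_pairs entries are sorted into single IPs, which get an ARP entry, and CIDR ranges, which are skipped. It assumes Python's standard `ipaddress` module; the function names are hypothetical and every sample pair except the 192.168.0.0/16 one from the bug report is constructed.

```python
import ipaddress

# Constructed sample; the first pair is the one quoted in the bug report.
SAMPLE_PAIRS = [
    {"mac_address": "fa:16:3e:1e:c4:f1", "ip_address": "192.168.0.0/16"},
    {"mac_address": "fa:16:3e:aa:bb:01", "ip_address": "10.0.0.50"},
    {"mac_address": "fa:16:3e:aa:bb:02", "ip_address": "10.0.0.51/32"},
    {"mac_address": "fa:16:3e:aa:bb:03", "ip_address": "2001:db8::1/128"},
    {"mac_address": "fa:16:3e:aa:bb:04", "ip_address": "2001:db8::/64"},
    {"mac_address": "fa:16:3e:aa:bb:05", "ip_address": "10.0.0.300"},
]


def classify(value):
    """Return ("host", ip), ("range", cidr) or ("invalid", value)."""
    try:
        # strict=False accepts host bits, e.g. 192.168.0.5/16 -> 192.168.0.0/16
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "invalid", value
    if net.num_addresses == 1:  # bare IP, IPv4 /32 or IPv6 /128
        return "host", str(net.network_address)
    return "range", str(net)


def plan_arp_entries(pairs):
    """Split pairs into ARP entries to set, ranges to skip, and bad input."""
    plan = {"arp": [], "skipped": [], "invalid": []}
    for pair in pairs:
        kind, value = classify(pair["ip_address"])
        if kind == "host":
            plan["arp"].append((value, pair["mac_address"]))
        elif kind == "range":
            plan["skipped"].append(value)
        else:
            plan["invalid"].append(value)
    return plan


if __name__ == "__main__":
    for key, items in plan_arp_entries(SAMPLE_PAIRS).items():
        print(key, items)
```

The `skipped` list doubles as an audit view of ports whose allowed address pairs cover whole ranges rather than single addresses.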


