
yahoo-eng-team team mailing list archive

[Bug 1934912] Re: Router update fails for ports with allowed_address_pairs containing IP range in CIDR notation

 

This bug was fixed in the package neutron - 2:16.4.1-0ubuntu2

---------------
neutron (2:16.4.1-0ubuntu2) focal; urgency=medium

  * d/p/lp1934912-set-arp-entries-only-for-single-ip.patch: Cherry-pick
    upstream patch (LP: #1934912)

neutron (2:16.4.1-0ubuntu1) focal; urgency=medium

  [ Corey Bryant ]
  * d/p/revert-rely-on-worker-count-for-hashring-caching.patch: Dropped.
    Fixed upstream by https://review.opendev.org/c/openstack/neutron/+/800679
    in the 16.4.1 stable release.

  [ Chris MacNaughton ]
  * New stable point release for OpenStack Ussuri (LP: #1943712).
  * d/p/provide-integer-argument-to-arping.patch: Removed after
    inclusion in upstream release.

 -- Chris MacNaughton <chris.macnaughton@xxxxxxxxxx>  Fri, 01 Oct 2021 06:56:50 +0000

** Changed in: neutron (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1934912

Title:
  Router update fails for ports with allowed_address_pairs containing IP
  range in CIDR notation

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Committed
Status in Ubuntu Cloud Archive wallaby series:
  Fix Committed
Status in Ubuntu Cloud Archive xena series:
  Fix Released
Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:
  Fix Released
Status in neutron source package in Focal:
  Fix Released
Status in neutron source package in Hirsute:
  Fix Committed
Status in neutron source package in Impish:
  Fix Released

Bug description:
  With https://review.opendev.org/c/openstack/neutron/+/792791, neutron built from branch `stable/train` fails to update routers with ports containing an `allowed_address_pair` containing an IP address range in CIDR notation, i.e.:
  ```
  openstack port show 135515bf-6cdf-45d7-affa-c775d2a43ce1 -f value -c allowed_address_pairs
  [{'mac_address': 'fa:16:3e:1e:c4:f1', 'ip_address': '192.168.0.0/16'}]
  ```

  I could not find definitive information on whether this is an allowed
  value for allowed_address_pairs, but at least the openstack/magnum
  project makes use of this.

  Once the above is set, neutron-l3-agent logs the errors shown in
  http://paste.openstack.org/show/807237/ and connection to all
  resources behind the router stops.

  Steps to reproduce:
  Set up an openstack environment with neutron built from git branch stable/train with OVS, DVR and router HA in a multinode deployment on ubuntu bionic.

  Create a test environment:
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  ping <floating ip>

  Observe loss of ping after setting allowed_address_pairs.
  Revert https://review.opendev.org/c/openstack/neutron/+/792791 and redeploy neutron
  ping <floating ip>
  Observe reestablishment of the connection.

  Please let me know if you need any other information


  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  SRU:

  [Impact]
  VMs with floating IPs are unreachable from external networks

  [Test Case]
  Create a test environment on bionic ussuri
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  openstack router set --disable <router>
  openstack router set --enable <router>
  ping <floating ip>

  # ping should be successful after router is enabled.

  [Regression Potential]
  The only possibilities for allowed_address_pair are either an IP or a CIDR. There is no chance of garbage values since it is verified during port update with allowed_address_pair. The edge case of an IP with CIDR notation like /32 is already covered in the common_utils.is_cidr_host() function call. All the upstream CI builds until stable/ussuri are successful.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1934912/+subscriptions
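
An added example (not from the bug report and not neutron's own code): the distinction the [Regression Potential] note draws between a single IP and a CIDR range, applied to allowed_address_pairs so that only single-host entries become ARP candidates, as the patch name "set-arp-entries-only-for-single-ip" describes. It uses Python's standard ipaddress module; the helper names host_address and arp_candidates and every sample port except the 192.168.0.0/16 pair quoted in the description are assumptions made for illustration.

```python
import ipaddress


def host_address(value):
    """Return the host IP for a bare IP or a full-length prefix, else None.

    Full-length means /32 for IPv4 and /128 for IPv6. Garbage input raises
    ValueError, mirroring the note that values are validated on port update.
    """
    if "/" not in value:
        return str(ipaddress.ip_address(value))
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return None  # a real range such as 192.168.0.0/16


def arp_candidates(ports):
    """Split allowed_address_pairs into (ip, mac) hosts and skipped ranges."""
    hosts, skipped = [], []
    for port in ports:
        for pair in port.get("allowed_address_pairs", []):
            ip = host_address(pair["ip_address"])
            if ip is None:
                skipped.append((port["id"], pair["ip_address"]))
            else:
                hosts.append((ip, pair["mac_address"]))
    return hosts, skipped


# Constructed sample data; only the first pair appears in the bug report.
SAMPLE_PORTS = [
    {"id": "135515bf-6cdf-45d7-affa-c775d2a43ce1", "allowed_address_pairs": [
        {"mac_address": "fa:16:3e:1e:c4:f1", "ip_address": "192.168.0.0/16"}]},
    {"id": "port-b", "allowed_address_pairs": [
        {"mac_address": "fa:16:3e:00:00:02", "ip_address": "10.0.0.50"},
        {"mac_address": "fa:16:3e:00:00:02", "ip_address": "10.0.0.51/32"}]},
    {"id": "port-c", "allowed_address_pairs": [
        {"mac_address": "fa:16:3e:00:00:03", "ip_address": "2001:db8::10/128"},
        {"mac_address": "fa:16:3e:00:00:03", "ip_address": "2001:db8::/64"}]},
]

if __name__ == "__main__":
    hosts, skipped = arp_candidates(SAMPLE_PORTS)
    print("ARP candidates:", hosts)
    print("Skipped ranges:", skipped)
```

The skipped list doubles as an audit view of ports whose allowed_address_pairs cover a whole range rather than one address.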


