
yahoo-eng-team team mailing list archive

[Bug 1947993] [NEW] Non HA router - missing iptables rule for redirect metadata queries to haproxy


Public bug reported:

In case of the non-HA routers (dvr and legacy) neutron-l3-agent sends
notifications AFTER_CREATE and AFTER_UPDATE of the router. Metadata
driver is subscribed to those notifications to prepare haproxy in the
router's namespace:
https://github.com/openstack/neutron/blob/8353c2adba08f9e7d5ed61589daef81aaf275fb3/neutron/agent/metadata/driver.py#L281
and
https://github.com/openstack/neutron/blob/8353c2adba08f9e7d5ed61589daef81aaf275fb3/neutron/agent/metadata/driver.py#L294

The difference between those 2 functions is that in after_router_added, apply_metadata_nat_rules() is called to configure NAT rules in iptables in the qrouter namespace.
In the after_router_update function, NAT rules aren't created.

And that can cause an issue when processing the router in _process_added_router() fails: https://github.com/openstack/neutron/blob/8353c2adba08f9e7d5ed61589daef81aaf275fb3/neutron/agent/l3/agent.py#L626 ; thus the AFTER_CREATE notification for the router will not be called and NAT rules will not be created.
The router will be processed again in the next iteration by the L3 agent, but this time router_info is already in the agent's router_info cache, so it will be treated as an updated router. Because of that, haproxy will be started but NAT rules will never be created and metadata for instances will not be available.
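The sequence described in the report, as an added toy model (constructed for illustration here; this is not neutron's code). The hook names after_router_added, after_router_update, apply_metadata_nat_rules and _process_added_router follow the report; the namespace model, the rule text (port 9697 as the local haproxy listener), the retry loop and the ensure_nat_on_update switch that stands in for a fix are all assumptions:

```python
# Constructed toy model of the neutron-l3-agent / metadata driver interaction in the
# bug report. Not neutron's code: hook names follow the report, the rest is assumed.
from dataclasses import dataclass, field
from typing import Dict

# Stand-in for the NAT rule the metadata driver installs in the qrouter namespace.
# 169.254.169.254 is the metadata address; port 9697 is an assumed haproxy listener.
METADATA_REDIRECT_RULE = (
    "-A PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 "
    "-j REDIRECT --to-ports 9697"
)


@dataclass
class RouterNamespace:
    """Minimal model of a qrouter namespace: is haproxy up, which NAT rules exist."""
    haproxy_running: bool = False
    nat_rules: set = field(default_factory=set)


class MetadataDriver:
    """Subscriber for the router AFTER_CREATE / AFTER_UPDATE notifications."""

    def __init__(self, ensure_nat_on_update: bool):
        # False reproduces the behaviour the report describes; True models the
        # assumed mitigation: the update path re-asserts the NAT rules as well.
        self.ensure_nat_on_update = ensure_nat_on_update

    def spawn_haproxy(self, ns: RouterNamespace) -> None:
        ns.haproxy_running = True

    def apply_metadata_nat_rules(self, ns: RouterNamespace) -> None:
        # A set makes re-application idempotent, like re-applying an iptables rule.
        ns.nat_rules.add(METADATA_REDIRECT_RULE)

    def after_router_added(self, ns: RouterNamespace) -> None:
        self.spawn_haproxy(ns)
        self.apply_metadata_nat_rules(ns)

    def after_router_update(self, ns: RouterNamespace) -> None:
        self.spawn_haproxy(ns)
        if self.ensure_nat_on_update:
            self.apply_metadata_nat_rules(ns)


class L3Agent:
    """Toy L3 agent: a router already present in router_info is treated as an update."""

    def __init__(self, driver: MetadataDriver):
        self.driver = driver
        self.router_info: Dict[str, RouterNamespace] = {}

    def process_router(self, router_id: str, fail_add: bool = False) -> None:
        if router_id in self.router_info:
            self._process_updated_router(router_id)
        else:
            self._process_added_router(router_id, fail_add)

    def _process_added_router(self, router_id: str, fail: bool) -> None:
        # The router_info entry is cached before processing completes, so a failure
        # here leaves the entry behind (the condition the report describes).
        ns = RouterNamespace()
        self.router_info[router_id] = ns
        if fail:
            raise RuntimeError("simulated failure while processing the added router")
        self.driver.after_router_added(ns)

    def _process_updated_router(self, router_id: str) -> None:
        self.driver.after_router_update(self.router_info[router_id])


def has_metadata_redirect(ns: RouterNamespace) -> bool:
    """The check an operator wants: is the metadata REDIRECT rule present?"""
    return METADATA_REDIRECT_RULE in ns.nat_rules


def simulate(ensure_nat_on_update: bool, fail_first_add: bool = True) -> RouterNamespace:
    """Run two agent iterations for one router and return its namespace state."""
    agent = L3Agent(MetadataDriver(ensure_nat_on_update))
    for iteration in range(2):
        try:
            agent.process_router("router-1", fail_add=(fail_first_add and iteration == 0))
        except RuntimeError:
            pass  # the agent logs the error and reprocesses the router next iteration
    return agent.router_info["router-1"]


if __name__ == "__main__":
    broken = simulate(ensure_nat_on_update=False)
    print("as reported: haproxy=%s redirect=%s"
          % (broken.haproxy_running, has_metadata_redirect(broken)))
    fixed = simulate(ensure_nat_on_update=True)
    print("with fix:    haproxy=%s redirect=%s"
          % (fixed.haproxy_running, has_metadata_redirect(fixed)))
```

The first run ends with haproxy up and no REDIRECT rule, which is the state the report describes; making the update path re-apply the (idempotent) NAT rules closes the gap. On a real host the equivalent check is to list the nat table inside the router namespace (for example `ip netns exec qrouter-<router-id> iptables -t nat -S`) and confirm a rule for 169.254.169.254 is present whenever the metadata haproxy is running there.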

** Affects: neutron
     Importance: Medium
     Assignee: Slawek Kaplonski (slaweq)
         Status: New


** Tags: l3-dvr-backlog

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1947993


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1947993/+subscriptions
