yahoo-eng-team team mailing list archive

Thread
Date
[Bug 2004238] Re: OVN metadata use the same IP as LB health monitor

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2004238@xxxxxxxxxxxxxxxxxx>
Date: Fri, 17 Feb 2023 14:31:17 -0000
Reply-to: Bug 2004238 <2004238@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Reviewed:  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/873426
Committed: https://opendev.org/openstack/ovn-octavia-provider/commit/54d96ca07237dff8bccdaf4a9d5492f9103ea261
Submitter: "Zuul (22348)"
Branch:    master

commit 54d96ca07237dff8bccdaf4a9d5492f9103ea261
Author: Fernando Royo <froyo@xxxxxxxxxx>
Date:   Fri Feb 10 19:18:09 2023 +0100

    Avoid use of ovn metadata port IP for HM checks
    
    For every backend IP in the load balancer for which health
    check is configured, a new row in the Service_Monitor table
    is created and according to that ovn-controller will
    periodically sends out the service monitor packets.
    
    In this patch we create a new port for this purpose,
    instead of use the ovn_metadata_port to configure the
    backends in the field ip_port_mappings, this mapping is
    the info used to be translated to Service_Monitor
    entries (more details [1]).
    
    [1] https://github.com/ovn-org/ovn/blob/24cd3267c452f6b687e8c03344693709b1c7ae9f/northd/ovn-northd.8.xml#L1431
    
    Closes-Bug: #2004238
    Change-Id: I11c4d9671eee002b15080d055a18a4d3f4d7c540


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2004238

Title:
  OVN metadata use the same IP as LB health monitor

Status in neutron:
  Fix Released

Bug description:
  Recently I ran into an issue that instances are unable to get
  metadata, after a few debugs I found out the issue to be the LB health
  monitor is replying the arp request for OVN metadata agent's IP
  causing the request going to metadata agent actually being sent to
  another MAC address.

  Seems to related to https://bugs.launchpad.net/bugs/1956034, but that
  bug is closed by mistake.

  Form sb_db logical flow dump I found the bellow flow

  _uuid : df93e919-c7f5-4d04-be6f-796e175e266f
  actions : "eth.dst = eth.src; eth.src = 5e:69:e7:47:38:7b; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = 5e:69:e7:47:38:7b; arp.tpa = arp.spa; arp.spa = 10.0.0.2; outport = inport; flags.loopback = 1; output;"
  controller_meter : []
  external_ids : {source="northd.c:7971", stage-hint="5b11468a", stage-name=ls_in_arp_rsp}
  logical_datapath : f714c506-3043-4366-8065-d6af4d2a08de
  logical_dp_group : []
  match : "arp.tpa == 10.0.0.2 && arp.op == 1"
  pipeline : ingress
  priority : 110
  table_id : 18
  tags : {}
  hash : 0

  Priority 110 flow with this action should be from the LB health
  monitor according to ovn-northd doc [1]

  Where as ovn-metadata agent also uses the same IP (10.0.0.2)

  +-------------------------+---------------------------------------------------------------------------------------------+
  | Field | Value |
  +-------------------------+---------------------------------------------------------------------------------------------+
  | admin_state_up | UP |
  | allowed_address_pairs | |
  | binding_host_id | |
  | binding_profile | |
  | binding_vif_details | |
  | binding_vif_type | unbound |
  | binding_vnic_type | normal |
  | created_at | 2023-01-17T08:04:35Z |
  | data_plane_status | None |
  | description | |
  | device_id | ovnmeta-5640d643-e490-46b3-a724-0478aef3722e |
  | device_owner | network:distributed |
  | device_profile | None |
  | dns_assignment | fqdn='host-10-0-0-2.infra.cloudnative.tw.', hostname='host-10-0-0-2', ip_address='10.0.0.2' |
  | dns_domain | |
  | dns_name | |
  | extra_dhcp_opts | |
  | fixed_ips | ip_address='10.0.0.2', subnet_id='3000b8bf-f687-406d-b000-55d38f365e33' |
  | id | c1ba8ceb-6f02-48e6-9da3-3cb9b628b771 |
  | ip_allocation | None |
  | mac_address | fa:16:3e:7c:b8:1c |
  | name | |
  | network_id | 5640d643-e490-46b3-a724-0478aef3722e |
  | numa_affinity_policy | None |
  | port_security_enabled | False |
  | project_id | 2fbc86f895ed4ef1ad036b7e4a068b50 |
  | propagate_uplink_status | None |
  | qos_network_policy_id | None |
  | qos_policy_id | None |
  | resource_request | None |
  | revision_number | 2 |
  | security_group_ids | |
  | status | DOWN |
  | tags | |
  | trunk_details | None |
  | updated_at | 2023-01-17T08:04:36Z |
  +-------------------------+---------------------------------------------------------------------------------------------+

  This causes all packet that should be going to 10.0.0.2 (metadata
  agent) actually being sent to 5e:69:e7:47:38:7b MAC address which is
  incorrect.

  Expected result:

  OVN LB health monitor sending arp replies to an unused IP, or reserved
  a port with an IP specifically for health monitor.

  [1] https://www.ovn.org/support/dist-docs/ovn-northd.8.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2004238/+subscriptions
References

[Bug 2004238] [NEW] OVN metadata use the same IP as LB health monitor
From: Ching Kuo, 2023-01-31