yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2018599] Re: Disable config option use_random_fully does not work

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2018599@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 May 2023 17:09:23 -0000
Reply-to: Bug 2018599 <2018599@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/883239
Committed: https://opendev.org/openstack/neutron/commit/a612346146db2f9e70a23af55eb7502655666940
Submitter: "Zuul (22348)"
Branch:    master

commit a612346146db2f9e70a23af55eb7502655666940
Author: Alexander <shishebarov.a@xxxxxxxxxxx>
Date:   Mon May 15 19:16:20 2023 +0300

    Fix not working use_random_fully config option
    
    Fixed bug when config option  use_random_fully is
    set to False all routers accept one configured
    by l3 agent with iptables "--random-fully" option.
    Also added storing of use iptables --random-fully
    config option to "_random_fully" class variable
    of IptablesManager to reduce checks of iptables
    version by instances of this class.
    
    Closes-Bug: #2018599
    
    Change-Id: Ia12fc0a3d4812a0aba816b49dec60a7dcfaf0623


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2018599

Title:
  Disable config option use_random_fully does not work

Status in neutron:
  Fix Released

Bug description:
  Summary.
  We use neutron ml2/ovs plugin. Version of neutron is Ussuri. We set config option use_random_fully=false.
  After reboot neutron-l3-agent only one router configured without iptables option "--random-fully" in SNAT configuration, all other routers, including newly created ones, continue to be configured with option "--random-fully"

  How to reproduce.

  1) Create 2 routers in different projectes.
  2) Create 2 floating ip and allocate them to this routers.
  3) Set use_random_fully=false in section [agent] of neutron l3-agent config.
  4) Reboot l3-agent
  As result one router will be configured without --random-fully option, another one with it. And newly created routers with floating ip also will be configured with --random-fully

  Reason of this behavior.

  For configuration routers(linux namespaces) l3 agent creats separate instance of IptablesManager class witch have property for check of usage random-fully option
  https://github.com/openstack/neutron/blob/stable/ussuri/neutron/agent/linux/iptables_manager.py#L494

  Step 1.
  When neutron l3 agent call this property first time on first instance of IptablesManager, this property sets to class variable _random_fully value True,
  https://github.com/openstack/neutron/blob/stable/ussuri/neutron/agent/linux/iptables_manager.py#L499
  then check configuration and set instance variable _random_fully value False and return False.
  https://github.com/openstack/neutron/blob/stable/ussuri/neutron/agent/linux/iptables_manager.py#L502-L505

  Step 2.
  After neutron l3 agent calls on second instance of IptablesManager property random_fully.
  And on line
  https://github.com/openstack/neutron/blob/stable/ussuri/neutron/agent/linux/iptables_manager.py#L495
  according to MRO algorithm founded variable _random_fully in class not in instance.

  On previous step that variable was set to True. So property returns True.
  As result we have one router configured correctly, and all the others not(according to config).

  We need to disable the use of "--random-full" option, as this is
  critical for some applications.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2018599/+subscriptions

References

[Bug 2018599] [NEW] Disable config option use_random_fully does not work
From: Alexander Shishebarov, 2023-05-05