yahoo-eng-team team mailing list archive

[Bug 2088286] Re: external port created by neutron-vpnaas with ovn driver is not fully configured

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/936850
Committed: https://opendev.org/openstack/neutron/commit/bb2f8edaa80e5c9a8e558aba9b5bc3788233d687
Submitter: "Zuul (22348)"
Branch:    master

commit bb2f8edaa80e5c9a8e558aba9b5bc3788233d687
Author: Bodo Petermann <b.petermann@xxxxxxxxxxxx>
Date:   Mon Dec 2 16:24:02 2024 +0100

    Set IP/MAC address on VPNaaS gateway port (OVN)
    
    Fix an issue with missing route announcements for
    the VPN external port in a setup with OVN, BGP (ovn-bgp-agent)
    and VPNaaS. The ovn-bgp-agent won't announce the address of
    the VPN gateway port if its OVN logical switch port only
    has address=[unknown].
    To set the address on the LSP explicitly, add the device owner
    network:vpn_router_gateway to the reasons to do so.
    
    Closes-Bug: #2088286
    Change-Id: Ic04833333a04064c2fbd7fb2700d35f2312aef7e


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2088286

Title:
  external port created by neutron-vpnaas with ovn driver is not fully
  configured

Status in neutron:
  Fix Released

Bug description:
  Hello

  We are deploying OpenStack/Neutron with OVN, BGP (ovn-bgp-agent) and
  VPNaaS and we encountered a problem - because of incomplete
  configuration of the VPN service's external port, the BGP agent isn't
  announcing its address.

  Summary: external port created by neutron-vpnaas with ovn
  plugin/driver is not fully/properly configured and because of this
  ovn-bgp-agent won't announce/publish/configure routing path for this
  address.

  $ /var/lib/kolla/venv/bin/neutron-ovn-vpn-agent --version
  neutron-ovn-vpn-agent 24.0.2.dev42

  $ openstack network show public1
  +---------------------------+--------------------------------------+
  | Field                     | Value                                |
  +---------------------------+--------------------------------------+
  | admin_state_up            | UP                                   |
  | availability_zone_hints   |                                      |
  | availability_zones        |                                      |
  | created_at                | 2024-09-06T15:48:18Z                 |
  | description               |                                      |
  | dns_domain                | None                                 |
  | id                        | ad8c81c1-08fd-4503-833f-912675d1c6d8 |
  | ipv4_address_scope        | None                                 |
  | ipv6_address_scope        | None                                 |
  | is_default                | False                                |
  | is_vlan_transparent       | None                                 |
  | mtu                       | 1500                                 |
  | name                      | public1                              |
  | port_security_enabled     | True                                 |
  | project_id                | 0cfa2dc8d9024b7fa0462a9be5d8b832     |
  | provider:network_type     | vlan                                 |
  | provider:physical_network | physnet1                             |
  | provider:segmentation_id  | 2                                    |
  | qos_policy_id             | None                                 |
  | revision_number           | 2                                    |
  | router:external           | External                             |
  | segments                  | None                                 |
  | shared                    | True                                 |
  | status                    | ACTIVE                               |
  | subnets                   | 306ea02d-a5ec-4c1b-bd2f-bff1a88750d6 |
  | tags                      |                                      |
  | tenant_id                 | 0cfa2dc8d9024b7fa0462a9be5d8b832     |
  | updated_at                | 2024-09-06T15:48:19Z                 |
  +---------------------------+--------------------------------------+

  $ openstack subnet show 306ea02d-a5ec-4c1b-bd2f-bff1a88750d6
  +----------------------+--------------------------------------+
  | Field                | Value                                |
  +----------------------+--------------------------------------+
  | allocation_pools     | 203.0.113.226-203.0.113.254          |
  | cidr                 | 203.0.113.224/27                     |
  | created_at           | 2024-09-06T15:48:19Z                 |
  | description          |                                      |
  | dns_nameservers      |                                      |
  | dns_publish_fixed_ip | None                                 |
  | enable_dhcp          | False                                |
  | gateway_ip           | 203.0.113.225                        |
  | host_routes          |                                      |
  | id                   | 306ea02d-a5ec-4c1b-bd2f-bff1a88750d6 |
  | ip_version           | 4                                    |
  | ipv6_address_mode    | None                                 |
  | ipv6_ra_mode         | None                                 |
  | name                 | public1                              |
  | network_id           | ad8c81c1-08fd-4503-833f-912675d1c6d8 |
  | project_id           | 0cfa2dc8d9024b7fa0462a9be5d8b832     |
  | revision_number      | 0                                    |
  | segment_id           | None                                 |
  | service_types        |                                      |
  | subnetpool_id        | None                                 |
  | tags                 |                                      |
  | updated_at           | 2024-09-06T15:48:19Z                 |
  +----------------------+--------------------------------------+

  $ openstack port list --network ad8c81c1-08fd-4503-833f-912675d1c6d8 --long
  +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+
  | ID                                   | Name                                        | MAC Address       | Fixed IP Addresses                                                           | Status | Security Groups | Device Owner               | Tags |
  +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+
  | 1dc2b248-1d21-44ff-923f-2405f9f28f4e |                                             | fa:16:3e:3e:97:10 | ip_address='203.0.113.228', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | N/A    | None            | network:floatingip         |      |
  | 71a1d9eb-11bb-4278-979b-6a1d83e87ecc |                                             | fa:16:3e:15:5e:b5 | ip_address='203.0.113.229', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None            | network:router_gateway     |      |
  | 7398b975-552a-408f-8289-25e52d5cb8fc |                                             | fa:16:3e:e7:dd:5d | ip_address='203.0.113.252', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None            | network:router_gateway     |      |
  | ccbb42e0-3258-4ade-a5e6-c873ca0530b7 |                                             | fa:16:3e:97:9d:d7 |                                                                              | DOWN   | None            | network:distributed        |      |
  | e6a43606-2ea3-4967-9aa2-967c800cbdbe |                                             | fa:16:3e:4e:e9:d8 | ip_address='203.0.113.243', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None            | network:router_gateway     |      |
  +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+

  $ openstack vpn service create --router router_vpn test_vpn_service
  +----------------+--------------------------------------+
  | Field          | Value                                |
  +----------------+--------------------------------------+
  | Description    |                                      |
  | Flavor         | None                                 |
  | ID             | 0d8436f0-6cc5-4af5-84f7-10b54ac99784 |
  | Name           | test_vpn_service                     |
  | Project        | 0cfa2dc8d9024b7fa0462a9be5d8b832     |
  | Router         | 30e448d5-078e-40fe-9418-901f8195b6cb |
  | State          | True                                 |
  | Status         | PENDING_CREATE                       |
  | Subnet         | None                                 |
  | external_v4_ip | 203.0.113.246                        |
  | external_v6_ip | None                                 |
  | project_id     | 0cfa2dc8d9024b7fa0462a9be5d8b832     |
  +----------------+--------------------------------------+

  $ openstack vpn ipsec site connection create --peer-id 1.2.3.4 --peer-address 1.2.3.4 --psk 1234 --vpnservice test_vpn_service --ikepolicy ikepolicy --ipsecpolicy ipsecpolicy test_vpn_tunnel --peer-endpoint-group west-peer-epg --local-endpoint-group local_network
  +--------------------------+----------------------------------------------------+
  | Field                    | Value                                              |
  +--------------------------+----------------------------------------------------+
  | Authentication Algorithm | psk                                                |
  | Description              |                                                    |
  | ID                       | ca7f63dc-685f-4f9d-bc23-47c7b5b1c577               |
  | IKE Policy               | 1457dc12-c1ec-4574-8985-9e93dcf06f56               |
  | IPSec Policy             | c68d172f-220f-455c-b46c-b9ff8b9e46e4               |
  | Initiator                | bi-directional                                     |
  | Local Endpoint Group ID  | 0f7f645c-8ae9-4dc8-a286-40afabbc2dd7               |
  | Local ID                 |                                                    |
  | MTU                      | 1500                                               |
  | Name                     | test_vpn_tunnel                                    |
  | Peer Address             | 1.2.3.4                                            |
  | Peer CIDRs               |                                                    |
  | Peer Endpoint Group ID   | 842cc6e8-d124-4258-b9d8-8b901d06cd97               |
  | Peer ID                  | 1.2.3.4                                            |
  | Pre-shared Key           | 1234                                               |
  | Project                  | 0cfa2dc8d9024b7fa0462a9be5d8b832                   |
  | Route Mode               | static                                             |
  | State                    | True                                               |
  | Status                   | PENDING_CREATE                                     |
  | VPN Service              | 0d8436f0-6cc5-4af5-84f7-10b54ac99784               |
  | dpd                      | {'action': 'hold', 'interval': 30, 'timeout': 120} |
  | project_id               | 0cfa2dc8d9024b7fa0462a9be5d8b832                   |
  +--------------------------+----------------------------------------------------+

  
  $ openstack port list --network ad8c81c1-08fd-4503-833f-912675d1c6d8 --long
  +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+
  | ID                                   | Name                                        | MAC Address       | Fixed IP Addresses                                                           | Status | Security Groups | Device Owner               | Tags |
  +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+
  | 1dc2b248-1d21-44ff-923f-2405f9f28f4e |                                             | fa:16:3e:3e:97:10 | ip_address='203.0.113.228', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | N/A    | None            | network:floatingip         |      |
  | 3d2dbb2a-b004-4955-a4ca-4d4a88d2f702 | vpn-gw-30e448d5-078e-40fe-9418-901f8195b6cb | fa:16:3e:e5:e0:69 | ip_address='203.0.113.246', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None            | network:vpn_router_gateway |      |
  | 71a1d9eb-11bb-4278-979b-6a1d83e87ecc |                                             | fa:16:3e:15:5e:b5 | ip_address='203.0.113.229', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None            | network:router_gateway     |      |
  | 7398b975-552a-408f-8289-25e52d5cb8fc |                                             | fa:16:3e:e7:dd:5d | ip_address='203.0.113.252', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None            | network:router_gateway     |      |
  | ccbb42e0-3258-4ade-a5e6-c873ca0530b7 |                                             | fa:16:3e:97:9d:d7 |                                                                              | DOWN   | None            | network:distributed        |      |
  | e6a43606-2ea3-4967-9aa2-967c800cbdbe |                                             | fa:16:3e:4e:e9:d8 | ip_address='203.0.113.243', subnet_id='306ea02d-a5ec-4c1b-bd2f-bff1a88750d6' | ACTIVE | None            | network:router_gateway     |      |
  +--------------------------------------+---------------------------------------------+-------------------+------------------------------------------------------------------------------+--------+-----------------+----------------------------+------+

  routing table on gateway/network node:
  203.0.113.228 dev vrf1d63891f-e7 scope link
  203.0.113.243 dev vrf1d63891f-e7 scope link
  203.0.113.252 dev vrf1d63891f-e7 scope link
  203.0.113.229 dev vrf1d63891f-e7 scope link

  $ ovn-nbctl lsp-list `ovn-nbctl ls-list | grep ad8c81c1-08fd-4503-833f-912675d1c6d8 | cut -f1 -d\ ` | while read a b; do echo -n "$b "; ovn-nbctl lsp-get-addresses $a; done
  (3d2dbb2a-b004-4955-a4ca-4d4a88d2f702) unknown
  (71a1d9eb-11bb-4278-979b-6a1d83e87ecc) fa:16:3e:15:5e:b5 203.0.113.229/27
  (7398b975-552a-408f-8289-25e52d5cb8fc) fa:16:3e:e7:dd:5d 203.0.113.252/27
  (ccbb42e0-3258-4ade-a5e6-c873ca0530b7) fa:16:3e:97:9d:d7
  (e6a43606-2ea3-4967-9aa2-967c800cbdbe) fa:16:3e:4e:e9:d8 203.0.113.243/27
  (provnet-5aa931a9-ac56-4144-ab7d-c61819a46c2a) unknown

  3d2dbb2a-b004-4955-a4ca-4d4a88d2f702
  (vpn-gw-30e448d5-078e-40fe-9418-901f8195b6cb) stands out from other
  ports, has no addresses

  $ ovn-nbctl lsp-set-addresses 3d2dbb2a-b004-4955-a4ca-4d4a88d2f702 "fa:16:3e:e5:e0:69 203.0.113.246/27"
  $ ovn-nbctl lsp-list `ovn-nbctl ls-list | grep ad8c81c1-08fd-4503-833f-912675d1c6d8 | cut -f1 -d\ ` | while read a b; do echo -n "$b "; ovn-nbctl lsp-get-addresses $a; done
  (3d2dbb2a-b004-4955-a4ca-4d4a88d2f702) fa:16:3e:e5:e0:69 203.0.113.246/27
  (71a1d9eb-11bb-4278-979b-6a1d83e87ecc) fa:16:3e:15:5e:b5 203.0.113.229/27
  (7398b975-552a-408f-8289-25e52d5cb8fc) fa:16:3e:e7:dd:5d 203.0.113.252/27
  (ccbb42e0-3258-4ade-a5e6-c873ca0530b7) fa:16:3e:97:9d:d7
  (e6a43606-2ea3-4967-9aa2-967c800cbdbe) fa:16:3e:4e:e9:d8 203.0.113.243/27
  (provnet-5aa931a9-ac56-4144-ab7d-c61819a46c2a) unknown

  routing table after:
  203.0.113.228 dev vrf1d63891f-e7 scope link
  203.0.113.243 dev vrf1d63891f-e7 scope link
  203.0.113.246 dev vrf1d63891f-e7 scope link
  203.0.113.252 dev vrf1d63891f-e7 scope link
  203.0.113.229 dev vrf1d63891f-e7 scope link

  And now it's possible for the tunnel to connect.

  I tried to identify code of ovn driver/plugin in neutron-vpnaas
  responsible for external port allocation, but I wasn't able to find
  it.

  
  --
  Tomek Orzechowski

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2088286/+subscriptions
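
A check for the mismatch the report found by hand, as an added example that is not part of the original report or of the Neutron code: it compares the addresses printed by the lsp-get-addresses loop with Neutron's port list and reports ports whose LSP lacks the fixed IP. The function names are hypothetical; the sample data is copied from the command output above.

```python
import ipaddress
import re

# LSP addresses printed by the report's ovn-nbctl loop, before the manual fix.
LSP_OUTPUT = """\
(3d2dbb2a-b004-4955-a4ca-4d4a88d2f702) unknown
(71a1d9eb-11bb-4278-979b-6a1d83e87ecc) fa:16:3e:15:5e:b5 203.0.113.229/27
(7398b975-552a-408f-8289-25e52d5cb8fc) fa:16:3e:e7:dd:5d 203.0.113.252/27
(ccbb42e0-3258-4ade-a5e6-c873ca0530b7) fa:16:3e:97:9d:d7
(e6a43606-2ea3-4967-9aa2-967c800cbdbe) fa:16:3e:4e:e9:d8 203.0.113.243/27
(provnet-5aa931a9-ac56-4144-ab7d-c61819a46c2a) unknown
"""
# Neutron's view from "openstack port list": id -> (MAC, fixed IP, device owner).
NEUTRON_PORTS = {
    "1dc2b248-1d21-44ff-923f-2405f9f28f4e": ("fa:16:3e:3e:97:10", "203.0.113.228", "network:floatingip"),
    "3d2dbb2a-b004-4955-a4ca-4d4a88d2f702": ("fa:16:3e:e5:e0:69", "203.0.113.246", "network:vpn_router_gateway"),
    "71a1d9eb-11bb-4278-979b-6a1d83e87ecc": ("fa:16:3e:15:5e:b5", "203.0.113.229", "network:router_gateway"),
    "7398b975-552a-408f-8289-25e52d5cb8fc": ("fa:16:3e:e7:dd:5d", "203.0.113.252", "network:router_gateway"),
    "ccbb42e0-3258-4ade-a5e6-c873ca0530b7": ("fa:16:3e:97:9d:d7", None, "network:distributed"),
    "e6a43606-2ea3-4967-9aa2-967c800cbdbe": ("fa:16:3e:4e:e9:d8", "203.0.113.243", "network:router_gateway"),
}
SUBNET_CIDR = "203.0.113.224/27"
LSP_LINE = re.compile(r"^\((?P<name>[^)]+)\)\s*(?P<addrs>.*)$")

def parse_lsp_addresses(text):
    """Map LSP name -> address tokens, e.g. ['unknown'] or [mac, 'ip/len']."""
    parsed = {}
    for line in text.splitlines():
        match = LSP_LINE.match(line.strip())
        if match:
            parsed[match.group("name")] = match.group("addrs").split()
    return parsed

def find_unaddressed_ports(lsp_text, ports, cidr):
    """Return (port_id, owner, expected) where the LSP lacks Neutron's fixed IP."""
    prefixlen = ipaddress.ip_network(cidr).prefixlen
    lsps = parse_lsp_addresses(lsp_text)
    findings = []
    for port_id, (mac, ip, owner) in ports.items():
        if ip is None or port_id not in lsps:
            continue  # no fixed IP in Neutron, or no LSP listed for the port
        lsp_ips = {token.split("/")[0] for token in lsps[port_id]}
        if ip not in lsp_ips:
            findings.append((port_id, owner, f"{mac} {ip}/{prefixlen}"))
    return findings

if __name__ == "__main__":
    for port_id, owner, expected in find_unaddressed_ports(LSP_OUTPUT, NEUTRON_PORTS, SUBNET_CIDR):
        print(f'{owner}: ovn-nbctl lsp-set-addresses {port_id} "{expected}"')
```

The provnet port and the network:distributed port are not reported: the first is not a Neutron port and the second has no fixed IP to compare against.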


