yahoo-eng-team team mailing list archive
Message #95129
[Bug 2092971] [NEW] Metadata service does not work when port security is disabled
Public bug reported:
While I was experimenting with metadata service I discovered that ovn
metadata agent fails to spawn a haproxy service when port security is
disabled.

This happens because here [1] we look into vif_port mac column for an IP
address. However, when port security is disabled, OVN will set it to
[unknown]. As per OVN documentation [2] this column is not guaranteed to
contain MAC and IPs:

    mac: set of strings
        This column is a misnomer as it may contain MAC addresses
        and IP addresses.

Example of a VIF port with security disabled (I am omitting some
columns/data):

    _uuid : 43a5e506-2361-4cdb-a2fb-2ce0636cf34a
    chassis : 5f37d656-e7ab-4ea9-8a9a-52633fb2b43e
    datapath : ef68b5d5-a133-4dcd-98ba-6aac76dcf148
    external_ids : {"neutron:cidrs"="2001:db8:0:1:f816:3eff:feef:f2ad/64", .....}
    logical_port : "19b7a707-4762-400b-9fd9-6e90cf5bfbde"
    mac : [unknown]
    port_security : []
    type : ""

When the port security is enabled the mac column looks like this:

    mac : ["fa:16:3e:ef:f2:ad 2001:db8:0:1:f816:3eff:feef:f2ad"]
    port_security : ["fa:16:3e:ef:f2:ad 2001:db8:0:1:f816:3eff:feef:f2ad"]

It appears that a more reliable way of getting an IP would be extracting
it from external_ids column under the neutron:cidrs key.

This eventually just manifests as this [3] log in the agent's logs.

[1] https://github.com/openstack/neutron/blob/0c29e730db2629c084de0c114a0d1e8e6939ac25/neutron/agent/ovn/metadata/agent.py#L619-L622
[2] https://man7.org/linux/man-pages/man5/ovn-sb.5.html#Port_Binding_TABLE
[3] https://github.com/openstack/neutron/blob/0c29e730db2629c084de0c114a0d1e8e6939ac25/neutron/agent/ovn/metadata/agent.py#L627-L630

** Affects: neutron
Importance: Undecided
Status: New
** Tags: low-hanging-fruit
** Description changed:
While I was experimenting with metadata service I discovered that ovn
metadata agent fails to spawn a haproxy service when port security is
disabled.
This happens because here [1] we look into vif_port mac column for an IP
address. However, when port security is disabled, OVN will set it to
[unknown]. As per OVN documentation [2] this column is not guranteed to
contain MAC and IPs
- mac: set of strings
- This column is a misnomer as it may contain MAC addresses
- and IP addresses.
+ mac: set of strings
+ This column is a misnomer as it may contain MAC addresses
+ and IP addresses.
- Example of a VIF port with security disabled (I am omiting some columns/data):
+ Example of a VIF port with security disabled (I am omiting some
+ columns/data):
+
_uuid : 43a5e506-2361-4cdb-a2fb-2ce0636cf34a
chassis : 5f37d656-e7ab-4ea9-8a9a-52633fb2b43e
datapath : ef68b5d5-a133-4dcd-98ba-6aac76dcf148
external_ids : {"neutron:cidrs"="2001:db8:0:1:f816:3eff:feef:f2ad/64", .....}
logical_port : "19b7a707-4762-400b-9fd9-6e90cf5bfbde"
mac : [unknown]
port_security : []
type : ""
+ When the port security is enabled the mac column looks like this:
- When the port security is enabled the mac column looks like this:
mac : ["fa:16:3e:ef:f2:ad 2001:db8:0:1:f816:3eff:feef:f2ad"]
port_security : ["fa:16:3e:ef:f2:ad 2001:db8:0:1:f816:3eff:feef:f2ad"]
It appears that more reliable way of getting an IP would be extracting
it from external_ids column under the neutron:cidrs key.
This eventually just manifests as this[3] log in the agents logs.
[1]
https://github.com/openstack/neutron/blob/0c29e730db2629c084de0c114a0d1e8e6939ac25/neutron/agent/ovn/metadata/agent.py#L619-L622
[2] https://man7.org/linux/man-pages/man5/ovn-
sb.5.html#Port_Binding_TABLE
[3]
https://github.com/openstack/neutron/blob/0c29e730db2629c084de0c114a0d1e8e6939ac25/neutron/agent/ovn/metadata/agent.py#L627-L630
** Tags added: low-hanging-fruit
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2092971
Title:
Metadata service does not work when port security is disabled
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2092971/+subscriptions
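
The lookup the report describes, with the suggested fallback to external_ids, as an added example (not code from the bug report or from neutron). The function names and the two sample rows are hypothetical, built from the values quoted in the report; the example assumes neutron:cidrs holds space-separated "address/prefix" entries.

```python
import ipaddress


def ips_from_mac_column(mac_column):
    """IPs carried in Port_Binding.mac entries of the form "MAC IP [IP ...]"."""
    ips = []
    for entry in mac_column:
        # "unknown" (port security disabled) or a bare MAC has no IP fields.
        for candidate in entry.split()[1:]:
            try:
                ips.append(str(ipaddress.ip_address(candidate)))
            except ValueError:
                continue  # not an address, ignore it
    return ips


def ips_from_neutron_cidrs(external_ids):
    """IPs from external_ids["neutron:cidrs"] (assumed space-separated CIDRs)."""
    ips = []
    for cidr in external_ids.get("neutron:cidrs", "").split():
        try:
            ips.append(str(ipaddress.ip_interface(cidr).ip))
        except ValueError:
            continue  # malformed entry, ignore it
    return ips


def port_ips(mac_column, external_ids):
    """Prefer the mac column; fall back to neutron:cidrs when it has no IPs."""
    return ips_from_mac_column(mac_column) or ips_from_neutron_cidrs(external_ids)


# Constructed sample rows using the values quoted in the report.
CIDRS = {"neutron:cidrs": "2001:db8:0:1:f816:3eff:feef:f2ad/64"}
SECURED = {
    "mac": ["fa:16:3e:ef:f2:ad 2001:db8:0:1:f816:3eff:feef:f2ad"],
    "external_ids": CIDRS,
}
UNSECURED = {"mac": ["unknown"], "external_ids": CIDRS}

if __name__ == "__main__":
    for name, row in (("secured", SECURED), ("unsecured", UNSECURED)):
        print(name, "mac only:", ips_from_mac_column(row["mac"]),
              "with fallback:", port_ips(row["mac"], row["external_ids"]))
```
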