[Bug 1934912] Re: Router update fails for ports with allowed_address_pairs containing IP range in CIDR notation

OpenStack Infra 1934912 at bugs.launchpad.net
Thu Sep 30 16:12:32 UTC 2021


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/811498
Committed: https://opendev.org/openstack/neutron/commit/4300619ad1a79170dc8f218cd15cb5146498f66a
Submitter: "Zuul (22348)"
Branch:    stable/victoria

commit 4300619ad1a79170dc8f218cd15cb5146498f66a
Author: Slawek Kaplonski <skaplons at redhat.com>
Date:   Thu Jul 8 15:53:39 2021 +0200

    [DVR] Set arp entries only for single IPs given as allowed addr pair
    
    In allowed address pairs of the port there can be given not single IP
    address but whole CIDR. In such case ARP entries for IPs from such
    cidr will not be added in the DVR router namespace.
    
    Closes-Bug: #1934912
    Change-Id: I7bdefea943379125f93b116bb899446b874d9505
    (cherry picked from commit 19375b3e78ad6b635793b716e5ecabd53dc73a76)


** Changed in: cloud-archive/victoria
       Status: New => Fix Committed

** Changed in: cloud-archive/ussuri
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1934912

Title:
  Router update fails for ports with allowed_address_pairs containing IP
  range in CIDR notation

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Committed
Status in Ubuntu Cloud Archive wallaby series:
  Fix Committed
Status in Ubuntu Cloud Archive xena series:
  New
Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:
  New
Status in neutron source package in Focal:
  New
Status in neutron source package in Hirsute:
  New
Status in neutron source package in Impish:
  New

Bug description:
  With https://review.opendev.org/c/openstack/neutron/+/792791 neutron build from branch `stable/train` fails to update routers with ports containing an `allowed_address_pair` containing an IP address range in CIDR notation, i.e.:
  ```
  openstack port show 135515bf-6cdf-45d7-affa-c775d2a43ce1 -f value -c allowed_address_pairs
  [{'mac_address': 'fa:16:3e:1e:c4:f1', 'ip_address': '192.168.0.0/16'}]
  ```

  I could not find definitive information on whether this is an allowed
  value for allowed_address_pairs, but at least the openstack/magnum
  project makes use of this.

  Once the above is set neutron-l3-agent logs errors shown in
  http://paste.openstack.org/show/807237/ and connection to all
  resources behind the router stops.

  Steps to reproduce:
  Set up openstack environment with neutron build from git branch stable/train with OVS, DVR and router HA in a multinode deployment on ubuntu bionic.

  Create a test environment:
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  ping <floating ip>

  Observe loss of ping after setting allowed_address_pairs.
  Revert https://review.opendev.org/c/openstack/neutron/+/792791 and redeploy neutron
  ping <floating ip>
  Observe reestablishment of the connection.

  Please let me know if you need any other information


  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  SRU:

  [Impact]
  VMs with floating IPs are unreachable from external networks

  [Test Case]
  Create a test environment on bionic ussuri
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  openstack router set --disable <router>
  openstack router set --enable <router>
  ping <floating ip>

  # ping should be successful after router is enabled.

  [Regression Potential]
  The only possibilities for allowed_address_pair are either an IP or a CIDR. There is no chance of garbage values since it is verified during port update with allowed_address_pair. The edge case of an IP with CIDR notation like /32 is already covered by the common_utils.is_cidr_host() function call. All the upstream CI builds until stable/ussuri are successful.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1934912/+subscriptions
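
The rule stated in the commit message and the [Regression Potential] note, as an added example (not neutron's code): only allowed address pairs that name exactly one address yield an ARP entry, and ranges are skipped. It uses Python's standard `ipaddress` module as a stand-in for the `is_cidr_host()` check; the function names and the sample pairs other than the `192.168.0.0/16` one from the report are constructed.

```python
import ipaddress

MAC = "fa:16:3e:1e:c4:f1"

# Constructed sample; the first pair is the value shown in the bug report.
SAMPLE_PAIRS = [
    {"mac_address": MAC, "ip_address": "192.168.0.0/16"},
    {"mac_address": MAC, "ip_address": "10.0.0.50"},
    {"mac_address": MAC, "ip_address": "10.0.0.51/32"},
    {"mac_address": MAC, "ip_address": "2001:db8::10/128"},
    {"mac_address": MAC, "ip_address": "2001:db8::/64"},
]


def single_host(value):
    """Return the bare address if value names exactly one IP, else None.

    Hypothetical helper. Malformed input raises ValueError; the report
    states such values are already rejected when the port is updated.
    """
    # strict=False accepts host bits, e.g. 10.0.0.5/24, which is still a range.
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen != net.max_prefixlen:
        return None
    return str(net.network_address)


def arp_entries(pairs):
    """Split pairs into (ip, mac) neighbour entries and skipped ranges."""
    entries, skipped = [], []
    for pair in pairs:
        host = single_host(pair["ip_address"])
        if host is None:
            # A whole CIDR has no single address to bind to the MAC.
            skipped.append(pair["ip_address"])
        else:
            entries.append((host, pair["mac_address"]))
    return entries, skipped


if __name__ == "__main__":
    entries, skipped = arp_entries(SAMPLE_PAIRS)
    for ip, mac in entries:
        print(f"arp entry: {ip} -> {mac}")
    for cidr in skipped:
        print(f"skipped range: {cidr}")
```

The skipped list is also a quick way to audit which ports carry wide allowed address ranges.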



