[Bug 1934912] Re: Router update fails for ports with allowed_address_pairs containing IP range in CIDR notation
Steve Langasek
1934912 at bugs.launchpad.net
Fri Oct 8 21:57:03 UTC 2021
Hello Jan, or anyone else affected,
Accepted neutron into hirsute-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/neutron/2:18.1.1-0ubuntu2 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed-hirsute. In either case, without details of your
testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: neutron (Ubuntu Hirsute)
Status: New => Fix Committed
** Tags added: verification-needed verification-needed-hirsute
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1934912
Title:
Router update fails for ports with allowed_address_pairs containing IP
range in CIDR notation
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive ussuri series:
Fix Committed
Status in Ubuntu Cloud Archive victoria series:
Fix Committed
Status in Ubuntu Cloud Archive wallaby series:
Fix Committed
Status in Ubuntu Cloud Archive xena series:
New
Status in neutron:
Fix Released
Status in neutron package in Ubuntu:
New
Status in neutron source package in Focal:
New
Status in neutron source package in Hirsute:
Fix Committed
Status in neutron source package in Impish:
New
Bug description:
With https://review.opendev.org/c/openstack/neutron/+/792791 neutron built from branch `stable/train` fails to update routers with ports containing an `allowed_address_pair` containing an IP address range in CIDR notation, i.e.:
```
openstack port show 135515bf-6cdf-45d7-affa-c775d2a43ce1 -f value -c allowed_address_pairs
[{'mac_address': 'fa:16:3e:1e:c4:f1', 'ip_address': '192.168.0.0/16'}]
```
I could not find definitive information on whether this is an allowed
value for allowed_address_pairs, but at least the openstack/magnum
project makes use of this.
Once the above is set neutron-l3-agent logs errors shown in
http://paste.openstack.org/show/807237/ and connection to all
resources behind the router stops.
Steps to reproduce:
Set up openstack environment with neutron built from git branch stable/train with OVS, DVR and router HA in a multinode deployment on ubuntu bionic.
Create a test environment:
```
openstack network create test
openstack subnet create --network test --subnet-range 10.0.0.0/24 test
openstack router create --ha --distributed test
openstack router set --external-gateway <provider network> test
openstack router add subnet test test
openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
openstack security group create icmp
openstack security group rule create --protocol icmp --ingress icmp
openstack server add security group test icmp
openstack floating ip create <provider network>
openstack server add floating ip test <floating ip>
ping <floating ip>
openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
ping <floating ip>
```
Observe loss of ping after setting allowed_address_pairs.
Revert https://review.opendev.org/c/openstack/neutron/+/792791 and redeploy neutron
```
ping <floating ip>
```
Observe reestablishment of the connection.
Please let me know if you need any other information
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SRU:
[Impact]
VM with floating ip are unreachable from external
[Test Case]
Create a test environment on bionic ussuri
```
openstack network create test
openstack subnet create --network test --subnet-range 10.0.0.0/24 test
openstack router create --ha --distributed test
openstack router set --external-gateway <provider network> test
openstack router add subnet test test
openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
openstack security group create icmp
openstack security group rule create --protocol icmp --ingress icmp
openstack server add security group test icmp
openstack floating ip create <provider network>
openstack server add floating ip test <floating ip>
ping <floating ip>
openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
openstack router set --disable <router>
openstack router set --enable <router>
ping <floating ip>
# ping should be successful after router is enabled.
```
[Regression Potential]
The only possibilities for allowed_address_pair are either an IP or a CIDR. There is no chance of garbage values since it is verified during port update with allowed_address_pair. The edge case of an IP with CIDR notation like /32 is already covered in the common_utils.is_cidr_host() function call. All the upstream CI builds until stable/ussuri are successful.
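An added example, not part of the original bug report and not neutron's code: a stand-alone Python audit that separates single-host `allowed_address_pairs` entries (bare IP, /32, /128) from CIDR ranges, the two forms the regression note distinguishes. The port names and data are constructed, and the classification uses the standard `ipaddress` module rather than neutron's `common_utils.is_cidr_host()`.

```python
import ipaddress

# Constructed sample data, shaped like the output of
# `openstack port show <port> -c allowed_address_pairs`.
SAMPLE_PORTS = {
    "port-a": [{"mac_address": "fa:16:3e:1e:c4:f1", "ip_address": "192.168.0.0/16"}],
    "port-b": [{"mac_address": "fa:16:3e:00:00:02", "ip_address": "10.0.0.5"}],
    "port-c": [{"mac_address": "fa:16:3e:00:00:03", "ip_address": "10.0.0.6/32"},
               {"mac_address": "fa:16:3e:00:00:04", "ip_address": "2001:db8::/64"}],
}


def classify_pair_address(value):
    """Return (kind, network): kind is "host", "range" or "invalid"."""
    try:
        # strict=False also accepts entries with host bits set (10.0.0.5/24).
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "invalid", None
    # A bare IP parses as /32 (IPv4) or /128 (IPv6), same as an explicit host CIDR.
    kind = "host" if net.prefixlen == net.max_prefixlen else "range"
    return kind, net


def audit_ports(ports):
    """List (port, entry, address_count) for every entry that is not a single host."""
    findings = []
    for port_id, pairs in sorted(ports.items()):
        for pair in pairs:
            value = pair["ip_address"]
            kind, net = classify_pair_address(value)
            if kind != "host":
                size = net.num_addresses if net is not None else None
                findings.append((port_id, value, size))
    return findings


if __name__ == "__main__":
    for port_id, value, size in audit_ports(SAMPLE_PORTS):
        print(f"{port_id}: {value} covers {size} addresses")
```

Range entries are the ones that triggered the router update failure described in this bug, and they also widen the set of source addresses the port is allowed to use, so they are worth listing before and after applying the fix.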