[Bug 1934912] Re: Router update fails for ports with allowed_address_pairs containg IP range in CIDR notation

Ubuntu Foundations Team Bug Bot 1934912 at bugs.launchpad.net
Thu Sep 30 12:32:56 UTC 2021 

The attachment "Debdiff for impish" seems to be a debdiff.  The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1934912

Title:
  Router update fails for ports with allowed_address_pairs containg IP
  range in CIDR  notation

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive ussuri series:
  New
Status in Ubuntu Cloud Archive victoria series:
  New
Status in Ubuntu Cloud Archive wallaby series:
  New
Status in Ubuntu Cloud Archive xena series:
  New
Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:
  New
Status in neutron source package in Focal:
  New
Status in neutron source package in Hirsute:
  New
Status in neutron source package in Impish:
  New

Bug description:
  With https://review.opendev.org/c/openstack/neutron/+/792791 neutron build from branch `stable/train` fails to update routers with ports containing an `allowed_address_pair` containing an IP address range in CIDR notation, i.e.:
  ```
  openstack port show 135515bf-6cdf-45d7-affa-c775d2a43ce1 -f value -c allowed_address_pairs
  [{'mac_address': 'fa:16:3e:1e:c4:f1', 'ip_address': '192.168.0.0/16'}]
  ```

  I could not find definitive information on wether this is an allowed
  value for allowed_address_pairs, but at least the openstack/magnum
  project makes use of this.

  Once the above is set neutron-l3-agent logs errors shown in
  http://paste.openstack.org/show/807237/ and connection to all
  resources behind the router stop.

  Steps to reproduce:
  Set up openstack environment with neutron build from git branch stable/train with OVS, DVR and router HA in a multinode deployment on ubuntu bionic.

  Create a test environment:
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  ping <floating ip>

  Observe loss of ping after setting allowed_address_pairs.
  Revert https://review.opendev.org/c/openstack/neutron/+/792791 and redeploy neutron
  ping <floating ip>
  Observe reestablishment of the connection.

  Please let me know if you need any other information


  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  SRU:

  [Impact]
  VM with floating ip are unreachable from external

  [Test Case]
  Create a test environment on bionic ussuri
  openstack network create test
  openstack subnet create --network test --subnet-range 10.0.0.0/24 test
  openstack router create --ha --distributed test
  openstack router set --external-gateway <provider network> test
  openstack router add subnet test test
  openstack server create --image <test image> --flavor m1.small --security-group <default> --network test test
  openstack security group create icmp
  openstack security group rule create --protocol icmp --ingress icmp
  openstack server add security group test icmp
  openstack floating ip create <provider network>
  openstack server add floating ip test <floating ip>
  ping <floating ip>
  openstack port set --allowed-address ip-address=192.168.0.0/16 <instance port>
  openstack router set --disable <router>
  openstack router set --enable <router>
  ping <floating ip>

  # ping should be successful after router is enabled.

  [Regression Potential]
  The only possibilities for allowed_address_pair are either IP or a CIDR. There is no chance of garbage values since it is verified during port update with allowed_address_pair. The edge case of IP with CIDR notation like /32 are already covered in common_utils.is_cidr_host() function call. All the upstream CI builds until stable/ussuri are successful.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1934912/+subscriptions

More information about the Ubuntu-sponsors mailing list