Description of problem:
A customer with an RHOSP 13 deployment reported a flood of log notifications about martian packets in the compute logs. The sosreport contains a huge number of the following messages (IP addresses and inbound device can differ):
May 11 21:14:27 compute-11 kernel: IPv4: martian source 192.168.1.1 from 192.168.1.3, on dev qbr2d01def5-22
May 11 21:14:27 compute-11 kernel: ll header: 00000000: ff ff ff ff ff ff 00 06 95 8c d6 37 08 06 ..............
Here are some observations from provided data:
- the affected compute doesn't have IP addresses in the 192.168.1.0/24 network and has a default route;
- messages are logged for the Linux bridges that are used to connect instance NICs;
- only frames that are broadcast on L2 are logged;
- "firewall_driver=iptables_hybrid" is configured in "var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/openvswitch_agent.ini"
- I don't know if this issue can be reproduced in DVR environment.
I was able to reproduce this issue in our lab: similar messages were generated right after creating an instance and looked like initial DHCP packets.
I would like to note that:
- this kind of message was enabled in TripleO two years ago: https://review.opendev.org/#/c/451250/
- there is related bug #1699991 in iptables_hybrid firewall driver assigned to Rodolfo Alonso.
Workaround: disable net.ipv4.conf.default.log_martians and net.ipv4.conf.all.log_martians flags on computes.
Hello Alex:
I would wait until bug #1699991 is solved. I have submitted several patches to solve it up to Queens (https://review.opendev.org/#/c/655694/). Once the LB in between the TAP device and OVS doesn't reply to external ARPs, the problem will be mitigated or solved.
Regards.
Hello Rodolfo.
Thank you for the quick follow-up. I totally agree that it would be right to check whether this bug is fixed by the specified patch.
Kind Regards, Alex S.
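For triaging a flood like the one in the report, the following added example (not part of the original thread or of any OpenStack code) pairs each "martian source" line with its "ll header" line and decodes the Ethernet header, so the events can be grouped by bridge, EtherType and L2 broadcast. The second log pair, its MAC addresses and the device name qbr0example-00 are constructed for contrast; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the report, plus one made-up
# unicast IPv4 pair (device name and MACs are placeholders) for contrast.
SAMPLE = """\
May 11 21:14:27 compute-11 kernel: IPv4: martian source 192.168.1.1 from 192.168.1.3, on dev qbr2d01def5-22
May 11 21:14:27 compute-11 kernel: ll header: 00000000: ff ff ff ff ff ff 00 06 95 8c d6 37 08 06 ..............
May 11 21:14:28 compute-11 kernel: IPv4: martian source 10.0.0.5 from 10.0.0.9, on dev qbr0example-00
May 11 21:14:28 compute-11 kernel: ll header: 00000000: fa 16 3e 00 00 01 fa 16 3e 00 00 02 08 00 ..............
"""

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HDR = re.compile(r"ll header: [0-9a-f]{8}: ((?:[0-9a-f]{2} ){14})")
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_martians(text):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = MARTIAN.search(line)
        if m:
            # The kernel prints the destination address first, then the source.
            pending = dict(zip(("dst_ip", "src_ip", "dev"), m.groups()))
            continue
        h = LL_HDR.search(line)
        if h and pending:
            raw = bytes.fromhex(h.group(1))  # 14-byte Ethernet header
            etype = int.from_bytes(raw[12:14], "big")
            pending.update(
                dst_mac=mac(raw[0:6]),
                src_mac=mac(raw[6:12]),
                ethertype=ETHERTYPES.get(etype, hex(etype)),
                l2_broadcast=raw[0:6] == b"\xff" * 6,
            )
            events.append(pending)
            pending = None
    return events

def summarize(events):
    """Count events per (device, EtherType, broadcast?) to see what floods the log."""
    return Counter((e["dev"], e["ethertype"], e["l2_broadcast"]) for e in events)

if __name__ == "__main__":
    for key, n in summarize(parse_martians(SAMPLE)).items():
        print(n, *key)
```

Run against the kernel messages from a sosreport, the summary shows which qbr bridges log the events and whether they are all L2 broadcasts, which helps confirm the pattern before changing the log_martians settings.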