1291492 – Unfriendly behavior of IP filtering for VXLAN with EXCLUDE_SERVERS

RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/

Bug 1291492 - Unfriendly behavior of IP filtering for VXLAN with EXCLUDE_SERVERS

Summary: Unfriendly behavior of IP filtering for VXLAN with EXCLUDE_SERVERS

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	RDO
Classification:	Community
Component:	openstack-packstack
Sub Component:
Version:	Juno
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	trunk
Assignee:	Ivan Chavero
QA Contact:	Shai Revivo
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-12-15 00:23 UTC by Etsuji Nakai
Modified:	2017-06-18 06:26 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-06-18 06:26:38 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Etsuji Nakai 2015-12-15 00:23:19 UTC

Description of problem:

Neutron plugin(neutron_350.py) try to set IP filtering for VXLAN tunneling packets for peer compute/controller nodes. This works when you install all nodes at once.

However, in the following scenario, it doesn't work.

1) Install controller node and compute node #1, for example.
2) Add a new compute node #2 while adding the existing nodes to EXCLUDE_SERVERS.

In this case, packstack doesn't touch the existing nodes (since they are in EXCLUDE_SERVERS) and it fails to collect IP addresses of the existing nodes. As a result, it fails to configure the IP filtering for the new node #2 with the following error.

ERROR : "Couldn't detect ipaddress of interface eth1 on node 10.0.2.13"

The same issue has been reported for RDO.

https://bugzilla.redhat.com/show_bug.cgi?id=1254389

I confirmed it with RHEL-OSP7, too.

Version-Release number of selected component (if applicable):

# rpm -qa | grep packstack
openstack-packstack-puppet-2015.1-0.11.dev1589.g1d6372f.el7ost.noarch
openstack-packstack-2015.1-0.11.dev1589.g1d6372f.el7ost.noarch

How reproducible:

Steps to Reproduce:
1. Install controller node and compute node #1 using OVS VXLAN tunneling. Especially, specifying the option "CONFIG_NEUTRON_OVS_TUNNEL_IF=ethX"

2. Install new compute node #2 while adding the existing nodes to EXCLUDE_SERVERS

Actual results:

ERROR : "Couldn't detect ipaddress of interface eth1 on node 10.0.2.13"

Expected results:

This is a tricky problem. We expect that the IP filtering will be configured as:

On node#2: tunneling packets from controller and compute node#1 are accepted.
On node#1: tunneling packets from controller and compute node#2 are accepted.
On Controller: tunneling packets from compute node#1 and compute node#2 are accepted.

But this can never be achieved because packstack cannot modify the IP filtering of the existing nodes to accept packets from node#2 because they are in EXCLUDE_SERVERS.

Additional info:

To resolve this tricky issue, I'd like to propose a new option of packstack which allows to configure IP filtering with subnets instead of specific IP addresses. By using subnets for IP filtering, you don't need to re-modify IP filtering of the existing nodes.

I submitted the patch to the upstream. Please take a look at and review it.

https://review.openstack.org/#/c/257033/

Comment 3 Christopher Brown 2017-06-17 17:17:15 UTC

This looks stale and either needs updating or closing.

Note You need to log in before you can comment on or make changes to this bug.