Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1575706

Summary: Neutron agents attach untagged ports to br-int, which will be trunk port if neutron-openvswitch-agent never handles them
Product: Red Hat OpenStack
Reporter: Miguel Angel Ajo <majopela>
Component: openstack-neutron
Assignee: Miguel Angel Ajo <majopela>
Status: CLOSED EOL
QA Contact: Toni Freger <tfreger>
Severity: urgent
Priority: urgent
Version: 11.0 (Ocata)
CC: amuller, chrisw, gkumar, jlibosva, majopela, nyechiel, srevivo
Target Milestone: zstream
Keywords: Triaged, ZStream
Target Release: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-neutron-10.0.5-5.el7ost
Doc Type: If docs needed, set a value
Story Points: ---
Clones: 1579400
Last Closed: 2018-06-22 12:37:37 UTC
Type: Bug
Regression: ---
Bug Blocks: 1558336, 1579400

Description Miguel Angel Ajo 2018-05-07 17:01:43 UTC
Description of problem:

Neutron agent ports are added to br-int without any tag. That makes them trunk ports (receiving traffic for all VLANs) until neutron-openvswitch-agent handles them.

Sometimes the ports are left untagged forever, meaning that, for example, the ha-router HA port will receive traffic directly from the external network (jumps to br-int to br-ex, and also back), or dnsmasq receives requests on the external network.

Outgoing traffic is dropped in br-ex though.

Vague details here (it's all we have so far):
This also becomes an issue (still under investigation) with the ovs-vswitchd agent and the revalidator thread (the thread that checks the kernel datapath flows) getting stuck under some circumstances; for some reason it slows down a lot while analyzing trunk ports, eventually crashing the node on CPU usage.

This is also related to one security lp here: https://bugs.launchpad.net/bugs/1734320


How reproducible:

100% if neutron-openvswitch-agent is down or broken

Steps to Reproduce:
1. stop neutron-openvswitch-agent
2. create a new router

Actual results:
The network node router ports will be inserted into br-int but left untagged (trunk).


Expected results:
Ports are left on a dead VLAN (4095), which has no connectivity to other ports until they are finally tagged by the agent.

Please note that such a VLAN is handled internally by openvswitch as a normal VLAN, and traffic could still happen over all local ports on 4095, although this is much less severe.


Additional info:
This also serves as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1558336, where the issue becomes much worse where untagged ports exist in the system.
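An added detection check for the condition described above (this is not part of the bug report or of Neutron's code): it parses the JSON that `ovs-vsctl --format=json --columns=name,tag list Port` emits and sorts the Neutron agent ports of br-int into untagged (trunk), parked on the dead VLAN 4095, or properly tagged. The port names and the assumption that the capture covers only br-int ports are constructed for the example.

```python
import json

DEAD_VLAN = 4095  # Neutron parks ports here until the OVS agent assigns a real local VLAN

# Neutron agent port name prefixes on a network node: HA, router, gateway and dnsmasq ports
NEUTRON_PREFIXES = ("ha-", "qr-", "qg-", "tap")

# Constructed sample in the shape of `ovs-vsctl --format=json --columns=name,tag list Port`,
# assumed to have been captured for the ports of br-int only. Names are made up.
SAMPLE = json.dumps({
    "headings": ["name", "tag"],
    "data": [
        ["ha-0a1b2c3d-4e", ["set", []]],  # no tag at all: behaves as a trunk port
        ["qr-5f6a7b8c-9d", 4095],         # parked on the dead VLAN
        ["qg-1e2f3a4b-5c", 7],            # tagged with a local VLAN by the agent
        ["int-br-ex", ["set", []]],       # patch port, legitimately untagged, ignored
    ],
})


def parse_ports(json_text):
    """Return {port_name: tag or None} from ovs-vsctl JSON; ["set", []] means an empty column."""
    doc = json.loads(json_text)
    col = {heading: i for i, heading in enumerate(doc["headings"])}
    ports = {}
    for row in doc["data"]:
        tag = row[col["tag"]]
        if isinstance(tag, list):  # OVSDB encodes an empty optional column as ["set", []]
            tag = None
        ports[row[col["name"]]] = tag
    return ports


def classify(ports):
    """Bucket Neutron agent ports by VLAN state; non-Neutron ports (patches etc.) are skipped."""
    result = {"trunk": [], "dead": [], "tagged": []}
    for name, tag in ports.items():
        if not name.startswith(NEUTRON_PREFIXES):
            continue
        if tag is None:
            result["trunk"].append(name)  # the dangerous case this bug describes
        elif tag == DEAD_VLAN:
            result["dead"].append(name)   # the expected state while the agent is down
        else:
            result["tagged"].append(name)
    return result


if __name__ == "__main__":
    for state, names in classify(parse_ports(SAMPLE)).items():
        print(f"{state:7s} {names}")
```

On a live node, feed the function the real command output and alert on a non-empty `trunk` list while neutron-openvswitch-agent is down or unhealthy.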

Comment 5 Scott Lewis 2018-06-22 12:37:37 UTC
OSP11 is now retired, see details at https://access.redhat.com/errata/product/191/ver=11/rhel---7/x86_64/RHBA-2018:1828