Description of problem:
Neutron agent ports are added to br-int without any tag. That makes them trunk ports (receiving traffic for all VLANs) until neutron-openvswitch-agent handles them. Sometimes the ports are left untagged forever, meaning that, for example, the ha-router HA port will receive traffic directly from the external network (it jumps to br-int from br-ex, and also back), or dnsmasq receives requests from the external network. Outgoing traffic is dropped in br-ex though.

Vague details here (it's all we have so far): this also becomes an issue (still under investigation) with the ovs-vswitchd agent and the revalidator thread (the thread that checks the kernel datapath flows) getting stuck under some circumstances; for some reason it slows down a lot while analyzing trunk ports, eventually crashing the node on CPU usage.

This is also related to one security lp here: https://bugs.launchpad.net/bugs/1734320

How reproducible:
100% if neutron-openvswitch-agent is down or broken

Steps to Reproduce:
1. stop neutron-openvswitch-agent
2. create a new router

Actual results:
The network node router ports are inserted into br-int but left untagged (trunk).

Expected results:
Ports are left on a dead VLAN (4095), which has no connectivity to other ports until they are finally tagged by the agent. Please note that such a VLAN is handled internally by openvswitch as a normal VLAN and traffic could still flow between all local ports on 4095, although this is much less severe.

Additional info:
This also serves as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1558336 where the issue becomes much worse where untagged ports exist in the system.
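To check a network node for the condition described above (neutron agent ports sitting on br-int with no VLAN tag, i.e. as trunk ports), here is an added detection script. It is not part of the bug report or of neutron/OVS. It parses the JSON output of `ovs-vsctl --format=json --columns=name,tag list Port` together with `ovs-vsctl list-ports br-int`, both embedded below as constructed sample output, and lists agent ports that are still trunks. The `ha-`/`qr-`/`tap` prefixes are assumed to be neutron's default port naming; the remediation it prints parks the port on the dead VLAN 4095 that the expected results ask for, which is the only tag it ever emits.

```python
import json
from typing import Dict, List, Optional

# OVS "dead" VLAN that the report expects untagged agent ports to be parked on.
DEAD_VLAN = 4095

# Assumed neutron default prefixes for agent ports on br-int:
# HA router port, router internal port, DHCP (dnsmasq) port.
AGENT_PREFIXES = ("ha-", "qr-", "tap")

# Constructed sample of `ovs-vsctl --format=json --columns=name,tag list Port`.
# OVSDB JSON renders an empty tag column as ["set", []] and a set tag as an int.
SAMPLE_PORT_TABLE = json.dumps({
    "headings": ["name", "tag"],
    "data": [
        ["br-int", ["set", []]],          # bridge-internal port, not an agent port
        ["ha-1a2b3c4d-ef", ["set", []]],  # HA router port left untagged (trunk)
        ["qr-5e6f7a8b-9c", 7],            # router port already tagged by the agent
        ["tap0d1e2f3a-4b", ["set", []]],  # dnsmasq port left untagged (trunk)
        ["qg-aabbccdd-ee", ["set", []]],  # lives on br-ex, not br-int
        ["patch-tun", ["set", []]],       # tunnel patch port, legitimately untagged
        ["tap9f8e7d6c-5b", 4095],         # already parked on the dead VLAN
    ],
})

# Constructed sample of `ovs-vsctl list-ports br-int` (one port name per line).
SAMPLE_BR_INT_PORTS = (
    "ha-1a2b3c4d-ef\nqr-5e6f7a8b-9c\ntap0d1e2f3a-4b\npatch-tun\ntap9f8e7d6c-5b\n"
)


def parse_port_tags(port_table_json: str) -> Dict[str, Optional[int]]:
    """Map each Port name to its VLAN tag, or None when the tag column is empty."""
    table = json.loads(port_table_json)
    col = {heading: i for i, heading in enumerate(table["headings"])}
    tags: Dict[str, Optional[int]] = {}
    for row in table["data"]:
        tag = row[col["tag"]]
        # An OVSDB set with zero elements is ["set", []]; a single value is the atom.
        if isinstance(tag, list) and tag and tag[0] == "set":
            tag = tag[1][0] if tag[1] else None
        tags[row[col["name"]]] = tag
    return tags


def find_trunk_agent_ports(port_table_json: str, br_int_ports_text: str) -> List[str]:
    """Return agent ports that are attached to br-int but carry no tag (trunk ports)."""
    tags = parse_port_tags(port_table_json)
    on_br_int = [line.strip() for line in br_int_ports_text.splitlines() if line.strip()]
    return sorted(
        name for name in on_br_int
        if name.startswith(AGENT_PREFIXES) and tags.get(name) is None
    )


def quarantine_commands(names: List[str]) -> List[str]:
    """Commands that park the given ports on the dead VLAN until the agent tags them."""
    return [f"ovs-vsctl set Port {name} tag={DEAD_VLAN}" for name in names]


if __name__ == "__main__":
    # On a real node, replace the two constants with the live ovs-vsctl output.
    trunks = find_trunk_agent_ports(SAMPLE_PORT_TABLE, SAMPLE_BR_INT_PORTS)
    for name in trunks:
        print(f"untagged agent port on br-int: {name}")
    for cmd in quarantine_commands(trunks):
        print(cmd)
```

On the sample data the script flags `ha-1a2b3c4d-ef` and `tap0d1e2f3a-4b` and skips the patch port, the already tagged `qr-` port and the port already on 4095. As the report itself notes, 4095 is still an ordinary VLAN inside OVS, so ports parked on it can reach each other; the commands only close the exposure to external traffic arriving through br-ex, and the agent tagging the ports properly remains the real fix.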
OSP11 is now retired, see details at https://access.redhat.com/errata/product/191/ver=11/rhel---7/x86_64/RHBA-2018:1828