Bug 1579400 - Neutron agents attach untagged ports to br-int, which will be trunk port if neutron-openvswitch-agent never handles them
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: z9
Target Release: 10.0 (Newton)
Assignee: Assaf Muller
QA Contact: Toni Freger
URL:
Whiteboard:
Depends On: 1575706
Blocks: 1558336
Reported: 2018-05-17 14:30 UTC by Miguel Angel Ajo
Modified: 2022-07-09 12:01 UTC (History)
CC List: 9 users

Fixed In Version: openstack-neutron-9.4.1-23.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1575706
Environment:
Last Closed: 2018-09-17 16:52:32 UTC
Target Upstream Version:
Embargoed:


Links:
- Red Hat Issue Tracker OSP-17300 (last updated 2022-07-09 12:01:26 UTC)
- Red Hat Product Errata RHSA-2018:2715 (last updated 2018-09-17 16:53:55 UTC)

Description Miguel Angel Ajo 2018-05-17 14:30:51 UTC
Clone for OSP10
+++ This bug was initially created as a clone of Bug #1575706 +++

Description of problem:

Neutron agent ports are added to br-int without any tag. That makes them trunk ports (receiving traffic for all VLANs) until neutron-openvswitch-agent handles them.

Sometimes the ports are left untagged forever, meaning that, for example, the ha-router ha port will receive traffic directly from the external network (it jumps from br-int to br-ex, and also back), or dnsmasq receives requests on the external network.

Outgoing traffic is dropped in br-ex though.

Vague details here (it's all we have so far):
This also becomes an issue (still under investigation) with the ovs-vswitchd agent and the revalidator thread (the thread that checks the kernel datapath flows): under some circumstances it gets stuck; for some reason it slows down a lot while analyzing trunk ports, eventually crashing the node on CPU usage.

This is also related to one security LP bug here: https://bugs.launchpad.net/bugs/1734320


How reproducible:

100% if neutron-openvswitch-agent is down or broken

Steps to Reproduce:
1. stop neutron-openvswitch-agent
2. create a new router

Actual results:
The network node router ports will be inserted into br-int but left untagged (trunk).


Expected results:
Ports are left on a dead VLAN (4095), which will have no connectivity to other ports until they are finally tagged by the agent.

Please note that such a VLAN is handled internally by Open vSwitch as a normal VLAN and traffic could still happen over all local ports on 4095, although this is much less severe.


Additional info:
This also serves as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1558336, where the issue becomes much worse where untagged ports exist in the system.
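As an added example (not part of the bug report or of Neutron), a small POSIX shell audit for the condition described above: it lists ports on br-int that carry no VLAN tag, and so behave as trunk ports, and prints the ovs-vsctl commands that would park each one on the dead VLAN 4095 the report names as the expected state. The bridge name and the sample port names are assumptions; the switch is only queried in live mode.

```shell
#!/bin/sh
# Audit br-int for untagged (trunk) ports left behind when
# neutron-openvswitch-agent is down, and emit the commands an operator
# would review to move them onto the dead VLAN. Assumed defaults below.

BRIDGE="${BRIDGE:-br-int}"
DEAD_VLAN=4095

# audit_port_tags: reads "name<TAB>tag" lines on stdin and prints
# "UNTAGGED <name>" for every port whose tag is empty or [] (unset in OVSDB).
audit_port_tags() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r name tag; do
        case "$tag" in
            ''|'[]') printf 'UNTAGGED %s\n' "$name" ;;
        esac
    done
}

# remediation_commands: turns the audit output into ovs-vsctl commands.
# Nothing is executed here; the operator reviews and runs them.
remediation_commands() {
    audit_port_tags | while read -r kw name; do
        printf 'ovs-vsctl set Port %s tag=%s\n' "$name" "$DEAD_VLAN"
    done
}

# collect_port_tags: live query of the switch (needs ovs-vsctl, usually root).
# "ovs-vsctl get Port <p> tag" prints [] when the tag column is unset.
collect_port_tags() {
    for p in $(ovs-vsctl list-ports "$BRIDGE"); do
        printf '%s\t%s\n' "$p" "$(ovs-vsctl get Port "$p" tag)"
    done
}

# Constructed sample: one port the agent had tagged (VLAN 5) next to a
# router HA port and a VM tap port left untagged by a stopped agent.
SAMPLE="$(printf 'qr-aaaa1111\t5\nha-bbbb2222\t[]\ntap-cccc3333\t[]')"

if [ "${1:-}" = "--live" ]; then
    collect_port_tags | remediation_commands
else
    printf '%s\n' "$SAMPLE" | audit_port_tags
fi
```

Run it with `--live` on a network node to audit the real br-int; without arguments it runs against the constructed sample only.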

Comment 10 Alex McLeod 2018-09-03 07:57:28 UTC
Hi there,

If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field.

The documentation team will review, edit, and approve the text.

If this bug does not require doc text, please set the 'requires_doc_text' flag to -.

Thanks,
Alex

Comment 13 errata-xmlrpc 2018-09-17 16:52:32 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2715