Bug 1651936 - [RHOSP 13][DVR] Neutron doesn't configure multiple external subnets for one network properly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 13.0 (Queens)
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
: 13.0 (Queens)
Assignee: Rodolfo Alonso
QA Contact: Candido Campos
URL:
Whiteboard:
Depends On: 1651647
Blocks:
Reported: 2018-11-21 09:17 UTC by Alex Stupnikov
Modified: 2022-07-09 15:08 UTC

Fixed In Version: openstack-neutron-12.0.5-5.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1651647
Environment:
Last Closed: 2019-04-30 17:23:34 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1805456 0 None None None 2018-12-03 18:26:34 UTC
Red Hat Issue Tracker OSP-17501 0 None None None 2022-07-09 15:08:58 UTC
Red Hat Product Errata RHSA-2019:0935 0 None None None 2019-04-30 17:23:46 UTC

Description Alex Stupnikov 2018-11-21 09:17:21 UTC
+++ This bug was initially created as a clone of Bug #1651647 +++

Description of problem:

It is possible to create two subnets for a single external network, and it looks like we support this kind of setup. However, it doesn't work properly: every DVR will have a single on-link route for ONLY ONE external subnet and will not have an on-link route for the other one.

As a result, there are two scenarios when routing doesn't work as it should:

- two instances with FIPs from different external subnets will have asymmetric traffic flows: if there is an on-link route for the packet's DST, it will be routed directly to another DVR. If not, the packet will be routed to the external router. As a result, if there is a stateful firewall on the external router, this communication will be blocked.
- two instances with FIPs from the same external subnet could have suboptimal traffic flows if there are no on-link routes for this subnet. As a result, traffic will always go through the external router, which could cause issues if the router has protection against this kind of flow.

Here is example output of the routing table in the fip-* namespace on a compute node where a single external network has two subnets, 10.0.0.0/24 and 10.0.1.0/24:

default via 10.0.0.1 dev fg-83ec5f16-be table 2852022899 
10.0.0.0/24 dev fg-83ec5f16-be proto kernel scope link src 10.0.0.225 
10.0.0.218 via 169.254.106.114 dev fpr-789f245b-1 
10.0.0.219 via 169.254.106.114 dev fpr-789f245b-1 
10.0.1.15 via 169.254.106.114 dev fpr-789f245b-1

As we can see, there are host routes for local FIPs, a single on-link route for the 10.0.0.0/24 subnet and a default route.


Additional information:

An upstream bug for legacy routers [1] was solved a long time ago.

[1] https://bugs.launchpad.net/neutron/+bug/1312467
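
Added example (not part of the bug report and not Neutron code): a check over `ip route` output from a fip-* namespace that lists the external subnets lacking an on-link route and shows which path traffic to a remote FIP would take, as described above. The sample table is the one quoted in the description; the function names and the remote FIP addresses are constructed for illustration.

```python
import ipaddress

# Routing table quoted in the description (fip-* namespace on a compute node).
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev fg-83ec5f16-be table 2852022899
10.0.0.0/24 dev fg-83ec5f16-be proto kernel scope link src 10.0.0.225
10.0.0.218 via 169.254.106.114 dev fpr-789f245b-1
10.0.0.219 via 169.254.106.114 dev fpr-789f245b-1
10.0.1.15 via 169.254.106.114 dev fpr-789f245b-1
"""
EXTERNAL_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]


def onlink_networks(route_text):
    """Networks reachable directly on an fg- device (no 'via' next hop)."""
    nets = []
    for line in route_text.splitlines():
        tok = line.split()
        # Skip the default route and host routes for local FIPs (via fpr-*).
        if len(tok) < 3 or tok[0] == "default" or "via" in tok:
            continue
        if tok[1] == "dev" and tok[2].startswith("fg-"):
            nets.append(ipaddress.ip_network(tok[0], strict=False))
    return nets


def missing_onlink(route_text, external_subnets):
    """External subnets that no on-link route in this namespace covers."""
    present = onlink_networks(route_text)
    missing = []
    for cidr in external_subnets:
        net = ipaddress.ip_network(cidr)
        if not any(p.version == net.version and net.subnet_of(p) for p in present):
            missing.append(cidr)
    return missing


def egress_path(route_text, remote_fip):
    """'direct' if a FIP hosted on another node matches an on-link route,
    otherwise 'external-router' (the packet follows the default route)."""
    addr = ipaddress.ip_address(remote_fip)
    hit = any(addr in n for n in onlink_networks(route_text))
    return "direct" if hit else "external-router"


if __name__ == "__main__":
    print("missing on-link routes:", missing_onlink(SAMPLE_ROUTES, EXTERNAL_SUBNETS))
    for fip in ("10.0.0.50", "10.0.1.50"):  # constructed remote FIPs
        print(fip, "->", egress_path(SAMPLE_ROUTES, fip))
```

A subnet reported as missing on one node but present on another is the condition that produces the asymmetric flows described in the first scenario.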

Comment 2 Rodolfo Alonso 2018-12-07 12:51:04 UTC
Patch in review (for master branch): https://review.openstack.org/#/c/622449/

Comment 3 Alex Stupnikov 2019-02-25 15:37:34 UTC
Hello Rodolfo.

The upstream fix seems to be merged. May I ask you about a backport to RHOSP 13? Is it possible to backport this patch from the master branch?

BR, Alex.

Comment 13 errata-xmlrpc 2019-04-30 17:23:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0935

