Bug 1836963 - [OVN][DVR] Impossible to ping internet addresses from vm with FIP
Summary: [OVN][DVR] Impossible to ping internet addresses from vm with FIP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ga
: 16.1 (Train on RHEL 8.2)
Assignee: Jakub Libosvar
QA Contact: Eran Kuris
URL:
Whiteboard:
: 1836964 (view as bug list)
Depends On: 1836976
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-18 14:52 UTC by Eran Kuris
Modified: 2023-12-15 17:56 UTC (History)
28 users (show)

Fixed In Version: ovn2.13-2.13.0-37.el8fdp.x86_64
Doc Type: Known Issue
Doc Text:
Because of a core OVN bug, virtual machines with floating IP (FIP) addresses cannot route to other networks in an ML2/OVN deployment with distributed virtual routing (DVR) enabled. Core OVN sets a bad next hop when routing SNAT IPv4 traffic from a VM with a floating ip with DVR enabled. Instead of the gateway IP, OVN sets the destination IP. As a result, the router sends an ARP request for an unknown IP instead of routing the request to the gateway. + Workaround: Before you deploy a new overcloud with ML2/OVN, disable DVR by setting `NeutronEnableDVR: false` in an environment file. If you have ML2/OVN in an existing deployment, complete the following steps: + 1) Set enable_distributed_floating_ips to 'False' in the `neutron.conf` file: + (undercloud) [stack@undercloud-0 ~]$ ansible -i /usr/bin/tripleo-ansible-inventory -m shell -b -a "crudini --set /var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/ml2_conf.ini ovn enable_distributed_floating_ip False" Controller + 2) Restart neutron server containers: + (undercloud) [stack@undercloud-0 ~]$ ansible -i /usr/bin/tripleo-ansible-inventory -m shell -b -a "podman restart neutron_api" Controller + 3) Centralize all of the FIP traffic through gateway nodes. Run the following command on any overcloud node: + $ export NB=$(sudo ovs-vsctl get open . external_ids:ovn-remote | sed -e 's/\"//g' | sed -e 's/6642/6641/g') $ alias ovn-nbctl='sudo podman exec ovn_controller ovn-nbctl --db=$NB' $ for fip in $(ovn-nbctl --bare --columns _uuid find nat type=dnat_and_snat); do ovn-nbctl clear NAT $fip external_mac; done + When the fix is available in RHOSP 16.1.1, you can re-enable distributed FIP traffic: + 1) Set `enable_distributed_floating_ips` back to 'True' in the `neutron.conf` file: + (undercloud) [stack@undercloud-0 ~]$ ansible -i /usr/bin/tripleo-ansible-inventory -m shell -b -a "crudini --set /var/lib/config-data/puppet-generated/neutron/etc/neutron/plugins/ml2/ml2_conf.ini ovn enable_distributed_floating_ip True" Controller + 2) Restart neutron server containers: + (undercloud) [stack@undercloud-0 ~]$ ansible -i /usr/bin/tripleo-ansible-inventory -m shell -b -a "podman restart neutron_api" Controller + 3) Trigger the update in all of the FIPs. Run the following command on any overcloud node: + $ export NB=$(sudo ovs-vsctl get open . external_ids:ovn-remote | sed -e 's/\"//g' | sed -e 's/6642/6641/g') $ alias ovn-nbctl='sudo podman exec ovn_controller ovn-nbctl --db=$NB' $ for i in $(ovn-nbctl --bare --columns logical_port find nat type=dnat_and_snat); do ovn-nbctl set logical_switch_port $i up=false; done + [NOTE] Disabling DVR causes traffic to be centralized. All L3 traffic travels through the Controller/Networker nodes. This might affect scale, data plane performance, and throughput.
Clone Of: 1834433
: 1836998 1837558 (view as bug list)
Environment:
Last Closed: 2020-07-29 07:52:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 735613 0 None MERGED [OVN] OVN driver to adapt to enable_distributed_floating_ip changes 2021-02-19 14:19:09 UTC
Red Hat Issue Tracker OSP-29439 0 None None None 2023-10-06 20:08:21 UTC
Red Hat Product Errata RHBA-2020:3148 0 None None None 2020-07-29 07:53:16 UTC

Comment 1 Daniel Alvarez Sanchez 2020-05-18 14:55:24 UTC 
*** Bug 1836964 has been marked as a duplicate of this bug. ***
Comment 6 Jakub Libosvar 2020-06-10 13:08:26 UTC 
This is a tracker bug to make sure our images use the correct OVN version in openstack - setting ovn2.13-2.13.0-33.el7fdn to fixed in version although this bug is reported against python-networking-ovn
Comment 9 Allan Greentree 2020-06-22 19:11:31 UTC 
Hello, Just added customer case where they are asking when this fix will be released for RHOSP 16.1 on RHEL 8.1 ?

Thanks, Allan Greentree
Senior Technical Support Engineer
Red Hat OpenStack
Comment 22 Eran Kuris 2020-07-19 07:41:45 UTC 
Dont we need to move this bug to on_qa ?
Comment 25 Roman Safronov 2020-07-20 11:36:02 UTC 
Tested on puddle RHOS-16.1-RHEL-8-20200714.n.0 with ovn2.13-2.13.0-37.el8fdp.x86_64.

It is possible to ping internet ip addresses from a vm with floating ip.
Comment 27 errata-xmlrpc 2020-07-29 07:52:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3148
Note You need to log in before you can comment on or make changes to this bug.