Bug 2119137 - [ovn] two subnets with the same cidr can be connected to one router
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z1
Target Release: 17.0
Assignee: Fernando Royo
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-08-17 16:34 UTC by Eduardo Olivares
Modified: 2023-01-25 12:30 UTC

Fixed In Version: openstack-neutron-18.4.1-0.20221128170741.5258354.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-25 12:30:26 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1987666 | 0 | None | None | None | 2022-08-25 13:54:14 UTC
OpenStack gerrit | 859143 | 0 | None | master: MERGED | neutron: Check subnet overlapping after add router interface (I7cec8b53e72e7abf34012906e6adfecf079525af) | 2022-12-05 20:31:15 UTC
OpenStack gerrit | 863852 | 0 | None | stable/wallaby: MERGED | neutron: Check subnet overlapping after add router interface (I7cec8b53e72e7abf34012906e6adfecf079525af) | 2022-12-05 20:31:20 UTC
Red Hat Issue Tracker | OSP-18244 | 0 | None | None | None | 2022-08-17 16:38:07 UTC
Red Hat Product Errata | RHSA-2023:0275 | 0 | None | None | None | 2023-01-25 12:30:47 UTC

Description Eduardo Olivares 2022-08-17 16:34:10 UTC
Description of problem:
This bug was originally reproduced using tobiko tests, but I will only describe the manual scenario that reproduces it, which is much simpler.

When two subnets with the same cidr are connected to a router, the second request should fail with an error like this:
BadRequest: resources._ipv4_gateway_interface: Bad router request: Cidr 10.100.130.0/24 of subnet 41626435-77b8-4858-9594-a6709e2de5c5 overlaps with cidr 10.100.130.0/24 of subnet cd6566de-add9-4129-9f5e-5b99cc57194c


This error is often correctly raised.
However, when I executed the following script, the error was not raised (i.e., neutron/ovn failed to validate the cidr values connected to the routers 10/10 times) because the requests to connect the subnets to the router are sent simultaneously:
https://paste.opendev.org/show/blkPHUW6frFhQXd6zTVQ/


The following networks, subnets and routers were created:
https://paste.opendev.org/show/bm364v1oWR5u4gqLfn6P/
As you can see in this link, all the routers have two interfaces with the same IP, which should be forbidden.



Please find neutron server logs here: https://transfer.sh/TcQ5Gp/router-bug.tgz

The following ovn commands, which finish successfully, are an example of this issue:
$ grep -r "AddLRouterPortCommand.*4b9683ad-9e78-45a1-aa75-a0e0575e98bc" router-bug/
router-bug/controller-0/server.log:2022-08-17 15:58:17.237 16 DEBUG ovsdbapp.backend.ovs_idl.transaction [req-e2f84ac2-aba1-4728-b7c7-22dbf9e7acc1 - - - - -] Running txn n=1 command(idx=0): AddLRouterPortCommand(name=lrp-698f593d-6a88-4cb5-b2ed-584a4abe6194, lrouter=neutron-4b9683ad-9e78-45a1-aa75-a0e0575e98bc, may_exist=True, columns={'mac': 'fa:16:3e:2e:5a:16', 'networks': ['10.100.1.1/24'], 'external_ids': {'neutron:revision_number': '3', 'neutron:subnet_ids': 'a4753d81-6f10-4ab8-8434-1e2a23cb5437', 'neutron:network_name': 'neutron-0ac64f2f-655d-4ace-b53b-cd40846e16d0', 'neutron:router_name': '4b9683ad-9e78-45a1-aa75-a0e0575e98bc'}, 'options': {}}) do_commit /usr/lib/python3.9/site-packages/ovsdbapp/backend/ovs_idl/transaction.py:90
router-bug/controller-1/server.log.1:2022-08-17 15:58:17.526 20 DEBUG ovsdbapp.backend.ovs_idl.transaction [req-80efe883-2d16-4143-ab01-c7fb384778b0 - - - - -] Running txn n=1 command(idx=0): AddLRouterPortCommand(name=lrp-a7bc0bbe-b3e6-4ba8-b4f9-f9606df8a8fe, lrouter=neutron-4b9683ad-9e78-45a1-aa75-a0e0575e98bc, may_exist=True, columns={'mac': 'fa:16:3e:26:9c:d9', 'networks': ['10.100.1.1/24'], 'external_ids': {'neutron:revision_number': '3', 'neutron:subnet_ids': 'cf4cc59c-e9c8-49cc-bc38-a86e22566669', 'neutron:network_name': 'neutron-6bfefc85-bed7-4f9a-88ee-c3ffce748d63', 'neutron:router_name': '4b9683ad-9e78-45a1-aa75-a0e0575e98bc'}, 'options': {}}) do_commit /usr/lib/python3.9/site-packages/ovsdbapp/backend/ovs_idl/transaction.py:90




Version-Release number of selected component (if applicable):
RHOS-17.0-RHEL-9-20220808.n.1

How reproducible:
The provided script reproduced it 10/10 times

Steps to Reproduce:
1. run the following script: https://paste.opendev.org/show/blkPHUW6frFhQXd6zTVQ/
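
One way to audit neutron server logs for this condition, as an added example that is not part of the original report or of neutron: it parses `AddLRouterPortCommand` debug lines in the format shown above and reports logical router ports on the same router whose networks overlap. The sample lines are constructed (two reuse the router and port names from the report; the `EXAMPLE` names and the MAC address are placeholders).

```python
import ipaddress
import re
from collections import defaultdict
from itertools import combinations

# Matches the ovsdbapp DEBUG line format shown in the report above.
LRP_RE = re.compile(
    r"AddLRouterPortCommand\(name=(?P<lrp>[^,]+), lrouter=(?P<router>[^,]+),"
    r".*?'networks': \[(?P<nets>[^\]]*)\]"
)

def find_overlaps(lines):
    """Return sorted (router, lrp_a, lrp_b, net_a, net_b) for overlapping ports."""
    ports = defaultdict(dict)  # router -> {lrp name: [networks]}
    for line in lines:
        m = LRP_RE.search(line)
        if not m:
            continue
        cidrs = re.findall(r"'([^']+)'", m.group("nets"))
        # may_exist=True means a port can be logged again; the last entry wins.
        ports[m.group("router")][m.group("lrp")] = [
            ipaddress.ip_interface(c).network for c in cidrs
        ]
    hits = []
    for router, lrps in ports.items():
        for (a, nets_a), (b, nets_b) in combinations(sorted(lrps.items()), 2):
            for na in nets_a:
                for nb in nets_b:
                    if na.version == nb.version and na.overlaps(nb):
                        hits.append((router, a, b, str(na), str(nb)))
    return sorted(hits)

# Constructed sample input, abbreviated to the fields the parser needs.
_FMT = ("2022-08-17 15:58:17.237 16 DEBUG ovsdbapp.backend.ovs_idl.transaction [-] "
        "Running txn n=1 command(idx=0): AddLRouterPortCommand(name={lrp}, "
        "lrouter={router}, may_exist=True, columns={{'mac': 'fa:16:3e:00:00:01', "
        "'networks': ['{net}'], 'options': {{}}}})")
ROUTER = "neutron-4b9683ad-9e78-45a1-aa75-a0e0575e98bc"  # router from the report
SAMPLE = [
    _FMT.format(lrp="lrp-698f593d-6a88-4cb5-b2ed-584a4abe6194", router=ROUTER, net="10.100.1.1/24"),
    _FMT.format(lrp="lrp-a7bc0bbe-b3e6-4ba8-b4f9-f9606df8a8fe", router=ROUTER, net="10.100.1.1/24"),
    # Control: placeholder router with two non-overlapping interfaces.
    _FMT.format(lrp="lrp-EXAMPLE-1", router="neutron-EXAMPLE-ROUTER", net="10.100.2.1/24"),
    _FMT.format(lrp="lrp-EXAMPLE-2", router="neutron-EXAMPLE-ROUTER", net="10.100.3.1/24"),
]

if __name__ == "__main__":
    for hit in find_overlaps(SAMPLE):
        print("overlap on %s: %s (%s) vs %s (%s)" % (hit[0], hit[1], hit[3], hit[2], hit[4]))
```

Because the two requests in the report were handled by different controllers, feed the function the concatenated `server.log` lines from every controller, not one file at a time.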

Comment 15 errata-xmlrpc 2023-01-25 12:30:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenStack Platform 17.0 (openstack-neutron) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0275

