OpenStack Compute (nova)

Bridge port's hairpin mode not set after resuming a machine

Bug #1040537 reported by Björn Hagemeier on 2012-08-23

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
OpenStack Compute (nova)	Fix Released	High	Yaguang Tang	OpenStack Compute (nova) 2012.2 "folsom"
Essex	Fix Released	Undecided	Unassigned	OpenStack Compute (nova) 2012.1.3
nova (Ubuntu)	Fix Released	Undecided	Unassigned
Precise	Fix Released	Undecided	Unassigned

Bug Description

Hi there,

after resuming a guest machine from suspend, the bridge port's hairpin mode is not set. This leads to the machine not being accessible from inside the cloud installation via it's assigned floating IP. As far as I understand, this was the reason why hairpin_mode has been introduced.

Looking at the code of nova/virt/libvirt/driver.py, I see that the resume() method invokes _create_domain() rather than _create_domain_and_network(). Only the latter of these enables hairpin_mode.

Being uncertain about the implications and correct fix for this bug, I thought I'd post it this way rather than providing a questionable fix.

My approach would be to alter resume_instance in nova/compute/manager.py and add the network information to the invocation of driver.resume().

I'd be happy to give more information if required. I found this problem in the Essex release. However, it can be verified in the current master.

Best regards,
Björn

Tags:

Related branches

lp:ubuntu/precise-proposed/nova

lp:ubuntu/precise-updates/nova

CVE References

Yaguang Tang (heut2008) on 2012-08-24

Changed in nova:
status:	New → Confirmed
assignee:	nobody → Yaguang Tang (heut2008)

Vish Ishaya (vishvananda) on 2012-08-24

Changed in nova:
milestone:	none → folsom-rc1
status:	Confirmed → Triaged
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-08-24: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/11925

Changed in nova:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-08-24: Fix merged to nova (master)

Reviewed: https://review.openstack.org/11925
Committed: http://github.com/openstack/nova/commit/ee7b56fd1902a8b16d555fe4680ba146ed3a9510
Submitter: Jenkins
Branch: master

commit ee7b56fd1902a8b16d555fe4680ba146ed3a9510
Author: Yaguang Tang <email address hidden>
Date: Fri Aug 24 23:05:29 2012 +0800

Ensure hairpin_mode is set whenever vifs is added to bridge.

    Fix the bug that when create a snapshot of an instance, the
    instance cann't ping it's floating ip.
    fix bug lp:1040537

Change-Id: I25aa1a323fa84e8c72f969cb56ada4dffa509150

Changed in nova:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-08-26: Fix proposed to nova (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/11986

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-08-29:

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/12123

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-09-04: Fix merged to nova (stable/essex)

Reviewed: https://review.openstack.org/12123
Committed: http://github.com/openstack/nova/commit/014fcbc06f55ea91a4e2c3a35df048cad3ae6684
Submitter: Jenkins
Branch: stable/essex

commit 014fcbc06f55ea91a4e2c3a35df048cad3ae6684
Author: Yaguang Tang <email address hidden>
Date: Sun Aug 26 09:58:09 2012 +0800

Ensure hairpin_mode is set whenever vifs is added to bridge.

    Fix the bug that when create a snapshot of an instance, the
    instance cann't ping it's floating ip.
    fix bug lp:1040537

Change-Id: I25aa1a323fa84e8c72f969cb56ada4dffa509150

tags:

added: in-stable-essex

Thierry Carrez (ttx) on 2012-09-19

Changed in nova:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-09-27

Changed in nova:
milestone:	folsom-rc1 → 2012.2

Yolanda Robla (yolanda.robla) on 2012-12-12

Changed in nova (Ubuntu):
status:	New → Fix Released

Revision history for this message

Brian Murray (brian-murray) wrote on 2013-05-09: Please test proposed package

Hello Björn, or anyone else affected,

Accepted nova into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20130423-e52e6912-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nova (Ubuntu Precise):
status:	New → Fix Committed
tags:	added: verification-needed

Revision history for this message

Yolanda Robla (yolanda.robla) wrote on 2013-05-16: Verification report.

Please find the attached test log from the Ubuntu Server Team's CI infrastructure. As part of the verification process for this bug, Nova has been deployed and configured across multiple nodes using precise-proposed as an installation source. After successful bring-up and configuration of the cluster, a number of exercises and smoke tests have be invoked to ensure the updated package did not introduce any regressions. A number of test iterations were carried out to catch any possible transient errors.

Please Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Trunk review: https://review.openstack.org/11925
Stable review: https://review.openstack.org/12123

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Revision history for this message

Yolanda Robla (yolanda.robla) wrote on 2013-05-16:

2012.1.3+stable-20130405-e52e6912-0ubuntu1.log Edit (111.3 KiB, text/plain)

Test coverage log.

Revision history for this message

Yolanda Robla (yolanda.robla) wrote on 2013-05-16:

Please Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the Jenkins links in the comments of the relevant upstream code-review(s):

Trunk review: https://review.openstack.org/11925
Stable review: https://review.openstack.org/12123

As per the provisional Micro Release Exception granted to this package by the Technical Board, we hope this contributes toward verification of this update.

Revision history for this message

Yolanda Robla (yolanda.robla) wrote on 2013-05-16:

#10

2012.1.3+stable-20130405-e52e6912-0ubuntu1.log Edit (111.3 KiB, text/plain)

Test coverage log.

Yolanda Robla (yolanda.robla) on 2013-05-16

tags:

added: verification-done
removed: verification-needed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2013-05-16:

#11

This bug was fixed in the package nova - 2012.1.3+stable-20130423-e52e6912-0ubuntu1

---------------
nova (2012.1.3+stable-20130423-e52e6912-0ubuntu1) precise-proposed; urgency=low

  * Resynchronize with stable/essex (e52e6912) (LP: #1089488):
    - [48e81f1] VNC proxy can be made to connect to wrong VM LP: 1125378
    - [3bf5a58] snat rule too broad for some network configurations LP: 1048765
    - [efaacda] DOS by allocating all fixed ips LP: 1125468
    - [b683ced] Add nosehtmloutput as a test dependency.
    - [45274c8] Nova unit tests not running, but still passing for stable/essex
      LP: 1132835
    - [e02b459] vnc unit-test fixes
    - [87361d3] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [e98928c] VNC proxy can be made to connect to wrong VM LP: 1125378
    - [c0a10db] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
    - [243d516] No authentication on block device used for os-volume_boot
      LP: 1069904
    - [80fefe5] use_single_default_gateway does not function correctly
      (LP: #1075859)
    - [bd10241] Essex 2012.1.3 : Error deleting instance with 2 Nova Volumes
      attached (LP: #1079745)
    - [86a5937] do_refresh_security_group_rules in nova.virt.firewall is very
      slow (LP: #1062314)
    - [ae9c5f4] deallocate_fixed_ip attempts to update an already deleted
      fixed_ip (LP: #1017633)
    - [20f98c5] failed to allocate fixed ip because old deleted one exists
      (LP: #996482)
    - [75f6922] snapshot stays in saving state if the vm base image is deleted
      (LP: #921774)
    - [1076699] lock files may be removed in error dues to permissions issues
      (LP: #1051924)
    - [40c5e94] ensure_default_security_group() does not call sgh (LP: #1050982)
    - [4eebe76] At termination, LXC rootfs is not always unmounted before
      rmtree() is called (LP: #1046313)
    - [47dabb3] Heavily loaded nova-compute instances don't sent reports
      frequently enough (LP: #1045152)
    - [b375b4f] When attach volume lost attach when node restart (LP: #1004791)
    - [4ac2dcc] nova usage-list returns wrong usage (LP: #1043999)
    - [014fcbc] Bridge port's hairpin mode not set after resuming a machine
      (LP: #1040537)
    - [2f35f8e] Nova flavor ephemeral space size reported incorrectly
      (LP: #1026210)
  * Dropped, superseeded by new snapshot:
    - debian/patches/CVE-2013-0335.patch: [48e81f1]
    - debian/patches/CVE-2013-1838.patch: [efaacda]
    - debian/patches/CVE-2013-1664.patch: [c0a10db]
    - debian/patches/CVE-2013-0208.patch: [243d516]
-- Yolanda <email address hidden> Mon, 22 Apr 2013 12:37:08 +0200

This bug was fixed in the package nova - 2012.1.3+stable-20130423-e52e6912-0ubuntu1

---------------
nova (2012.1.3+stable-20130423-e52e6912-0ubuntu1) precise-proposed; urgency=low

* Resynchronize with stable/essex (e52e6912) (LP: #1089488):
    - [48e81f1] VNC proxy can be made to connect to wrong VM LP: 1125378
    - [3bf5a58] snat rule too broad for some network configurations LP: 1048765
    - [efaacda] DOS by allocating all fixed ips LP: 1125468
    - [b683ced] Add nosehtmloutput as a test dependency.
    - [45274c8] Nova unit tests not running, but still passing for stable/essex
      LP: 1132835
    - [e02b459] vnc unit-test fixes
    - [87361d3] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [e98928c] VNC proxy can be made to connect to wrong VM LP: 1125378
    - [c0a10db] DoS through XML entity expansion (CVE-2013-1664) LP: 1100282
    - [243d516] No authentication on block device used for os-volume_boot
      LP: 1069904
    - [80fefe5] use_single_default_gateway does not function correctly
      (LP: #1075859)
    - [bd10241] Essex 2012.1.3 : Error deleting instance with 2 Nova Volumes
      attached (LP: #1079745)
    - [86a5937] do_refresh_security_group_rules in nova.virt.firewall is very
      slow (LP: #1062314)
    - [ae9c5f4] deallocate_fixed_ip attempts to update an already deleted
      fixed_ip (LP: #1017633)
    - [20f98c5] failed to allocate fixed ip because old deleted one exists
      (LP: #996482)
    - [75f6922] snapshot stays in saving state if the vm base image is deleted
      (LP: #921774)
    - [1076699] lock files may be removed in error dues to permissions issues
      (LP: #1051924)
    - [40c5e94] ensure_default_security_group() does not call sgh (LP: #1050982)
    - [4eebe76] At termination, LXC rootfs is not always unmounted before
      rmtree() is called (LP: #1046313)
    - [47dabb3] Heavily loaded nova-compute instances don't sent reports
      frequently enough (LP: #1045152)
    - [b375b4f] When attach volume lost attach when node restart (LP: #1004791)
    - [4ac2dcc] nova usage-list returns  wrong usage (LP: #1043999)
    - [014fcbc] Bridge port's hairpin mode not set after resuming a machine
      (LP: #1040537)
    - [2f35f8e] Nova flavor ephemeral space size reported incorrectly
      (LP: #1026210)
  * Dropped, superseeded by new snapshot:
    - debian/patches/CVE-2013-0335.patch: [48e81f1]
    - debian/patches/CVE-2013-1838.patch: [efaacda]
    - debian/patches/CVE-2013-1664.patch: [c0a10db]
    - debian/patches/CVE-2013-0208.patch: [243d516]
 -- Yolanda <yolanda.robla@canonical.com>   Mon, 22 Apr 2013 12:37:08 +0200

Changed in nova (Ubuntu Precise):
status:	Fix Committed → Fix Released

Revision history for this message

Scott Kitterman (kitterman) wrote on 2013-05-16: Update Released

#12

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.