neutron

Neighbor table entry for router missing with Linux bridge + L3HA + L2 population

Bug #1523031 reported by Matt Kassawara
34
This bug affects 6 people
Affects Status Importance Assigned to Milestone
neutron
Expired
High
Unassigned

Bug Description

Using Linux bridge, L3HA, and L2 population on Liberty, the neighbor table (ip neigh show) on the compute node lacks an entry for the router IP address. For example, using a router with 172.16.1.1 and instance with 172.16.1.4:

On the node with the L3 agent containing the router:

# ip neigh show
169.254.192.1 dev vxlan-476 lladdr fa:16:3e:9b:d5:6f PERMANENT
10.4.30.11 dev eth1 lladdr bc:76:4e:04:3c:59 REACHABLE
10.4.11.11 dev eth0 lladdr bc:76:4e:04:d0:75 REACHABLE
172.16.1.4 dev vxlan-466 lladdr fa:16:3e:ad:44:df PERMANENT
10.4.30.31 dev eth1 lladdr bc:76:4e:05:1f:5f STALE
10.4.11.31 dev eth0 lladdr bc:76:4e:04:38:4c STALE
10.4.30.1 dev eth1 lladdr bc:76:4e:04:41:62 STALE
10.4.11.1 dev eth0 lladdr bc:76:4e:04:77:72 DELAY
172.16.1.2 dev vxlan-466 lladdr fa:16:3e:a0:83:a5 PERMANENT

# ip netns exec qrouter-1521b4b1-7de9-4ed0-be19-69ac02ccf520 ping 172.16.1.4
PING 172.16.1.4 (172.16.1.4) 56(84) bytes of data.
...

On the node with the instance:

# ip neigh show
172.16.1.2 dev vxlan-466 lladdr fa:16:3e:a0:83:a5 PERMANENT
10.4.11.1 dev eth0 lladdr bc:76:4e:04:77:72 DELAY
172.16.1.3 dev vxlan-466 lladdr fa:16:3e:41:3b:de PERMANENT
10.4.30.1 dev eth1 lladdr bc:76:4e:04:41:62 STALE
10.4.11.12 dev eth0 lladdr bc:76:4e:05:e2:f8 STALE
10.4.30.12 dev eth1 lladdr bc:76:4e:05:76:d1 STALE
10.4.11.41 dev eth0 lladdr bc:76:4e:05:e3:6a STALE
10.4.11.11 dev eth0 lladdr bc:76:4e:04:d0:75 REACHABLE
10.4.30.11 dev eth1 lladdr bc:76:4e:04:3c:59 STALE

172.16.1.2 and 172.16.1.3 belong to DHCP agents. I can access the instance from within both DHCP agent namespaces.

On the node with the instance, I manually add a neighbor entry for the router:

# ip neigh replace 172.16.1.1 lladdr fa:16:3e:0a:d4:39 dev vxlan-466 nud permanent

On the node with the L3 agent containing the router:

# ip netns exec qrouter-1521b4b1-7de9-4ed0-be19-69ac02ccf520 ping 172.16.1.4
64 bytes from 172.16.1.4: icmp_seq=1 ttl=64 time=2.21 ms
64 bytes from 172.16.1.4: icmp_seq=2 ttl=64 time=45.9 ms
64 bytes from 172.16.1.4: icmp_seq=3 ttl=64 time=1.23 ms
64 bytes from 172.16.1.4: icmp_seq=4 ttl=64 time=0.975 ms

Jesse Pretorius (jesse-pretorius)
Changed in openstack-ansible:
milestone: none → mitaka-2
Sean M. Collins (scollins)
tags: added: linuxbridge
Matt Kassawara (ionosphere80)
tags: added: l2-pop l3-ha
Revision history for this message
Assaf Muller (amuller) wrote :

After talking to Matt on IRC, the effect of this bug is that L3 HA + l2pop + LB is completely broken: This bug breaks connectivity between VMs and their router.

Jesse Pretorius (jesse-pretorius)
Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium
yuxingw (yuxingw)
Changed in neutron:
assignee: nobody → yuxingw (yuxingw)
assignee: yuxingw (yuxingw) → nobody
Revision history for this message
Assaf Muller (amuller) wrote :

Matt did a lot of great isolation work, and found that with L3 HA + l2pop + OVS agent the L2 pop mech driver does send fdb info about the HA router ports:

http://paste.openstack.org/show/482246/

In that paste you can see that for HA router port 172.16.1.1, MAC fa:16:3e:1d:c6:5a, it's being sent and received. Also for the same MAC you can see two entries in table 20. Once learned via regular MAC learning (Via the flow in table 10), and once with l2pop. This is normal operation using the OVS agent.

When using LB, you can see in this paste:
http://paste.openstack.org/show/482242/

That the l2pop server side code is not sending an fdb entry about the HA router port.

Revision history for this message
Matt Kassawara (ionosphere80) wrote :

Further investigation reveals inconsistency with reproducing this issue. When it occurs, the router port remains in the 'BUILD' state instead of changing to 'ACTIVE' which prevents the l2pop code from distributing the fdb entry to L2 agents.

Ihar Hrachyshka (ihar-hrachyshka)
Changed in neutron:
milestone: none → mitaka-3
importance: Undecided → High
tags: added: liberty-backport-potential
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: mitaka-3 → mitaka-rc1
Manjeet Singh Bhatia (manjeet-s-bhatia)
Changed in neutron:
assignee: nobody → Manjeet Singh Bhatia (manjeet-s-bhatia)
Manjeet Singh Bhatia (manjeet-s-bhatia)
Changed in neutron:
assignee: Manjeet Singh Bhatia (manjeet-s-bhatia) → nobody
Revision history for this message
Manjeet Singh Bhatia (manjeet-s-bhatia) wrote :

amuller : I want to work on this. is two node devstack enough to test this out ?

Changed in neutron:
assignee: nobody → Manjeet Singh Bhatia (manjeet-s-bhatia)
Revision history for this message
Matt Kassawara (ionosphere80) wrote :

At least three... two nodes with the L3 agent and one compute node.

Revision history for this message
Manjeet Singh Bhatia (manjeet-s-bhatia) wrote :

ok I have two node devstack one has everything q-svc, q-l3, compute and second node q-l3, q-meta and ovs. logically i have two l3 servers. is that ok or i should add one more network node ?

Revision history for this message
Matt Kassawara (ionosphere80) wrote :

This bug involves the Linux bridge agent, not OVS.

Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: mitaka-rc1 → newton-1
Jesse Pretorius (jesse-pretorius)
no longer affects: openstack-ansible/liberty
Revision history for this message
Tore Anderson (toreanderson) wrote :

Is this bug fixed in Mitaka, or am I just lucky to not be able to reproduce it here?

Setup is as follows:

Router: .1, :1
DHCP agent 1: .2, :913b
DHCP agent 2: .3, :36a9
Instance: .4, :1296

On the network node running the active L3 agent and a DHCP agent, I see:

$ ip neigh show dev vxlan-65601
2a02:c0:4f0:1600:f816:3eff:fe5c:1296 lladdr fa:16:3e:5c:12:96 PERMANENT
2a02:c0:4f0:1600:f816:3eff:feb4:36a9 lladdr fa:16:3e:b4:36:a9 PERMANENT
192.168.0.4 lladdr fa:16:3e:5c:12:96 PERMANENT
192.168.0.3 lladdr fa:16:3e:b4:36:a9 PERMANENT

On the network node running a passive L3 agent and another DHCP agent:

$ ip neigh show dev vxlan-65601
2a02:c0:4f0:1600:f816:3eff:fe5c:1296 lladdr fa:16:3e:5c:12:96 PERMANENT
2a02:c0:4f0:1600:f816:3eff:feb4:36a9 lladdr fa:16:3e:b4:36:a9 PERMANENT
192.168.0.4 lladdr fa:16:3e:5c:12:96 PERMANENT
192.168.0.3 lladdr fa:16:3e:b4:36:a9 PERMANENT

On the compute node hosting the instance:

$ ip neigh show dev vxlan-65601
2a02:c0:4f0:1600:f816:3eff:feb4:36a9 lladdr fa:16:3e:b4:36:a9 PERMANENT
2a02:c0:4f0:1600:f816:3eff:fe31:913b lladdr fa:16:3e:31:91:3b PERMANENT
2a02:c0:4f0:1600::1 lladdr fa:16:3e:dd:b4:8c PERMANENT
192.168.0.1 lladdr fa:16:3e:c6:57:9f PERMANENT
192.168.0.2 lladdr fa:16:3e:31:91:3b PERMANENT
192.168.0.3 lladdr fa:16:3e:b4:36:a9 PERMANENT

Multicast doesn't work between the compute node and the two network nodes, and in any case "ip -d link show dev vxlan-65601" does not mention "group" at all.

It all seems to work just fine, but since it's not "supposed to" per this bug, I'm kind of wary of putting it into production until I fully understand why.

Running openstack-neutron-*-8.0.0-1.el7.noarch, for what it's worth.

Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: newton-1 → newton-2
Revision history for this message
Miguel Alejandro Cantu (miguel-cantu) wrote :

I think I'm running into this problem in my hyper-converged environment with two network nodes. This is ultimately effecting our network architecture in our production environment(we also see this behavior there). We keep seeing multiple router interfaces getting stuck at the "BUILD" state. I'm not sure if it's because l2pop is not sending that fdb entry, but right now I'm not spinning up any instances..just making networks and attaching them to routers. Is there a way I could check to see if this is a problem with a lack of an FDB entry right now?. In the meantime...I think it's safe to say that my problem is related to this bug.
Below is a summary of the relevant environment configurations in my environment.

Two network nodes with these configurations in l3_agent.ini:
# HA failover
ha_confs_path = /var/lib/neutron/ha_confs
ha_vrrp_advert_int = 2
ha_vrrp_auth_password = 498d3d5737ca7273167c8badee533e9f2cf18e4db30676450
ha_vrrp_auth_type = PASS
handle_internal_only_routers = False
send_arp_for_ha = 3

in plugins/ml2/ml2_conf.ini:
mechanism_drivers = linuxbridge,l2population
l2_population = True

in plugins/ml2/linuxbridge_agent.ini:
[linux_bridge]

physical_interface_mappings = flat:eth12,vlan:eth11

# Linux bridge agent VXLAN networks
[vxlan]

enable_vxlan = True
vxlan_group = 239.1.1.1
# VXLAN local tunnel endpoint
local_ip = 172.29.243.52
l2_population = True

# Agent
[agent]
prevent_arp_spoofing = False

# Security groups
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
enable_security_group = True

Like stated above, when we create our private tenant networks, then attach them to the router, some of them stay in the BUILD state until we bounce them(bring them down, then back up). Sometimes, the router gateway interfaces stay in the BUILD state too. Bouncing the interface doesn't always bring it back up the first time. Sometimes we have to bounce it multiple times before it finally reports as being "ACTIVE".
Keep in mind this is in an environment with 10 or so subnets being created rapidly. We are creating a pair of routers and many subnets using Ansible. All of this is done within the span of 30 seconds. Maybe we are creating them too fast?

Anyway, maybe someone here could help me figure out a workaround for now? Unfortunately, this isn't acceptable for our production environment.

Many thanks, and if there is anything I can do to help out with this bug please hit me up in IRC.

Revision history for this message
Miguel Alejandro Cantu (miguel-cantu) wrote :

Turns out when I disable L2pop, my problem still persist. When I disable L3HA, my problem goes away. So my problem is with the l3ha vrrp driver.

Revision history for this message
Matt Kassawara (ionosphere80) wrote :

I'm fairly certain the L3HA driver contains a bug (perhaps a race condition) that prevents changing the router state to active. The issue doesn't appear every time I create a router.

Revision history for this message
Miguel Alejandro Cantu (miguel-cantu) wrote :

I've posted a new bug related to the issue I'm seeing since it is different from this bug:
https://bugs.launchpad.net/neutron/+bug/1590845

Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: newton-2 → newton-3
Manjeet Singh Bhatia (manjeet-s-bhatia)
Changed in neutron:
assignee: Manjeet Singh Bhatia (manjeet-s-bhatia) → nobody
Jesse Pretorius (jesse-pretorius)
no longer affects: openstack-ansible
no longer affects: openstack-ansible/trunk
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: newton-3 → newton-rc1
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: newton-rc1 → ocata-1
Ihar Hrachyshka (ihar-hrachyshka)
tags: removed: liberty-backport-potential
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: ocata-1 → ocata-2
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: ocata-2 → ocata-3
Dilip Renkila (dilip-renkila278)
Changed in neutron:
assignee: nobody → Dilip Renkila (dilip-renkila278)
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: ocata-3 → ocata-rc1
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Status of this issue is unclear.

Changed in neutron:
milestone: ocata-rc1 → none
assignee: Dilip Renkila (dilip-renkila278) → nobody
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.