neutron

OVS agent is not removing VLAN tags before tunnels when configured with native OF interface

Bug #1622017 reported by Brent Eagles
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
IWAMOTO Toshihiro
neutron newton-rc1 "rc1"

Bug Description

In investigating an MTU issue, an accounted-for overhead of 4 bytes was discovered. A spurious 802.1q header was discovered using tcpdump when attempting to connect to a guest via floating IP. The tenant network type is VXLAN and the VXLAN endpoints themselves are on a VLAN. This issue effectively breaks communication with guests via floating ip for some system configurations.

The test system is configured with a default global_physnet_mtu of 1500 and inspection of the router namespace confirms that the tenant network's router interface has been automatically configured to with an MTU of 1450. Ping was used to test. e.g. ping -M do -s 1422 192.0.2.58 (1422 is the maximum that should fit in the 1450 MTU without fragmentation).

With the system configured as described, "ping -s 1420 <floating ip>" fails.

tcpdump on the controller reveals:

root@overcloud-controller-0 heat-admin]# tcpdump -vvv -e -i any icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
18:32:49.163223 P 52:54:00:01:09:3c (oui Unknown) ethertype IPv4 (0x0800), length 1464: (tos 0x0, ttl 64, id 37535, offset 0, flags [DF], proto ICMP (1), length 1448)
    192.0.2.1 > 192.0.2.58: ICMP echo request, id 16083, seq 1, length 1428
18:32:49.163340 In 00:00:00:00:00:00 (oui Ethernet) ethertype IPv4 (0x0800), length 592: (tos 0xc0, ttl 64, id 4395, offset 0, flags [none], proto ICMP (1), length 576)
    overcloud-controller-0.tenant.localdomain > overcloud-controller-0.tenant.localdomain: ICMP overcloud-novacompute-0.tenant.localdomain unreachable - need to frag (mtu 1500), length 556
        (tos 0x0, ttl 64, id 22077, offset 0, flags [DF], proto UDP (17), length 1502)
    overcloud-controller-0.tenant.localdomain.51706 > overcloud-novacompute-0.tenant.localdomain.4789: [no cksum] VXLAN, flags [I] (0x08), vni 36

Adjusting the ping size to allow for a 4 byte header (e.g. ping -s 1418 <floating ip>) succeeds.

Using an alternate tcpdump command to get information from the VXLAN traffic, reveals unusual extra 802.1q header with a vlan ID of 0:
[root@overcloud-controller-0 heat-admin]# tcpdump -vvv -n -e -i any udp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
18:36:48.095985 Out 56:13:19:d8:af:27 ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 64, id 22088, offset 0, flags [DF], proto UDP (17), length 1500)
    172.16.0.5.51706 > 172.16.0.10.4789: [no cksum] VXLAN, flags [I] (0x08), vni 36
fa:16:3e:99:37:ce > fa:16:3e:06:65:6f, ethertype 802.1Q (0x8100), length 1464: vlan 0, p 0, ethertype IPv4, (tos 0x0, ttl 63, id 37541, offset 0, flags [DF], proto ICMP (1), length 1446)
    192.0.2.1 > 192.168.2.101: ICMP echo request, id 16422, seq 1, length 1426
18:36:48.097861 P ea:0c:37:f7:69:5e ethertype 802.1Q (0x8100), length 1520: vlan 50, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 22354, offset 0, flags [DF], proto UDP (17), length 1500)
    172.16.0.10.50337 > 172.16.0.5.4789: [no cksum] VXLAN, flags [I] (0x08), vni 36

The flow table is similar to (this was taken from the compute node, not the controller but the br-tun flow tables follow the same form with only different values for local segment IDs)

[root@overcloud-novacompute-0 ml2]# ovs-ofctl -O OpenFlow13 dump-flows br-tun
OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0xb13175655506ca2e, duration=11.785s, table=0, n_packets=0, n_bytes=0, priority=1,in_port=1 actions=goto_table:2
 cookie=0xb13175655506ca2e, duration=10.955s, table=0, n_packets=0, n_bytes=0, priority=1,in_port=2 actions=goto_table:4
 cookie=0xb13175655506ca2e, duration=11.783s, table=0, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xb13175655506ca2e, duration=11.781s, table=2, n_packets=0, n_bytes=0, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=goto_table:20
 cookie=0xb13175655506ca2e, duration=11.779s, table=2, n_packets=0, n_bytes=0, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=goto_table:22
 cookie=0xb13175655506ca2e, duration=11.778s, table=3, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xb13175655506ca2e, duration=10.677s, table=4, n_packets=0, n_bytes=0, priority=1,tun_id=0x24 actions=push_vlan:0x8100,set_field:4097->vlan_vid,goto_table:10
 cookie=0xb13175655506ca2e, duration=11.777s, table=4, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xb13175655506ca2e, duration=11.776s, table=6, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xb13175655506ca2e, duration=11.774s, table=10, n_packets=0, n_bytes=0, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xb13175655506ca2e,OXM_OF_VLAN_VID[],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->OXM_OF_VLAN_VID[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:OXM_OF_IN_PORT[]),output:1
 cookie=0xb13175655506ca2e, duration=11.772s, table=20, n_packets=0, n_bytes=0, priority=0 actions=goto_table:22
 cookie=0xb13175655506ca2e, duration=10.680s, table=22, n_packets=0, n_bytes=0, priority=1,dl_vlan=1 actions=pop_vlan,set_field:0x24->tun_id,output:2
 cookie=0xb13175655506ca2e, duration=11.771s, table=22, n_packets=0, n_bytes=0, priority=0 actions=drop

On a hunch, the same trials were performed with the openvswitch agents on the controller and compute nodes configured to use the ovs-ofctl OF interface. ping -s 1422 192.0.2.58 as well as ssh to the guests and copies of large amount of data are now possible. The same tcpdump command shows that the extra 802.1q information is not present:

#with ofctl instead of native
[root@overcloud-controller-0 ml2]# tcpdump -vvv -n -e -i any udp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
19:10:31.570425 Out 56:13:19:d8:af:27 ethertype IPv4 (0x0800), length 1512: (tos 0x0, ttl 64, id 22104, offset 0, flags [DF], proto UDP (17), length 1496)
    172.16.0.5.51706 > 172.16.0.10.4789: [no cksum] VXLAN, flags [I] (0x08), vni 36
fa:16:3e:99:37:ce > fa:16:3e:06:65:6f, ethertype IPv4 (0x0800), length 1460: (tos 0x0, ttl 63, id 37549, offset 0, flags [DF], proto ICMP (1), length 1446)
    192.0.2.1 > 192.168.2.101: ICMP echo request, id 19062, seq 1, length 1426
19:10:31.572143 P ea:0c:37:f7:69:5e ethertype 802.1Q (0x8100), length 1520: vlan 50, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 22370, offset 0, flags [DF], proto UDP (17), length 1500)
    172.16.0.10.50337 > 172.16.0.5.4789: [no cksum] VXLAN, flags [I] (0x08), vni 36

The flow table is also different, using strip_vlan instead of pop_vlan (as well as other obvious differences)

[root@overcloud-novacompute-0 ml2]# ovs-ofctl dump-flows br-tun
NXST_FLOW reply (xid=0x4):
 cookie=0xb4814c0ff5ea6fd4, duration=2095.101s, table=0, n_packets=115156, n_bytes=8744100, idle_age=546, priority=1,in_port=1 actions=resubmit(,2)
 cookie=0xb4814c0ff5ea6fd4, duration=2094.475s, table=0, n_packets=346419, n_bytes=274503223, idle_age=546, priority=1,in_port=2 actions=resubmit(,4)
 cookie=0xb4814c0ff5ea6fd4, duration=2095.100s, table=0, n_packets=0, n_bytes=0, idle_age=2095, priority=0 actions=drop
 cookie=0xb4814c0ff5ea6fd4, duration=2095.099s, table=2, n_packets=115155, n_bytes=8744058, idle_age=546, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
 cookie=0xb4814c0ff5ea6fd4, duration=2095.099s, table=2, n_packets=1, n_bytes=42, idle_age=1263, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
 cookie=0xb4814c0ff5ea6fd4, duration=2095.098s, table=3, n_packets=0, n_bytes=0, idle_age=2095, priority=0 actions=drop
 cookie=0xb4814c0ff5ea6fd4, duration=2094.227s, table=4, n_packets=346419, n_bytes=274503223, idle_age=546, priority=1,tun_id=0x24 actions=mod_vlan_vid:1,resubmit(,10)
 cookie=0xb4814c0ff5ea6fd4, duration=2095.097s, table=4, n_packets=0, n_bytes=0, idle_age=2095, priority=0 actions=drop
 cookie=0xb4814c0ff5ea6fd4, duration=2095.097s, table=6, n_packets=0, n_bytes=0, idle_age=2095, priority=0 actions=drop
 cookie=0xb4814c0ff5ea6fd4, duration=2095.096s, table=10, n_packets=346419, n_bytes=274503223, idle_age=546, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xb4814c0ff5ea6fd4,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
 cookie=0xb4814c0ff5ea6fd4, duration=2095.096s, table=20, n_packets=0, n_bytes=0, idle_age=2095, priority=0 actions=resubmit(,22)
 cookie=0xb4814c0ff5ea6fd4, duration=2094.235s, table=22, n_packets=1, n_bytes=42, idle_age=1263, dl_vlan=1 actions=strip_vlan,set_tunnel:0x24,output:2
 cookie=0xb4814c0ff5ea6fd4, duration=2095.086s, table=22, n_packets=0, n_bytes=0, idle_age=2095, priority=0 actions=drop

System details follow:

System info: CentOS Linux release 7.2.1511 (Core)
Kernel version: 3.10.0-327.28.3.el7.x86_6
System is a tripleo deployment using a network isolation type network environment (see docs for details)
Deployment command line:
openstack overcloud deploy --templates ./tripleo-heat-templates
   -e ~/tripleo-heat-templates/environments/network-isolation.yaml
   -e ~/tripleo-heat-templates/environments/net-single-nic-with-vlans.yaml
   -e ~/for_net_isolation.yaml
All templates "stock" except for last, contains:
parameter_defaults:
  EC2MetadataIp: 192.0.2.1
  ControlPlaneDefaultRoute: 192.0.2.1

OpenStack packages

openvswitch.x86_64 2.5.0-2.el7 @delorean-newton-testing
openstack-neutron-openvswitch.noarch
                                 1:9.0.0-0.20160907193737.dc6508a.el7.centos
                                                        @delorean
[root@overcloud-controller-0 ~]# ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Mar 18 2016 15:00:11
DB Schema 7.12.1

[root@overcloud-controller-0 ~]# ovs-ofctl --version
ovs-ofctl (Open vSwitch) 2.5.0
Compiled Mar 18 2016 15:00:11
OpenFlow versions 0x1:0x4

python-ryu-common.noarch 4.3-2.el7 @delorean-newton-testing
python2-ryu.noarch 4.3-2.el7 @delorean-newton-testing

Tags: ovs
Assaf Muller (amuller)
tags: added: ovs
Changed in neutron:
importance: Undecided → High
milestone: none → newton-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/368553

Changed in neutron:
assignee: nobody → IWAMOTO Toshihiro (iwamoto)
status: New → In Progress
Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

Hi Brent,

thanks for detailed report.

Could you test with https://review.openstack.org/368553 ?

Revision history for this message
Brent Eagles (beagles) wrote :

Thank you Toshihiro-san.

I tested your first patch set "as-is" and it didn't seem to work. I included the change suggested by another reviewer and it did appear to resolve the issue.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/369470

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/368553
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4361f7543f984cf5f09c0c7070ac6b0f22f3b6b1
Submitter: Jenkins
Branch: master

commit 4361f7543f984cf5f09c0c7070ac6b0f22f3b6b1
Author: IWAMOTO Toshihiro <email address hidden>
Date: Mon Sep 12 14:36:18 2016 +0900

    of_interface: Use vlan_tci instead of vlan_vid

    To pop VLAN tags in learn action generated flows, vlan_tci should
    be used instead of vlan_vid. Otherwise, VLAN tags with VID=0 are
    left.

    Change-Id: Ie38ab860424f6e2e2448abac82c428dae3a8a544
    Closes-bug: #1622017

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 9.0.0.0rc1

This issue was fixed in the openstack/neutron 9.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/369470
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/413475

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/369470
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/413475
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=92199dbd83a1a5a9c02cb2d9e2651d3f285b611e
Submitter: Jenkins
Branch: master

commit 92199dbd83a1a5a9c02cb2d9e2651d3f285b611e
Author: IWAMOTO Toshihiro <email address hidden>
Date: Wed Dec 21 16:54:46 2016 +0900

    of_interface: Revert patching ryu

    To handle the mentioned bug, commit 4361f754 patched a internal data
    structure of ryu, which was a necessary evil at the time of the commit.
    The data has been added in ryu-4.7 and the patch is no longer needed.

    Change-Id: I0ecf1841dd84ab40e919e8e0817806a75b9aa9de
    Related-bug: #1622017

Revision history for this message
Brent Eagles (beagles) wrote :

Reverting this assumes that the target platforms will all have the updated ryu package (CentOS at the moment does not). Would it have been possible to check the ryu version or the existence of the required field instead and only add if required?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.