Duplicated ARP responses from ovnmetadata namespaces
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ovn (Ubuntu) | Fix Released | High | Unassigned | |
Focal | Fix Released | High | Unassigned | |
Hirsute | Fix Released | High | Unassigned | |
Impish | Fix Released | High | Unassigned | |
Bug Description
When OpenStack instances are connected to an external network, an ovn-etadata-
network. Because the ovn-metadata namespace has interfaces with the same MAC address in all computers, external switches might ARP query for the IP and receive multiple responses in different ports, triggering network error alerts.
[ubuntu@
ARPING 10.5.150.0
42 bytes from fa:16:3e:d3:10:01 (10.5.150.0): index=0 time=1.678 msec
42 bytes from fa:16:3e:d3:10:01 (10.5.150.0): index=1 time=2.143 msec
--- 10.5.150.0 statistics ---
1 packets transmitted, 2 packets received, 0% unanswered (1 extra)
rtt min/avg/max/std-dev = 1.678/1.
Reproducer: https:/
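A check for the symptom shown in the arping output above, as an added example (not part of the bug report or of the OVN packages). Every duplicate reply here carries the same MAC, so a monitor that only looks for conflicting MACs misses it; the script also compares replies received with probes sent. The function name and verdict labels are assumptions, and the sample input reuses the lines quoted in the report.

```python
import re
from collections import Counter

# Sample input: the arping lines quoted in the bug description.
SAMPLE = """\
ARPING 10.5.150.0
42 bytes from fa:16:3e:d3:10:01 (10.5.150.0): index=0 time=1.678 msec
42 bytes from fa:16:3e:d3:10:01 (10.5.150.0): index=1 time=2.143 msec
--- 10.5.150.0 statistics ---
1 packets transmitted, 2 packets received, 0% unanswered (1 extra)
"""

REPLY = re.compile(r"bytes from ([0-9a-fA-F:]{17}) \(([\d.]+)\)")
STATS = re.compile(r"(\d+) packets transmitted, (\d+) packets received")


def analyze_arping(output):
    """Classify one arping run (hypothetical helper, not an OVN or arping API)."""
    macs = Counter()
    target = None
    for match in REPLY.finditer(output):
        macs[match.group(1).lower()] += 1
        target = match.group(2)

    stats = STATS.search(output)
    if stats:
        sent, received = int(stats.group(1)), int(stats.group(2))
        extra = max(received - sent, 0)
    else:
        # Without the statistics line the probe count is unknown,
        # so surplus replies cannot be computed.
        sent, received, extra = None, sum(macs.values()), 0

    if len(macs) > 1:
        verdict = "mac-conflict"      # different MACs claim the same IP
    elif extra > 0:
        verdict = "duplicate-reply"   # one MAC answers more often than probed
    elif received == 0:
        verdict = "unanswered"
    else:
        verdict = "ok"
    return {"ip": target, "macs": dict(macs), "sent": sent,
            "received": received, "extra": extra, "verdict": verdict}


if __name__ == "__main__":
    print(analyze_arping(SAMPLE))
```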
Related branches
- James Page: Pending requested
Diff: 1036 lines (+972/-0), 10 files modified
debian/changelog (+17/-0)
debian/patches/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch (+54/-0)
debian/patches/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch (+36/-0)
debian/patches/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch (+47/-0)
debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch (+213/-0)
debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch (+153/-0)
debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch (+188/-0)
debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch (+145/-0)
debian/patches/lp-1943266-pinctrl-Don-t-send-gARPs-for-localports.patch (+111/-0)
debian/patches/series (+8/-0)
- James Page: Pending requested
Diff: 701 lines (+662/-1), 6 files modified
debian/changelog (+8/-0)
debian/patches/lp-1914988-tests-Make-certificate-generation-extendable.patch (+213/-0)
debian/patches/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch (+153/-0)
debian/patches/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch (+138/-0)
debian/patches/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch (+145/-0)
debian/patches/series (+5/-1)
description: | updated |
Changed in ovn (Ubuntu Focal): | |
status: | New → Triaged |
status: | Triaged → In Progress |
importance: | Undecided → High |
Changed in ovn (Ubuntu Hirsute): | |
status: | New → In Progress |
importance: | Undecided → High |
Changed in ovn (Ubuntu Impish): | |
status: | Triaged → Fix Released |
importance: | High → Undecided |
affects: | networking-ovn → ubuntu-translations |
no longer affects: | ubuntu-translations |
Changed in ovn (Ubuntu): | |
importance: | Undecided → High |
Changed in ovn (Ubuntu Impish): | |
importance: | Undecided → High |
I'm posting this as a bug because I believe that the ovn-metadata namespace does not need to be, and should not be, reachable from any host other than the compute itself.
This traffic could easily be blocked with an OpenFlow rule.