[Bug 1044318] Re: pre-1.5 OVS has trouble with floating ips when pinging from the same box
To clarify my previous comment, this is not an issue with the packaging, it is a bug in OVS. I removed it from quantum RC1 as there was not code that needed to be committed to quantum to fix the issue, simply that distros needed to create new packages with the fix. Again, here is the OVS change: http://openvswitch.org/cgi- bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=53e6421bc83918ac2d00ba5516f205fa7e394140 According to the OVS team, without the change, the connection tracking logic using by IPtables gets confused if a packet passes through multiple linux network namespaces on the same host. The reason for this confusion is that OVS is not properly clearing some of the fields in the skb header, meaning the connection tracking ignores this packet, so iptables functionality that relies on this (in particular DNAT and SNAT) do not work. From the OVS commit message: It's possible that packets that are sent on internal devices (from the OVS perspective) have already traversed the local IP stack. After they go through the internal device, they will again travel through the IP stack which may get confused by the presence of existing information in the skb. The problem can be observed when switching between namespaces. This clears out that information to avoid problems but deliberately leaves other metadata alone. This is to provide maximum flexibility in chaining together OVS and other Linux components. Unfortunately, this is actually fairly common given that the quantum l3-agent uses namespaces to implement multiple quantum routers on the same box, and uses IPtables within each namespace to perform SNAT/DNAT for floating ips and external network access. Above I mention why users are ALWAYS going to hit this bug in single node developer installs, since they typically test the reachability of VMs via floating IPs. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1044318 Title: pre-1.5 OVS has trouble with floating ips when pinging from the same box To manage notifications about this bug go to: https://bugs.launchpad.net/quantum/+bug/1044318/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1044318] Re: pre-1.5 OVS has trouble with floating ips when pinging from the same box
** Branch linked: lp:~gandelman-a/ubuntu/quantal/openvswitch/lp1044318 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1044318 Title: pre-1.5 OVS has trouble with floating ips when pinging from the same box To manage notifications about this bug go to: https://bugs.launchpad.net/quantum/+bug/1044318/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1044318] Re: pre-1.5 OVS has trouble with floating ips when pinging from the same box
This bug was fixed in the package openvswitch - 1.4.2+git20120612-9ubuntu3 --- openvswitch (1.4.2+git20120612-9ubuntu3) quantal; urgency=low * debian/patches/lp1044318-Reset-upper-layer-protocol-info.patch: Cherry picked upstream patch to avoid critical issues with SNAT/DNAT when OVS is chained with other Linux components. May be dropped with 1.4.3 upload. (LP: #1044318) -- Adam Gandelman ad...@canonical.com Fri, 07 Sep 2012 12:12:03 -0700 ** Changed in: openvswitch (Ubuntu) Status: New = Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1044318 Title: pre-1.5 OVS has trouble with floating ips when pinging from the same box To manage notifications about this bug go to: https://bugs.launchpad.net/quantum/+bug/1044318/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1044318] Re: pre-1.5 OVS has trouble with floating ips when pinging from the same box
** Branch linked: lp:ubuntu/openvswitch -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1044318 Title: pre-1.5 OVS has trouble with floating ips when pinging from the same box To manage notifications about this bug go to: https://bugs.launchpad.net/quantum/+bug/1044318/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1044318] Re: pre-1.5 OVS has trouble with floating ips when pinging from the same box
** Description changed: Note: OVS from before 1.5, which includes the default versions shipped with 12.04 and Fedora 17, has a bug that causes it not to work correctly with floating IPs when the person contacting the floating IP is on the same box as quantum-l3-agent. While not very likely to happen in a production setup, this is fairly common in simple development environments. For example, let's say you create an external network 40.0.0.0/24 for floating IPs. If you then assign br-ex the IP 40.0.0.1, you should be able to reach all of your VMs with floating IPs, but it won't work because of this bug. Oddly, it will often appear to work if you use ping, but in reality you are pining the IP address in the router namespace, not the VM. We believe the following OVS commit it required for this to work properly: http://openvswitch.org/cgi- bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=53e6421bc83918ac2d00ba5516f205fa7e394140 We are looking at creating a new stable release on the 1.4.x branch to include this change and plan to work with distros to get it pulled into their packages. + + [IMPACT] + The connection tracking logic using by IPtables gets confused if a packet passes through multiple linux network namespaces on the same host. The reason for this confusion is that OVS is not properly clearing some of the fields in the skb header, meaning the connection tracking ignores this packet, so iptables functionality that relies on this (in particular DNAT and SNAT) do not work. + + In particular, the use of OVS by OpenStack Quantum is critically + affected by this bug. + + [FIX] + The issue has been fixed upstream as of 1.4.3. A minimal 5-liner that clears the appropriate metadata from the skb header. The patch has been cherry-picked and fix released in the current Ubuntu dev. release (12.10). + + [REGRESSION POTENTIAL] + Minimal. Simple patch that has been cherry-picked from the currentl upstream stable release of Openvswitch (1.4.3). ** Summary changed: - pre-1.5 OVS has trouble with floating ips when pinging from the same box + [SRU] pre-1.5 OVS has trouble with floating ips when pinging from the same box -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1044318 Title: [SRU] pre-1.5 OVS has trouble with floating ips when pinging from the same box To manage notifications about this bug go to: https://bugs.launchpad.net/quantum/+bug/1044318/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1044318] Re: pre-1.5 OVS has trouble with floating ips when pinging from the same box
** Changed in: openvswitch (Ubuntu) Importance: Undecided = Medium -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1044318 Title: pre-1.5 OVS has trouble with floating ips when pinging from the same box To manage notifications about this bug go to: https://bugs.launchpad.net/quantum/+bug/1044318/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1044318] Re: pre-1.5 OVS has trouble with floating ips when pinging from the same box
removing from milestone for quantum, as this is a purely packaging issue. ** Changed in: quantum Milestone: folsom-rc1 = None -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1044318 Title: pre-1.5 OVS has trouble with floating ips when pinging from the same box To manage notifications about this bug go to: https://bugs.launchpad.net/quantum/+bug/1044318/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1044318] Re: pre-1.5 OVS has trouble with floating ips when pinging from the same box
** Also affects: openvswitch (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openvswitch in Ubuntu. https://bugs.launchpad.net/bugs/1044318 Title: pre-1.5 OVS has trouble with floating ips when pinging from the same box To manage notifications about this bug go to: https://bugs.launchpad.net/quantum/+bug/1044318/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
