[Bug 1759956] Re: [dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks

2018-04-20 Thread Corey Bryant
** Changed in: cloud-archive/queens
   Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1759956

Title:
  [dvr][fast-exit] incorrect policy rules get deleted when a distributed
  router has ports on multiple tenant networks

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1759956/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1759956] Re: [dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks

2018-04-18 Thread Launchpad Bug Tracker
This bug was fixed in the package neutron - 2:12.0.0-0ubuntu3

---
neutron (2:12.0.0-0ubuntu3) bionic; urgency=medium

  * d/p/refresh-router-objects-after-port-binding.patch: Cherry-picked
    from upstream stable/queens branch (LP: #1759971).
  * d/p/use-cidr-during-tenant-network-rule-deletion.patch: Cherry-picked
    from upstream stable/queens branch (LP: #1759956).

 -- Corey Bryant   Mon, 16 Apr 2018 16:06:25 -0400

** Changed in: neutron (Ubuntu Bionic)
   Status: Triaged => Fix Released


[Bug 1759956] Re: [dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks

2018-04-16 Thread Corey Bryant
** Description changed:

- TL;DR: ip -4 rule del priority  table  type unicast
- will delete the first matching rule it encounters: if there are two
- rules with the same priority it will just kill the first one it finds.
+ Ubuntu SRU details
+ --
+ [Impact]
+ See Original Description below.
+ 
+ [Test Case]
+ See Original Description below.
+ 
+ [Regression Potential]
+ Low. All patches have landed upstream in corresponding stable branches. 
+ 
+ Original Description
+ 
+ TL;DR: ip -4 rule del priority  table  type unicast will 
delete the first matching rule it encounters: if there are two rules with the 
same priority it will just kill the first one it finds.
  
  The original setup is described here:
  https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/1759918
  
  OpenStack Queens from UCA (xenial, GA kernel, deployed via OpenStack
  charms), 2 external subnets (one routed provider network), 2 tenant
  subnets all in the same address scope to trigger "fast exit".
  
  2 tenant networks attached (subnets 192.168.100.0/24 and
  192.168.200.0/24) to a DVR:
  
  # 2 rules as expected
  ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
- 0:  from all lookup local 
- 32766:  from all lookup main 
- 32767:  from all lookup default 
- 8:  from 192.168.100.0/24 lookup 16 
- 8:  from 192.168.200.0/24 lookup 16 
+ 0:  from all lookup local
+ 32766:  from all lookup main
+ 32767:  from all lookup default
+ 8:  from 192.168.100.0/24 lookup 16
+ 8:  from 192.168.200.0/24 lookup 16
  
  # remove 192.168.200.0/24 sometimes deletes an incorrect policy rule
  openstack router remove subnet pubrouter othertenantsubnet
  
  # ip route del contains the cidr
  2018-03-29 20:09:52.946 2083594 DEBUG neutron.agent.linux.utils [-] Running 
command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'ne
  tns', 'exec', 'fip-d0f008fc-dc45-4237-9ce0-a9e1977735eb', 'ip', '-4', 
'route', 'del', '192.168.200.0/24', 'via', '169.254.93.94', 'dev', 
'fpr-4f9ca9ef-3'
  ] create_process 
/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py:92
  
  # ip rule delete is not that specific
  2018-03-29 20:09:53.195 2083594 DEBUG neutron.agent.linux.utils [-] Running 
command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 
'netns', 'exec', 'qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800', 'ip', '-4', 
'rule', 'del', 'priority', '8', 'table', '16', 'type', 'unicast'] create_pr
  ocess /usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py:92
  
- 
  2018-03-29 20:15:59.210 2083594 DEBUG neutron.agent.linux.utils [-] Running 
command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 
'netns', 'exec', 'qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800', 'ip', '-4', 
'rule', 'show'] create_process 
/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py:92
  2018-03-29 20:15:59.455 2083594 DEBUG neutron.agent.linux.utils [-] Running 
command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 
'netns', 'exec', 'qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800', 'ip', '-4', 
'rule', 'add', 'from', '192.168.100.0/24', 'priority', '8', 'table', '16', 
'type', 'unicast'] create_process 
/usr/lib/python2.7/dist-packages/neutron/agent/linux/utils.py:92
  
  
  
  ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
- 0:  from all lookup local 
- 32766:  from all lookup main 
- 32767:  from all lookup default 
- 8:  from 192.168.100.0/24 lookup 16 
- 8:  from 192.168.200.0/24 lookup 16 
+ 0:  from all lookup local
+ 32766:  from all lookup main
+ 32767:  from all lookup default
+ 8:  from 192.168.100.0/24 lookup 16
+ 8:  from 192.168.200.0/24 lookup 16
  
  # try to delete a rule manually to see what is going on
  
  ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule ; ip netns 
exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule del priority 8 
table 16 type unicast ; ip netns exec 
qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
- 0:  from all lookup local 
- 32766:  from all lookup main 
- 32767:  from all lookup default 
- 8:  from 192.168.100.0/24 lookup 16 
- 8:  from 192.168.200.0/24 lookup 16 
+ 0:  from all lookup local
+ 32766:  from all lookup main
+ 32767:  from all lookup default
+ 8:  from 192.168.100.0/24 lookup 16
+ 8:  from 192.168.200.0/24 lookup 16
  
- 0:  from all lookup local 
- 32766:  from all lookup main 
- 32767:  from all lookup default 
- 8:  from 192.168.200.0/24 lookup 16 
+ 0:  from all lookup local
+ 32766:  from all lookup main
+ 32767:  from all lookup default
+ 8:  from 192.168.200.0/24 lookup 16
  
  # ^^ 192.168.100.0/24 rule got deleted instead of 192.168.200.0/24
  
  # add the rule back manually
  ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule add from 
192.168.100.0/24 priority 8 table 16 type unicast
  
  # 
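
Review bot: The added [Test Case] section only points at the original description, which shows how to reproduce the wrong deletion but never states the expected result once the fixed package is installed. Suggest spelling it out in the SRU block: after `openstack router remove subnet pubrouter othertenantsubnet`, `ip rule` in the qrouter namespace should still list `8: from 192.168.100.0/24 lookup 16` and no longer list the 192.168.200.0/24 rule. Likewise, [Regression Potential] justifies "Low" only by the patches having landed upstream and does not name what behaviour could regress.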

[Bug 1759956] Re: [dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks

2018-04-16 Thread Corey Bryant
** Also affects: neutron (Ubuntu Bionic)
   Importance: Undecided
   Status: Confirmed

** Also affects: neutron (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: neutron (Ubuntu Artful)
   Status: New => Triaged

** Changed in: neutron (Ubuntu Artful)
   Importance: Undecided => Medium

** Changed in: neutron (Ubuntu Bionic)
   Status: Confirmed => Triaged

** Changed in: neutron (Ubuntu Bionic)
   Importance: Undecided => Medium

** Also affects: cloud-archive
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/queens
   Importance: Undecided
   Status: New

** Also affects: cloud-archive/pike
   Importance: Undecided
   Status: New

** Changed in: cloud-archive/pike
   Status: New => Triaged

** Changed in: cloud-archive/queens
   Status: New => Triaged

** Changed in: cloud-archive/pike
   Importance: Undecided => Medium

** Changed in: cloud-archive/queens
   Importance: Undecided => Medium


[Bug 1759956] Re: [dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks

2018-04-07 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/559257
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0224dcfea4ffeaac6cbcec7464887e7538e49091
Submitter: Zuul
Branch:    stable/pike

commit 0224dcfea4ffeaac6cbcec7464887e7538e49091
Author: Dmitrii Shcherbakov 
Date:   Thu Mar 29 17:32:01 2018 -0400

Use cidr during tenant network rule deletion

If a distributed router has interfaces on multiple tenant networks, with
'fast exit' functionality policy based rules are created in qrouter
namespace for every tenant network subnet and 'from ' is included
into an 'ip rule' command invocation.

When a port on a tenant network is deleted 'from ' part is not
included and a first rule matching specified parameters gets deleted.

For example with the following layout

ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
8:  from 192.168.100.0/24 lookup 16
8:  from 192.168.200.0/24 lookup 16

and neutron l3 agent will use this command

ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule \
    del priority 8 table 16 type unicast

and 192.168.100.0/24 rule will get deleted even if you actually removed
a port on 192.168.200.0.

This results in an extra rule present and not cleaned up and the right
rule removed. It is only recreated if a router is disabled and enabled
again.

additional changes:

1) Floating IP rules are identified by priority only as implemented
currently - for this reason this change adds fixed_ip to the rule
removal code. Rule priorities are 32-bit values in iproute2 so,
in theory, those should not be used to cover IPv6.

2) IP protocol information for 'from all' rules is currently
derived from link-local address IP version. The same approach
is preserved by using version-specific /0 addresses without
changing the API provided by ip_lib.

Change-Id: I0ea626e17771be223a1fbdf21792c90f3e9c
Closes-Bug: #1759956
(cherry picked from commit 81db328b2df08f2b4adcc80104cf05ad8966c019)


** Tags added: in-stable-pike

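
An added example, not part of the commit or of neutron: a small Python model of the deletion behaviour the commit message above describes, run over the `ip rule` listing quoted in this thread. The function names and the "first match in listing order" model are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the `ip rule` listing quoted in the bug report.
SAMPLE = """\
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
8:  from 192.168.100.0/24 lookup 16
8:  from 192.168.200.0/24 lookup 16
"""

RULE_RE = re.compile(r"^(\d+):\s+from\s+(\S+)\s+lookup\s+(\S+)\s*$")

def parse_rules(text):
    """Parse `ip rule` output into dicts, preserving listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"priority": int(m.group(1)),
                          "from": m.group(2), "table": m.group(3)})
    return rules

def delete_first_match(rules, **selector):
    """Model (assumption) of the reported behaviour: remove only the first
    rule whose fields equal every selector given; return it, or None."""
    for i, rule in enumerate(rules):
        if all(rule[k] == v for k, v in selector.items()):
            return rules.pop(i)
    return None

def ambiguous_groups(rules):
    """(priority, table) pairs shared by several rules: a delete that omits
    `from` cannot single out one member of such a group."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["priority"], r["table"])].append(r["from"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def removed_by(selector):
    """Return the `from` prefix of the rule a given delete selector removes."""
    return delete_first_match(parse_rules(SAMPLE), **selector)["from"]

if __name__ == "__main__":
    print(ambiguous_groups(parse_rules(SAMPLE)))
    print(removed_by({"priority": 8, "table": "16"}))  # selector without cidr
    print(removed_by({"priority": 8, "table": "16",
                      "from": "192.168.200.0/24"}))    # selector with cidr
```

Running `ambiguous_groups` over a namespace's `ip rule` output shows where a priority/table-only delete cannot be trusted to hit the intended subnet.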

[Bug 1759956] Re: [dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks

2018-04-06 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/559256
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fb9ec1afb6545def3130952008ee7f20dbaafd2c
Submitter: Zuul
Branch:    stable/queens

commit fb9ec1afb6545def3130952008ee7f20dbaafd2c
Author: Dmitrii Shcherbakov 
Date:   Thu Mar 29 17:32:01 2018 -0400

Use cidr during tenant network rule deletion

If a distributed router has interfaces on multiple tenant networks, with
'fast exit' functionality policy based rules are created in qrouter
namespace for every tenant network subnet and 'from ' is included
into an 'ip rule' command invocation.

When a port on a tenant network is deleted 'from ' part is not
included and a first rule matching specified parameters gets deleted.

For example with the following layout

ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip rule
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
8:  from 192.168.100.0/24 lookup 16
8:  from 192.168.200.0/24 lookup 16

and neutron l3 agent will use this command

ip netns exec qrouter-4f9ca9ef-303b-4082-abbc-e50782d9b800 ip -4 rule \
    del priority 8 table 16 type unicast

and 192.168.100.0/24 rule will get deleted even if you actually removed
a port on 192.168.200.0.

This results in an extra rule present and not cleaned up and the right
rule removed. It is only recreated if a router is disabled and enabled
again.

additional changes:

1) Floating IP rules are identified by priority only as implemented
currently - for this reason this change adds fixed_ip to the rule
removal code. Rule priorities are 32-bit values in iproute2 so,
in theory, those should not be used to cover IPv6.

2) IP protocol information for 'from all' rules is currently
derived from link-local address IP version. The same approach
is preserved by using version-specific /0 addresses without
changing the API provided by ip_lib.

Change-Id: I0ea626e17771be223a1fbdf21792c90f3e9c
Closes-Bug: #1759956
(cherry picked from commit 81db328b2df08f2b4adcc80104cf05ad8966c019)


** Tags added: in-stable-queens


[Bug 1759956] Re: [dvr][fast-exit] incorrect policy rules get deleted when a distributed router has ports on multiple tenant networks

2018-04-05 Thread Dmitrii Shcherbakov
Affects pike and queens UCA packages.

** Also affects: neutron (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: neutron (Ubuntu)
   Status: New => Confirmed
