Reviewed:  https://review.openstack.org/564825
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=88f5e11d8bf820b0124be0f6ec3c2d96011592d9
Submitter: Zuul
Branch:    master

commit 88f5e11d8bf820b0124be0f6ec3c2d96011592d9
Author: Miguel Angel Ajo <[email protected]>
Date:   Fri Apr 27 18:05:48 2018 +0200

    Avoid agents adding ports as trunk by default.

    Agent OVS interface code adds ports without a vlan tag,
    if neutron-openvswitch-agent fails to set the tag, or takes
    too long, the port will be a trunk port, receiving
    traffic from the external network or any other port
    sending traffic on br-int.

    Also, those kinds of ports are triggering a code path
    on the ovs-vswitchd revalidator thread which can eventually
    hog the CPU of the host (that's a bug under investigation [1])

    [1] https://bugzilla.redhat.com/show_bug.cgi?id=1558336

    Co-Authored-By: Slawek Kaplonski <[email protected]>
    Change-Id: I024bbbdf7059835b2f23c264b48478c71633a43c
    Closes-Bug: 1767422

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1767422

Title:
  Neutron agent internal ports remain untagged for some time, which
  makes them trunk ports

Status in neutron:
  Fix Released

Bug description:
  Neutron agent ports are added to br-int without any tag. That makes
  them trunk ports (receiving traffic for all VLANs) until
  neutron-openvswitch-agent will handle them.

  Sometimes the ports are left untagged forever, meaning that for
  example ha-router ha port will receive traffic directly from the
  external network (jumps to br-int to br-ex, and also back), or
  dnsmasq receives requests on the external network. Outgoing traffic
  is dropped in br-ex though.

  Vague details here (it's all we have so far):

  This also becomes an issue (still under investigation) with the
  ovs-vswitchd agent and the revalidator thread (the thread that will
  check the kernel datapath flows under some circumstances to get
  stuck, for some reason it slows down a lot while analyzing trunk
  ports, eventually crashing the node on CPU usage).

  This is also related to one security lp here:
  https://bugs.launchpad.net/bugs/1734320

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1767422/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
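
A host-side check for the condition in the bug description, as an added example that is not part of the original message or of the neutron code: it parses ovs-vsctl JSON output and reports br-int ports that carry every VLAN because they have no tag and no trunks restriction. The port names, the sample data and the allowed parameter (for patch ports that are trunks on purpose) are assumptions constructed for illustration.

```python
import json

def _unwrap(cell):
    """Decode an OVSDB JSON cell: ["set", [...]] -> list, bare atom -> [atom]."""
    if isinstance(cell, list) and len(cell) == 2 and cell[0] == "set":
        return list(cell[1])
    return [cell]

def untagged_trunk_ports(port_json, bridge_ports, allowed=()):
    """Return sorted names of ports on the bridge that carry all VLANs.

    With vlan_mode unset, OVS treats a port as access when tag is set and as
    trunk otherwise; a trunk whose trunks column is empty carries every VLAN.
    """
    table = json.loads(port_json)
    idx = {h: i for i, h in enumerate(table["headings"])}
    findings = []
    for row in table["data"]:
        name = row[idx["name"]]
        if name not in bridge_ports or name in allowed:
            continue
        tag = _unwrap(row[idx["tag"]])
        trunks = _unwrap(row[idx["trunks"]])
        mode = _unwrap(row[idx["vlan_mode"]])
        implicit_trunk = not mode and not tag   # the case in the bug report
        explicit_trunk = mode == ["trunk"]      # tag is ignored in this mode
        if (implicit_trunk or explicit_trunk) and not trunks:
            findings.append(name)
    return sorted(findings)

# Constructed sample, shaped like the output of
#   ovs-vsctl --format=json --columns=name,tag,trunks,vlan_mode list Port
SAMPLE_PORTS = json.dumps({
    "headings": ["name", "tag", "trunks", "vlan_mode"],
    "data": [
        ["tap-dhcp0", 5, ["set", []], ["set", []]],            # tagged: access
        ["ha-port0", ["set", []], ["set", []], ["set", []]],   # never tagged
        ["trunk-ok", ["set", []], ["set", [10, 20]], "trunk"], # restricted trunk
        ["int-br-ex", ["set", []], ["set", []], ["set", []]],  # patch port
        ["phy-br-ex", ["set", []], ["set", []], ["set", []]],  # not on br-int
    ],
})
# Constructed sample, as from `ovs-vsctl list-ports br-int`
SAMPLE_BR_INT = {"tap-dhcp0", "ha-port0", "trunk-ok", "int-br-ex"}

if __name__ == "__main__":
    print(untagged_trunk_ports(SAMPLE_PORTS, SAMPLE_BR_INT, allowed={"int-br-ex"}))
```

Run periodically, a port that stays in the result across several runs matches the "left untagged forever" case rather than the short window before the agent tags it.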

