Ubuntu Cloud Archive

DeviceManager's fill_dhcp_udp_checksums assumes IPv6 available

Series ussuri
Bug #1915480

Bug #1915480 reported by David Comay on 2021-02-12

This bug affects 1 person

	Status	Importance	Assigned to
Ubuntu Cloud Archive	New	Undecided	Unassigned
Ussuri	New	Undecided	Unassigned
Victoria	New	Undecided	Unassigned
neutron	Fix Released	Medium	Lajos Katona
neutron (Ubuntu)	Fix Released	Medium	Unassigned
Focal	Fix Released	Medium	Unassigned

Bug Description

The following code in DeviceManager's fill_dhcp_udp_checksums assumes IPv6 is always enabled:

iptables_mgr = iptables_manager.IptablesManager(use_ipv6=True,
namespace=namespace)

When iptables_mgr.apply() is later called, an attempt to add the UDP checksum rule for DHCP is done via iptables-save/iptables-restore and if IPv6 has been disabled on a hypervisor (eg, by setting `ipv6.disable=1` on the kernel command line) then an many-line error occurs in the DHCP agent logfile.

There should be a way of telling the agent that IPv6 is disabled and as such, it should ignore trying to set up the UDP checksum rule for IPv6. This can be easily achieved given that IptablesManager already has support for disabling it.

We've seen this on Rocky on Ubuntu Bionic but it appears the issue still exists on the master branch.

=================================
Ubuntu SRU details:

[Impact]

See above

[Test Plan]

Disable IPv6 on a hypervisor.
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
Deploy Openstack Ussuri or Victoria with one compute node, using the hypervisor which has IPv6 disabled as a neutron gateway.
Create a network which has a subnetwork with DHCP enabled. Eg:
openstack network create net1
openstack subnet create subnet1 --network net1 --subnet-range 192.0.2.0/24 --dhcp
Search the `/var/log/neutron/neutron-dhcp-agent.log` (with debug log enabled) and check if there are any `ip6tables-restore` commands. Eg:
sudo grep ip6tables-restore /var/log/neutron/neutron-dhcp-agent.log

[Where problems could occur]

Users which were relying on the setting to always be true could be affected.

See original description

Tags:

Jakub Libosvar (libosvar) on 2021-02-15

Changed in neutron:
importance:	Undecided → Medium

Revision history for this message

Lajos Katona (lajos-katona) wrote on 2021-03-03:

Could you please check this proposal: https://review.opendev.org/c/openstack/neutron/+/778395
I added netutils.is_ipv6_enabled(), which should be used for all IptablesManager instance as I see

Changed in neutron:
assignee:	nobody → Lajos Katona (lajos-katona)

Revision history for this message

David Comay (comay) wrote on 2021-03-03:

Yes, looks like a good solution (glad to see `oslo.utils` has this function available already).

Lajos Katona (lajos-katona) on 2021-03-04

Changed in neutron:
status:	New → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-03-26: Fix included in openstack/neutron 18.0.0.0rc1

This issue was fixed in the openstack/neutron 18.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-13: Fix proposed to neutron (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/neutron/+/804496

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-13: Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/804499

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-23: Fix merged to neutron (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/804499
Committed: https://opendev.org/openstack/neutron/commit/6adfdd74f4ae4ca2426602c8041eab354975b3ac
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 6adfdd74f4ae4ca2426602c8041eab354975b3ac
Author: Alin-Gabriel Serdean <email address hidden>
Date: Fri Aug 13 11:43:02 2021 +0300

Trivial: check if ipv6 is available for IptablesManager

Conflicts:
neutron/agent/ovn/metadata/agent.py

To resolve conflict, rearrange alphabetically the imports from
oslo_utils.

    Change-Id: I3caf131041a852671a556b064c641fe34f8f5ed0
    Closes-Bug: #1915480
    (cherry picked from commit 6cf71cbd6a71b4849470874379877c7ca2a8fc25)

tags:

added: in-stable-victoria

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-23: Fix merged to neutron (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/804496
Committed: https://opendev.org/openstack/neutron/commit/b6a6065f9f90f83f80e3a3a997bf382b38763b29
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit b6a6065f9f90f83f80e3a3a997bf382b38763b29
Author: Alin-Gabriel Serdean <email address hidden>
Date: Fri Aug 13 11:13:20 2021 +0300

Trivial: check if ipv6 is available for IptablesManager

Conflicts:
neutron/agent/ovn/metadata/agent.py

To resolve conflict, rearrange alphabetically the imports from
oslo_utils.

    Change-Id: I3caf131041a852671a556b064c641fe34f8f5ed0
    Closes-Bug: #1915480
    (cherry picked from commit 6cf71cbd6a71b4849470874379877c7ca2a8fc25)

tags:

added: in-stable-ussuri

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-09-10: Fix included in openstack/neutron 16.4.1

This issue was fixed in the openstack/neutron 16.4.1 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-09-10: Fix included in openstack/neutron 17.2.1

This issue was fixed in the openstack/neutron 17.2.1 release.

Alin-Gabriel Serdean (alin-serdean) on 2021-09-16

no longer affects:

cloud-archive/victoria

Alin-Gabriel Serdean (alin-serdean) on 2021-09-17

description:

updated

Revision history for this message

Alin-Gabriel Serdean (alin-serdean) wrote on 2021-09-17:

#10

neutron-focal-ussuri.debdiff Edit (3.2 KiB, text/plain)

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2021-09-17:

#11

The attachment "neutron-focal-ussuri.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags:

added: patch

Revision history for this message

Alin-Gabriel Serdean (alin-serdean) wrote on 2021-09-17:

#12

neutron-focal-victoria.debdiff Edit (3.6 KiB, text/plain)

Mathew Hodson (mhodson) on 2021-09-21

Changed in neutron (Ubuntu):
importance:	Undecided → Medium
Changed in neutron (Ubuntu Focal):
importance:	Undecided → Medium

Alin-Gabriel Serdean (alin-serdean) on 2021-09-21

description:

updated

Revision history for this message

Edward Hope-Morley (hopem) wrote on 2021-09-27:

#13

ussuri 16.4.1 will be included in https://bugs.launchpad.net/cloud-archive/+bug/1943712 and victoria 17.2.1 in https://bugs.launchpad.net/cloud-archive/+bug/1943711

Revision history for this message

Brian Murray (brian-murray) wrote on 2021-11-19:

#14

16.4.1 is included in focal-updates and hirsute has 18.0 so I'm setting this to Fix Released.

Changed in neutron (Ubuntu):
status:	New → Fix Released
Changed in neutron (Ubuntu Focal):
status:	New → Fix Released

Rodolfo Alonso (rodolfo-alonso-hernandez) on 2022-11-30

Changed in neutron:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.