[Bug 1944424] Re: AppArmor causing HA routers to be in backup state on wallaby-focal

Liam Young 1944424 at bugs.launchpad.net
Wed Sep 22 11:06:55 UTC 2021


A patch was introduced [0] "..which sets the backup gateway
device link down by default. When the VRRP sets the master state in
one host, the L3 agent state change procedure will
do link up action for the gateway device.".

This change causes an issue when using keepalived 2.X (focal+), which
is fixed by patch [1], which adds a new 'no_track' option to all VIPs
and routes in keepalived's config file.

Patch [1], which fixed keepalived 2.X, broke keepalived 1.X (<focal).
So patch [2] was added, which adds a keepalived_use_no_track config
option which is set to True to control whether the 'no_track' option
is added to the keepalived config.

Finally, patchset [3] introduces automatic detection of the
keepalived version by adding a call to `keepalived --version`,
but this is denied by the package's AppArmor rules.


[0] https://review.opendev.org/c/openstack/neutron/+/707406
[1] https://review.opendev.org/c/openstack/neutron/+/721799
[2] https://review.opendev.org/c/openstack/neutron/+/745641
[3] https://review.opendev.org/c/openstack/neutron/+/757620


** Also affects: neutron (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: neutron (Ubuntu)
       Status: New => Confirmed

** Changed in: charm-neutron-gateway
       Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1944424

Title:
  AppArmor causing HA routers to be in backup state on wallaby-focal

Status in OpenStack neutron-gateway charm:
  Invalid
Status in neutron package in Ubuntu:
  Confirmed

Bug description:
  When preparing to test the next OpenStack charms release, we ran wallaby with ovs for the first time.
  Deployment finishes OK, but validation with rally/tempest/manual fails on VMs not being accessible via FIP. It is the same bundle we use for ussuri-focal, just the openstack source changed to wallaby.
  I checked the qrouter namespaces on the n-g-w units and they are missing IPs from both the internal and FIP networks.

  $ openstack server list
  +--------------------------------------+------+--------+---------------------------------------+--------------------------------------------------------------+----------+
  | ID                                   | Name | Status | Networks                              | Image                                                        | Flavor   |
  +--------------------------------------+------+--------+---------------------------------------+--------------------------------------------------------------+----------+
  | a663daed-f83d-4261-8be8-c3b14a2119bc | i1   | ACTIVE | ubuntu-net=10.244.32.178, 172.16.0.46 | auto-sync/ubuntu-focal-20.04-amd64-server-20210907-disk1.img | m1.small |
  +--------------------------------------+------+--------+---------------------------------------+--------------------------------------------------------------+----------+
  $ openstack router list
  +--------------------------------------+----------------------+--------+-------+----------------------------------+-------------+------+
  | ID                                   | Name                 | Status | State | Project                          | Distributed | HA   |
  +--------------------------------------+----------------------+--------+-------+----------------------------------+-------------+------+
  | 3e66a884-44a6-4215-93ba-a0c36e4e11fe | provider-2734-router | ACTIVE | UP    | 72760178d29d4a3d8bf6d089144e8b24 | False       | True |
  | 3efc0daa-b7aa-4a90-9aab-f2d2a337bf42 | lb-mgmt              | ACTIVE | UP    | 882abd3f409943d5aed21af227799297 | False       | True |
  +--------------------------------------+----------------------+--------+-------+----------------------------------+-------------+------+

  $ juju ssh neutron-gateway/0
  ubuntu@node5:~$ sudo ip netns exec qrouter-3e66a884-44a6-4215-93ba-a0c36e4e11fe ip a
  ...
  2: ha-a9df6fef-2c@if58: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
      link/ether fa:16:3e:f7:ca:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
      inet 169.254.194.217/18 brd 169.254.255.255 scope global ha-a9df6fef-2c
         valid_lft forever preferred_lft forever
      inet6 fe80::f816:3eff:fef7:cad9/64 scope link
         valid_lft forever preferred_lft forever
  3: qr-3f7f5df5-d6@if59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
      link/ether fa:16:3e:57:79:36 brd ff:ff:ff:ff:ff:ff link-netnsid 0
  4: qg-751ef1ba-61@if60: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
      link/ether fa:16:3e:a6:31:43 brd ff:ff:ff:ff:ff:ff link-netnsid 0

  ubuntu@anorith-cpe-7e0cdf44-65ce-43a3-80c1-038eedab4085:~/pokus$ juju ssh neutron-gateway/1
  ubuntu@node6:~$ sudo ip netns exec qrouter-3e66a884-44a6-4215-93ba-a0c36e4e11fe ip a
  ...
  2: ha-731389f1-c5@if60: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
      link/ether fa:16:3e:c3:70:09 brd ff:ff:ff:ff:ff:ff link-netnsid 0
      inet 169.254.195.226/18 brd 169.254.255.255 scope global ha-731389f1-c5
         valid_lft forever preferred_lft forever
      inet6 fe80::f816:3eff:fec3:7009/64 scope link
         valid_lft forever preferred_lft forever
  3: qr-3f7f5df5-d6@if61: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
      link/ether fa:16:3e:57:79:36 brd ff:ff:ff:ff:ff:ff link-netnsid 0
  4: qg-751ef1ba-61@if62: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
      link/ether fa:16:3e:a6:31:43 brd ff:ff:ff:ff:ff:ff link-netnsid 0

  I am now running another test which would provide linkable logs and
  yamls.
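
A check for the failure described in the comment at the top of this message, as an added example that is not part of the original report or of neutron's code: it scans kernel audit lines for AppArmor denials of a keepalived exec, which is what the `keepalived --version` call would produce. The log lines, profile name, paths and pids are constructed for illustration and are assumptions, not values from this bug.

```python
import re

# Constructed kernel audit lines in the AppArmor key="value" format.
# Profile name, binary paths, pids and timestamps are assumptions.
SAMPLE_LOG = """\
Sep 22 10:01:02 node5 kernel: [  812.101] audit: type=1400 audit(1632304862.101:211): apparmor="DENIED" operation="exec" profile="/usr/bin/neutron-l3-agent" name="/usr/sbin/keepalived" pid=4121 comm="neutron-l3-agen" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Sep 22 10:01:03 node5 kernel: [  813.007] audit: type=1400 audit(1632304863.007:212): apparmor="ALLOWED" operation="open" profile="/usr/bin/neutron-l3-agent" name="/etc/neutron/l3_agent.ini" pid=4121 comm="neutron-l3-agen" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 22 10:01:04 node5 kernel: [  814.330] audit: type=1400 audit(1632304864.330:213): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/run/foo" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Matches key="quoted value" or key=bare_value pairs.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the key/value fields of one audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def denied_execs(log, binary="keepalived"):
    """List (profile, path, comm) for each denied exec of `binary`."""
    hits = []
    for line in log.splitlines():
        fields = parse_audit(line)
        if fields.get("apparmor") != "DENIED":
            continue  # skip ALLOWED (complain mode) and non-AppArmor lines
        if fields.get("operation") != "exec":
            continue  # only exec denials are relevant here
        if "x" not in fields.get("denied_mask", ""):
            continue
        path = fields.get("name", "")
        if path.rsplit("/", 1)[-1] == binary:
            hits.append((fields.get("profile", ""), path, fields.get("comm", "")))
    return hits


if __name__ == "__main__":
    for profile, path, comm in denied_execs(SAMPLE_LOG):
        print(f"profile {profile} was denied exec of {path} (comm={comm})")
```

The profile named in a hit is the one whose rules need an exec permission for the keepalived binary.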
