Set ip_nonlocal_bind to 1 for HA routers and DVR snat

Set nonlocal_bind to 1 to allow starting applications in both routers (like ipsec from vpnaas). nonlocal_bin 0 prevens us from starting ipsec in both routers simulteniously as process can't bind to non existing address which was worarkunded in [1] by setting dependency on python process during failover. This revert [2] completely, which was partially reverted by [3]. [1] https://review.opendev.org/c/openstack/neutron-vpnaas/+/823904 [2] https://review.opendev.org/393886 [3] https://review.opendev.org/c/openstack/neutron/+/752360 Related-Bug: 1999761 Change-Id: I18a15aa3ca745b2b794610350f538d02575ccbe0 (cherry picked from commit 25ec6e7e4f)
2022-12-09 14:15:04 +00:00 · 2022-12-09 14:15:04 +00:00 · 57c7d836cb
commit 57c7d836cb
parent 5b5dd7f7a7
4 changed files with 16 additions and 12 deletions
--- a/neutron/agent/l3/dvr_snat_ns.py
+++ b/neutron/agent/l3/dvr_snat_ns.py
@ -30,9 +30,9 @@ class SnatNamespace(namespaces.Namespace):

    def create(self):
        super(SnatNamespace, self).create()
-        # This might be an HA router namespaces and it should not have
-        # ip_nonlocal_bind enabled
-        ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 0)
+        # Set nonlocal_bind to 1 to allow setup applications in HA mode
+        # for example ipsec from VPNaaS
+        ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 1)
        # Set nf_conntrack_tcp_loose to 0 to ensure mid-stream
        # TCP conversations aren't taken over by SNAT
        cmd = ['net.netfilter.nf_conntrack_tcp_loose=0']
--- a/neutron/agent/l3/ha_router.py
+++ b/neutron/agent/l3/ha_router.py
@ -51,9 +51,13 @@ THROTTLER_MULTIPLIER = 1.5
 class HaRouterNamespace(namespaces.RouterNamespace):
    """Namespace for HA router.

-    This namespace sets the ip_nonlocal_bind to 0 for HA router namespaces.
-    It does so to prevent sending gratuitous ARPs for interfaces that got VIP
-    removed in the middle of processing.
+    This namespace sets the ip_nonlocal_bind to 1 for HA router namespaces.
+    It allows to setup applications on both routers simulteniously like
+    ipsec from VPNaaS which speed up theirs failover. And let failover work
+    for VPNaaS even when python is down.
+    It is safe to set ip_nonlocal_bind to 1 as we use keepalived > 1.2.20
+    and we do not set GARP from python code anymore. More details may be
+    found in related bug #1639315.
    It also disables ipv6 forwarding by default. Forwarding will be
    enabled during router configuration processing only for the primary node.
    It has to be disabled on all other nodes to avoid sending MLD packets
@ -61,8 +65,8 @@ class HaRouterNamespace(namespaces.RouterNamespace):
    """
    def create(self):
        super(HaRouterNamespace, self).create(ipv6_forwarding=False)
-        # HA router namespaces should not have ip_nonlocal_bind enabled
-        ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 0)
+        # HA router namespaces should have ip_nonlocal_bind enabled
+        ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 1)
        # Linux should not automatically assign link-local addr for HA routers
        # They are managed by keepalived
        ip_wrapper = ip_lib.IPWrapper(namespace=self.name)
--- a/neutron/tests/functional/agent/l3/test_dvr_router.py
+++ b/neutron/tests/functional/agent/l3/test_dvr_router.py
@ -2219,7 +2219,7 @@ class TestDvrRouter(DvrRouterTestFramework, framework.L3AgentTestFramework):
        # here.
        src_machine.assert_no_ping(machine_diff_scope.ip)

-    def test_dvr_snat_namespace_has_ip_nonlocal_bind_disabled(self):
+    def test_dvr_snat_namespace_has_ip_nonlocal_bind_enabled(self):
        self.agent.conf.agent_mode = 'dvr_snat'
        router_info = self.generate_dvr_router_info(
            enable_ha=True, enable_snat=True)
@ -2234,7 +2234,7 @@ class TestDvrRouter(DvrRouterTestFramework, framework.L3AgentTestFramework):
                    "This kernel doesn't support %s in network namespaces." % (
                        ip_lib.IP_NONLOCAL_BIND))
            raise
-        self.assertEqual(0, ip_nonlocal_bind_value)
+        self.assertEqual(1, ip_nonlocal_bind_value)

    def test_dvr_router_fip_namespace_routes(self):
        """Test to validate the floatingip namespace subnets routes."""
--- a/neutron/tests/functional/agent/l3/test_ha_router.py
+++ b/neutron/tests/functional/agent/l3/test_ha_router.py
@ -337,7 +337,7 @@ class L3HATestCase(framework.L3AgentTestFramework):
        self.agent._process_updated_router(router1.router)
        self.wait_until_ha_router_has_state(router1, 'primary')

-    def test_ha_router_namespace_has_ip_nonlocal_bind_disabled(self):
+    def test_ha_router_namespace_has_ip_nonlocal_bind_enabled(self):
        router_info = self.generate_router_info(enable_ha=True)
        router = self.manage_router(self.agent, router_info)
        try:
@ -350,7 +350,7 @@ class L3HATestCase(framework.L3AgentTestFramework):
                    "This kernel doesn't support %s in network namespaces." % (
                        ip_lib.IP_NONLOCAL_BIND))
            raise
-        self.assertEqual(0, ip_nonlocal_bind_value)
+        self.assertEqual(1, ip_nonlocal_bind_value)

    @testtools.skipUnless(netutils.is_ipv6_enabled(), "IPv6 is not enabled")
    def test_ha_router_addr_gen_mode(self):