f5-openstack-lbaasv2-driver
lbaas-member-create doesn't fail if address already in use by other partition
Agent Version
9.0.2
Operating System
Mirantis 9
OpenStack Release
Mitaka
Description
The following command succeeds:
root@node-1:~# neutron lbaas-member-create --subnet int --address 10.0.3.111 --protocol-port 80 test-lbaasv2-pool
Created a new member:
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| address | 10.0.3.111 |
| admin_state_up | True |
| id | e333af5a-11f4-4bd8-9a61-26faee2281a9 |
| name | |
| protocol_port | 80 |
| subnet_id | 1369bdf7-06b1-44cf-b7e8-6f75ac0805ad |
| tenant_id | 1bcf7ba13bcb496196d72f481bfebb5c |
| weight | 1 |
+----------------+--------------------------------------+
but it shouldn't because the member cannot be created, from /var/log/audit:
Sep 2 06:11:52 bigip1 notice icrd_child[19350]: 01420002:5: AUDIT - pid=19350 user=admin folder=/Common module=(tmos)# status=[0107003a:3: Pool member node (/Project_1bcf7ba13bcb496196d72f481bfebb5c/10.0.3.110) and existing node (/Common/10.0.3.110) cannot use the same IP Address (10.0.3.110).] cmd_data=modify ltm pool /Project_1bcf7ba13bcb496196d72f481bfebb5c/test-lbaasv2-pool { members add { /Project_1bcf7ba13bcb496196d72f481bfebb5c/10.0.3.110:80 { address 10.0.3.110 } } }
The lbaas-member-create command should create an IP address that has a route domain as a suffix so that the IP address in /Common and /Project_1bcf7ba13bcb496196d72f481bfebb5c are distinct.
The address from /Common should be 10.0.3.111%0 and the address from /Project_1bcf7ba13bcb496196d72f481bfebb5c should be something like 10.0.3.111%
Will investigate.
Hi Rich
When I triggered the error, my setting use_namespaces is set to False, so I was not expecting to have different routing domains.
I would like to clarify whether, when using LBaaS with an F5, the LBaaS driver needs to have exclusive access / be the only one creating configurations in the F5. In other words, is it possible to use the LBaaS and create other configurations by other means (i.e. manual/heat)?
I would find it very restrictive if the LBaaS requires exclusive access to service creation. I would find it very restrictive too if LBaaS requires exclusive access to a given routing domain.
Please comment on the expected behavior.
Regardless of whether LBaaS does or doesn't require exclusive access to create services, I also find that the error should be caught instead of reporting success.
Many thanks
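A check for the mismatch reported in this issue, as an added example (not code from the driver or from anyone in this thread): it parses the BIG-IP audit line quoted in the report and flags a pool member address already held by a node in another partition. The function name `parse_rejection` and the returned field names are assumptions of this example.

```python
import re

# Audit line copied from the report above (not constructed).
AUDIT_LINE = (
    "Sep 2 06:11:52 bigip1 notice icrd_child[19350]: 01420002:5: AUDIT - "
    "pid=19350 user=admin folder=/Common module=(tmos)# "
    "status=[0107003a:3: Pool member node "
    "(/Project_1bcf7ba13bcb496196d72f481bfebb5c/10.0.3.110) and existing node "
    "(/Common/10.0.3.110) cannot use the same IP Address (10.0.3.110).] "
    "cmd_data=modify ltm pool /Project_1bcf7ba13bcb496196d72f481bfebb5c/test-lbaasv2-pool "
    "{ members add { /Project_1bcf7ba13bcb496196d72f481bfebb5c/10.0.3.110:80 "
    "{ address 10.0.3.110 } } }"
)

# Shape matched: status=[<code>:<severity>: <message>] cmd_data=<tmsh command>
STATUS_RE = re.compile(
    r"AUDIT - .*?user=(?P<user>\S+) .*?"
    r"status=\[(?P<code>[0-9a-f]{8}):(?P<sev>\d+): (?P<msg>.*?)\] "
    r"cmd_data=(?P<cmd>.*)$"
)
# Message text of the duplicate-address rejection shown in the report.
CONFLICT_RE = re.compile(
    r"Pool member node \((?P<new>/[^)]+)\) and existing node "
    r"\((?P<old>/[^)]+)\) cannot use the same IP Address \((?P<ip>[^)]+)\)"
)

def parse_rejection(line):
    """Return a dict describing a rejected command, or None if the line
    carries no bracketed error status in the shape matched above."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    event = {"user": m["user"], "code": m["code"], "cmd": m["cmd"]}
    c = CONFLICT_RE.search(m["msg"])
    if c:
        # Partition is the first path component: /<partition>/<node name>
        new_part, old_part = (p.split("/")[1] for p in (c["new"], c["old"]))
        event.update(ip=c["ip"], new_partition=new_part,
                     existing_partition=old_part,
                     cross_partition=new_part != old_part)
    return event

if __name__ == "__main__":
    print(parse_rejection(AUDIT_LINE))
```

A non-None result for a command whose Neutron call returned "Created a new member" is the silent failure described in this issue.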