Enable arp_accept for all interfaces

OpenStack heavily relies on gratuitous ARP updates when moving floating
IP addresses between devices. When a floating IP moves, Neutron L3 agent
issues a burst of gratuitous ARP packets that should update any existing
ARP table entries on all nodes that belong to the same network segment.

Due to locktime kernel behavior, some gratuitous ARP packets may be
ignored [1], rendering ARP table entries broken for some time. Due to a
kernel bug [2], the time may be as long as hours, depending on other
traffic flowing to the node.

With the current EL7 kernel, the only way to make sure that nodes honor
all sent gratuitous ARP updates is to set arp_accept to 1; this will
disable the locktime mechanism for the packets sent by Neutron L3 agent, and
will make sure ARP tables are always updated.

[1] https://patchwork.ozlabs.org/patch/762732/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1450203

Conflicts:
	puppet/services/kernel.yaml

Related-Bug: #1690165
Change-Id: I863b240e0ab4c4d5bb844f91b607fd0937d5cedf
(cherry picked from commit 804fd3427e)
(cherry picked from commit 0b6ce86e7a)
Ihar Hrachyshka 2017-05-23 18:13:28 -07:00
parent dd42fe9555
commit 307735cf67
2 changed files with 11 additions and 0 deletions


@ -39,6 +39,8 @@ outputs:
value: 5
net.ipv4.tcp_keepalive_time:
value: 5
net.ipv4.conf.all.arp_accept:
value: 1
net.nf_conntrack_max:
value: 500000
net.netfilter.nf_conntrack_max:
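Review bot: `net.ipv4.conf.all.arp_accept: value: 1` is not scoped to packets from the Neutron L3 agent, although the commit message says it will "disable locktime mechanism for the packets sent by Neutron L3 agent"; once set, the kernel creates and updates neighbor entries from gratuitous ARP received from any sender on the segment. Please add a short comment in kernel.yaml next to the key giving the reason and the related bug, and reword the commit message so operators see the trade-off: faster floating IP failover in exchange for broader acceptance of unsolicited ARP on every node.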


@ -0,0 +1,9 @@
---
other:
- |
All nodes now enable ``arp_accept`` sysctl setting to help with honoring
gratuitous ARP packets in their ARP tables. While sources of gratuitous ARP
packets are diverse, this comes especially useful for Neutron floating IP
addresses that roam between devices, and for which Neutron L3 agent sends
gratuitous ARP packets to update all network nodes about IP address new
locations.
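Review bot: two wording fixes in the release note: "this comes especially useful" should read "this is especially useful", and "to update all network nodes about IP address new locations" should read "to inform all network nodes of the new location of the IP address". The note should also state that ``arp_accept`` applies to gratuitous ARP from any source, not only from the Neutron L3 agent, since that is the behavioral change operators will observe on their nodes.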