Astara

ingress DHCP traffic to instances blocked without tenant secgroup rule

Bug #1531967 reported by Adam Gandelman on 2016-01-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Astara	Fix Released	Critical	Mark McClain	Astara mitaka-2 "m2"

Bug Description

Ingress traffic to tenant VMs from the router appliance is blocked by default by the tenant's security group. This also blocks DHCP traffic, causing tenant VMs failing to get their addresses. Our devstack plugin adds a security group rule [1] to deal with this, but its unrealistic to expect real world users to add these rules just to get a functional network setup. We need to open this traffic up automatically, either via astara-orchestrator or astara-neutron.

[1] https://git.openstack.org/cgit/openstack/astara/tree/devstack/plugin.sh#n325

Tags:

Adam Gandelman (gandelman-a) on 2016-01-07

Changed in astara:
importance:	Undecided → Critical
milestone:	none → mitaka-2

Mark McClain (markmcclain) on 2016-01-07

Changed in astara:
assignee:	nobody → Mark McClain (markmcclain)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-12: Fix proposed to astara-neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/266586

Changed in astara:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-18: Fix merged to astara-neutron (master)

Reviewed: https://review.openstack.org/266586
Committed: https://git.openstack.org/cgit/openstack/astara-neutron/commit/?id=a1b3e6dd1a5336009c274083c2a25c2285d379e6
Submitter: Jenkins
Branch: master

commit a1b3e6dd1a5336009c274083c2a25c2285d379e6
Author: Mark McClain <email address hidden>
Date: Tue Jan 12 16:48:50 2016 -0500

allow DHCP from router interfaces

    This fix adds the router interfaces as allowed source addresses for
    DHCP. This supports the Astara appliance case where DHCP is running
    within the same appliance providing routing.

Change-Id: Ic4db49dc39a524b6c1557b9423496a1eb5d87843
Closes-Bug:1531967

Changed in astara:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-25: Fix proposed to astara-neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/272269

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-02-02: Fix merged to astara-neutron (stable/liberty)

Reviewed: https://review.openstack.org/272269
Committed: https://git.openstack.org/cgit/openstack/astara-neutron/commit/?id=811a7e1467f74684b6e3dc6283a1d89cd101da85
Submitter: Jenkins
Branch: stable/liberty

commit 811a7e1467f74684b6e3dc6283a1d89cd101da85
Author: Adam Gandelman <email address hidden>
Date: Mon Jan 25 13:00:02 2016 -0800

allow DHCP from router interfaces

    This fix adds the router interfaces as allowed source addresses for
    DHCP. This supports the Astara appliance case where DHCP is running
    within the same appliance providing routing.

Backported from commit 1b3e6dd1a5336009c274083c2a25c2285d379e6

Change-Id: Ic4db49dc39a524b6c1557b9423496a1eb5d87843
Closes-Bug:1531967

tags:

added: in-stable-liberty

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.