Security groups may not work on neutron+CentOS due to wrong sysctl.conf settings
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Fuel for OpenStack | Fix Released | Critical | Aleksandr Didenko | |
5.1.x | Fix Committed | High | Dennis Dmitriev | |
6.0.x | Fix Released | Critical | Aleksandr Didenko | |
Bug Description
api: '1.0'
astute_sha: ef8aa0fd0e3ce20
auth_required: true
build_id: 2014-12-03_01-07-36
build_number: '48'
feature_groups:
- mirantis
- experimental
fuellib_sha: a3043477337b4a0
fuelmain_sha: 7626c5aeedcde77
nailgun_sha: 500e36d08a45dbb
ostf_sha: 64cb59c681658a7
production: docker
release: 5.1.1
Steps to reproduce:
1) Deploy HA env on CentOS with neutron-vlan
2) Create security group with custom rules
3) Run 'sysctl -p' on compute nodes
4) Start instances and check if your rules work
Actual result: they do not work. iptables also shows zero counters for bridge devices on compute node:
iptables -L -n -v | grep PHYSDEV
Similar bugs:
https:/
https:/
So the problem is caused by the following sysctl settings we have in /etc/sysctl.conf file for CentOS:
# Disable netfilter on bridges.
net.bridge.
net.bridge.
net.bridge.
After usual boot, when 'bridge' kernel module is loaded, it sets those net.bridge.
tags: added: release-notes
tags: added: in progress
tags: added: in-progress; removed: in progress
Fix proposed to branch: master
Review: https://review.openstack.org/140401
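A defender-side check for the condition described in this report, as an added example that is not part of the original bug report or of Fuel: it reads a sysctl.conf-style file and flags bridge netfilter toggles set to 0. The key names are the kernel's standard `net.bridge.bridge-nf-call-*` settings, assumed here to be the ones the truncated lines in the description refer to; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file for bridge netfilter toggles.
# Assumption: the keys are the kernel's standard net.bridge.bridge-nf-call-*.
BRIDGE_NF_KEYS="net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-arptables"

# Print the effective value of key $2 in file $1 (last assignment wins,
# as with 'sysctl -p'); prints nothing if the key is not set.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                # comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Report each key in file $1; return 1 if any is 0 (netfilter skipped on bridges).
audit_bridge_nf() {
    rc=0
    for key in $BRIDGE_NF_KEYS; do
        val=$(effective_value "$1" "$key")
        case "$val" in
            0)  echo "FAIL $key=0: bridged traffic is not passed to this table"; rc=1 ;;
            "") echo "INFO $key not set in file; running kernel value applies" ;;
            *)  echo "OK   $key=$val" ;;
        esac
    done
    return "$rc"
}

# Constructed sample input (not copied from the affected nodes).
sample_conf() {
    cat <<'EOF'
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

demo=$(mktemp)
sample_conf > "$demo"
if audit_bridge_nf "$demo"; then echo "result: bridge filtering left enabled"
else echo "result: security group rules will not match bridged traffic"; fi
rm -f "$demo"
```

A non-zero return from `audit_bridge_nf /etc/sysctl.conf` on a compute node means a later `sysctl -p` would reapply the disabling values, which matches the zero PHYSDEV counters described in the report.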