Neutron remote security group does not work
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | High | Hang Yang | |
Bug Description
Steps to reproduce the issue using Neutron Rocky with OVS:
# create bastion-sec-grp to allow ssh from anywhere
openstack security group create bastion-sec-grp
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-ip 0.0.0.0/0 --ingress --dst-port=22 bastion-sec-grp
# create application-sec-grp
openstack security group create application-sec-grp
# Allow ssh to egress from the bastion group to the application group
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-group application-sec-grp --egress --dst-port=22 bastion-sec-grp
# Allow ssh to ingress to the application group from the bastion group
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-group bastion-sec-grp --ingress --dst-port=22 application-sec-grp
# create servers and associate with security groups
openstack server create --wait --image rhel7 --flavor small --security-group bastion-sec-grp bastion-server
openstack server create --wait --image rhel7 --flavor small --security-group application-sec-grp application-server
After boot, bastion-server and application-server landed on different HVs, and we can ssh to bastion-server but cannot ssh to application-server from there. Neutron debug log from application-
2020-02-05 22:57:05,825 DEBUG [neutron.
Suspect this is related to: https:/
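What the rules in the reproduction steps are expected to permit, as an added example rather than Neutron code or anything from the report: a minimal Python model of remote-group matching, useful as a baseline when checking what the firewall actually enforces. The port addresses are constructed, and the default rules Neutron adds to a new group are left out of the model (assumption).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    protocol: str
    dst_port: int
    remote_ip: Optional[str] = None     # peer must fall inside this CIDR
    remote_group: Optional[str] = None  # peer must be a member of this group

# Rules exactly as created in the reproduction steps. Default rules that
# Neutron adds to a new group are not modelled (assumption).
GROUPS = {
    "bastion-sec-grp": [
        Rule("ingress", "tcp", 22, remote_ip="0.0.0.0/0"),
        Rule("egress", "tcp", 22, remote_group="application-sec-grp"),
    ],
    "application-sec-grp": [
        Rule("ingress", "tcp", 22, remote_group="bastion-sec-grp"),
    ],
}

# Constructed port addresses; the report does not give the real ones.
PORTS = {
    "bastion-server": ("192.0.2.10", "bastion-sec-grp"),
    "application-server": ("192.0.2.20", "application-sec-grp"),
}

def members(group):
    """IP addresses of every port in a group, whichever host the port is on."""
    return {ip for ip, g in PORTS.values() if g == group}

def matches(rule, direction, protocol, dst_port, peer_ip):
    if (rule.direction, rule.protocol, rule.dst_port) != (direction, protocol, dst_port):
        return False
    if rule.remote_group is not None:
        return peer_ip in members(rule.remote_group)
    return ip_address(peer_ip) in ip_network(rule.remote_ip)

def permitted(group, direction, protocol, dst_port, peer_ip):
    return any(matches(r, direction, protocol, dst_port, peer_ip) for r in GROUPS[group])

def flow_allowed(src, dst, protocol, dst_port):
    """A flow passes only if src's egress rules and dst's ingress rules both match."""
    (src_ip, src_grp), (dst_ip, dst_grp) = PORTS[src], PORTS[dst]
    return (permitted(src_grp, "egress", protocol, dst_port, dst_ip)
            and permitted(dst_grp, "ingress", protocol, dst_port, src_ip))

def ingress_from_ip(dst, src_ip, protocol, dst_port):
    """Ingress verdict for a source address that is not one of the modelled ports."""
    return permitted(PORTS[dst][1], "ingress", protocol, dst_port, src_ip)
```

Under this model ssh from bastion-server to application-server is allowed, while ssh to application-server from any address outside bastion-sec-grp is not, so the refused connection in the report is a departure from the configured policy.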
tags: | added: ovs-fw sg-fw |
Changed in neutron: | |
importance: | Undecided → High |
tags: | added: neutron-proactive-backport-potential |
tags: | added: sts |
tags: | removed: neutron-proactive-backport-potential |
Fix proposed to branch: master
Review: https://review.opendev.org/707248