Juniper Openstack

with software simple gateway and default security group ping on floating IP is working only on local compute node

Bug #1736972 reported by Sorin Toderica on 2017-12-07

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R3.2	Fix Committed	High	Hari Prasad Killi	Juniper Openstack r3.2.9.0
R4.0	Won't Fix	High	Nagendra E S	Juniper Openstack r4.0.4.0
R4.1	Fix Committed	Undecided	Nagendra E S	Juniper Openstack r4.1.2.0
R5.0	Fix Committed	Undecided	Nagendra E S	Juniper Openstack r5.0.1
Trunk	Fix Committed	Undecided	Nagendra E S	Juniper Openstack r5.1.0

Bug Description

I'm using OpenContrail 3.2.6.0 and Openstack 2.3.1 (Mitaka).
The problem is also reproducing with 3.2.8.0 and Openstack Newton.

I have a default setup with 2 compute nodes, and install a software simple gateway on one compute node. I also have only the default security group and two VMs created in one virtual network. Also have a public network for floating IP. Each VM is distributed on different compute nodes and each VM uses its own floating IP.
I'm able to ping only the IP of the VM that is running on the compute node where the vgw was installed.
The ping of floating IP for the second VM will be discarded on second compute node due to "Flow Action Drop" reason of dropstats command.

One flow is present from that ping between a PC and the VM, but the action of the flow is D(SG) - discard due security group.

We have a work around for this bug. Going in the security group and change the IPV4 Ingress rule - which has "default" set as Address (the default security group)and we change this with 0.0.0.0/0 and the ping starts to work.

Tags:

Revision history for this message

Sorin Toderica (stoderica) wrote on 2017-12-13:

Seems that with default security group rules the normal behavior is that ping to floating IPs will not work. New rules need to be added to enable this (for public subnet) or to change the "default" with 0.0.0.0/0 in default security group IPV4 ingress rule.
So the bug is in fact about FIP's are pinged by default for VMs running on vgw compute node.

Also the security group and FIP will not work correctly on at all on that particular compute node.

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-12-19: [Review update] R3.2

Review in progress for https://review.opencontrail.org/38460
Submitter: Sorin Toderica (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-01-11: A change has been merged

#11

Reviewed: https://review.opencontrail.org/38460
Committed: http://github.com/Juniper/contrail-controller/commit/a4071328fbbf96f2974ee847aa8b108a910a027e
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit a4071328fbbf96f2974ee847aa8b108a910a027e
Author: Sorin Toderica <email address hidden>
Date: Tue Dec 19 09:01:49 2017 -0500

If I install a software simple gateway (vgw) on a compute node and create in one virtual network 2 virtual machines, each of them with default security group and attach a floating IP to each of those 2 VMs I can ping by default the VM which runs on the compute node where the vgw was installed but cannot ping the VM which is runing on the second compute node.
The normal behavior should be that by default (as long as in the security default rule the ingress rule uses the default security group as "Address" instead of 0.0.0.0/0 the ping on floating IPs should not work.
Code needs to be added to treat the special case of the vgw interface - which is an interface of type INET and sub-type SIMPLE_GATEWAY. After these changes the security group rules will be respected for floating IPs on both compute nodes.

Change-Id: If8d43bfb7c580e47445054f97380bd3c4df7a0ea
Closes-Bug: #1736972

Jeba Paulaiyan (jebap) on 2018-03-13

tags:	added: vrouter
tags:	added: contrail-control removed: vrouter

Sachin Bansal (sbansal) on 2018-03-19

Changed in opencontrail:
assignee:	nobody → Hari Prasad Killi (haripk)

Revision history for this message

Nagendra E S (esnagendra) wrote on 2018-07-02:

#12

needs commit from r3.2 to other branches.

Changed in opencontrail:
assignee:	Hari Prasad Killi (haripk) → Nagendra E S (esnagendra)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-07-23: [Review update] master

#13

Review in progress for https://review.opencontrail.org/44838
Submitter: Nagendra E S (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-07-23: A change has been merged

#14

Reviewed: https://review.opencontrail.org/44838
Committed: http://github.com/Juniper/contrail-controller/commit/9cec5ddfbf58ea4d13b0648bed3763575ad48574
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 9cec5ddfbf58ea4d13b0648bed3763575ad48574
Author: Nagendra E S <email address hidden>
Date: Fri Jul 6 10:44:17 2018 +0530

If I install a software simple gateway (vgw) on a compute
node and create in one virtual network 2 virtual machines,
each of them with default security group and attach a
floating IP to each of those 2 VMs I can ping by default
the VM which runs on the compute node where the vgw was
installed but cannot ping the VM which is runing on the
second compute node.
The normal behavior should be that by default (as long
as in the security default rule the ingress rule uses
the default security group as "Address" instead of
0.0.0.0/0 the ping on floating IPs should not work.
Code needs to be added to treat the special case of the
vgw interface - which is an interface of type INET and
sub-type SIMPLE_GATEWAY. After these changes the security
group rules will be respected for floating IPs on both
compute nodes.

Cherry-Pick from review:
https://review.opencontrail.org/#/c/38460/

Change-Id: If05f3b61471a95f6b123be7f86ff2cdbb9d011eb
Partial-Bug: #1736972

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-07-24: [Review update] R5.0

#15

Review in progress for https://review.opencontrail.org/44884
Submitter: Nagendra E S (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-07-26: A change has been merged

#16

Reviewed: https://review.opencontrail.org/44884
Committed: http://github.com/Juniper/contrail-controller/commit/108c0419335556cfbf531ea5f4a0ef9f49dc78e5
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 108c0419335556cfbf531ea5f4a0ef9f49dc78e5
Author: Nagendra E S <email address hidden>
Date: Fri Jul 6 10:44:17 2018 +0530

If I install a software simple gateway (vgw) on a compute
node and create in one virtual network 2 virtual machines,
each of them with default security group and attach a
floating IP to each of those 2 VMs I can ping by default
the VM which runs on the compute node where the vgw was
installed but cannot ping the VM which is runing on the
second compute node.
The normal behavior should be that by default (as long
as in the security default rule the ingress rule uses
the default security group as "Address" instead of
0.0.0.0/0 the ping on floating IPs should not work.
Code needs to be added to treat the special case of the
vgw interface - which is an interface of type INET and
sub-type SIMPLE_GATEWAY. After these changes the security
group rules will be respected for floating IPs on both
compute nodes.

Cherry-Pick from review:
https://review.opencontrail.org/#/c/38460/

Change-Id: If05f3b61471a95f6b123be7f86ff2cdbb9d011eb
Partial-Bug: #1736972
(cherry picked from commit 9cec5ddfbf58ea4d13b0648bed3763575ad48574)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-08-13: [Review update] R4.1

#17

Review in progress for https://review.opencontrail.org/45521
Submitter: Nagendra E S (<email address hidden>)

Nagendra E S (esnagendra) on 2018-08-13

Changed in opencontrail:
status:	New → Won't Fix

Sudheendra Rao (sudheendra-k) on 2018-08-15

no longer affects:

opencontrail

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-08-21: A change has been merged

#18

Reviewed: https://review.opencontrail.org/45521
Committed: http://github.com/Juniper/contrail-controller/commit/f32b4d5b78c00f323b240126f8f9487408476f1e
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit f32b4d5b78c00f323b240126f8f9487408476f1e
Author: Nagendra E S <email address hidden>
Date: Fri Aug 3 18:46:37 2018 +0530

If I install a software simple gateway (vgw) on a compute
node and create in one virtual network 2 virtual machines,
each of them with default security group and attach a
floating IP to each of those 2 VMs I can ping by default
the VM which runs on the compute node where the vgw was
installed but cannot ping the VM which is runing on the
second compute node.
The normal behavior should be that by default (as long
as in the security default rule the ingress rule uses
the default security group as "Address" instead of
0.0.0.0/0 the ping on floating IPs should not work.
Code needs to be added to treat the special case of the
vgw interface - which is an interface of type INET and
sub-type SIMPLE_GATEWAY. After these changes the security
group rules will be respected for floating IPs on both
compute nodes.

Cherry-Pick from review:
https://review.opencontrail.org/#/c/38460/

Change-Id: I417897106f2bad039f74826200bb8c877c89b1a7
Partial-Bug: #1736972

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.