VM can't get IP after reboot when SG rule is deleted.

This is incomplete. Please update with which version of openstack.

This sounds right. I think DHCP partially relies on the default egress security group rules (allows all egress IP traffic). We create special rules for the DHCP responses, but nothing to allow the DHCP request. Thanks for the report.

I'm going to mark it as confirmed, as I think the issue is legit, regardless of version. Please do add that info though.

I wonder if this is expected behaviour. Otherwise, how could a user configure security group rules if he/she really wants to block all traffic including DHCP requests from the VM?

Fair point. It'd be nice to know how the reference ML2+OVS backend behaves in this case.

before file the bug , we have test the same scenario with ML2+OVS and OVN, dhcp work well in OVS while NOT work with OVN .

I am able to reproduce this problem on devstack+ovn.

For the ML2+OVS+iptables firewall, the behavior is as follows:

After all SG rules are deleted (so the SG is empty), ingress/egress chains contain the following.

Some notes:
     1) DHCP (server-ip-matched -> client) traffic is allowed by default
     2) DHCP (client -> server) traffic is allowed by default
     3) DHCP spoofing by VM is prevented by default ! << this is interesting !

So, it appears DHCP rules are added no matter what - and I dont think the port-security-extension impacts that either.
(I need to verify that)

I will fix this bug and in the process bootstrap on ovn.

Chain neutron-openvswi-i8e221f95-9 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- 172.17.1.2 anywhere udp spt:bootps dpt:bootpc
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-openvswi-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */

Chain neutron-openvswi-o8e221f95-9 (2 references)
target prot opt source destination
RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-openvswi-s8e221f95-9 all -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:bootps dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
DROP all -- anywhere anywhere state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-openvswi-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to the fallback chain. */

fix for this will likely be obsoleted by the native dhcp though...

Yes, it may be obsoleted, but I don't know what the timeline is for that exactly, so I think it's worth fixing now.

It seems like something we should be able to fix in the ACLs created by networking-ovn.

I am working on the fix and will update soon,

Reviewed: https://review.openstack.org/273272
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=5ff96cf7ca9a45524202d842d690c07b0b304cc1
Submitter: Jenkins
Branch: master

commit 5ff96cf7ca9a45524202d842d690c07b0b304cc1
Author: Ramu Ramamurthy <email address hidden>
Date: Wed Jan 27 17:38:13 2016 -0500

    Add a dhcp acl to allow dhcp-client to dhcp-server

    Currently there is only a dhcp acl for server to client.
    Add an acl to allow dhcp from client to server.

    Change-Id: Ia37cfaa2a3df0164a9ff4d98283680cd3875625a
    Closes-Bug: #1536028