Comment 11 for bug 1512645

Sreenivas (sreenivas-pothukanoori) wrote :

Hi,

Please find below my observations while working on the bug. Ping to the additional interface is not working because of the reasons below.

1. Security group not attached to the additional interface.
By design (OpenStack), it seems that additional interfaces will not inherit the security groups applied on the primary interface. Security groups are specific to an interface. If additional interfaces have to be configured with a security group, there is a provision to do so using the command below.

neutron port-create --security-group default --security-group mysecgrp mydemonet

Observations:
1. Security groups can be assigned to a VM or to a port (only at the time of creating the port).
2. Security groups configured at VM level are applied to all VNICs active at that instant.
3. Any new port can be configured with a custom SG in addition to the DSG only at the time of port creation.
4. VM-level security groups are not inherited by a new port. This may be a design intent or a constraint. This means that any new port created will only get assigned to the DSG by default and not any other custom SG created and assigned to the VM prior to creating this new port, i.e. the new port need not inherit the custom security group.

While working on the bug we found the observation below, which is linked to the bug reported. For the additional interface to get an IP, the interface should be configured at OS level.

2. Additional interface not coming up in instance.
This seems to be a configuration issue at the image level. The instance image should be configured for multiple interfaces. We think the image the originator initially tried was configured for a single NIC interface. Even if we add multiple interfaces from the orchestration level (OpenStack), the VM image is still configured for a single NIC interface. The image is configured for multiple interfaces by following the procedure below.

In /etc/network/interfaces:
auto eth1
iface eth1 inet dhcp

Reboot or restart network services.

Observations:
• Seems to be a VM image issue. The VM image should be configured to support multiple NIC interfaces.

Based on the above observations I think the issue reported may not be a bug. The behavior is as per OpenStack design intent.

Please let me know if we can go ahead and close this bug, as the behavior observed is as per OpenStack design.
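
Added example, not part of the original comment: a check for the mismatch the comment describes, where a port added later carries fewer security groups than the instance's other ports. It assumes port records shaped like Neutron's port list output (`id`, `device_id`, `security_groups`); the function name and all sample IDs are constructed.

```python
from collections import defaultdict

# Constructed sample shaped like the "ports" list from the Neutron API
# (fields: id, device_id, security_groups). All IDs are made up.
SAMPLE_PORTS = [
    {"id": "port-eth0", "device_id": "vm-1",
     "security_groups": ["sg-default", "sg-mysecgrp"]},
    {"id": "port-eth1", "device_id": "vm-1",      # added later, default SG only
     "security_groups": ["sg-default"]},
    {"id": "port-a", "device_id": "vm-2",
     "security_groups": ["sg-default"]},
    {"id": "port-unbound", "device_id": "", "security_groups": []},
]


def find_sg_drift(ports):
    """Return {device_id: {port_id: [missing SG ids]}} for every instance
    whose ports do not all carry the same set of security groups."""
    by_device = defaultdict(list)
    for port in ports:
        if port.get("device_id"):                 # skip ports not bound to a device
            by_device[port["device_id"]].append(port)

    drift = {}
    for device_id, dev_ports in by_device.items():
        # Union of every group seen on any port of this instance.
        union = set()
        for port in dev_ports:
            union.update(port.get("security_groups") or [])
        missing = {}
        for port in dev_ports:
            gap = union - set(port.get("security_groups") or [])
            if gap:
                missing[port["id"]] = sorted(gap)
        if missing:
            drift[device_id] = missing
    return drift


if __name__ == "__main__":
    for device_id, gaps in find_sg_drift(SAMPLE_PORTS).items():
        for port_id, groups in gaps.items():
            print(f"{device_id}: port {port_id} lacks {', '.join(groups)}")
```

A port reported here is not necessarily misconfigured; it is a port whose filtering differs from its siblings and should be reviewed against the intended policy.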