Attached port with disabled security does not work properly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Incomplete | Undecided | Kevin Benton |
Bug Description
When I attach a port with disabled security to a VM, I am not able to use this port.
Steps to reproduce:
1. Create port and disable security:
neutron port-create --name test-sec-group --no-security-
neutron port-update <port_id> --port-
2. Attach the port to the VM:
nova interface-attach <server_id> --port-id <port_id>
After these steps I am unable to use this port on the VM (for example, to obtain a DHCP lease). The cause I identified is that after these steps the iptables rules on the host running the VM are not configured properly. I can't see the rules that should be there:
-A neutron-
-A neutron-
-A neutron-
When I add these rules manually, everything works fine.
Another scenario where everything works fine: change the order of the steps - create the port, attach it, and then disable security.
My environment:
* OpenStack Mitaka on CentOS 7
* neutron version: neutron-8.2.0
* nova version: nova-13.1.1
Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
status: New → Triaged
I just did some testing locally and looked at the code. When a port is created with port security disabled, the OVS agent will not inform the firewall driver at all about the port so no iptables rules will be created. So those rules missing should not prevent traffic from flowing since there shouldn't be any iptables rules on the filtering bridge. I tested this on my development VM and the workflow works fine.
Can you please run an 'iptables-save | grep <first 5 chars of port UUID>' so we can see if there are somehow some other rules interfering with traffic?
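The check requested in the comment above ("iptables-save | grep <first 5 chars of port UUID>") can be wrapped so that it can be run against saved output from the compute host and distinguishes a port with no per-port rules (the state the comment says is expected when port security is disabled) from one that still has rules referencing it. This is an added example, not code from the bug report or from Neutron; the port UUIDs, tap names and iptables-save excerpt below are constructed sample data, and the chain naming only mirrors the shape of the truncated "-A neutron-" lines in the report.

```shell
#!/bin/sh
# Added example (not part of the bug report or of Neutron).
# Filters iptables-save output for rules that reference a Neutron port,
# using the first five characters of the port UUID as the grep key,
# exactly as requested in the bug comment.

# Print every iptables rule (-A line) that references the first five
# characters of the given port UUID. Reads iptables-save output on stdin.
# Always exits 0 so it can be used under 'set -e' even when nothing matches.
port_rules() {
    prefix=$(printf '%s' "$1" | cut -c1-5)
    grep -- '^-A ' | grep -- "$prefix" || true
}

# Count the matching rules; prints 0 for a port that has none, which is
# the expected result for a port created with port security disabled.
port_rule_count() {
    port_rules "$1" | grep -c -- '^-A' || true
}

# Constructed iptables-save excerpt (sample data, not captured from a host):
# port 8a3f1c2d-... has three rules referencing it; port 5b77e0aa-... has
# only an empty chain declaration and no rules, i.e. nothing filtering it.
SAMPLE_SAVE='*filter
:neutron-openvswi-i8a3f1c2d-1 - [0:0]
:neutron-openvswi-o8a3f1c2d-1 - [0:0]
:neutron-openvswi-i5b77e0aa-2 - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap8a3f1c2d-1a --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap8a3f1c2d-1a --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap8a3f1c2d-1a --physdev-is-bridged -j neutron-openvswi-i8a3f1c2d-1
-A neutron-openvswi-sg-chain -j ACCEPT
COMMIT'

# Wrappers over the sample so the check can be exercised offline.
# Constructed UUIDs: the first one has rules, the second one has none.
sample_count_with_rules() {
    printf '%s\n' "$SAMPLE_SAVE" | port_rule_count 8a3f1c2d-1a4e-4f0b-9c6d-2e8b5d7f3a10
}
sample_count_without_rules() {
    printf '%s\n' "$SAMPLE_SAVE" | port_rule_count 5b77e0aa-9d2c-4b31-8e1f-0c4a6b2d9e55
}

# Live usage on the compute host (run as root), e.g.:
#   iptables-save | port_rule_count <port_uuid>
#   iptables-save | port_rules <port_uuid>
```

A count of 0 for a port whose security is disabled matches the behaviour described in the comment (the OVS agent never hands the port to the firewall driver, so no per-port chains or rules are created); a non-zero count is the case the comment asks to see, since those rules would be the ones to inspect for interference with the port's traffic.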