Comment 5 for bug 1762736

Nikita Gerasimov (nikita-gerasimov) wrote :

Unfortunately bug 1720205, or at least its origin, is not fixed at all. Yes, there could be a workaround for the HA net, but DHCP/DNS ports are unpredictable and depend on dynamic infrastructure.
With the current fix, servers can still communicate only with local agents.

### ifconfig -a
eth0      Link encap:Ethernet  HWaddr FA:16:3E:13:1D:EB
          inet addr:192.168.100.11 Bcast:192.168.100.255 Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe13:1deb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:8950 Metric:1
          RX packets:93 errors:0 dropped:0 overruns:0 frame:0
          TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:13755 (13.4 KiB) TX bytes:12957 (12.6 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:112 (112.0 B) TX bytes:112 (112.0 B)

### route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth0
169.254.169.254 192.168.100.2   255.255.255.255 UGH   0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
### cat /etc/resolv.conf
search openstacklocal
nameserver 192.168.100.3
nameserver 192.168.100.2
nameserver 192.168.100.4
### ping -c 5 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes

--- 192.168.100.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
### pinging nameservers
#### ping -c 5 192.168.100.3
PING 192.168.100.3 (192.168.100.3): 56 data bytes

--- 192.168.100.3 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
#### ping -c 5 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: seq=0 ttl=64 time=0.352 ms
64 bytes from 192.168.100.2: seq=1 ttl=64 time=0.196 ms
64 bytes from 192.168.100.2: seq=2 ttl=64 time=0.153 ms
64 bytes from 192.168.100.2: seq=3 ttl=64 time=0.195 ms
64 bytes from 192.168.100.2: seq=4 ttl=64 time=0.137 ms

--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.137/0.206/0.352 ms
#### ping -c 5 192.168.100.4
PING 192.168.100.4 (192.168.100.4): 56 data bytes

--- 192.168.100.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
### uname -a
Linux cirros 3.2.0-80-virtual #116-Ubuntu SMP Mon Mar 23 17:28:52 UTC 2015 x86_64 GNU/Linux

So we really need to pass traffic in both directions. But for security reasons we have to check the sg-chains before other rules.
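The manual checks in the comment above (default gateway, metadata next hop, each nameserver pinged one by one) can be turned into a small diagnostic. The following is an added example, not code from the bug report or from Neutron: it parses `/etc/resolv.conf` and `route -n` output to derive the addresses an instance depends on, probes each one, and reports the unreachable ones with their role. The sample inputs are constructed to mirror the output quoted above; the `ping -W` timeout flag is assumed to be available (it is on iputils and BusyBox), and the probe is injectable so the logic can be exercised offline.

```python
"""Report which infrastructure addresses an instance cannot reach.

Added example (not part of the bug report). Dependencies are derived from
resolv.conf (nameservers) and `route -n` (next hop of every route with a
gateway, which covers the default route and the metadata host route).
"""
import re
import subprocess
from typing import Callable, Dict, List

# Constructed sample inputs, modelled on the output quoted in the comment.
RESOLV_CONF = """search openstacklocal
nameserver 192.168.100.3
nameserver 192.168.100.2
nameserver 192.168.100.4
"""

ROUTE_N = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth0
169.254.169.254 192.168.100.2   255.255.255.255 UGH   0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver addresses from resolv.conf in the listed order."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)]


def parse_next_hops(route_n: str) -> Dict[str, str]:
    """Map a route label to its next hop for every route that goes via a gateway."""
    hops: Dict[str, str] = {}
    for line in route_n.splitlines()[2:]:  # skip the banner and the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, genmask, flags = fields[0], fields[1], fields[2], fields[3]
        if "G" in flags and gw != "0.0.0.0":
            label = "default" if dest == "0.0.0.0" else f"{dest}/{genmask}"
            hops[label] = gw
    return hops


def dependencies(resolv_conf: str, route_n: str) -> Dict[str, List[str]]:
    """Return address -> roles (gateway for ..., nameserver) the instance relies on."""
    roles: Dict[str, List[str]] = {}
    for label, gw in parse_next_hops(route_n).items():
        roles.setdefault(gw, []).append(f"gateway for {label}")
    for ns in parse_nameservers(resolv_conf):
        roles.setdefault(ns, []).append("nameserver")
    return roles


def icmp_probe(addr: str, count: int = 3, timeout: int = 2) -> bool:
    """Real probe: ping exits 0 only if at least one echo reply arrived.

    Assumes a ping that accepts -c and -W (iputils, BusyBox).
    """
    result = subprocess.run(
        ["ping", "-c", str(count), "-W", str(timeout), addr],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def unreachable(resolv_conf: str, route_n: str,
                probe: Callable[[str], bool] = icmp_probe) -> Dict[str, List[str]]:
    """Return the dependencies the probe could not reach, keyed by address."""
    return {addr: roles
            for addr, roles in dependencies(resolv_conf, route_n).items()
            if not probe(addr)}


if __name__ == "__main__":
    # On a live instance, replace the constants with the real files/commands:
    #   RESOLV_CONF = open("/etc/resolv.conf").read()
    #   ROUTE_N = subprocess.check_output(["route", "-n"], text=True)
    for addr, roles in unreachable(RESOLV_CONF, ROUTE_N).items():
        print(f"UNREACHABLE {addr}: {', '.join(roles)}")
```

With the reachability observed in the comment (only 192.168.100.2 answers), the report lists the default gateway and two of the three nameservers as unreachable, which is exactly the "servers can only reach the local agent" symptom described.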