Created a loadbalancer and a listener with protocol tcp, protocol_port 1025 and allowed_cidr 0.0.0.0/0; the listener ends up with provisioning_status ERROR.
Error message in Octavia worker log
neutronclient.common.exceptions.Conflict: Security group rule already exists
This is a very narrow edge case: it only occurs when the protocol port is 1025 (the same as the HAProxy peer port, which is hardcoded as constants.HAPROXY_BASE_PEER_PORT, i.e. 1025) and allowed_cidr is explicitly set to 0.0.0.0/0.
Corresponding upstream story link: https://storyboard.openstack.org/#!/story/2009117
Reproducer:
openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
openstack loadbalancer listener create --name lb1-listener --protocol tcp --protocol-port 1025 --allowed-cidr 0.0.0.0/0 lb1
openstack loadbalancer listener show lb1-listener lb1
The culprit is [1]: the allowed_cidr check for the peer-port security group rule should treat None and 0.0.0.0/0 as the same value, since 0.0.0.0/0 is the default.
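To show the collision the report describes, here is an added Python model (not Octavia's code) of how the peer-port rule and the listener rule are compared before creation; FakeNeutron, apply_rules and provision are hypothetical stand-ins, and the only assumption is the one the report's fix relies on: a missing remote prefix (None) means the same as 0.0.0.0/0.

```python
from typing import Callable, Optional, Set, Tuple

HAPROXY_BASE_PEER_PORT = 1025  # hardcoded peer port, as stated in the report
ANY_CIDR = "0.0.0.0/0"         # default remote prefix when None is given (assumption)
Rule = Tuple[str, int, Optional[str]]  # (protocol, port, remote_ip_prefix)


class Conflict(Exception):
    """Stand-in for neutronclient's Conflict (security group rule already exists)."""


def neutron_key(rule: Rule) -> Rule:
    """Treat a missing remote_ip_prefix as 0.0.0.0/0 so equivalent rules compare equal."""
    proto, port, cidr = rule
    return (proto, port, cidr or ANY_CIDR)


class FakeNeutron:
    """Minimal neutron model: rejects a rule that duplicates an existing one."""

    def __init__(self) -> None:
        self.rules: Set[Rule] = set()

    def create_rule(self, rule: Rule) -> None:
        if neutron_key(rule) in self.rules:
            raise Conflict("Security group rule already exists")
        self.rules.add(neutron_key(rule))


def apply_rules(neutron: FakeNeutron, listener_port: int,
                allowed_cidr: Optional[str], normalise: bool) -> Set[Rule]:
    """Create the peer-port rule, then the listener rule unless already present.
    normalise=False compares raw cidrs, so None (peer rule) and "0.0.0.0/0"
    (explicit listener cidr) look different and the duplicate create raises
    Conflict. normalise=True is the fix the report asks for."""
    peer_rule: Rule = ("tcp", HAPROXY_BASE_PEER_PORT, None)
    neutron.create_rule(peer_rule)
    existing = {peer_rule}  # rules the driver knows are already present
    wanted: Rule = ("tcp", listener_port, allowed_cidr)
    key: Callable[[Rule], Rule] = neutron_key if normalise else (lambda r: r)
    if key(wanted) not in {key(r) for r in existing}:
        neutron.create_rule(wanted)
    return neutron.rules


def provision(listener_port: int, allowed_cidr: Optional[str], normalise: bool) -> str:
    """Return the listener's provisioning status under the buggy or fixed check."""
    try:
        apply_rules(FakeNeutron(), listener_port, allowed_cidr, normalise)
        return "ACTIVE"
    except Conflict:
        return "ERROR"
```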
Tested on: Ubuntu Focal Ussuri Octavia packages
Fix available upstream, backported down to stable/train (not part of any point release): https://review.opendev.org/c/openstack/octavia/+/804485
[1] https://opendev.org/openstack/octavia/src/commit/b89c929c12fb262f59ba320a37f2a5bf4109df98/octavia/network/drivers/neutron/allowed_address_pairs.py#L150-L178