
yahoo-eng-team team mailing list archive

[Bug 1549443] [NEW] Port Security does not consistently update nova iptables

 

Public bug reported:

I have created a network with port security set to enabled.  I have set
--no-security-group and --port_security_enabled=False on the port;
however, the iptables on the hypervisor is not consistently set.

I have 2 VMs on this hypervisor:

VM1: 
tap0cc26c65-d1

VM2: 
tap672dbe42-10

Dump of iptables-save:
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap1fe43774-ef --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap1fe43774-ef --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o85e24fb1-6
-A neutron-openvswi-INPUT -m physdev --physdev-in tap1fe43774-ef --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o1fe43774-e
-A neutron-openvswi-INPUT -m physdev --physdev-in tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-i1fe43774-e -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-i1fe43774-e -s 10.1.51.1/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN
-A neutron-openvswi-i1fe43774-e -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-i1fe43774-e -p udp -m udp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-i1fe43774-e -m set --match-set NIPv4a5bf8991-231c-43db-9dd0- src -j RETURN
-A neutron-openvswi-i1fe43774-e -p icmp -j RETURN
-A neutron-openvswi-i1fe43774-e -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-i1fe43774-e -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-i85e24fb1-6 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-i85e24fb1-6 -s 10.1.51.1/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN
-A neutron-openvswi-i85e24fb1-6 -p tcp -m tcp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-i85e24fb1-6 -p udp -m udp -m multiport --dports 1:65535 -j RETURN
-A neutron-openvswi-i85e24fb1-6 -m set --match-set NIPv4a5bf8991-231c-43db-9dd0- src -j RETURN
-A neutron-openvswi-i85e24fb1-6 -p icmp -j RETURN
-A neutron-openvswi-i85e24fb1-6 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-i85e24fb1-6 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o1fe43774-e -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-o1fe43774-e -j neutron-openvswi-s1fe43774-e
-A neutron-openvswi-o1fe43774-e -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-o1fe43774-e -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-o1fe43774-e -j RETURN
-A neutron-openvswi-o1fe43774-e -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-o1fe43774-e -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o85e24fb1-6 -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-o85e24fb1-6 -j neutron-openvswi-s85e24fb1-6
-A neutron-openvswi-o85e24fb1-6 -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-o85e24fb1-6 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-o85e24fb1-6 -j RETURN
-A neutron-openvswi-o85e24fb1-6 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-o85e24fb1-6 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s1fe43774-e -s 10.1.50.200/32 -m mac --mac-source FA:16:3E:05:6F:A4 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s1fe43774-e -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-s85e24fb1-6 -s 10.1.50.201/32 -m mac --mac-source FA:16:3E:73:89:67 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s85e24fb1-6 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i85e24fb1-6
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap85e24fb1-61 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o85e24fb1-6
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap1fe43774-ef --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i1fe43774-e
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap1fe43774-ef --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o1fe43774-e
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT


VM1 passes traffic just fine; VM2 does not, because no rule is added.

I manually added these rules and traffic passes just fine:
iptables -A neutron-openvswi-INPUT -m physdev --physdev-in tap672dbe42-10 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
iptables -A neutron-openvswi-FORWARD -m physdev --physdev-out tap672dbe42-10 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
iptables -A neutron-openvswi-FORWARD -m physdev --physdev-in tap672dbe42-10 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT


Here is the port-show output for each:
root@xxxxxxxxxxxxxxxxxxxxxx.cin1 > neutron port-show 672dbe42-10bb-4196-80ad-70a81488ad51
+-----------------------+--------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                        |
+-----------------------+--------------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                         |
| allowed_address_pairs |                                                                                                              |
| binding:host_id       | osc-1031.prd.cin1                                                                     |
| binding:profile       | {}                                                                                                           |
| binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                                               |
| binding:vif_type      | ovs                                                                                                          |
| binding:vnic_type     | normal                                                                                                       |
| device_id             | f4037cdd-e1ab-4e84-88e0-ef94f1b95b39                                                                         |
| device_owner          | compute:None                                                                                                 |
| dns_assignment        | {"hostname": "host-8XXXXXX", "ip_address": "8.XXXXXX, "fqdn": "host-8-XXXXX.openstacklocal."} |
| dns_name              |                                                                                                              |
| extra_dhcp_opts       |                                                                                                              |
| fixed_ips             | {"subnet_id": "b3409c40-d6e2-461a-8722-8e5e52624d52", "ip_address": "8.XXXXX"}                          |
| id                    | 672dbe42-10bb-4196-80ad-70a81488ad51                                                                         |
| mac_address           | fa:16:3e:4a:18:df                                                                                            |
| name                  |                                                                                                              |
| network_id            | 0270175b-6c53-40ca-bb9e-22e2635cdaeb                                                                         |
| port_security_enabled | False                                                                                                        |
| security_groups       |                                                                                                              |
| status                | ACTIVE                                                                                                       |
| tenant_id             | 42858ac565df4bf8aec64f871fe7e955                                                                             |
+-----------------------+--------------------------------------------------------------------------------------------------------------+
root@xxxxxxxxxxxxxxxxxxxxxx.cin1 > neutron port-show 0cc26c65-d1d7-45b1-a974-43fafc28a1ec 
+-----------------------+--------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                        |
+-----------------------+--------------------------------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                                         |
| allowed_address_pairs |                                                                                                              |
| binding:host_id       | osc-1031.prd.cin1                                                                   |
| binding:profile       | {}                                                                                                           |
| binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                                               |
| binding:vif_type      | ovs                                                                                                          |
| binding:vnic_type     | normal                                                                                                       |
| device_id             | 1bf1e985-d317-4a7c-81c5-4dc32c889274                                                                         |
| device_owner          | compute:zone1                                                                                                |
| dns_assignment        | {"hostname": "host-8-XXXXXXX2", "ip_address": "8.XXXXXX", "fqdn": "host-8XXXXXX.openstacklocal."} |
| dns_name              |                                                                                                              |
| extra_dhcp_opts       |                                                                                                              |
| fixed_ips             | {"subnet_id": "b3409c40-d6e2-461a-8722-8e5e52624d52", "ip_address": "8.XXXXXXX"}                          |
| id                    | 0cc26c65-d1d7-45b1-a974-43fafc28a1ec                                                                         |
| mac_address           | fa:16:3e:4a:ab:45                                                                                            |
| name                  |                                                                                                              |
| network_id            | 0270175b-6c53-40ca-bb9e-22e2635cdaeb                                                                         |
| port_security_enabled | False                                                                                                        |
| security_groups       |                                                                                                              |
| status                | ACTIVE                                                                                                       |
| tenant_id             | 42858ac565df4bf8aec64f871fe7e955                                                                             |
+-----------------------+--------------------------------------------------------------------------------------------------------------+

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1549443


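The mismatch in this report can be checked mechanically. The script below is an added example, not part of the original report or of Neutron's code: it parses iptables-save output and compares each port's hooks in neutron-openvswi-FORWARD and neutron-openvswi-INPUT with its port_security_enabled value, in both directions. The function names, the shortened dump excerpt, and the tap-name derivation (tap plus the first 11 characters of the port UUID, as both ports in the report show) are assumptions of the example.

```python
"""Audit iptables-save output against Neutron's port_security_enabled state."""
import shlex

FORWARD = "neutron-openvswi-FORWARD"
INPUT = "neutron-openvswi-INPUT"

# Per-port hooks visible in the report's dump: two in FORWARD, one in INPUT.
EXPECTED_HOOKS = (
    (FORWARD, "--physdev-out"),
    (FORWARD, "--physdev-in"),
    (INPUT, "--physdev-in"),
)

# Excerpt of the dump from the report (rule comments shortened, other chains omitted).
SAMPLE_DUMP = '''\
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap85e24fb1-61 --physdev-is-bridged -m comment --comment "to sg chain" -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap85e24fb1-61 --physdev-is-bridged -m comment --comment "to sg chain" -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tap85e24fb1-61 --physdev-is-bridged -m comment --comment "to sg chain" -j neutron-openvswi-o85e24fb1-6
-A neutron-openvswi-INPUT -m physdev --physdev-in tap0cc26c65-d1 --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
COMMIT
'''

# Port IDs and port_security_enabled values from the two port-show tables.
REPORTED_PORTS = {
    "0cc26c65-d1d7-45b1-a974-43fafc28a1ec": False,  # VM1
    "672dbe42-10bb-4196-80ad-70a81488ad51": False,  # VM2
}


def tap_name(port_id):
    """Tap device name as seen in the report: 'tap' + first 11 chars of the UUID."""
    return "tap" + port_id[:11]


def _value_after(tokens, flag):
    """Return the token following flag, or None if flag is absent or last."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def parse_hooks(dump):
    """Map (chain, physdev flag, device) -> jump target for the two hook chains."""
    hooks = {}
    for line in dump.splitlines():
        try:
            tokens = shlex.split(line)  # keeps a quoted --comment as one token
        except ValueError:
            continue  # unbalanced quotes: not a rule line we can trust
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] not in (FORWARD, INPUT):
            continue
        target = _value_after(tokens, "-j")
        for flag in ("--physdev-in", "--physdev-out"):
            dev = _value_after(tokens, flag)
            if dev is not None:
                # First matching rule wins, as it does when iptables evaluates a chain.
                hooks.setdefault((tokens[1], flag, dev), target)
    return hooks


def audit(ports, dump):
    """Return {port_id: [problem, ...]} for ports whose rules contradict Neutron."""
    hooks = parse_hooks(dump)
    findings = {}
    for port_id, psec_enabled in ports.items():
        dev = tap_name(port_id)
        problems = []
        for chain, flag in EXPECTED_HOOKS:
            target = hooks.get((chain, flag, dev))
            where = f"{chain} {flag} {dev}"
            if target is None:
                problems.append(f"missing: {where}")
            elif not psec_enabled and target != "ACCEPT":
                problems.append(f"still filtered ({target}): {where}")
            elif psec_enabled and target == "ACCEPT":
                problems.append(f"unfiltered ACCEPT: {where}")
        if problems:
            findings[port_id] = problems
    return findings


if __name__ == "__main__":
    for port_id, problems in audit(REPORTED_PORTS, SAMPLE_DUMP).items():
        print(port_id)
        for problem in problems:
            print("  " + problem)
```

On a hypervisor the dump argument would be the output of iptables-save and the port map would come from the Neutron API; the "unfiltered ACCEPT" case is the one to alert on, since it means a port that Neutron considers protected is bypassing its security group chain.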

