yahoo-eng-team team mailing list archive

[Bug 1578132] [NEW] allowed-address-pairs only update ipset on one compute node

 

Public bug reported:

1. Two VMs run on the same network but on different compute nodes.
     vm1(100.100.100.3) on CN1
     vm2(100.100.100.4) on CN2
2. Both VMs are bound to security group sg1; sg1 has two rules:
     a) egress: all protocol, 0.0.0.0/0
     b) ingress: all protocol, remote sg: sg1
3. vm1 and vm2 could ping each other successfully, as we expect.
4. Update the port belonging to vm1 by using: neutron port-update 4d436802-fa9f-4552-97ee-7626f691b8ca --allowed-address-pairs type=dict list=true ip_address=100.100.100.10
5. Change the IP of vm1 to 100.100.100.10. Now vm2 could ping vm1 successfully, but vm1 could not ping vm2.

Then check the ipset on CN1:   ipset list
Name: NETIPv4f766bf09-a5fa-4901-9
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16880
References: 1
Members:
100.100.100.3
100.100.100.10
100.100.100.4

Check ipset on CN2: ipset list
Name: NETIPv4f766bf09-a5fa-4901-9
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16848
References: 1
Members:
100.100.100.4
100.100.100.3

If the IP (100.100.100.10) is added to ipset NETIPv4f766bf09-a5fa-4901-9 on
CN2, vm1 could ping vm2 successfully.

I use the Kilo release; not sure whether master has this problem.

** Affects: neutron
     Importance: Undecided
     Assignee: yujie (16189455-d)
         Status: New

** Changed in: neutron
     Assignee: (unassigned) => yujie (16189455-d)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1578132

Title:
  allowed-address-pairs only update ipset on one compute node

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1578132/+subscriptions
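
Added example (not part of the original bug report or of neutron's code): a small Python check that parses `ipset list` output captured from two compute nodes and reports set members present on only one of them, using the two listings from the report as sample input. The function names are hypothetical, and collecting the output from each node is assumed to be done separately.

```python
# ipset header as shown in the bug report ("Size in memory" line omitted for brevity).
_HEAD = """\
Name: NETIPv4f766bf09-a5fa-4901-9
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
References: 1
Members:
"""
CN1_OUTPUT = _HEAD + "100.100.100.3\n100.100.100.10\n100.100.100.4\n"
CN2_OUTPUT = _HEAD + "100.100.100.4\n100.100.100.3\n"


def parse_ipset_list(text):
    """Return {set_name: set(members)} from `ipset list` output (one or more sets)."""
    sets, name, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            sets[name] = set()
            in_members = False          # header lines follow until "Members:"
        elif line == "Members:":
            in_members = True
        elif in_members and line and name is not None:
            # Keep only the address; entries may carry options such as "timeout N".
            sets[name].add(line.split()[0])
    return sets


def ipset_drift(a_text, b_text):
    """For sets present on both nodes, map name -> (only_on_a, only_on_b); skip sets in sync."""
    a, b = parse_ipset_list(a_text), parse_ipset_list(b_text)
    drift = {}
    for name in sorted(a.keys() & b.keys()):
        only_a, only_b = a[name] - b[name], b[name] - a[name]
        if only_a or only_b:
            drift[name] = (sorted(only_a), sorted(only_b))
    return drift


if __name__ == "__main__":
    for name, (only_cn1, only_cn2) in ipset_drift(CN1_OUTPUT, CN2_OUTPUT).items():
        print(f"{name}: only on CN1 {only_cn1}, only on CN2 {only_cn2}")
```

For the listings in this report, the check flags 100.100.100.10 as present on CN1 only, which matches the one-way ping failure described.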

