
yahoo-eng-team team mailing list archive

[Bug 1655579] [NEW] Attached port with disabled security does not work properly

 

Public bug reported:

When I attach a port with disabled security to a VM, I am not able to use
this port.

Steps to reproduce:

1. Create a port and disable security:

neutron port-create --name test-sec-group --no-security-groups <net_id>
neutron port-update <port_id> --port-security-enabled=False

2. Attach the port to the VM:

nova interface-attach <server_id> --port-id <port_id>

After these steps I am unable to use this port on the VM (for example,
to obtain a DHCP lease). The cause that I identified is that after these
steps the iptables rules on the host with the VM are not configured
properly. I can't see the rules that should be there:

-A neutron-openvswi-FORWARD -m physdev --physdev-out <port_interface> --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in <port_interface> --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in <port_interface> --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT

When I add these rules manually, everything works fine.

Another scenario in which everything works fine: change the order of the
steps - create the port, attach it and then disable security.

My environment:
* OpenStack Mitaka on CentOS 7
* neutron version: neutron-8.2.0
* nova version: nova-13.1.1

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1655579

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1655579/+subscriptions
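
A check for the symptom described in this report, as an added example that is not part of the original bug report or of neutron: it lists which of the three quoted ACCEPT rules are absent from an iptables-save dump for one port interface. The interface names and the sample dump are constructed, and the exact-line comparison assumes the host prints the rules in the form quoted above.

```shell
# Added example (not neutron code). Function names are hypothetical.

# expected_rules IFACE: print the three rules quoted in the report for IFACE.
expected_rules() {
    c='-m comment --comment "Accept all packets when port security is disabled." -j ACCEPT'
    printf '%s\n' \
        "-A neutron-openvswi-FORWARD -m physdev --physdev-out $1 --physdev-is-bridged $c" \
        "-A neutron-openvswi-FORWARD -m physdev --physdev-in $1 --physdev-is-bridged $c" \
        "-A neutron-openvswi-INPUT -m physdev --physdev-in $1 --physdev-is-bridged $c"
}

# missing_rules IFACE DUMP: print each expected rule that is not an exact line
# of DUMP (iptables-save text). Exit status 0 if none is missing, 1 otherwise.
# Whole-line matching (-x) keeps an interface whose name is a prefix of another
# from being counted as covered.
missing_rules() {
    mr_status=0
    while IFS= read -r rule; do
        if ! printf '%s\n' "$2" | grep -qxF -e "$rule"; then
            printf '%s\n' "$rule"
            mr_status=1
        fi
    done <<EOF
$(expected_rules "$1")
EOF
    return "$mr_status"
}

# Constructed sample dump (not from a real host): tap-demo-a carries all three
# rules, tap-demo-b only the INPUT rule.
SAMPLE_DUMP=$(cat <<'EOF'
*filter
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-INPUT - [0:0]
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap-demo-a --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap-demo-a --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tap-demo-a --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tap-demo-b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
COMMIT
EOF
)

for port in tap-demo-a tap-demo-b; do
    if missing=$(missing_rules "$port" "$SAMPLE_DUMP"); then
        echo "$port: all three rules present"
    else
        echo "$port: missing rules:"; echo "$missing"
    fi
done
```

On a compute host the second argument would be the live rule set, for example "$(iptables-save -t filter)", with <port_interface> as the first.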