yahoo-eng-team team mailing list archive
Message #64456
[Bug 1694965] [NEW] port security rules only applied at port binding/creation time
Public bug reported:
Quick Overview
==============
OpenStack is already running with networks and instances created.
Port security extension is not enabled.
When enabling port_security, instances in old networks do not get DHCP.
Instances in new networks work fine.
Bug Description
===============
As suggested in bug https://bugs.launchpad.net/neutron/+bug/1694420,
I decided to verify how port_security behaves regarding upgrade or
reconfiguration of existing environments without port_security to
port_security, as this is a blocker to enable it by default.
During my verification/tests with source code from the master branch (Pike
ATM), I found that instances do not get DHCP in old networks, while instances
in new networks after enabling port_security worked fine.
In an IRC discussion, one suggestion was to disable and re-enable DHCP in
old subnets. After that, DHCP worked fine and that fixes the issue.
How to reproduce
================
- Deploy OpenStack without port_security
- Create 1 network, subnet and attach to a router
- <Optionally deploy one instance> -> Not really needed.
- Enable port_security extension in ml2_conf.ini
- Restart all neutron services.
- Create 1 instance in the old network.
- Instance not getting DHCP lease.
- Create 1 new network, subnet, attach to router.
- Spawn new instance in new network
- Instance gets DHCP lease.
Expected behaviour
==================
Instance in old network gets a DHCP lease.
Actual Results
==============
Instance in old network does not get a DHCP lease.
Environment configuration
=========================
- CentOS 7.
- Neutron master source code, latest commit: https://github.com/openstack/neutron/commit/0f218aae7ed666f3f13ac0560a57f1eeed45cee7
- OpenStack deployed with Kolla, all defaults.
Logs
====
Attached logs with:
- network/ports information
- iptables-save in qdhcp
Let me know if you need something else.
I'm available in kolla's IRC channel as egonzalez.
Regards
** Affects: neutron
Importance: Undecided
Status: New
** Attachment added: "port_security_dhcp_issue.txt"
https://bugs.launchpad.net/bugs/1694965/+attachment/4887254/+files/port_security_dhcp_issue.txt
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1694965
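
The workaround mentioned in the report (disable and re-enable DHCP on the old subnets), scripted as an added example that is not part of the original bug report or of neutron. It assumes the `openstack` CLI is installed with admin credentials loaded; the function names and the `DRY_RUN` variable are illustrative.

```shell
#!/bin/sh
# Added example: toggle DHCP off and on for every DHCP-enabled subnet of the
# networks that existed before port_security was enabled.
# Usage: DRY_RUN=0 ./toggle_dhcp.sh <network> [<network> ...]
# DRY_RUN defaults to 1, which only prints the commands that would be run.

# Print the IDs of the DHCP-enabled subnets on one network, one per line.
dhcp_subnets() {
    openstack subnet list --network "$1" --dhcp -f value -c ID
}

# Disable, then re-enable, DHCP on each of those subnets.
# Every command is echoed; it is executed only when DRY_RUN is not 1.
toggle_dhcp() {
    td_net="$1"
    for td_subnet in $(dhcp_subnets "$td_net"); do
        for td_flag in --no-dhcp --dhcp; do
            echo "+ openstack subnet set $td_flag $td_subnet"
            [ "${DRY_RUN:-1}" = "1" ] \
                || openstack subnet set "$td_flag" "$td_subnet" \
                || return 1
        done
    done
}

# Process every network named on the command line.
if [ "$#" -gt 0 ]; then
    for net in "$@"; do
        toggle_dhcp "$net" || exit 1
    done
fi
```

Run it once with the default `DRY_RUN=1` to review the plan, then with `DRY_RUN=0` to apply it to the affected networks.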