
yahoo-eng-team team mailing list archive

[Bug 1578132] Re: allowed-address-pairs only update ipset on one compute node

 

** Changed in: neutron
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1578132

Title:
  allowed-address-pairs only update ipset on one compute node

Status in neutron:
  Fix Released

Bug description:
  1. Two vms run on the same network but different compute nodes.
       vm1(100.100.100.3) on CN1
       vm2(100.100.100.4) on CN2
  2. Both vms are bound to security group sg1; sg1 has two rules:
       a) egress: all protocol, 0.0.0.0/0
       b) ingress: all protocol, remote sg: sg1
  3. vm1 and vm2 could ping each other successfully as we expect.
  4. Update the port belonging to vm1 by using:   neutron port-update 4d436802-fa9f-4552-97ee-7626f691b8ca  --allowed-address-pairs type=dict list=true ip_address=100.100.100.10
  5. Change the IP of vm1 to 100.100.100.10. Now vm2 can ping vm1 successfully, but vm1 cannot ping vm2.

  Then check the ipset on CN1:   ipset list
  Name: NETIPv4f766bf09-a5fa-4901-9
  Type: hash:net
  Revision: 3
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16880
  References: 1
  Members:
  100.100.100.3
  100.100.100.10
  100.100.100.4

  Check ipset on CN2: ipset list
  Name: NETIPv4f766bf09-a5fa-4901-9
  Type: hash:net
  Revision: 3
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16848
  References: 1
  Members:
  100.100.100.4
  100.100.100.3

  If I add the IP (100.100.100.10) to ipset NETIPv4f766bf09-a5fa-4901-9
  on CN2, vm1 can ping vm2 successfully.

  I use the kilo release; I am not sure whether master has this problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1578132/+subscriptions
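
A drift check for the symptom described above, as an added example that is not part of the original bug report or of neutron: it parses `ipset list` output collected from each compute node and reports, per set, which members a node lacks. The function names are hypothetical, and the sample text is the CN1/CN2 output quoted in the report with some header lines trimmed.

```python
import ipaddress

# `ipset list` output as quoted in the report (some header lines trimmed).
CN1 = """Name: NETIPv4f766bf09-a5fa-4901-9
Type: hash:net
Members:
100.100.100.3
100.100.100.10
100.100.100.4
"""
CN2 = """Name: NETIPv4f766bf09-a5fa-4901-9
Type: hash:net
Members:
100.100.100.4
100.100.100.3
"""


def parse_ipset_list(text):
    """Parse `ipset list` output into {set_name: {ip_network, ...}}."""
    sets, name, in_members = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Name:"):
            name, in_members = line.split(":", 1)[1].strip(), False
            sets[name] = set()
        elif line == "Members:":
            in_members = True
        elif not line:
            in_members = False  # a blank line separates sets
        elif in_members and name:
            # Entries may carry options (e.g. timeout) after the address.
            sets[name].add(ipaddress.ip_network(line.split()[0], strict=False))
    return sets


def ipset_drift(per_node):
    """Map {node: ipset text} to {set_name: {node: [members it lacks]}}."""
    parsed = {node: parse_ipset_list(text) for node, text in per_node.items()}
    drift = {}
    for set_name in sorted(set().union(*parsed.values())):
        everywhere = set().union(*(p.get(set_name, set()) for p in parsed.values()))
        for node, p in parsed.items():
            lacking = sorted(str(m) for m in everywhere - p.get(set_name, set()))
            if lacking:
                drift.setdefault(set_name, {})[node] = lacking
    return drift


if __name__ == "__main__":
    print(ipset_drift({"CN1": CN1, "CN2": CN2}))
```

A node that has no set with a given name is reported as lacking every member of it, so feed in only nodes that are expected to carry the same set.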

