yahoo-eng-team team mailing list archive

[Bug 2009053] [NEW] OVN: default stateless SG blocks metadata traffic

 

Public bug reported:

Bug originally found by Alex Katz and reported in the bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=2149713

Description of problem:
When a stateless security group is attached to the instance it fails to fetch metadata info. An explicit rule is required to allow metadata traffic from 169.254.169.254.

Checked with the custom security group (only egress traffic is allowed)
as well as with the default security group (egress and ingress from the
same SG are allowed).

Version-Release number of selected component (if applicable):
RHOS-17.1-RHEL-9-20221115.n.2
Red Hat Enterprise Linux release 9.1 (Plow)

How reproducible:
100%

Steps to Reproduce:
openstack security group create --stateless test_sg
openstack server create --image <IMG> --flavor <FLAV> --network <NET> --security-group test_sg vm_1

Actual results:
checking http://169.254.169.254/2009-04-04/instance-id
failed 1/20: up 21.53. request failed
failed 2/20: up 70.89. request failed
failed 3/20: up 120.12. request failed
failed 4/20: up 169.36. request failed
failed 5/20: up 218.81. request failed
failed 6/20: up 268.17. request failed

Expected results:
Metadata is successfully fetched

** Affects: neutron
     Importance: Undecided
     Assignee: Ihar Hrachyshka (ihar-hrachyshka)
         Status: Confirmed


** Tags: ovn sg-fw

** Changed in: neutron
       Status: New => Confirmed

** Changed in: neutron
     Assignee: (unassigned) => Ihar Hrachyshka (ihar-hrachyshka)

** Tags added: ovn sg-fw

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2009053


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2009053/+subscriptions
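
A simplified model of the behaviour in this report, added here as an illustration; it is not Neutron or OVN code and not part of the original bug report. It assumes the blocked packet is the reply coming from 169.254.169.254, which a stateless group (no connection tracking) only admits through an explicit ingress rule; the rule sets, member addresses and function names are constructed.

```python
import ipaddress
from dataclasses import dataclass

METADATA_IP = "169.254.169.254"

@dataclass(frozen=True)
class Rule:
    direction: str      # "ingress" or "egress"
    remote: str         # CIDR, or "sg:<name>" for a remote-group rule

@dataclass(frozen=True)
class Packet:
    direction: str      # relative to the instance port
    peer_ip: str        # remote endpoint address
    is_reply: bool      # True if it answers a flow the instance opened

def rule_matches(rule, pkt, sg_members):
    if rule.direction != pkt.direction:
        return False
    if rule.remote.startswith("sg:"):
        # Remote-group rules match only addresses of ports in that group.
        return pkt.peer_ip in sg_members
    return ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.remote)

def allowed(pkt, rules, stateful, sg_members=frozenset()):
    # Stateful groups accept replies to tracked connections; stateless groups
    # have no connection tracking, so every packet needs a matching rule.
    if stateful and pkt.is_reply:
        return True
    return any(rule_matches(r, pkt, sg_members) for r in rules)

def metadata_fetch_works(rules, stateful, sg_members=frozenset()):
    request = Packet("egress", METADATA_IP, is_reply=False)
    reply = Packet("ingress", METADATA_IP, is_reply=True)
    return (allowed(request, rules, stateful, sg_members)
            and allowed(reply, rules, stateful, sg_members))

# Constructed rule sets mirroring the two groups named in the report.
EGRESS_ONLY = [Rule("egress", "0.0.0.0/0")]
DEFAULT_SG = EGRESS_ONLY + [Rule("ingress", "sg:default")]
WITH_EXPLICIT_RULE = EGRESS_ONLY + [Rule("ingress", METADATA_IP + "/32")]
SG_MEMBERS = frozenset({"10.0.0.5", "10.0.0.6"})  # constructed member addresses

if __name__ == "__main__":
    for name, rules in [("egress-only", EGRESS_ONLY), ("default", DEFAULT_SG),
                        ("explicit 169.254.169.254/32", WITH_EXPLICIT_RULE)]:
        for stateful in (True, False):
            ok = metadata_fetch_works(rules, stateful, SG_MEMBERS)
            print(f"{name:30} stateful={stateful!s:5} metadata={'ok' if ok else 'blocked'}")
```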


