Bug 1907349
| Summary: | Amphora load balancer deployment fails when vip subnet's network has port security disabled | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Morgan Weetman <mweetman> |
| Component: | openstack-octavia | Assignee: | Gregory Thiemonge <gthiemon> |
| Status: | CLOSED ERRATA | QA Contact: | Bruna Bonguardo <bbonguar> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 16.1 (Train) | CC: | gthiemon, ihrachys, lpeer, majopela, scohen |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | 16.2 (Train on RHEL 8.4) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-octavia-5.1.1-2.20210304164955.ec60849.el8ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-09-15 07:10:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Morgan Weetman
2020-12-14 10:05:57 UTC
Hi,

Octavia Amphora has only one network driver that handles the creation of the ports of a Load Balancer. This driver uses the allowed_address_pairs feature of Neutron, and this feature requires port_security_enabled on the networks (allowed_address_pairs allows Octavia to migrate or to failover the VIP port of a Load Balancer).

There's currently no plan to add another network driver. Do you think we should improve the downstream doc or the validation of the parameters in the Octavia API?

Hi Gregory,

Personally I'd like the error message surfaced to the user if possible, so you don't have to dig through logs on a controller to work out why it failed, so I'd vote for parameter validation.

thanks

Created upstream story: https://storyboard.openstack.org/#!/story/2008449

and patch: https://review.opendev.org/c/openstack/octavia/+/767086

Version:

```
[stack@undercloud-0 ~]$ cat /var/lib/rhos-release/latest-installed
16.2 -p RHOS-16.2-RHEL-8-20210713.n.0
```

```
#Before disabling port security:
[2021-07-21 14:45:53] (tester) [stack@undercloud-0 ~]$ openstack network list
+--------------------------------------+-----------+----------------------------------------------------------------------------+
| ID                                   | Name      | Subnets                                                                    |
+--------------------------------------+-----------+----------------------------------------------------------------------------+
| a10602b1-14fb-4f68-8a3d-3394593d5f03 | int_net_1 | 09ea3a4d-07c9-4dfd-ae5b-f7ebec06b23f, 652e2454-8e03-4fc1-8c8f-b06d44029b6b |
| ca1f1aa9-e047-4cce-ae5c-e039a487dd3a | nova      | 0828d3a6-a0c0-4ac9-b5dc-fe4b20931843, cc26b7ae-736c-4469-9891-f2d61639645c |
+--------------------------------------+-----------+----------------------------------------------------------------------------+
[2021-07-21 14:46:02] (tester) [stack@undercloud-0 ~]$ openstack network show int_net_1
+---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                     | Value |
+---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up            | UP |
| availability_zone_hints   | |
| availability_zones        | |
| created_at                | 2021-07-20T10:07:48Z |
| description               | |
| dns_domain                | |
| id                        | a10602b1-14fb-4f68-8a3d-3394593d5f03 |
| ipv4_address_scope        | None |
| ipv6_address_scope        | None |
| is_default                | None |
| is_vlan_transparent       | None |
| location                  | cloud='', project.domain_id=, project.domain_name='Default', project.id='52237d051296475d9455ca1f654e5f77', project.name='test_cloud', region_name='', zone= |
| mtu                       | 1442 |
| name                      | int_net_1 |
| port_security_enabled     | True |
| project_id                | 52237d051296475d9455ca1f654e5f77 |
| provider:network_type     | None |
| provider:physical_network | None |
| provider:segmentation_id  | None |
| qos_policy_id             | None |
| revision_number           | 3 |
| router:external           | Internal |
| segments                  | None |
| shared                    | False |
| status                    | ACTIVE |
| subnets                   | 09ea3a4d-07c9-4dfd-ae5b-f7ebec06b23f, 652e2454-8e03-4fc1-8c8f-b06d44029b6b |
| tags                      | |
| updated_at                | 2021-07-20T10:08:04Z |
+---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+

#Disabling port security:
[2021-07-21 14:58:19] (tester) [stack@undercloud-0 ~]$ openstack network set --disable-port-security int_net_1
[2021-07-21 14:59:20] (tester) [stack@undercloud-0 ~]$
[2021-07-21 14:59:22] (tester) [stack@undercloud-0 ~]$ openstack network show int_net_1
+---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                     | Value |
+---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up            | UP |
| availability_zone_hints   | |
| availability_zones        | |
| created_at                | 2021-07-20T10:07:48Z |
| description               | |
| dns_domain                | |
| id                        | a10602b1-14fb-4f68-8a3d-3394593d5f03 |
| ipv4_address_scope        | None |
| ipv6_address_scope        | None |
| is_default                | None |
| is_vlan_transparent       | None |
| location                  | cloud='', project.domain_id=, project.domain_name='Default', project.id='52237d051296475d9455ca1f654e5f77', project.name='test_cloud', region_name='', zone= |
| mtu                       | 1442 |
| name                      | int_net_1 |
| port_security_enabled     | False |
| project_id                | 52237d051296475d9455ca1f654e5f77 |
| provider:network_type     | None |
| provider:physical_network | None |
| provider:segmentation_id  | None |
| qos_policy_id             | None |
| revision_number           | 4 |
| router:external           | Internal |
| segments                  | None |
| shared                    | False |
| status                    | ACTIVE |
| subnets                   | 09ea3a4d-07c9-4dfd-ae5b-f7ebec06b23f, 652e2454-8e03-4fc1-8c8f-b06d44029b6b |
| tags                      | |
| updated_at                | 2021-07-21T18:59:20Z |
+---------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+

#Attempt to create a load balancer:
[2021-07-21 14:59:56] (tester) [stack@undercloud-0 ~]$ openstack subnet list
+--------------------------------------+---------------+--------------------------------------+-------------+
| ID                                   | Name          | Network                              | Subnet      |
+--------------------------------------+---------------+--------------------------------------+-------------+
| 09ea3a4d-07c9-4dfd-ae5b-f7ebec06b23f | subnet_ipv6_1 | a10602b1-14fb-4f68-8a3d-3394593d5f03 | 2001::/64   |
| 652e2454-8e03-4fc1-8c8f-b06d44029b6b | subnet_ipv4_1 | a10602b1-14fb-4f68-8a3d-3394593d5f03 | 10.0.1.0/24 |
+--------------------------------------+---------------+--------------------------------------+-------------+
[2021-07-21 15:00:04] (tester) [stack@undercloud-0 ~]$ openstack loadbalancer create --name lb1 --vip-subnet-id subnet_ipv4_1
Provider 'amphora' reports error: Port security must be enabled on the VIP network. (HTTP 500) (Request-ID: req-fa519772-d93b-4917-ab6e-e58461ad869c)
[2021-07-21 15:00:16] (tester) [stack@undercloud-0 ~]$
```

Getting the right API error message. Moving the bug to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform (RHOSP) 16.2 enhancement advisory), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:3483
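
The request-time parameter validation discussed in this thread, sketched as an added example (it is not Octavia's code and not part of the bug report): the VIP subnet is resolved to its network and the request is rejected before any amphora is built if port security is off. The function names, the exception class and the dict layout are assumptions; the IDs and names are taken from the console output in the thread, and a missing `port_security_enabled` attribute is assumed to mean enabled.

```python
class VipValidationError(Exception):
    """Raised at request time so the API caller sees the reason."""


# Constructed sample data shaped like Neutron responses. IDs and names are the
# ones in the console output on this page, in the state after port security
# was disabled on int_net_1.
NETWORKS = {
    "a10602b1-14fb-4f68-8a3d-3394593d5f03": {
        "name": "int_net_1", "port_security_enabled": False},
}
SUBNETS = {
    "09ea3a4d-07c9-4dfd-ae5b-f7ebec06b23f": {
        "name": "subnet_ipv6_1",
        "network_id": "a10602b1-14fb-4f68-8a3d-3394593d5f03"},
    "652e2454-8e03-4fc1-8c8f-b06d44029b6b": {
        "name": "subnet_ipv4_1",
        "network_id": "a10602b1-14fb-4f68-8a3d-3394593d5f03"},
}


def resolve_subnet(ref, subnets):
    """Accept a subnet ID or a unique subnet name, as the CLI call on this page does."""
    if ref in subnets:
        return ref
    matches = [sid for sid, s in subnets.items() if s["name"] == ref]
    if len(matches) != 1:
        raise VipValidationError(f"Subnet {ref!r} not found or ambiguous.")
    return matches[0]


def validate_vip_subnet(ref, subnets, networks):
    """Return the VIP network ID, or raise if the amphora driver cannot use it."""
    subnet_id = resolve_subnet(ref, subnets)
    network_id = subnets[subnet_id]["network_id"]
    network = networks.get(network_id)
    if network is None:
        raise VipValidationError(f"Network {network_id} not found.")
    # The driver relies on allowed_address_pairs, which requires port security.
    # Assumption: an absent attribute is treated as enabled.
    if not network.get("port_security_enabled", True):
        raise VipValidationError(
            "Port security must be enabled on the VIP network.")
    return network_id
```
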