Bug 2232279

Summary: Add firewall rules to allow ovn traffic from dcn site
Product: Red Hat OpenStack
Reporter: Jaison Raju <jraju>
Component: openstack-tripleo-heat-templates
Assignee: OSP Team <rhos-maint>
Status: NEW
QA Contact: Joe H. Rahme <jhakimra>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 17.1 (Wallaby)
CC: jraju, mburns, tkajinam
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jaison Raju 2023-08-16 05:31:04 UTC
Description of problem:
It was observed that the controller nodes had an allow rule for traffic to 6642 from the internal_api network of their own leaf only, and not from other leafs or dcn sites.
For example:
We have 2 sites, central & dcn1, with 172.18.1.0/24 & 172.18.2.0/24; the controller only allowed this:
[root@central-controller0-0 ~]# iptables-save | grep 6642
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT

This caused the computes to be unable to get the required OVN wiring, like tunnels or port binding, post deployment.

Version-Release number of selected component (if applicable):
17.1 / RHOS-17.1-RHEL-9-20230628.n.2

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
I feel like we need to consider adding firewall rules similar to this for each dcn site:

-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6644 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6643 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT

I guess the best way to do this would be to make sure the final deployment on the central site, after adding any dcn site, considers a separate net_cidr for each site. (Looking at the file, I am not sure whether it was supposed to apply for each site, but in my environment the rules for the dcn site were missing):
/usr/share/openstack-tripleo-heat-templates/deployment/ovn/ovn-dbs-cluster-ansible.yaml

  role_data:
    description: Role data for the OVN multi-active cluster role.
    value:
      service_name: ovn_dbs
      firewall_rules:
        map_merge:
          repeat:
            for_each:
              <%net_cidr%>:
                get_param:
                  - ServiceData
                  - net_cidr_map
                  - {get_param: [ServiceNetMap, OvnDbsNetwork]}
            template:
              '121 OVN DB server and cluster ports for <%net_cidr%>':
                proto: 'tcp'
                source: <%net_cidr%>
                dport:
                  - {get_param: OVNNorthboundServerPort}
                  - {get_param: OVNSouthboundServerPort}
                  - {get_param: OVNNorthboundClusterPort}
                  - {get_param: OVNSouthboundClusterPort}
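As an added check (not part of the report or of tripleo-heat-templates), the following Python parses `iptables-save` output from a controller and reports which site CIDRs lack ACCEPT rules for the OVN DB ports, so a missing leaf or DCN subnet can be spotted before computes fail to bind. The sample output is constructed from the rules quoted above; 172.18.2.0/24 is the dcn1 subnet named in the report, and 6641 as OVNNorthboundServerPort is an assumed default (6642-6644 come from the report).

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed iptables-save excerpt for the central controller, built from the
# rules quoted in the report: only the local leaf 172.18.1.0/24 is allowed in.
SAMPLE_IPTABLES_SAVE = """\
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6644 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6643 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6641 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# NB server, SB server, NB cluster, SB cluster. 6642-6644 appear in the
# report; 6641 as OVNNorthboundServerPort is an assumed default.
OVN_DB_PORTS = (6641, 6642, 6643, 6644)
SRC_RE = re.compile(r"\s-s (\S+)")
DPORT_RE = re.compile(r"--dports? ([\d:,]+)")


def accepted_tcp_ports(iptables_save: str) -> Dict[str, Set[int]]:
    """Map source CIDR -> TCP ports INPUT ACCEPTs from it. Understands --dport N,
    --dport N:M and multiport --dports a,b; a rule with no -s is filed under 0.0.0.0/0."""
    allowed: Dict[str, Set[int]] = {}
    for line in iptables_save.splitlines():
        line = line.strip()
        if not (line.startswith("-A INPUT") and line.endswith("-j ACCEPT")
                and "-p tcp" in line):
            continue
        if not (dports := DPORT_RE.search(line)):
            continue
        src = SRC_RE.search(line)
        bucket = allowed.setdefault(src.group(1) if src else "0.0.0.0/0", set())
        for spec in dports.group(1).split(","):
            lo, _, hi = spec.partition(":")
            bucket.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def missing_ovn_rules(iptables_save: str, site_cidrs: Iterable[str],
                      ports: Iterable[int] = OVN_DB_PORTS) -> Dict[str, List[int]]:
    """Return {site_cidr: [OVN DB ports with no ACCEPT rule]} for each site with a gap."""
    allowed = accepted_tcp_ports(iptables_save)
    any_src = allowed.get("0.0.0.0/0", set())  # rules without -s cover every site
    gaps: Dict[str, List[int]] = {}
    for cidr in site_cidrs:
        blocked = sorted(p for p in ports if p not in allowed.get(cidr, set()) | any_src)
        if blocked:
            gaps[cidr] = blocked
    return gaps
```

Run `missing_ovn_rules(open("/tmp/iptables.txt").read(), ["172.18.1.0/24", "172.18.2.0/24"])` against a saved `iptables-save` on each controller after adding a DCN site; an empty result means every site subnet can reach all four OVN DB ports.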