Created attachment 1264773 [details]
A heat template to demonstrate eth1 failure using port_security_enabled=false

Description of problem:
When a Neutron port or network is created via Heat template, the interface on connected instances shows "disconnected" and fails to get IP configuration by DHCP.

Version-Release number of selected component (if applicable):
OSP 10

How reproducible:
Create an OSP10 service via OSP-D with the port_security extension enabled in the ML2 driver.

https://wiki.openstack.org/wiki/Neutron/ML2PortSecurityExtensionDriver

/etc/neutron/plugins/ml2/ml2_conf.ini
    extension_drivers = port_security

Create an instance with a network interface with port_security_enabled=false *using heat*. Log into the instance and attempt to bring up the interface with ifdown/ifup. Observe the interface behavior; the journalctl logs for the interface will indicate "disconnected".

Creating the same configuration with port_security_enabled=true results in a working interface, but with port security enabled.

Steps to Reproduce:
1. Create OSP 10 from Director
2. Enable ML2 Port Security extension
3. Create heat stack with network with port_security_enabled=false and a host attached.
   See "all-in-one.yaml" attached. Adapt the input parameters for the test environment.

    openstack stack create \
      --parameter flavor=m1.small \
      --parameter image=rhel73 \
      --parameter ssh_user=cloud-user \
      --parameter key_name=ocp3 \
      --parameter hostname=test-port-security \
      --parameter external_network=public_network \
      --parameter nameservers=10.19.114.41,10.19.114.2 \
      -t all-in-one.yaml test

4. Examine the attached interface (eth1) and attempt to bring it down and up
5. Examine journalctl output for eth1

Actual results:
ifup fails indicating timeout. journalctl indicates the interface is disconnected.

Expected results:
ifup causes interface to get DHCP and configure.

Additional info:
It appears that it is not heat, but neutron that is the source of the problem. Creating the network with the CLI manifests the same problem:

    openstack network create --disable-port-security tenant-network
    openstack subnet create --network tenant-network --subnet-range 172.18.20.0/24 tenant-subnet

Instances connected to 'tenant-network' will show the interface as present but disconnected.
Created attachment 1264830 [details]
CLI shell only test run

This script creates the required networks and a single host attached to both. Adjust key values (image, key, public_network, nameserver) as needed. If the PORT_SECURITY variable is false, then the eth1 network shows disconnected. If it is set true then the eth1 network comes up as expected and is configured by DHCP. You must log in and observe the journalctl for eth1 and attempt to up/down the interface.
Created attachment 1264844 [details]
script to create a host with port security disabled on eth1 (corrected)

This is a better version of the previous. It doesn't re-create after cleaning.

- Mark
Created attachment 1264845 [details] Updated PROPERLY - a script to create a host with port-security disabled on eth1
Can you please upload an SOS report from a compute node and a controller node, and specify a timestamp in which you created a VM with port security equal to False?
Um... what's an SOS report and how do I generate one? Links are fine.
(In reply to Mark Lamourine from comment #6)
> Um... what's an SOS report and how do I generate one? Links are fine.

https://access.redhat.com/solutions/3592
Assaf: thanks, and apologies for my lack of knowledge. Roger Lopez did a search and found that this is likely a duplicate of BZ1406263.
*** This bug has been marked as a duplicate of bug 1406263 ***