Description of problem:
It seems we have a case where the openvswitch firewall driver and the use of trunks interfere with each other. I tried using the parent's MAC address for a subport. Like this:
openstack network create net0
openstack network create net1
openstack subnet create --network net0 --subnet-range 10.0.4.0/24 subnet0
openstack subnet create --network net1 --subnet-range 10.0.5.0/24 subnet1
openstack port create --network net0 port0
parent_mac="$( openstack port show port0 | awk '/ mac_address / { print $4 }' )"
openstack port create --network net1 --mac-address "$parent_mac" port1
openstack network trunk create --parent-port port0 --subport port=port1,segmentation-type=vlan,segmentation-id=101 trunk0
openstack server create --flavor cirros256 --image cirros-0.3.4-x86_64-uec --nic port-id=port0 --key-name key0 --wait vm0
Then all packets are lost on the trunk's parent port:
$ openstack server show vm0 | egrep addresses.*net0
| addresses | net0=10.0.4.6 |
$ sudo ip netns exec "qdhcp-$( openstack network show net0 | awk '/ id / { print $4 }' )" ping -c3 10.0.4.6
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
PING 10.0.4.6 (10.0.4.6) 56(84) bytes of data.
--- 10.0.4.6 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2016ms
If I change the firewall_driver to noop and redo the same I have connectivity.
If I still have the openvswitch firewall_driver but I don't explicitly set the subport MAC, but let neutron automatically assign one, then again I have connectivity.
Version-Release number of selected component (if applicable):
Pike
How reproducible:
100%
Steps to Reproduce:
1. Described in description
2.
3.
Actual results:
Expected results:
Additional info:
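An added example, not part of the original report or of neutron: a check that flags every trunk subport sharing its parent port's MAC address, the configuration that loses connectivity above when firewall_driver is openvswitch. The sample data is constructed, and the JSON field names are assumed to match what `openstack port list -f json` and `openstack network trunk show -f json` emit.

```python
import json

# Constructed sample data; field names are assumptions modelled on
# `openstack port list -f json` and `openstack network trunk show -f json`.
PORTS_JSON = """[
 {"ID": "p0", "Name": "port0", "MAC Address": "fa:16:3e:aa:bb:01"},
 {"ID": "p1", "Name": "port1", "MAC Address": "FA:16:3E:AA:BB:01"},
 {"ID": "p2", "Name": "port2", "MAC Address": "fa:16:3e:aa:bb:02"},
 {"ID": "p3", "Name": "port3", "MAC Address": "fa:16:3e:aa:bb:03"}
]"""
TRUNKS_JSON = """[
 {"name": "trunk0", "port_id": "p0", "sub_ports": [
   {"port_id": "p1", "segmentation_type": "vlan", "segmentation_id": 101},
   {"port_id": "p2", "segmentation_type": "vlan", "segmentation_id": 102}]},
 {"name": "trunk1", "port_id": "p3", "sub_ports": []}
]"""


def find_mac_reuse(ports_json, trunks_json):
    """Return (trunk, parent, subport, segmentation_id, mac) for each subport
    whose MAC address equals the MAC of its trunk's parent port."""
    # MAC comparison is case-insensitive, so normalise to lower case.
    mac_of = {p["ID"]: p["MAC Address"].lower() for p in json.loads(ports_json)}
    hits = []
    for trunk in json.loads(trunks_json):
        parent = trunk["port_id"]
        parent_mac = mac_of.get(parent)
        if parent_mac is None:
            continue  # parent port not present in the port listing
        for sub in trunk.get("sub_ports", []):
            if mac_of.get(sub["port_id"]) == parent_mac:
                hits.append((trunk["name"], parent, sub["port_id"],
                             sub["segmentation_id"], parent_mac))
    return hits


if __name__ == "__main__":
    for name, parent, sub, seg, mac in find_mac_reuse(PORTS_JSON, TRUNKS_JSON):
        print("trunk %s: subport %s (segmentation id %s) reuses MAC %s of parent %s"
              % (name, sub, seg, mac, parent))
```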
The fix was approved upstream but CI never merged for some reason... I just rechecked the patch so that it has the chance to be merged. It should be available in the next downstream OSP 12 puddle.
Comment 4 Alexander Stafeyev 2017-10-15 13:59:30 UTC
Hi Kuba,
Should we add ICMP allow to the SG in reproduction steps?
tnx
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2017:3462