Hide Forgot
Description of problem: It seems we have a case where the openvswitch firewall driver and a use of trunks interferes with each other. I tried using the parent's MAC address for a subport. Like this: openstack network create net0 openstack network create net1 openstack subnet create --network net0 --subnet-range 10.0.4.0/24 subnet0 openstack subnet create --network net1 --subnet-range 10.0.5.0/24 subnet1 openstack port create --network net0 port0 parent_mac="$( openstack port show port0 | awk '/ mac_address / { print $4 }' )" openstack port create --network net1 --mac-address "$parent_mac" port1 openstack network trunk create --parent-port port0 --subport port=port1,segmentation-type=vlan,segmentation-id=101 trunk0 openstack server create --flavor cirros256 --image cirros-0.3.4-x86_64-uec --nic port-id=port0 --key-name key0 --wait vm0 Then all packets are lost on the trunk's parent port: $ openstack server show vm0 | egrep addresses.*net0 | addresses | net0=10.0.4.6 | $ sudo ip netns exec "qdhcp-$( openstack network show net0 | awk '/ id / { print $4 }' )" ping -c3 10.0.4.6 WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils PING 10.0.4.6 (10.0.4.6) 56(84) bytes of data. --- 10.0.4.6 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2016ms If I change the firewall_driver to noop and redo the same I have connectivity. If I still have the openvswitch firewall_driver but I don't explicitly set the subport MAC, but let neutron automatically assign one, then again I have connectivity. Version-Release number of selected component (if applicable): Pike How reproducible: 100% Steps to Reproduce: 1. Described in description 2. 3. Actual results: Expected results: Additional info:
The fix was approved upstream but CI never merged for some reason... I just rechecked the patch so that it has the chance to be merged. It should be available in the next downstream OSP 12 puddle.
Hi Kuba, SHould we add icmp allow to the SG in reproduction steps ? tnx
(In reply to Alexander Stafeyev from comment #4) > Hi Kuba, > > SHould we add icmp allow to the SG in reproduction steps ? > > tnx Yes
Verified [stack@undercloud-0 ~]$ rpm -qa | grep openstack-neu openstack-neutron-11.0.1-0.20170831212231.d6f8c44.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462