When a new listener is created, Octavia adds a rule for it into the loadbalancer security group. For instance, if port 80 is the one to open:

created_at='2019-01-02T17:57:28Z', direction='ingress', ethertype='IPv4', id='3f20b440-e086-4b8c-84f6-47d14980839e', port_range_max='80', port_range_min='80', protocol='tcp', updated_at='2019-01-02T17:57:28Z'

However, in the cases when Network Policies or Namespace Isolation features are used, this is not the intended behavior and only the rules added by kuryr should be there.

For namespace isolation, if kuryr is faster than Octavia adding its rules, Octavia will see that there is already a rule for the target port and protocol and skip the addition. However, this is prone to races as, if by any chance Octavia adds them first, kuryr will add its own on top, and the rules will not enforce the isolation.

How reproducible:
100% by adding a sleep before kuryr adds the listener rules when namespace isolation is enabled

The expected behavior is:

+-----------------+--------------------------------------------------------------+
| Field | Value |
+-----------------+--------------------------------------------------------------+
| created_at | 2019-01-02T18:05:38Z |
| description | |
| id | 7d8e4d6f-c095-4992-8ea5-704745ce3eaa |
| location | None |
| name | lb-bf3a93cf-89f8-48af-9b6f-75eddeff026e |
| project_id | 31acaefaee384d06bf3b19331737accf |
| revision_number | 5 |
| rules | created_at='2019-01-02T18:05:53Z', description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', id='060feed8-eac4-4986-a450-7822c5c78bb1', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='10.0.0.128/26', updated_at='2019-01-02T18:05:53Z' |
| | created_at='2019-01-02T18:05:53Z', description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', id='36485db1-d2eb-4dad-9ada-6c7b8339f54b', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='e94504fa-09b1-4f4d-b787-35619b52a1ca', updated_at='2019-01-02T18:05:53Z' |
| | created_at='2019-01-02T18:05:38Z', direction='egress', ethertype='IPv6', id='40aadfe9-36d8-413e-99a5-1664077e3039', updated_at='2019-01-02T18:05:38Z' |
| | created_at='2019-01-02T18:05:53Z', description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', id='6b452363-e51e-404e-9916-1b12680a6ae5', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='d7203bf6-3e32-4a08-a5d5-f2fe82b8fc36', updated_at='2019-01-02T18:05:53Z' |
| | created_at='2019-01-02T18:05:54Z', direction='ingress', ethertype='IPv4', id='78da225c-5dd6-4be0-866d-4ceb330f309b', port_range_max='1025', port_range_min='1025', protocol='tcp', updated_at='2019-01-02T18:05:54Z' |
| | created_at='2019-01-02T18:05:38Z', direction='egress', ethertype='IPv4', id='aead98e3-c546-4f1b-baee-84415be5e899', updated_at='2019-01-02T18:05:38Z' |
| tags | [] |
| updated_at | 2019-01-02T18:05:54Z |
+-----------------+--------------------------------------------------------------+

The results that are obtained when Octavia is faster adding the rules are:

+-----------------+--------------------------------------------------------------+
| Field | Value |
+-----------------+--------------------------------------------------------------+
| created_at | 2019-01-02T17:57:12Z |
| description | |
| id | 1292827f-8faa-472a-af86-7e34aa4161a6 |
| location | None |
| name | lb-6fc4baf7-4f21-450b-8397-6bbf5735d7e1 |
| project_id | 31acaefaee384d06bf3b19331737accf |
| revision_number | 6 |
| rules | created_at='2019-01-02T17:57:28Z', direction='ingress', ethertype='IPv4', id='3f20b440-e086-4b8c-84f6-47d14980839e', port_range_max='80', port_range_min='80', protocol='tcp', updated_at='2019-01-02T17:57:28Z' |
| | created_at='2019-01-02T17:57:12Z', direction='egress', ethertype='IPv6', id='7bced533-1352-4f1a-911e-dbf8b785a93b', updated_at='2019-01-02T17:57:12Z' |
| | created_at='2019-01-02T17:57:57Z', description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', id='8761784d-b574-4321-ba80-b4b6684203cf', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='d7203bf6-3e32-4a08-a5d5-f2fe82b8fc36', updated_at='2019-01-02T17:57:57Z' |
| | created_at='2019-01-02T17:57:57Z', description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', id='97b36d4c-54aa-47a2-bd17-b717a5e0b89e', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='e94504fa-09b1-4f4d-b787-35619b52a1ca', updated_at='2019-01-02T17:57:57Z' |
| | created_at='2019-01-02T17:57:57Z', description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', id='e9397b72-725c-4af3-a0ba-d7ee2b3f9f45', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='10.0.0.128/26', updated_at='2019-01-02T17:57:57Z' |
| | created_at='2019-01-02T17:57:12Z', direction='egress', ethertype='IPv4', id='e9d8ff32-8d3c-4465-8dd7-79b980a626b9', updated_at='2019-01-02T17:57:12Z' |
| | created_at='2019-01-02T17:57:28Z', direction='ingress', ethertype='IPv4', id='f6129c3d-b14a-4e1c-848e-95125708d870', port_range_max='1025', port_range_min='1025', protocol='tcp', updated_at='2019-01-02T17:57:28Z' |
| tags | [] |
| updated_at | 2019-01-02T17:57:57Z |
+-----------------+--------------------------------------------------------------+
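An added example, not part of the original report and not kuryr or Octavia code: a check for the condition described above, where an ingress rule with no remote restriction sits beside source-restricted rules for the same port and so defeats them. The function names are this example's own, and the rule lines are abridged from the two outputs quoted in the report.

```python
import ipaddress
import re

# Rule lines abridged from the two "security group show" outputs in the report
# (timestamps dropped, one egress rule kept; ids, ports and remotes unchanged).
EXPECTED_RULES = [
    "description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', "
    "id='060feed8-eac4-4986-a450-7822c5c78bb1', port_range_max='80', "
    "port_range_min='80', protocol='tcp', remote_ip_prefix='10.0.0.128/26'",
    "description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', "
    "id='36485db1-d2eb-4dad-9ada-6c7b8339f54b', port_range_max='80', "
    "port_range_min='80', protocol='tcp', "
    "remote_group_id='e94504fa-09b1-4f4d-b787-35619b52a1ca'",
    "description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', "
    "id='6b452363-e51e-404e-9916-1b12680a6ae5', port_range_max='80', "
    "port_range_min='80', protocol='tcp', "
    "remote_group_id='d7203bf6-3e32-4a08-a5d5-f2fe82b8fc36'",
    "direction='ingress', ethertype='IPv4', "
    "id='78da225c-5dd6-4be0-866d-4ceb330f309b', port_range_max='1025', "
    "port_range_min='1025', protocol='tcp'",
    "direction='egress', ethertype='IPv4', "
    "id='aead98e3-c546-4f1b-baee-84415be5e899'",
]
RACE_LOST_RULES = [
    "direction='ingress', ethertype='IPv4', "
    "id='3f20b440-e086-4b8c-84f6-47d14980839e', port_range_max='80', "
    "port_range_min='80', protocol='tcp'",
    "description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', "
    "id='8761784d-b574-4321-ba80-b4b6684203cf', port_range_max='80', "
    "port_range_min='80', protocol='tcp', "
    "remote_group_id='d7203bf6-3e32-4a08-a5d5-f2fe82b8fc36'",
    "description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', "
    "id='97b36d4c-54aa-47a2-bd17-b717a5e0b89e', port_range_max='80', "
    "port_range_min='80', protocol='tcp', "
    "remote_group_id='e94504fa-09b1-4f4d-b787-35619b52a1ca'",
    "description='test/demo:TCP:80', direction='ingress', ethertype='IPv4', "
    "id='e9397b72-725c-4af3-a0ba-d7ee2b3f9f45', port_range_max='80', "
    "port_range_min='80', protocol='tcp', remote_ip_prefix='10.0.0.128/26'",
    "direction='ingress', ethertype='IPv4', "
    "id='f6129c3d-b14a-4e1c-848e-95125708d870', port_range_max='1025', "
    "port_range_min='1025', protocol='tcp'",
    "direction='egress', ethertype='IPv4', "
    "id='e9d8ff32-8d3c-4465-8dd7-79b980a626b9'",
]

PAIR = re.compile(r"(\w+)='([^']*)'")


def parse_rule(line):
    """Parse one key='value', ... rule line as printed in the report."""
    return dict(PAIR.findall(line))


def is_open(rule):
    """True if the rule admits any source: no remote set, or a /0 prefix."""
    if rule.get("remote_group_id"):
        return False
    prefix = rule.get("remote_ip_prefix")
    return not prefix or ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def ports(rule):
    """Port range of a rule; a rule without ports covers every port."""
    if "port_range_min" not in rule:
        return 1, 65535
    return int(rule["port_range_min"]), int(rule["port_range_max"])


def covers_same_traffic(a, b):
    """Same ethertype, compatible protocol and overlapping port range."""
    if a.get("ethertype") != b.get("ethertype"):
        return False
    proto_a, proto_b = a.get("protocol"), b.get("protocol")
    if proto_a and proto_b and proto_a != proto_b:
        return False
    (a_lo, a_hi), (b_lo, b_hi) = ports(a), ports(b)
    return a_lo <= b_hi and b_lo <= a_hi


def find_bypassing_rules(rule_lines):
    """Return (open_rule_id, [restricted rule ids it defeats]) pairs."""
    rules = [parse_rule(line) for line in rule_lines]
    ingress = [r for r in rules if r.get("direction") == "ingress"]
    restricted = [r for r in ingress if not is_open(r)]
    findings = []
    for rule in ingress:
        if not is_open(rule):
            continue
        defeated = sorted(r["id"] for r in restricted if covers_same_traffic(rule, r))
        if defeated:  # an open rule alone (port 1025 here) is not reported
            findings.append((rule["id"], defeated))
    return findings


if __name__ == "__main__":
    for label, lines in (("expected", EXPECTED_RULES), ("race lost", RACE_LOST_RULES)):
        print(label, find_bypassing_rules(lines))
```

The open rule on port 1025 is not reported in either group because no restricted rule covers that port, which matches the expected output in the report.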
Verified in:
openstack-kuryr-kubernetes-common-0.5.4-0.20190220170509.17d2635.el7ost.noarch
openstack-kuryr-kubernetes-controller-0.5.4-0.20190220170509.17d2635.el7ost.noarch
openstack-kuryr-kubernetes-cni-0.5.4-0.20190220170509.17d2635.el7ost.noarch

Verification steps:
- Deploy OSP14 with Octavia
- Install OCP 3.11 with kuryr
- Enable namespace isolation feature

CREATE NS1, PODS AND SERVICE
----------------------------
$ oc new-project ns1
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo caller
$ oc get pods
NAME             READY   STATUS    RESTARTS   AGE
caller-1-drrpw   1/1     Running   0          15s
demo-1-bxwjp     1/1     Running   0          11m
$ oc expose dc/demo --port 80 --target-port 8080
$ oc get svc
NAME   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
demo   ClusterIP   172.30.233.202   <none>        80/TCP    16m

CREATE NS2, PODS AND SERVICE
----------------------------
$ oc new-project ns2
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo caller
$ oc get pods
NAME             READY   STATUS    RESTARTS   AGE
caller-1-pv82k   1/1     Running   0          15s
demo-1-mgh96     1/1     Running   0          37s
$ oc expose dc/demo --port 80 --target-port 8080
$ oc get svc
NAME   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
demo   ClusterIP   172.30.29.67   <none>        80/TCP    13s

CREATE PODS AND SERVICE IN DEFAULT NS
-------------------------------------
$ oc project default
$ oc run --image kuryr/demo demo
$ oc run --image kuryr/demo caller
$ oc get pods
NAME                       READY   STATUS    RESTARTS   AGE
caller-1-t4szj             1/1     Running   0          12m
demo-1-wg89l               1/1     Running   0          2m
docker-registry-1-gd8sn    1/1     Running   0          10d
kuryr-pod-208940693        1/1     Running   0          10d
registry-console-1-rh84n   1/1     Running   0          10d
router-1-jmdph             1/1     Running   0          10d
$ oc expose dc/demo --port 80 --target-port 8080
$ oc get svc
NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                   AGE
demo               ClusterIP   172.30.211.32    <none>        80/TCP                    54s
docker-registry    ClusterIP   172.30.209.224   <none>        5000/TCP                  10d
kubernetes         ClusterIP   172.30.0.1       <none>        443/TCP,53/UDP,53/TCP     10d
registry-console   ClusterIP   172.30.241.31    <none>        9000/TCP                  10d
router             ClusterIP   172.30.142.176   <none>        80/TCP,443/TCP,1936/TCP   10d

TESTS
-----
Pod ns1 -> service ns1 (same namespace): OK
$ oc project ns1
$ oc rsh caller-1-drrpw curl 172.30.233.202
demo-1-bxwjp: HELLO! I AM ALIVE!!!
-----
Pod ns2 -> service ns2 (same namespace): OK
$ oc project ns2
$ oc rsh caller-1-pv82k curl 172.30.29.67
demo-1-mgh96: HELLO! I AM ALIVE!!!
-----
Pod ns2 -> service ns1 (different namespace): NOK
$ oc project ns2
$ oc rsh caller-1-pv82k curl 172.30.233.202
(timeout)
-----
Pod ns1 -> service ns2 (different namespace): NOK
$ oc project ns1
$ oc rsh caller-1-drrpw curl 172.30.29.67
(timeout)
-----
Pod default ns -> service ns1: OK
$ oc project default
$ oc rsh caller-1-t4szj curl 172.30.233.202
demo-1-bxwjp: HELLO! I AM ALIVE!!!
-----
Pod default ns -> service ns2: OK
$ oc project default
$ oc rsh caller-1-t4szj curl 172.30.29.67
demo-1-mgh96: HELLO! I AM ALIVE!!!
-----
Pod ns1 -> service default ns: OK
$ oc -n ns1 rsh caller-1-drrpw curl 172.30.211.32
demo-1-wg89l: HELLO! I AM ALIVE!!!
-----
Pod ns2 -> service default ns: OK
$ oc -n ns2 rsh caller-1-pv82k curl 172.30.211.32
demo-1-wg89l: HELLO! I AM ALIVE!!!
-----

(.tempest) (overcloud) [stack@undercloud-0 tempest-dir]$ openstack loadbalancer list
+--------------------------------------+-----------------------------------------------------+----------------------------------+----------------+---------------------+----------+
| id | name | project_id | vip_address | provisioning_status | provider |
+--------------------------------------+-----------------------------------------------------+----------------------------------+----------------+---------------------+----------+
| 87dbc23a-c218-4df3-bf5c-d36ec0ca0341 | openshift.example.com-router_lb-nmgvss5p5uby | 33167bf65e17489aa9673acef89bca84 | 192.168.99.19 | ACTIVE | amphora |
| a7f845ce-235e-47ea-a32a-de6c6b7013ea | openshift-ansible-openshift.example.com-api-lb | 33167bf65e17489aa9673acef89bca84 | 172.30.0.1 | ACTIVE | amphora |
| fcd335ad-c26a-43d8-84f7-22b669bd9a55 | default/router | 33167bf65e17489aa9673acef89bca84 | 172.30.142.176 | ACTIVE | amphora |
| d42bba23-242e-4c89-9cbc-f5572d10c98c | default/registry-console | 33167bf65e17489aa9673acef89bca84 | 172.30.241.31 | ACTIVE | amphora |
| eb734a02-4377-4970-9aea-387bac1b7fba | default/docker-registry | 33167bf65e17489aa9673acef89bca84 | 172.30.209.224 | ACTIVE | amphora |
| 9a31081e-f4aa-4d9b-8236-73b97b4bc36a | openshift-console/console | 33167bf65e17489aa9673acef89bca84 | 172.30.66.204 | ACTIVE | amphora |
| aedaa1fc-d462-48c1-b108-b4b88d70cc28 | openshift-monitoring/grafana | 33167bf65e17489aa9673acef89bca84 | 172.30.196.164 | ACTIVE | amphora |
| d70ddcdf-862a-4d77-baad-1389e92d3b48 | openshift-monitoring/prometheus-k8s | 33167bf65e17489aa9673acef89bca84 | 172.30.227.8 | ACTIVE | amphora |
| 7d3c0924-0cbc-4e53-84ab-395b50db7e26 | openshift-monitoring/alertmanager-main | 33167bf65e17489aa9673acef89bca84 | 172.30.255.193 | ACTIVE | amphora |
| ac44c0bc-df5b-4c1b-9ca8-3d0fb7a1403b | test/demo | 33167bf65e17489aa9673acef89bca84 | 172.30.32.204 | ACTIVE | amphora |
| 9c239915-426b-4bac-a0cc-1f69b56ed252 | kuryr-namespace-1626775425/kuryr-service-1260541941 | 33167bf65e17489aa9673acef89bca84 | 172.30.25.30 | ACTIVE | amphora |
| 4deb5fc6-f05b-4e55-b292-7147c875e531 | kuryr-namespace-813514137/kuryr-service-248043553 | 33167bf65e17489aa9673acef89bca84 | 172.30.74.116 | ACTIVE | amphora |
| c27b6aea-c946-4349-b9f2-dd03efb5696a | kuryr-namespace-1691601596/kuryr-service-1527171087 | 33167bf65e17489aa9673acef89bca84 | 172.30.208.78 | ACTIVE | amphora |
| c729d695-133e-43f6-acc4-4b98dc8efde9 | kuryr-namespace-1109799049/kuryr-service-1510596511 | 33167bf65e17489aa9673acef89bca84 | 172.30.240.127 | ACTIVE | amphora |
| 96b1913f-0835-4071-a10c-47dc83be5fa9 | ns1/demo | 33167bf65e17489aa9673acef89bca84 | 172.30.233.202 | ACTIVE | amphora | <---
| da1c9c0b-28ea-4101-8875-2beb5771c3df | ns2/demo | 33167bf65e17489aa9673acef89bca84 | 172.30.29.67 | ACTIVE | amphora | <---
| 73de5722-38cc-4d49-b8e2-a20bb9a1e920 | default/demo | 33167bf65e17489aa9673acef89bca84 | 172.30.211.32 | ACTIVE | amphora | <---
+--------------------------------------+-----------------------------------------------------+----------------------------------+----------------+---------------------+----------+

(.tempest) (overcloud) [stack@undercloud-0 tempest-dir]$ openstack loadbalancer amphora list
+--------------------------------------+--------------------------------------+-----------+------------+---------------+----------------+
| id | loadbalancer_id | status | role | lb_network_ip | ha_ip |
+--------------------------------------+--------------------------------------+-----------+------------+---------------+----------------+
| 98536b3a-8f0d-42e0-a3ed-276727263353 | 87dbc23a-c218-4df3-bf5c-d36ec0ca0341 | ALLOCATED | STANDALONE | 172.24.0.20 | 192.168.99.19 |
| d6c89ccf-7da8-462a-867a-f8f07425878a | a7f845ce-235e-47ea-a32a-de6c6b7013ea | ALLOCATED | STANDALONE | 172.24.0.27 | 172.30.0.1 |
| 548c9063-f88c-4525-b857-6499f8302c8e | fcd335ad-c26a-43d8-84f7-22b669bd9a55 | ALLOCATED | STANDALONE | 172.24.0.19 | 172.30.142.176 |
| c7797b79-5f5d-4a50-9149-2be2f2500cae | d42bba23-242e-4c89-9cbc-f5572d10c98c | ALLOCATED | STANDALONE | 172.24.0.10 | 172.30.241.31 |
| a6c9eea4-9d37-4598-82d0-0cb3c3abc55e | eb734a02-4377-4970-9aea-387bac1b7fba | ALLOCATED | STANDALONE | 172.24.0.5 | 172.30.209.224 |
| 776e4618-70a9-4ba0-9781-6fee336f6288 | 9a31081e-f4aa-4d9b-8236-73b97b4bc36a | ALLOCATED | STANDALONE | 172.24.0.11 | 172.30.66.204 |
| a3a0506a-9e25-43b6-91e1-22aa51d288f2 | aedaa1fc-d462-48c1-b108-b4b88d70cc28 | ALLOCATED | STANDALONE | 172.24.0.12 | 172.30.196.164 |
| f8747357-9ee3-4b68-9857-97aa7a0c505a | d70ddcdf-862a-4d77-baad-1389e92d3b48 | ALLOCATED | STANDALONE | 172.24.0.25 | 172.30.227.8 |
| f9d7bd69-9c9b-4f17-8b4b-d329132c37d4 | 7d3c0924-0cbc-4e53-84ab-395b50db7e26 | ALLOCATED | STANDALONE | 172.24.0.15 | 172.30.255.193 |
| b1e1dce8-bf2c-46ce-85c9-b25e22d380fc | ac44c0bc-df5b-4c1b-9ca8-3d0fb7a1403b | ALLOCATED | STANDALONE | 172.24.0.29 | 172.30.32.204 |
| 33a644cc-33f9-4428-8479-1d5cddc4632c | 9c239915-426b-4bac-a0cc-1f69b56ed252 | ALLOCATED | STANDALONE | 172.24.0.17 | 172.30.25.30 |
| 98f910ad-4c10-4600-b297-393b8867dd09 | 4deb5fc6-f05b-4e55-b292-7147c875e531 | ALLOCATED | STANDALONE | 172.24.0.21 | 172.30.74.116 |
| a1d6a34d-f888-4ddf-8f2c-47cb1c93f485 | c27b6aea-c946-4349-b9f2-dd03efb5696a | ALLOCATED | STANDALONE | 172.24.0.16 | 172.30.208.78 |
| 9a2ad10b-69b0-4003-b1a5-121a240e2e62 | c729d695-133e-43f6-acc4-4b98dc8efde9 | ALLOCATED | STANDALONE | 172.24.0.7 | 172.30.240.127 |
| 61deec45-e59c-4b45-adab-7072e1ac3da9 | 96b1913f-0835-4071-a10c-47dc83be5fa9 | ALLOCATED | STANDALONE | 172.24.0.3 | 172.30.233.202 | <--- (ns1/demo)
| 5cd7cd73-76e3-4aed-8d3f-90997c799732 | da1c9c0b-28ea-4101-8875-2beb5771c3df | ALLOCATED | STANDALONE | 172.24.0.8 | 172.30.29.67 | <--- (ns2/demo)
| 912e54c0-eb78-4fd6-b258-bc465e624e26 | 73de5722-38cc-4d49-b8e2-a20bb9a1e920 | ALLOCATED | STANDALONE | 172.24.0.9 | 172.30.211.32 | <--- (default/demo)
+--------------------------------------+--------------------------------------+-----------+------------+---------------+----------------+

(.tempest) (overcloud) [stack@undercloud-0 tempest-dir]$ openstack server list --all -c ID -c Name -c Status
+--------------------------------------+----------------------------------------------+--------+
| ID | Name | Status |
+--------------------------------------+----------------------------------------------+--------+
| a80689d9-19e0-4c6e-bb70-bc72399f59fe | amphora-912e54c0-eb78-4fd6-b258-bc465e624e26 | ACTIVE | <--- (default/demo)
| aba9d1b6-bb70-4dc4-b498-878ece9c4d59 | amphora-5cd7cd73-76e3-4aed-8d3f-90997c799732 | ACTIVE | <--- (ns2/demo)
| 8589ad00-6db1-4e44-b6cd-2b8976312e1b | amphora-61deec45-e59c-4b45-adab-7072e1ac3da9 | ACTIVE | <--- (ns1/demo)
| 5338b99b-4c7a-419b-a03e-8c4863ac1100 | amphora-9a2ad10b-69b0-4003-b1a5-121a240e2e62 | ACTIVE |
| 2b6626d8-40bc-41b0-b7d5-57b2422b6dae | amphora-a1d6a34d-f888-4ddf-8f2c-47cb1c93f485 | ACTIVE |
| b54a5dab-390b-46a2-ab9e-94688414f9db | amphora-98f910ad-4c10-4600-b297-393b8867dd09 | ACTIVE |
| b2bceb21-8553-4b5d-89a4-6fec103cdc48 | amphora-33a644cc-33f9-4428-8479-1d5cddc4632c | ACTIVE |
| 19fa4a44-425f-4ed4-b09c-4b8f2318bce2 | amphora-b1e1dce8-bf2c-46ce-85c9-b25e22d380fc | ACTIVE |
| ef60835a-124c-4f5d-b309-3182563ab6f0 | amphora-f9d7bd69-9c9b-4f17-8b4b-d329132c37d4 | ACTIVE |
| 63bf4af8-a4cc-4834-9028-0b43c354664b | amphora-f8747357-9ee3-4b68-9857-97aa7a0c505a | ACTIVE |
| e4a01327-19d4-4a72-a46b-5ae6cf98d595 | amphora-a3a0506a-9e25-43b6-91e1-22aa51d288f2 | ACTIVE |
| 99cf8e52-99d7-4a90-9886-253cabc08789 | amphora-776e4618-70a9-4ba0-9781-6fee336f6288 | ACTIVE |
| 30cb061a-5d02-44ad-b4ed-5246e89fa11a | amphora-a6c9eea4-9d37-4598-82d0-0cb3c3abc55e | ACTIVE |
| ecebef5f-ff69-44b7-b015-84067edbd330 | amphora-c7797b79-5f5d-4a50-9149-2be2f2500cae | ACTIVE |
| 89b55ea1-9417-4726-99af-b97f4eac2430 | amphora-548c9063-f88c-4525-b857-6499f8302c8e | ACTIVE |
| 00f939ac-bc8a-454e-9583-a9f00ba8e4f1 | infra-node-0.openshift.example.com | ACTIVE |
| 2b45e87b-7862-40b0-938a-e3741e763303 | master-0.openshift.example.com | ACTIVE |
| 31ca1fb7-e188-4b44-88ed-55aa1b30c253 | amphora-d6c89ccf-7da8-462a-867a-f8f07425878a | ACTIVE |
| 311a1628-1cf4-4bdd-9fe9-6f1e0cafcc4f | amphora-98536b3a-8f0d-42e0-a3ed-276727263353 | ACTIVE |
| 79eec04a-2e7a-4d4d-80ad-3e45dcd6344b | app-node-0.openshift.example.com | ACTIVE |
| 82b7cb27-957c-4655-9d6d-89fe59881422 | app-node-1.openshift.example.com | ACTIVE |
| 2a7bf5f6-3b6a-4258-8868-0bede7655261 | ansible_host-0 | ACTIVE |
| 5660de93-dffa-401c-81fe-891cf5aaad66 | openshift_dns-0 | ACTIVE |
+--------------------------------------+----------------------------------------------+--------+

(.tempest) (overcloud) [stack@undercloud-0 tempest-dir]$ openstack server show 8589ad00-6db1-4e44-b6cd-2b8976312e1b
+-------------------------------------+-------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------------------+-------------------------------------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | compute-0.localdomain |
| OS-EXT-SRV-ATTR:hypervisor_hostname | compute-0.localdomain |
| OS-EXT-SRV-ATTR:instance_name | instance-00000028 |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2019-04-15T15:14:42.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | lb-mgmt-net=172.24.0.3; openshift-ansible-openshift.example.com-service-net=172.30.128.31 |
| config_drive | True |
| created | 2019-04-15T15:14:32Z |
| flavor | octavia_65 (65) |
| hostId | ce00c26b1b961a96ace908253186a22d278cd2929c534b7b47094b00 |
| id | 8589ad00-6db1-4e44-b6cd-2b8976312e1b |
| image | octavia-amphora-14.0-20190304.2.x86_64 (32dda975-4b43-461c-86c0-f58c400a78e3) |
| key_name | octavia-ssh-key |
| name | amphora-61deec45-e59c-4b45-adab-7072e1ac3da9 |
| progress | 0 |
| project_id | 9f7f19ab6fa443c89f0568f56bf0e700 |
| properties | |
| security_groups | name='lb-mgmt-sec-grp' | <---
| | name='lb-96b1913f-0835-4071-a10c-47dc83be5fa9' | <---
| status | ACTIVE |
| updated | 2019-04-15T15:14:42Z |
| user_id | 7f2ea760f96749629e6bd060f3c1d592 |
| volumes_attached | |
+-------------------------------------+-------------------------------------------------------------------------------------------+

(.tempest) (overcloud) [stack@undercloud-0 tempest-dir]$ openstack server show aba9d1b6-bb70-4dc4-b498-878ece9c4d59
+-------------------------------------+-------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------------------+-------------------------------------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | compute-0.localdomain |
| OS-EXT-SRV-ATTR:hypervisor_hostname | compute-0.localdomain |
| OS-EXT-SRV-ATTR:instance_name | instance-00000029 |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2019-04-15T15:33:05.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | lb-mgmt-net=172.24.0.8; openshift-ansible-openshift.example.com-service-net=172.30.128.23 |
| config_drive | True |
| created | 2019-04-15T15:32:54Z |
| flavor | octavia_65 (65) |
| hostId | ce00c26b1b961a96ace908253186a22d278cd2929c534b7b47094b00 |
| id | aba9d1b6-bb70-4dc4-b498-878ece9c4d59 |
| image | octavia-amphora-14.0-20190304.2.x86_64 (32dda975-4b43-461c-86c0-f58c400a78e3) |
| key_name | octavia-ssh-key |
| name | amphora-5cd7cd73-76e3-4aed-8d3f-90997c799732 |
| progress | 0 |
| project_id | 9f7f19ab6fa443c89f0568f56bf0e700 |
| properties | |
| security_groups | name='lb-da1c9c0b-28ea-4101-8875-2beb5771c3df' | <---
| | name='lb-mgmt-sec-grp' | <---
| status | ACTIVE |
| updated | 2019-04-15T15:33:05Z |
| user_id | 7f2ea760f96749629e6bd060f3c1d592 |
| volumes_attached | |
+-------------------------------------+-------------------------------------------------------------------------------------------+

(.tempest) (overcloud) [stack@undercloud-0 tempest-dir]$ openstack server show a80689d9-19e0-4c6e-bb70-bc72399f59fe
+-------------------------------------+-------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------------------+-------------------------------------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | compute-0.localdomain |
| OS-EXT-SRV-ATTR:hypervisor_hostname | compute-0.localdomain |
| OS-EXT-SRV-ATTR:instance_name | instance-0000002a |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2019-04-15T15:52:52.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | lb-mgmt-net=172.24.0.9; openshift-ansible-openshift.example.com-service-net=172.30.128.28 |
| config_drive | True |
| created | 2019-04-15T15:52:42Z |
| flavor | octavia_65 (65) |
| hostId | ce00c26b1b961a96ace908253186a22d278cd2929c534b7b47094b00 |
| id | a80689d9-19e0-4c6e-bb70-bc72399f59fe |
| image | octavia-amphora-14.0-20190304.2.x86_64 (32dda975-4b43-461c-86c0-f58c400a78e3) |
| key_name | octavia-ssh-key |
| name | amphora-912e54c0-eb78-4fd6-b258-bc465e624e26 |
| progress | 0 |
| project_id | 9f7f19ab6fa443c89f0568f56bf0e700 |
| properties | |
| security_groups | name='lb-mgmt-sec-grp' | <---
| | name='lb-73de5722-38cc-4d49-b8e2-a20bb9a1e920' | <---
| status | ACTIVE |
| updated | 2019-04-15T15:52:52Z |
| user_id | 7f2ea760f96749629e6bd060f3c1d592 |
| volumes_attached | |
+-------------------------------------+-------------------------------------------------------------------------------------------+

Check security rules added by Kuryr: (the ones with remote_group_id param)

lb-mgmt-sec-grp
lb-96b1913f-0835-4071-a10c-47dc83be5fa9 <--- (ns1/demo)

(openstack) security group show lb-96b1913f-0835-4071-a10c-47dc83be5fa9
+-----------------+--------------------------------------------------------------+
| Field | Value |
+-----------------+--------------------------------------------------------------+
| created_at | 2019-04-15T15:15:05Z |
| description | |
| id | 3d0cf913-895c-45bb-a43c-3f1e4b9babff |
| name | lb-96b1913f-0835-4071-a10c-47dc83be5fa9 |
| project_id | 33167bf65e17489aa9673acef89bca84 |
| revision_number | 8 |
| rules | created_at='2019-04-15T15:15:05Z', direction='egress', ethertype='IPv4', id='3ab5cee8-fe93-4a9a-8d90-161474417c44', updated_at='2019-04-15T15:15:05Z' |
| | created_at='2019-04-15T15:15:39Z', description='ns1/demo:TCP:80', direction='ingress', ethertype='IPv4', id='802849e5-6cf0-4466-8db8-0e211a9d722c', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='192.168.99.0/24', updated_at='2019-04-15T15:15:39Z' |
| | created_at='2019-04-15T15:15:38Z', description='ns1/demo:TCP:80', direction='ingress', ethertype='IPv4', id='918e7ba2-5312-4bcf-9e35-c3a215d1fdee', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='1a66593f-f709-47c4-aa7b-3e07318cb8cb', updated_at='2019-04-15T15:15:38Z' |
| | created_at='2019-04-15T15:15:39Z', description='ns1/demo:TCP:80', direction='ingress', ethertype='IPv4', id='959ab071-9065-4ac7-811e-724a8def8846', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='172.30.0.0/16', updated_at='2019-04-15T15:15:39Z' |
| | created_at='2019-04-15T15:15:34Z', direction='ingress', ethertype='IPv4', id='dafe6301-bcb5-41f8-9a42-18f260c70a39', port_range_max='1025', port_range_min='1025', protocol='tcp', updated_at='2019-04-15T15:15:34Z' |
| | created_at='2019-04-15T15:15:05Z', direction='egress', ethertype='IPv6', id='ecdd3bfb-84ff-4277-b682-f683830c8a9b', updated_at='2019-04-15T15:15:05Z' |
| | created_at='2019-04-15T15:15:38Z', description='ns1/demo:TCP:80', direction='ingress', ethertype='IPv4', id='f72aefc0-924f-4d05-bd35-5486514ff02f', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='35df2609-c458-4b2c-97c1-42f35415669d', updated_at='2019-04-15T15:15:38Z' |
| tags | [] |
| updated_at | 2019-04-15T15:15:39Z |
+-----------------+--------------------------------------------------------------+

lb-da1c9c0b-28ea-4101-8875-2beb5771c3df <--- (ns2/demo)

(openstack) security group show lb-da1c9c0b-28ea-4101-8875-2beb5771c3df
+-----------------+--------------------------------------------------------------+
| Field | Value |
+-----------------+--------------------------------------------------------------+
| created_at | 2019-04-15T15:33:28Z |
| description | |
| id | c1a55fed-6f27-4031-8b1f-e3d4d85b72b1 |
| name | lb-da1c9c0b-28ea-4101-8875-2beb5771c3df |
| project_id | 33167bf65e17489aa9673acef89bca84 |
| revision_number | 8 |
| rules | created_at='2019-04-15T15:33:45Z', direction='ingress', ethertype='IPv4', id='0d48c01c-4a25-4a89-b00d-7689727307bd', port_range_max='1025', port_range_min='1025', protocol='tcp', updated_at='2019-04-15T15:33:45Z' |
| | created_at='2019-04-15T15:33:28Z', direction='egress', ethertype='IPv4', id='20efbc7a-823c-47de-8fbe-84e45545fc2c', updated_at='2019-04-15T15:33:28Z' |
| | created_at='2019-04-15T15:33:28Z', direction='egress', ethertype='IPv6', id='30805bc1-09c8-43fc-bdaa-2d21f38cd43a', updated_at='2019-04-15T15:33:28Z' |
| | created_at='2019-04-15T15:33:50Z', description='ns2/demo:TCP:80', direction='ingress', ethertype='IPv4', id='406dbcd9-bf48-4210-8b08-4063a51c9cc5', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='6b0504ff-60b8-450d-9aa2-8d3ad4907f56', updated_at='2019-04-15T15:33:50Z' |
| | created_at='2019-04-15T15:33:50Z', description='ns2/demo:TCP:80', direction='ingress', ethertype='IPv4', id='809d4a27-1a3f-4022-b015-e0ff58a78fa3', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='192.168.99.0/24', updated_at='2019-04-15T15:33:50Z' |
| | created_at='2019-04-15T15:33:50Z', description='ns2/demo:TCP:80', direction='ingress', ethertype='IPv4', id='9202f053-fc3a-41d6-bc3c-3afbce83defb', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='172.30.0.0/16', updated_at='2019-04-15T15:33:50Z' |
| | created_at='2019-04-15T15:33:50Z', description='ns2/demo:TCP:80', direction='ingress', ethertype='IPv4', id='a767c332-902a-4f29-a3c5-10e2f2eef6be', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='35df2609-c458-4b2c-97c1-42f35415669d', updated_at='2019-04-15T15:33:50Z' |
| tags | [] |
| updated_at | 2019-04-15T15:33:50Z |
+-----------------+--------------------------------------------------------------+

lb-73de5722-38cc-4d49-b8e2-a20bb9a1e920 <--- (default/demo)

(openstack) security group show lb-73de5722-38cc-4d49-b8e2-a20bb9a1e920
+-----------------+--------------------------------------------------------------+
| Field | Value |
+-----------------+--------------------------------------------------------------+
| created_at | 2019-04-15T15:53:16Z |
| description | |
| id | 465e5c5d-c527-41dc-89f7-a46b56ec5036 |
| name | lb-73de5722-38cc-4d49-b8e2-a20bb9a1e920 |
| project_id | 33167bf65e17489aa9673acef89bca84 |
| revision_number | 8 |
| rules | created_at='2019-04-15T15:53:37Z', description='default/demo:TCP:80', direction='ingress', ethertype='IPv4', id='11359adb-a959-4b94-8bb7-484ef2969383', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='811a43c6-7aa0-4f07-bf29-129d8043e678', updated_at='2019-04-15T15:53:37Z' |
| | created_at='2019-04-15T15:53:38Z', description='default/demo:TCP:80', direction='ingress', ethertype='IPv4', id='6c9fc815-094d-420b-ba05-c49f28c3bfc6', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='192.168.99.0/24', updated_at='2019-04-15T15:53:38Z' |
| | created_at='2019-04-15T15:53:37Z', description='default/demo:TCP:80', direction='ingress', ethertype='IPv4', id='90831785-4ac5-48e7-9c96-c9f470ce01e2', port_range_max='80', port_range_min='80', protocol='tcp', remote_group_id='5450e29d-e385-4886-b152-d0662943f461', updated_at='2019-04-15T15:53:37Z' |
| | created_at='2019-04-15T15:53:38Z', description='default/demo:TCP:80', direction='ingress', ethertype='IPv4', id='a492d0b6-12b0-4c93-ae14-b7d28e3fff1d', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='172.30.0.0/16', updated_at='2019-04-15T15:53:38Z' |
| | created_at='2019-04-15T15:53:16Z', direction='egress', ethertype='IPv6', id='b02e71db-4cdf-404a-a12d-aa7bb3128965', updated_at='2019-04-15T15:53:16Z' |
| | created_at='2019-04-15T15:53:33Z', direction='ingress', ethertype='IPv4', id='f167bc20-4a24-4b71-9813-00894d83e43d', port_range_max='1025', port_range_min='1025', protocol='tcp', updated_at='2019-04-15T15:53:33Z' |
| | created_at='2019-04-15T15:53:16Z', direction='egress', ethertype='IPv4', id='f357884f-26dd-4b24-8175-1401c307130d', updated_at='2019-04-15T15:53:16Z' |
| tags | [] |
| updated_at | 2019-04-15T15:53:38Z |
+-----------------+--------------------------------------------------------------+

test_namespace_sg_svc_isolation tempest test case also passes:

$ python -m testtools.run kuryr_tempest_plugin.tests.scenario.test_namespace.TestNamespaceScenario.test_namespace_sg_svc_isolation
Tests running...

Ran 1 test in 378.760s
OK
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0944