The bug was originally reported in OCP 4.2 (https://bugzilla.redhat.com/show_bug.cgi?id=1750831), but as it seems to be an issue in OSP, I am creating this one against the OSP OVN component.

Description of problem:
OCP 4.2 installation on OSP 15 fails due to some SG rules not being applied. The bootstrap node cannot communicate with etcd services running on master nodes. When rules are created with a port range they are not being applied. If the port range includes only one port, the rule is correctly applied. There is more info and comments on the original BZ.

Version-Release number of selected component (if applicable):
OSP 15 RHOS_TRUNK-15.0-RHEL-8-20190905.n.0

How reproducible:
seen first time when running OCP 4.2 on OSP 15

Reproducer (thanks Martin André):
----------
Create a rule that spans multiple ports:
openstack security group rule create morenod-osp15-s2hbx-master --protocol tcp --dst-port 2391:2392

The port is still blocked:
sh-5.0# telnet 192.168.1.175 2392
Trying 192.168.1.175...
^C

Create a rule with only one port:
openstack security group rule create morenod-osp15-s2hbx-master --protocol tcp --dst-port 2392:2392

We can now connect to the port:
sh-5.0# telnet 192.168.1.175 2392
Trying 192.168.1.175...
telnet: connect to address 192.168.1.175: Connection refused

(we got connection refused because I didn't have any services listening on that port)

Issue reproduced on panther18, feel free to log in to the server for debugging.
Numan's working on this. There's a problem in ovn-controller with the conjunction flows. This shows up when using multiple Security group rules that match on a port range. We're working on a fix. Worst case if the fix is not simple, we'll disable conjunctive flows to unblock this and keep working on the actual fix.
It is an OVN issue. We are working on the fix. I will update this BZ as soon as we submit the patch upstream to fix this issue. Thanks
The fix is merged upstream - https://github.com/ovn-org/ovn/commit/298701dbc99645700be41680a43d049cb061847a
The BZ https://bugzilla.redhat.com/show_bug.cgi?id=1756466 is tracked in OVN2.11 component. I am moving this BZ to python-networking-ovn to track this issue. Thanks Numan
This has been tested to work with the current builds of openvswitch2.11 and ovn2.11 available from the Fast Datapath for RHEL8 repository.
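
The telnet check from the reproducer, run over every port a range rule covers, as an added example that is not part of the original report or of the OVN/OpenStack code. The function names and the injectable `connect` parameter are assumptions made for the example; "refused" is read as "rule applied", as in the report.

```python
"""Added example: check that a port-range security group rule passes every port."""
import socket
import sys


def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Classify one TCP port the way the telnet test in the report does."""
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        # RST came back: the packet reached the instance, nothing listens there.
        return "refused"
    except OSError:
        # Timeout or unreachable: consistent with the rule not being applied,
        # but any other packet loss on the path looks the same.
        return "filtered"
    conn.close()
    return "open"


def check_range(host, first, last, timeout=3.0, connect=socket.create_connection):
    """Return {port: state} for every port in first..last inclusive."""
    return {p: probe(host, p, timeout, connect) for p in range(first, last + 1)}


def unapplied_ports(results):
    """Ports that got no answer, i.e. where the allow rule is not in effect."""
    return sorted(p for p, state in results.items() if state == "filtered")


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 sg_range_check.py HOST FIRST LAST
    host, first, last = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    results = check_range(host, first, last)
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    sys.exit(1 if unapplied_ports(results) else 0)
```

Run it from a host that the rule's remote prefix allows, once with the range rule in place and once after the fix; a non-zero exit means at least one port in the range is still being dropped.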