Bug 1961850 - Tripleo is not configuring the lb-health-mgr-sec-grp security group to allow IPv6 lb-mgmt-net
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: tripleo-ansible
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: zstream
Target Release: 17.1
Assignee: Tom Weininger
QA Contact: Omer Schwartz
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-18 20:14 UTC by Michael Johnson
Modified: 2023-08-16 01:11 UTC (History)

Fixed In Version: tripleo-ansible-3.3.1-1.20230322222820.b65b485.el9ost
Doc Type: Enhancement
Doc Text:
This enhancement adds director support for IPv6 load balancer management networks.
Clone Of:
Environment:
Last Closed: 2023-08-16 01:10:52 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 845729 0 None MERGED Add support for IPv6 lb management network 2023-02-28 11:19:08 UTC
OpenStack gerrit 872650 0 None MERGED Add support for IPv6 lb management network 2023-03-06 16:10:14 UTC
Red Hat Bugzilla 2057921 0 medium CLOSED ipv6 management network for Octavia 2024-04-15 15:43:59 UTC
Red Hat Issue Tracker OSP-3958 0 None None None 2021-12-13 13:27:29 UTC
Red Hat Product Errata RHEA-2023:4577 0 None None None 2023-08-16 01:11:06 UTC

Description Michael Johnson 2021-05-18 20:14:13 UTC
Description of problem:

Tripleo is not adding rules for IPv6 lb-mgmt-net configurations to allow connections to the health manager from IPv6 addresses. This should include rules for both the UDP/5555 HM port and the UDP/514 syslog port if log offloading is enabled.

The code to configure these security groups is here:
https://opendev.org/openstack/tripleo-ansible/src/branch/master/tripleo_ansible/roles/octavia_overcloud_config/tasks/network.yml#L89

This would block using an IPv6 subnet for the lb-mgmt-net.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 3 Gregory Thiemonge 2021-07-21 13:19:20 UTC
tripleo-ansible creates only an IPv4 subnet for the Octavia management network, so this BZ should be part of a wider RFE to enable IPv6 support in the management network.

Comment 5 Tom Weininger 2022-06-22 08:22:55 UTC
Manual test with https://review.opendev.org/845729 showed that it already covers this issue and it works.

Comment 12 Omer Schwartz 2023-06-08 16:51:27 UTC
After running the following steps on puddle RHOS-17.1-RHEL-9-20230607.n.0:


# Making sure TripleO includes rules for both the UDP/5555 & UDP/514 ports

~ > openstack security group show lb-health-mgr-sec-grp | grep IPv6                                                               
| rules           | created_at='2023-06-07T17:09:33Z', direction='ingress', ethertype='IPv6', id='898d179b-5398-4ca2-a86e-53f83b1e16bf', normalized_cidr='::/0', port_range_max='514', port_range_min='514', protocol='udp', remote_ip_prefix='::/0', standard_attr_id='77', updated_at='2023-06-07T17:09:33Z'   |
|                 | created_at='2023-06-07T17:09:27Z', direction='egress', ethertype='IPv6', id='8c858026-39ab-4cef-8b53-e3cce8271522', standard_attr_id='71', updated_at='2023-06-07T17:09:27Z'                                                                                                                 |
|                 | created_at='2023-06-07T17:09:31Z', direction='ingress', ethertype='IPv6', id='9a5aa313-f2ec-4fd6-9b92-29695dfcd61a', normalized_cidr='::/0', port_range_max='5555', port_range_min='5555', protocol='udp', remote_ip_prefix='::/0', standard_attr_id='74', updated_at='2023-06-07T17:09:31Z' |
~ > openstack security group show lb-health-mgr-sec-grp | grep IPv6 | grep port                                                   stack@undercloud-0 16:41:26
| rules           | created_at='2023-06-07T17:09:33Z', direction='ingress', ethertype='IPv6', id='898d179b-5398-4ca2-a86e-53f83b1e16bf', normalized_cidr='::/0', port_range_max='514', port_range_min='514', protocol='udp', remote_ip_prefix='::/0', standard_attr_id='77', updated_at='2023-06-07T17:09:33Z'   |
|                 | created_at='2023-06-07T17:09:31Z', direction='ingress', ethertype='IPv6', id='9a5aa313-f2ec-4fd6-9b92-29695dfcd61a', normalized_cidr='::/0', port_range_max='5555', port_range_min='5555', protocol='udp', remote_ip_prefix='::/0', standard_attr_id='74', updated_at='2023-06-07T17:09:31Z' |



# Making sure the o-hm0 iface is configured for IPv6 on the controllers

~ > for controller in controller-0 controller-1 controller-2; do ssh -A ${controller}.ctlplane sudo ip a | grep hm -A5; done   
Warning: Permanently added 'controller-0.ctlplane' (ED25519) to the list of known hosts.
14: o-hm0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:57:28:19 brd ff:ff:ff:ff:ff:ff
    inet6 fda0:a908:2dc1:ff02:f816:3eff:fe57:2819/64 scope global    <----------
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe57:2819/64 scope link 
       valid_lft forever preferred_lft forever
Warning: Permanently added 'controller-1.ctlplane' (ED25519) to the list of known hosts.
14: o-hm0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:fd:00:69 brd ff:ff:ff:ff:ff:ff
    inet6 fda0:a908:2dc1:ff02:f816:3eff:fefd:69/64 scope global       <----------
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fefd:69/64 scope link 
       valid_lft forever preferred_lft forever
Warning: Permanently added 'controller-2.ctlplane' (ED25519) to the list of known hosts.
14: o-hm0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1442 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fa:16:3e:2e:f0:08 brd ff:ff:ff:ff:ff:ff
    inet6 fda0:a908:2dc1:ff02:f816:3eff:fe2e:f008/64 scope global     <----------
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe2e:f008/64 scope link 
       valid_lft forever preferred_lft forever


Looks good to me. I am moving this BZ status to VERIFIED.
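
The rule check from comment 12, written as a repeatable script (an added example, not part of the original comment and not tripleo-ansible code). It parses the `rules` rows of `openstack security group show` and reports which of the UDP/5555 and UDP/514 ingress rules are missing for the address family of the lb-mgmt-net, plus any rule whose source prefix is wider than that subnet. The sample rows are abridged from the output above; the subnet `fda0:a908:2dc1:ff02::/64` is an assumption inferred from the o-hm0 addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the IPv6 rule rows from comment 12 with ids/timestamps dropped.
SAMPLE = """\
| rules | direction='ingress', ethertype='IPv6', normalized_cidr='::/0', port_range_max='514', port_range_min='514', protocol='udp', remote_ip_prefix='::/0' |
|       | direction='egress', ethertype='IPv6' |
|       | direction='ingress', ethertype='IPv6', normalized_cidr='::/0', port_range_max='5555', port_range_min='5555', protocol='udp', remote_ip_prefix='::/0' |
"""

PAIR = re.compile(r"(\w+)='([^']*)'")


def parse_rules(text):
    """Return one dict of key='value' pairs per rule row of the CLI table."""
    rows = (dict(PAIR.findall(line)) for line in text.splitlines())
    return [row for row in rows if "direction" in row]


def _port(rule, key, default):
    # A rule without a port range applies to every port of its protocol.
    value = rule.get(key, "")
    return int(value) if value.isdigit() else default


def covers(rule, ethertype, port):
    """True if the rule is an explicit UDP ingress rule for this family and port."""
    return (rule.get("direction") == "ingress"
            and rule.get("ethertype") == ethertype
            and rule.get("protocol") == "udp"
            and _port(rule, "port_range_min", 1) <= port
            <= _port(rule, "port_range_max", 65535))


def audit(text, mgmt_cidr, log_offload=True):
    """Return (missing_ports, wider_than_subnet) for the lb-mgmt-net family."""
    net = ipaddress.ip_network(mgmt_cidr)
    ethertype, any_prefix = ("IPv6", "::/0") if net.version == 6 else ("IPv4", "0.0.0.0/0")
    wanted = [5555] + ([514] if log_offload else [])  # HM heartbeat, syslog offload
    rules, missing, wide = parse_rules(text), [], []
    for port in wanted:
        hits = [r for r in rules if covers(r, ethertype, port)]
        if not hits:
            missing.append(port)
        for rule in hits:
            src = ipaddress.ip_network(rule.get("remote_ip_prefix", any_prefix))
            if src != net and net.subnet_of(src):
                wide.append((port, str(src)))
    return missing, wide


if __name__ == "__main__":
    print(audit(SAMPLE, "fda0:a908:2dc1:ff02::/64"))
```
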

Comment 20 errata-xmlrpc 2023-08-16 01:10:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

