Bug 1970907 - RHOSP16.1: The FIP of VIP is not reachable when allowed_address is set to full subnet range.
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Rodolfo Alonso
QA Contact: Eran Kuris
Depends On: 1986337
Reported: 2021-06-11 12:43 UTC by Shravan Kumar Tiwari
Modified: 2021-12-01 03:44 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:
shtiwari: needinfo+


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1982258 | 1 | high | CLOSED | The FIP of VIP is not reachable when allowed_address is set to full subnet range | 2021-08-06 20:45:16 UTC
Red Hat Issue Tracker | OSP-5131 | 0 | None | None | None | 2021-11-15 13:10:04 UTC

Internal Links: 1982258

Description Shravan Kumar Tiwari 2021-06-11 12:43:46 UTC
Customer use case scenario:

A tenant of the RHOSP infra wants to add the whole network as "allowed-address" and they use Terraform to spin up an environment. So right now they would have to look up the information on the VIP port they are creating, in order to make it the allowed-address. If they could just add the entire network there, they would not have to perform this lookup first.

Description of problem:

As soon as the customer sets the whole tenant network as allowed-address on the instance ports, as he can't predict what the VIP IP address will be, the VIP address is reachable inside the tenant network, but no longer via its Floating IP address.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
* Network and subnet are created;
* (Named) ports for the instances are created;
* (Named) port for the virtual IP address is created;
* Network subnet of VIP-port is added as allowed-address on the instance ports;
* Floating IP addresses for the instance- and VIP-ports are allocated and assigned;
* Instances are created and configured with keepalived

Actual results:
ping from external to VIP FIP -> no response

Expected results:
The FIP of VIP should be reachable from outside

Additional info:

- Same setup works perfectly fine if we use a single IP (VIP) in the allowed-address field for the instance port (FIP of VIP is pingable from external side).
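
A check an operator could run to find ports configured the way this report describes, with an allowed-address pair that covers the port's whole subnet rather than a single VIP. This is an added example, not code from the bug report or from networking-ovn; the port and subnet records are constructed and only mirror the `fixed_ips` and `allowed_address_pairs` fields of Neutron port objects, and `subnet_wide_pairs` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample records; only the fields used by the check are included.
SUBNETS = {"subnet-a": "192.168.10.0/24"}  # subnet id -> CIDR
PORTS = [
    {"name": "instance-1",
     "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "192.168.10.11"}],
     "allowed_address_pairs": [{"ip_address": "192.168.10.0/24"}]},   # whole subnet
    {"name": "instance-2",
     "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "192.168.10.12"}],
     "allowed_address_pairs": [{"ip_address": "192.168.10.100"}]},    # single VIP
    {"name": "instance-3",
     "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "192.168.10.13"}],
     "allowed_address_pairs": [{"ip_address": "192.168.0.0/16"}]},    # wider than subnet
    {"name": "vip-port",
     "fixed_ips": [{"subnet_id": "subnet-a", "ip_address": "192.168.10.100"}],
     "allowed_address_pairs": []},
]


def subnet_wide_pairs(ports, subnets):
    """Return (port name, allowed CIDR, subnet CIDR) for every allowed-address
    pair that covers an entire subnet the port has a fixed IP on."""
    findings = []
    for port in ports:
        nets = [ipaddress.ip_network(subnets[f["subnet_id"]])
                for f in port.get("fixed_ips", []) if f.get("subnet_id") in subnets]
        for pair in port.get("allowed_address_pairs") or []:
            # strict=False accepts entries with host bits set, e.g. 192.168.10.5/24
            allowed = ipaddress.ip_network(pair["ip_address"], strict=False)
            for net in nets:
                # subnet_of() raises TypeError across IP versions, so compare first
                if allowed.version == net.version and net.subnet_of(allowed):
                    findings.append((port["name"], str(allowed), str(net)))
    return findings


if __name__ == "__main__":
    for name, allowed, net in subnet_wide_pairs(PORTS, SUBNETS):
        print(f"{name}: allowed-address {allowed} covers subnet {net}")
```
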
