Description of problem:
When Octavia is enabled, TripleO creates the following two security groups, lb-mgmt-sec-grp and lb-health-mgr-sec-grp, but the lb-health-mgr-sec-grp group is not used.
Looking at the devstack plugin of Octavia, lb-health-mgr-sec-grp is used when creating the neutron ports for the management ports on controller nodes [1].
[1] https://github.com/openstack/octavia/blob/b1cc4467a916fea026454a7c3635a3681ab34253/devstack/plugin.sh#L396-L399

However, in TripleO the management port is now created without any security group specified [2].
[2] https://github.com/openstack/tripleo-ansible/blob/36705150b1082763a9597da4e89be03fbae788a2/tripleo_ansible/roles/octavia-controller-config/tasks/netport.yml#L7-L13

~~~
(overcloud) [stack@undercloud-0 ~]$ openstack security group list
+--------------------------------------+-----------------------+------------------------+----------------------------------+------+
| ID                                   | Name                  | Description            | Project                          | Tags |
+--------------------------------------+-----------------------+------------------------+----------------------------------+------+
| 47b3476e-579f-449a-bc83-94f1cdd26f90 | lb-mgmt-sec-grp       | lb-mgmt-sec-grp        | 91063c94413548b695edc6a0ef1f1252 | []   |
| 55164695-1282-4663-a5e0-df14470c175f | lb-health-mgr-sec-grp | lb-health-mgr-sec-grp  | 91063c94413548b695edc6a0ef1f1252 | []   |
...
+--------------------------------------+-----------------------+------------------------+----------------------------------+------+

(overcloud) [stack@undercloud-0 ~]$ openstack security group rule list 47b3476e-579f-449a-bc83-94f1cdd26f90
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| 4a568b06-dae7-4a31-9ae4-197b687d2d59 | None        | IPv4      | 0.0.0.0/0 |            | None                  |
| b8428eb5-5b8a-43b3-a469-dd196985b76e | None        | IPv6      | ::/0      |            | None                  |
| d103cd6b-0ebd-4899-8cb6-9c5737f54f16 | tcp         | IPv4      | 0.0.0.0/0 | 9443:9443  | None                  |
| d88db8b8-f875-45ca-9dbf-8bdd165e0b07 | tcp         | IPv4      | 0.0.0.0/0 | 22:22      | None                  |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+

(overcloud) [stack@undercloud-0 ~]$ openstack security group rule list 55164695-1282-4663-a5e0-df14470c175f
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| 352a3fcf-7866-4683-b989-a263e60fbfa6 | None        | IPv4      | 0.0.0.0/0 |            | None                  |
| bb54770c-ba98-44c0-a120-18956ee37a7d | None        | IPv6      | ::/0      |            | None                  |
| e8190197-609d-417c-940c-3cf7d1ba9c17 | udp         | IPv4      | 0.0.0.0/0 | 5555:5555  | None                  |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+

(overcloud) [stack@undercloud-0 ~]$ openstack network show lb-mgmt-net
+---------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                     | Value                                                                                                                                                            |
+---------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up            | UP                                                                                                                                                               |
| availability_zone_hints   |                                                                                                                                                                  |
| availability_zones        | nova                                                                                                                                                             |
| created_at                | 2021-06-02T03:50:18Z                                                                                                                                             |
| description               |                                                                                                                                                                  |
| dns_domain                |                                                                                                                                                                  |
| id                        | f1f1864a-43ce-499c-85e7-5e694331616b                                                                                                                             |
| ipv4_address_scope        | None                                                                                                                                                             |
| ipv6_address_scope        | None                                                                                                                                                             |
| is_default                | None                                                                                                                                                             |
| is_vlan_transparent       | None                                                                                                                                                             |
| location                  | cloud='', project.domain_id=, project.domain_name='Default', project.id='942783ae248c4e9eb353a6e6b327bda5', project.name='admin', region_name='regionOne', zone= |
| mtu                       | 1450                                                                                                                                                             |
| name                      | lb-mgmt-net                                                                                                                                                      |
| port_security_enabled     | True                                                                                                                                                             |
| project_id                | 942783ae248c4e9eb353a6e6b327bda5                                                                                                                                 |
| provider:network_type     | vxlan                                                                                                                                                            |
| provider:physical_network | None                                                                                                                                                             |
| provider:segmentation_id  | 1                                                                                                                                                                |
| qos_policy_id             | None                                                                                                                                                             |
| revision_number           | 2                                                                                                                                                                |
| router:external           | Internal                                                                                                                                                         |
| segments                  | None                                                                                                                                                             |
| shared                    | False                                                                                                                                                            |
| status                    | ACTIVE                                                                                                                                                           |
| subnets                   | df241db3-0b72-4083-af92-6d0c7df8efa3                                                                                                                             |
| tags                      |                                                                                                                                                                  |
| updated_at                | 2021-06-02T03:50:32Z                                                                                                                                             |
+---------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(overcloud) [stack@undercloud-0 ~]$ openstack subnet show lb-mgmt-subnet
+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field             | Value                                                                                                                                                            |
+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| allocation_pools  | 172.24.0.2-172.24.255.254                                                                                                                                        |
| cidr              | 172.24.0.0/16                                                                                                                                                    |
| created_at        | 2021-06-02T03:50:31Z                                                                                                                                             |
| description       |                                                                                                                                                                  |
| dns_nameservers   |                                                                                                                                                                  |
| enable_dhcp       | True                                                                                                                                                             |
| gateway_ip        | 172.24.0.1                                                                                                                                                       |
| host_routes       |                                                                                                                                                                  |
| id                | df241db3-0b72-4083-af92-6d0c7df8efa3                                                                                                                             |
| ip_version        | 4                                                                                                                                                                |
| ipv6_address_mode | None                                                                                                                                                             |
| ipv6_ra_mode      | None                                                                                                                                                             |
| location          | cloud='', project.domain_id=, project.domain_name='Default', project.id='942783ae248c4e9eb353a6e6b327bda5', project.name='admin', region_name='regionOne', zone= |
| name              | lb-mgmt-subnet                                                                                                                                                   |
| network_id        | f1f1864a-43ce-499c-85e7-5e694331616b                                                                                                                             |
| prefix_length     | None                                                                                                                                                             |
| project_id        | 942783ae248c4e9eb353a6e6b327bda5                                                                                                                                 |
| revision_number   | 0                                                                                                                                                                |
| segment_id        | None                                                                                                                                                             |
| service_types     |                                                                                                                                                                  |
| subnetpool_id     | None                                                                                                                                                             |
| tags              |                                                                                                                                                                  |
| updated_at        | 2021-06-02T03:50:31Z                                                                                                                                             |
+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(overcloud) [stack@undercloud-0 ~]$ openstack port list
+--------------------------------------+--------------------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+--------+
| ID                                   | Name                                                         | MAC Address       | Fixed IP Addresses                                                                     | Status |
+--------------------------------------+--------------------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+--------+
| 052e2696-6d9b-406d-bf3d-d6862ee2b1e0 | octavia-health-manager-controller-1.redhat.local-listen-port | fa:16:3e:10:41:81 | ip_address='172.24.1.229', subnet_id='df241db3-0b72-4083-af92-6d0c7df8efa3'            | ACTIVE |
...
| 6babad01-815b-4382-a94f-6c5d81c5d606 | octavia-health-manager-controller-0.redhat.local-listen-port | fa:16:3e:ae:28:75 | ip_address='172.24.0.146', subnet_id='df241db3-0b72-4083-af92-6d0c7df8efa3'            | ACTIVE |
...
| 8c4103ac-af82-4ea0-9735-ad866cc1a326 | octavia-health-manager-controller-2.redhat.local-listen-port | fa:16:3e:31:fd:19 | ip_address='172.24.0.25', subnet_id='df241db3-0b72-4083-af92-6d0c7df8efa3'             | ACTIVE |
...
+--------------------------------------+--------------------------------------------------------------+-------------------+----------------------------------------------------------------------------------------+--------+

(overcloud) [stack@undercloud-0 ~]$ openstack port show 6babad01-815b-4382-a94f-6c5d81c5d606
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                   | Value                                                                                                                                                            |
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up          | UP                                                                                                                                                               |
| allowed_address_pairs   |                                                                                                                                                                  |
| binding_host_id         | controller-0.redhat.local                                                                                                                                        |
| binding_profile         |                                                                                                                                                                  |
| binding_vif_details     | bridge_name='br-int', connectivity='l2', datapath_type='system', ovs_hybrid_plug='True', port_filter='True'                                                      |
| binding_vif_type        | ovs                                                                                                                                                              |
| binding_vnic_type       | normal                                                                                                                                                           |
| created_at              | 2021-06-02T03:51:34Z                                                                                                                                             |
| data_plane_status       | None                                                                                                                                                             |
| description             |                                                                                                                                                                  |
| device_id               |                                                                                                                                                                  |
| device_owner            | Octavia:health-mgr                                                                                                                                               |
| dns_assignment          | fqdn='host-172-24-0-146.openstacklocal.', hostname='host-172-24-0-146', ip_address='172.24.0.146'                                                                |
| dns_domain              | None                                                                                                                                                             |
| dns_name                |                                                                                                                                                                  |
| extra_dhcp_opts         |                                                                                                                                                                  |
| fixed_ips               | ip_address='172.24.0.146', subnet_id='df241db3-0b72-4083-af92-6d0c7df8efa3'                                                                                      |
| id                      | 6babad01-815b-4382-a94f-6c5d81c5d606                                                                                                                             |
| location                | cloud='', project.domain_id=, project.domain_name='Default', project.id='942783ae248c4e9eb353a6e6b327bda5', project.name='admin', region_name='regionOne', zone= |
| mac_address             | fa:16:3e:ae:28:75                                                                                                                                                |
| name                    | octavia-health-manager-controller-0.redhat.local-listen-port                                                                                                     |
| network_id              | f1f1864a-43ce-499c-85e7-5e694331616b                                                                                                                             |
| port_security_enabled   | False                                                                                                                                                            |
| project_id              | 942783ae248c4e9eb353a6e6b327bda5                                                                                                                                 |
| propagate_uplink_status | None                                                                                                                                                             |
| qos_policy_id           | None                                                                                                                                                             |
| resource_request        | None                                                                                                                                                             |
| revision_number         | 17                                                                                                                                                               |
| security_group_ids      |                                                                                                                                                                  |
| status                  | ACTIVE                                                                                                                                                           |
| tags                    |                                                                                                                                                                  |
| trunk_details           | None                                                                                                                                                             |
| updated_at              | 2021-06-30T09:48:38Z                                                                                                                                             |
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
~~~

~~~
[heat-admin@controller-0 ~]$ sudo cat /var/lib/config-data/puppet-generated/octavia/etc/octavia/post-deploy.conf
[controller_worker]
amp_boot_network_list = f1f1864a-43ce-499c-85e7-5e694331616b
amp_secgroup_list = 47b3476e-579f-449a-bc83-94f1cdd26f90
amp_image_owner_id = 91063c94413548b695edc6a0ef1f1252

[health_manager]
bind_ip = 172.24.0.146
controller_ip_port_list = 172.24.0.146:5555, 172.24.1.229:5555, 172.24.0.25:5555
~~~

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Deploy overcloud with Octavia enabled
2. Get list of security groups in overcloud

Actual results:
The lb-health-mgr-sec-grp security group is created but unused

Expected results:
The lb-health-mgr-sec-grp security group is not created
or
The lb-health-mgr-sec-grp security group is created and used for some purpose

Additional info:
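The check a practitioner would want after reading the output above, as an added example that is not part of this bug report and not code from TripleO or Octavia: walk the health-manager listen ports (device_owner Octavia:health-mgr), and report any that has port security switched off or does not carry lb-health-mgr-sec-grp. The input records are constructed to mimic what `openstack port show -f json` (assumed keys: id, name, device_owner, port_security_enabled, security_group_ids) and `openstack security group list -f json` (assumed keys: ID, Name) would return; the IDs and the state of the controller-0 port are taken from the report, the other records are hypothetical, and all function and constant names are my own.

```python
"""Audit Octavia health-manager listen ports for missing security groups.

Added example; this is not code from the bug report or from TripleO/Octavia.
The port records mimic `openstack port show -f json` output (assumed keys:
id, name, device_owner, port_security_enabled, security_group_ids) and the
security group records mimic `openstack security group list -f json`
(assumed keys: ID, Name). Names of functions and constants are my own.
"""
import json
from typing import Dict, List

HEALTH_MGR_SG = "lb-health-mgr-sec-grp"      # group TripleO creates but never attaches
HEALTH_MGR_OWNER = "Octavia:health-mgr"      # device_owner of the listen ports

# Constructed sample input. IDs and the first port's state are taken from the
# bug report; the other three ports are hypothetical and exist only to show
# the "fixed", "wrong group" and "unrelated port" cases.
SAMPLE_SGS = json.dumps([
    {"ID": "47b3476e-579f-449a-bc83-94f1cdd26f90", "Name": "lb-mgmt-sec-grp"},
    {"ID": "55164695-1282-4663-a5e0-df14470c175f", "Name": "lb-health-mgr-sec-grp"},
])

SAMPLE_PORTS = json.dumps([
    {   # as shown in the report: no group attached and port security switched off
        "id": "6babad01-815b-4382-a94f-6c5d81c5d606",
        "name": "octavia-health-manager-controller-0.redhat.local-listen-port",
        "device_owner": "Octavia:health-mgr",
        "port_security_enabled": False,
        "security_group_ids": [],
    },
    {   # hypothetical healthy port: group attached, port security on
        "id": "052e2696-6d9b-406d-bf3d-d6862ee2b1e0",
        "name": "octavia-health-manager-controller-1.redhat.local-listen-port",
        "device_owner": "Octavia:health-mgr",
        "port_security_enabled": True,
        "security_group_ids": ["55164695-1282-4663-a5e0-df14470c175f"],
    },
    {   # hypothetical: only the amphora group (lb-mgmt-sec-grp) attached
        "id": "8c4103ac-af82-4ea0-9735-ad866cc1a326",
        "name": "octavia-health-manager-controller-2.redhat.local-listen-port",
        "device_owner": "Octavia:health-mgr",
        "port_security_enabled": True,
        "security_group_ids": ["47b3476e-579f-449a-bc83-94f1cdd26f90"],
    },
    {   # hypothetical unrelated port; must not be reported
        "id": "00000000-0000-0000-0000-000000000000",
        "name": "some-other-port",
        "device_owner": "compute:nova",
        "port_security_enabled": True,
        "security_group_ids": [],
    },
])


def sg_name_to_id(sg_json: str) -> Dict[str, str]:
    """Map security group names to IDs from `security group list -f json` output."""
    return {sg["Name"]: sg["ID"] for sg in json.loads(sg_json)}


def audit_health_mgr_ports(ports_json: str, sg_json: str) -> Dict[str, List[str]]:
    """Return {port name: [findings]} for each health-manager port that is unprotected.

    A port with port_security_enabled=False gets no security group filtering and
    no MAC/IP anti-spoofing at all, so it is reported even if a group is listed.
    """
    want_id = sg_name_to_id(sg_json).get(HEALTH_MGR_SG)
    findings: Dict[str, List[str]] = {}
    for port in json.loads(ports_json):
        if port.get("device_owner") != HEALTH_MGR_OWNER:
            continue
        problems = []
        if not port.get("port_security_enabled", True):
            problems.append("port_security_enabled is False: no security group or "
                            "anti-spoofing filtering is applied to this port")
        attached = port.get("security_group_ids") or []
        if want_id is None:
            problems.append(f"{HEALTH_MGR_SG} does not exist in this project")
        elif want_id not in attached:
            problems.append(f"{HEALTH_MGR_SG} ({want_id}) is not attached; "
                            f"attached groups: {attached or 'none'}")
        if problems:
            findings[port["name"]] = problems
    return findings


def remediation_commands(port_id: str, sg_id: str) -> List[str]:
    """Manual fix, in the order Neutron requires: a security group can only be
    attached to a port once port security is enabled on it."""
    return [
        f"openstack port set --enable-port-security {port_id}",
        f"openstack port set --security-group {sg_id} {port_id}",
    ]


if __name__ == "__main__":
    for name, problems in audit_health_mgr_ports(SAMPLE_PORTS, SAMPLE_SGS).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Two things worth knowing when using this against a real overcloud: the remediation commands are a stop-gap, because the listen port is created by the tripleo-ansible netport.yml task linked above, so the lasting fix belongs in the deployment tooling and the audit should be re-run after every overcloud deploy or update; and, as the port show output makes visible, `security_group_ids` being empty is not the whole story, since `port_security_enabled = False` means Neutron applies no filtering to the port at all, whatever groups exist in the project.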
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Red Hat OpenStack Platform 16.1.9 bug fix and enhancement advisory), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8795