Description of problem:
We are unable to control security access to Baremetal Instances with an attached Floating IP. The Floating IP itself, for north/south traffic, is where we need to control the access.

(poc-az1) [stack@director ~]$ nova list
+--------------------------------------+------------------+--------+------------+-------------+------------------------------------------+
| ID                                   | Name             | Status | Task State | Power State | Networks                                 |
+--------------------------------------+------------------+--------+------------+-------------+------------------------------------------+
| fdb53a0f-f561-4702-beff-50100f29172d | baremetal-test-1 | ACTIVE | -          | Running     | oc_provisioning=11.21.26.28, 11.21.24.48 |
| 59e76d74-2673-4da9-ac9e-d260ddc1585f | baremetal-test-2 | ACTIVE | -          | Running     | oc_provisioning=11.21.26.107             |
| d004dd91-069e-4c52-a7e5-fba014f19016 | baremetal-test-3 | ACTIVE | -          | Running     | oc_provisioning=11.21.26.167             |
+--------------------------------------+------------------+--------+------------+-------------+------------------------------------------+

#ping floating ip:
(poc-az1) [stack@director ~]$ ping -c 1 11.21.24.48
PING 11.21.24.48 (11.21.24.48) 56(84) bytes of data.
64 bytes from 11.21.24.48: icmp_seq=1 ttl=63 time=0.897 ms

--- 11.21.24.48 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.897/0.897/0.897/0.000 ms

(poc-az1) [stack@director ~]$ openstack port list | grep 11.21.24.48
| 8eb03065-5b30-4ea8-b92d-e53dcdd37a9c |      | fa:16:3e:56:bf:98 | ip_address='11.21.24.48', subnet_id='04180469-84be-40cc-8840-e3ce600d6446' | N/A    |

#port security enabled and assigned:
(poc-az1) [stack@director ~]$ openstack port show --fit-width 8eb03065-5b30-4ea8-b92d-e53dcdd37a9c
+-------------------------+------------------------------------------------------------------------------+
| Field                   | Value                                                                        |
+-------------------------+------------------------------------------------------------------------------+
| admin_state_up          | UP                                                                           |
| allowed_address_pairs   |                                                                              |
| binding_host_id         |                                                                              |
| binding_profile         |                                                                              |
| binding_vif_details     |                                                                              |
| binding_vif_type        | unbound                                                                      |
| binding_vnic_type       | normal                                                                       |
| created_at              | 2021-11-08T14:55:38Z                                                         |
| data_plane_status       | None                                                                         |
| description             |                                                                              |
| device_id               | 9817c05f-199d-4ece-88d3-49a51313b5fe                                         |
| device_owner            | network:floatingip                                                           |
| dns_assignment          | None                                                                         |
| dns_domain              | None                                                                         |
| dns_name                | None                                                                         |
| extra_dhcp_opts         |                                                                              |
| fixed_ips               | ip_address='11.21.24.48', subnet_id='04180469-84be-40cc-8840-e3ce600d6446'   |
| id                      | 8eb03065-5b30-4ea8-b92d-e53dcdd37a9c                                         |
| location                | cloud='', project.domain_id=, project.domain_name='Default',                  |
|                         | project.id='3ee2ae6c63b743708aec498565aeaa77', project.name='admin',         |
|                         | region_name='regionOne', zone=                                               |
| mac_address             | fa:16:3e:56:bf:98                                                            |
| name                    |                                                                              |
| network_id              | a8281e22-2a8c-4537-9da3-b14745437042                                         |
| port_security_enabled   | True                                                                         |
| project_id              | 3ee2ae6c63b743708aec498565aeaa77                                             |
| propagate_uplink_status | None                                                                         |
| qos_policy_id           | None                                                                         |
| resource_request        | None                                                                         |
| revision_number         | 4                                                                            |
| security_group_ids      | 66739708-fe26-49d8-902b-88fbe3d463f5                                         |
| status                  | N/A                                                                          |
| tags                    |                                                                              |
| trunk_details           | None                                                                         |
| updated_at              | 2021-11-08T16:48:42Z                                                         |
+-------------------------+------------------------------------------------------------------------------+

(poc-az1) [stack@director ~]$ openstack security group show --fit-width 66739708-fe26-49d8-902b-88fbe3d463f5
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                        |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2021-11-08T14:30:57Z                                                                                                                         |
| description     | baremetal-sg                                                                                                                                 |
| id              | 66739708-fe26-49d8-902b-88fbe3d463f5                                                                                                         |
| location        | cloud='', project.domain_id=, project.domain_name='Default', project.id='3ee2ae6c63b743708aec498565aeaa77', project.name='admin',             |
|                 | region_name='regionOne', zone=                                                                                                               |
| name            | baremetal-sg                                                                                                                                 |
| project_id      | 3ee2ae6c63b743708aec498565aeaa77                                                                                                             |
| revision_number | 1                                                                                                                                            |
| rules           | created_at='2021-11-08T14:30:57Z', direction='egress', ethertype='IPv6', id='43d074d5-c4a1-4bc1-9e1e-735461cbd205', updated_at='2021-11-08T14:30:57Z' |
|                 | created_at='2021-11-08T14:30:57Z', direction='egress', ethertype='IPv4', id='78ccdb06-46f7-49f1-9df0-24ad505f6b59', updated_at='2021-11-08T14:30:57Z' |
| tags            | []                                                                                                                                           |
| updated_at      | 2021-11-08T14:30:57Z                                                                                                                         |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------+

Version-Release number of selected component (if applicable):
cat /etc/rhosp-release
Red Hat OpenStack Platform release 16.1.6 GA (Train)
OVS + iptables_hybrid firewall driver

How reproducible:
Every time

Steps to Reproduce:
1. Deploy Ironic node in overcloud with vlan tenant network
2. Attach floating IP
3. Set security group on the floating IP

Actual results:
The security restrictions on the FIP are ineffective

Expected results:
Security groups filter out undesired network traffic for the FIP

Additional info:
Will try to attach templates and sosreports below
(poc-az1) [stack@director ~]$ openstack security group rule list --fit-width 66739708-fe26-49d8-902b-88fbe3d463f5
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| 43d074d5-c4a1-4bc1-9e1e-735461cbd205 | None        | IPv6      | ::/0      |            | None                  |
| 78ccdb06-46f7-49f1-9df0-24ad505f6b59 | None        | IPv4      | 0.0.0.0/0 |            | None                  |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
(poc-az1) [stack@director ~]$ openstack security group rule show --fit-width 78ccdb06-46f7-49f1-9df0-24ad505f6b59
+-------------------+----------------------------------------------------------------------------------------------------------------------------------+
| Field             | Value                                                                                                                            |
+-------------------+----------------------------------------------------------------------------------------------------------------------------------+
| created_at        | 2021-11-08T14:30:57Z                                                                                                             |
| description       | None                                                                                                                             |
| direction         | egress                                                                                                                           |
| ether_type        | IPv4                                                                                                                             |
| id                | 78ccdb06-46f7-49f1-9df0-24ad505f6b59                                                                                             |
| location          | cloud='', project.domain_id=, project.domain_name='Default', project.id='3ee2ae6c63b743708aec498565aeaa77', project.name='admin', |
|                   | region_name='regionOne', zone=                                                                                                   |
| name              | None                                                                                                                             |
| port_range_max    | None                                                                                                                             |
| port_range_min    | None                                                                                                                             |
| project_id        | 3ee2ae6c63b743708aec498565aeaa77                                                                                                 |
| protocol          | None                                                                                                                             |
| remote_group_id   | None                                                                                                                             |
| remote_ip_prefix  | 0.0.0.0/0                                                                                                                        |
| revision_number   | 0                                                                                                                                |
| security_group_id | 66739708-fe26-49d8-902b-88fbe3d463f5                                                                                             |
| tags              | []                                                                                                                               |
| updated_at        | 2021-11-08T14:30:57Z                                                                                                             |
+-------------------+----------------------------------------------------------------------------------------------------------------------------------+
Security groups are applied on the compute nodes for VMs, but not on network controllers handling the floating IPs. This means that security groups do not work for bare metal nodes with ML2/OVS. You can apply iptables rules on the BM node. You might be able to apply SGs on a load balancer with Octavia, but I have not tested this myself.
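Added example, not code from this report or from OpenStack/Neutron. The floating-IP port shown above is unbound (binding_vif_type unbound, device_owner network:floatingip), so nothing programs its security group on the bare-metal path; the comment above points at host iptables rules on the BM node instead. The script below builds such a ruleset in iptables-restore format with the same intent as the baremetal-sg group on this report: all egress allowed, unsolicited ingress dropped, and only explicitly listed ingress accepted. The allow-list format (proto:port[:cidr]), the helper names and the 11.21.24.0/24 sample prefix are assumptions constructed for the example, not values from the page.

```shell
#!/bin/sh
# Added example, not code from this bug report or from OpenStack/Neutron.
# Generates a host-level iptables ruleset (iptables-restore format) for a
# bare-metal node that reproduces the intent of the "baremetal-sg" group in
# the report: all egress allowed, ingress dropped unless listed explicitly,
# return traffic for connections the node opened itself still accepted.
#
# Allow-list format (an assumption for this example): space-separated
# entries "proto:port[:cidr]"; cidr defaults to 0.0.0.0/0; port is "-" for
# icmp. Example: "tcp:22:11.21.24.0/24 icmp:-". The /24 is constructed from
# the floating-IP subnet in the report, not taken from the page.

# sg_to_iptables ALLOWLIST -> prints the ruleset on stdout; returns 1 on an
# unsupported protocol so a typo cannot silently turn into "no rule".
sg_to_iptables() {
    allow=$1
    printf '%s\n' '*filter'
    # Default policies: drop unsolicited ingress, do not forward, allow egress
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for entry in $allow; do
        # split "proto:port:cidr" into positional parameters
        oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
        proto=$1; port=$2; cidr=${3:-0.0.0.0/0}
        case $proto in
            tcp|udp)
                printf '%s\n' "-A INPUT -s $cidr -p $proto --dport $port -j ACCEPT" ;;
            icmp)
                printf '%s\n' "-A INPUT -s $cidr -p icmp -j ACCEPT" ;;
            *)
                printf 'unsupported protocol: %s\n' "$proto" >&2
                return 1 ;;
        esac
    done
    printf '%s\n' 'COMMIT'
}

# ingress_rule_count RULESET -> number of explicit "-A INPUT" lines, a quick
# sanity check before the ruleset is applied.
ingress_rule_count() {
    printf '%s\n' "$1" | grep -c -- '-A INPUT'
}

# Preview only. Once reviewed, apply on the bare-metal node with:
#   sg_to_iptables "$INGRESS_ALLOW" | iptables-restore
INGRESS_ALLOW=${INGRESS_ALLOW:-"tcp:22:11.21.24.0/24 icmp:-"}
sg_to_iptables "$INGRESS_ALLOW"
```

The ruleset is printed rather than applied so it can be reviewed first; on the node, piping it into iptables-restore replaces the filter table atomically, which matters when the only access to a bare-metal host is over the same interface the rules guard.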