Bug 2184552
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | when disable port_security, there is no mac info from ovn side | | |
| Product: | Red Hat OpenStack | Reporter: | Chorong Park <chopark> |
| Component: | openstack-neutron | Assignee: | Miguel Lavalle <mlavalle> |
| Status: | CLOSED DUPLICATE | QA Contact: | Eran Kuris <ekuris> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16.2 (Train) | CC: | chrisw, gurpsing, jlibosva, ltomasbo, mlavalle, scohen |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-04 13:52:26 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Hi Chorong, if the issue your customer is experiencing happens with VMs with ports on provider networks, then it is the same as the one reported in https://bugzilla.redhat.com/show_bug.cgi?id=2173575. If that's the case, yes, a workaround can be to enable port security on the VM port. Is this an acceptable workaround for your customer?
Description of problem:

1. In the Red Hat Office 16.2 environment, openvswitch and ovn were tested in two environments.
2. As a result of the test, the following results were obtained for no-security-port:
   - openvswitch: no abnormalities between VMs on the same compute
   - ovn: outbound traffic interference discovered between VMs on the same compute and the same network
3. For the interference found in ovn, two workarounds were tested as follows:
   - Workaround #1 - security enable. Result: no abnormalities between VMs on the same compute
   - Workaround #2 - `ovn-nbctl lsp-set-port-security [PortID] [PortMac]` (force update). Result: no abnormalities between VMs on the same compute

Currently, the customer environment is multistack, so the internal test was conducted with a single stack. However, even in the basic configuration, if ovn + no-security-group is used, it seems that outbound traffic interferes between VMs on the same compute and the same network.

How reproducible:

When Port Security is disabled, the spoofing check does not seem to work because there is no eth.src / eth.dst MAC information in the ls_in_port_sec_l2 table, as shown below. Due to this, VMs on the same compute node and the same network with Port Security disabled seem to be affected (VMs on other compute nodes are not affected).

Enabled Security Groups:

```
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "bfc6f69d-435a-450b-98ae-b906bf0e87fc" && eth.src == {fa:16:3e:f9:57:48}), action=(next;)
...
table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "bfc6f69d-435a-450b-98ae-b906bf0e87fc" && eth.dst == {fa:16:3e:f9:57:48}), action=(output;)
```

Disabled Security Groups:

```
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "c4a04f44-d5cd-42de-bde3-30fb3261992e"), action=(next;)
...
table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "c4a04f44-d5cd-42de-bde3-30fb3261992e"), action=(output;)
```

Additional info:

We wonder whether this problem is a bug, and whether, in the OVN environment, this problem is absent only when security groups are used.
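The flow lines quoted in the description can be checked mechanically rather than by eye. The script below is an added example, not code from the bug report, OVN or Neutron: it parses `ovn-sbctl lflow-list`-style output (a constructed sample modelled on the four quoted lines is embedded), records which MACs each port is pinned to in the `ls_in_port_sec_l2` and `ls_out_port_sec_l2` stages, lists the ports whose ingress rule carries no `eth.src` constraint (no source-MAC spoofing check), and builds the `ovn-nbctl lsp-set-port-security` command from workaround #2 for any such port whose MAC is known. The port-to-MAC map passed to `remediation_commands` is an assumption; in a real deployment it would come from Neutron's port records.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `ovn-sbctl lflow-list` output. The four lines are
# modelled on the flows quoted in the bug report; the port IDs and MAC are
# the ones that appear there.
SAMPLE_LFLOWS = """\
  table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "bfc6f69d-435a-450b-98ae-b906bf0e87fc" && eth.src == {fa:16:3e:f9:57:48}), action=(next;)
  table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport == "c4a04f44-d5cd-42de-bde3-30fb3261992e"), action=(next;)
  table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "bfc6f69d-435a-450b-98ae-b906bf0e87fc" && eth.dst == {fa:16:3e:f9:57:48}), action=(output;)
  table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport == "c4a04f44-d5cd-42de-bde3-30fb3261992e"), action=(output;)
"""

# Pipeline stage name inside the parentheses that follow "table=N".
STAGE_RE = re.compile(r"\((ls_(?:in|out)_port_sec_l2)\s*\)")
# inport/outport match, optionally followed by an eth.src/eth.dst MAC set.
MATCH_RE = re.compile(
    r'match=\((inport|outport) == "([^"]+)"'
    r"(?: && eth\.(src|dst) == \{([^}]*)\})?\)"
)


def audit_port_sec_l2(lflow_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {port_id: {"ingress_macs": set, "egress_macs": set}} for every
    port that has a rule in the L2 port-security stages."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for line in lflow_text.splitlines():
        stage = STAGE_RE.search(line)
        m = MATCH_RE.search(line)
        if not stage or not m:
            continue  # not a port-security flow line
        port_id = m.group(2)
        macs: Set[str] = set()
        if m.group(4):
            macs = {mac.strip() for mac in m.group(4).split(",") if mac.strip()}
        entry = report.setdefault(port_id, {"ingress_macs": set(), "egress_macs": set()})
        key = "ingress_macs" if stage.group(1) == "ls_in_port_sec_l2" else "egress_macs"
        entry[key] |= macs
    return report


def unprotected_ports(lflow_text: str) -> List[str]:
    """Ports whose ingress rule has no eth.src constraint, i.e. ports for which
    OVN performs no source-MAC spoofing check (port security disabled)."""
    report = audit_port_sec_l2(lflow_text)
    return sorted(p for p, e in report.items() if not e["ingress_macs"])


def remediation_commands(lflow_text: str, port_macs: Dict[str, str]) -> List[str]:
    """Build the `ovn-nbctl lsp-set-port-security` command (workaround #2 in
    the report) for each unprotected port whose MAC is known. port_macs is an
    assumed port-id -> MAC mapping taken from Neutron's port records."""
    return [
        f"ovn-nbctl lsp-set-port-security {port} {port_macs[port]}"
        for port in unprotected_ports(lflow_text)
        if port in port_macs
    ]


if __name__ == "__main__":
    for port, entry in audit_port_sec_l2(SAMPLE_LFLOWS).items():
        print(port, "ingress:", entry["ingress_macs"] or "NONE",
              "egress:", entry["egress_macs"] or "NONE")
    # Constructed port -> MAC map; the MAC is a placeholder, not from the report.
    known = {"c4a04f44-d5cd-42de-bde3-30fb3261992e": "fa:16:3e:00:00:01"}
    print(remediation_commands(SAMPLE_LFLOWS, known))
```

Against real output (`ovn-sbctl lflow-list <logical-switch>`) the audit only says where the spoofing check is absent: a port whose port security was disabled on purpose, because the VM legitimately sends with other MACs, will appear in the list too, and forcing `lsp-set-port-security` on it would break that traffic. The list is therefore a review queue, not something to apply blindly.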