Bug 2232279 - Add firewall rules to allow ovn traffic from dcn site
Summary: Add firewall rules to allow ovn traffic from dcn site
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.1 (Wallaby)
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: OSP Team
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-16 05:31 UTC by Jaison Raju
Modified: 2023-08-16 06:42 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links: Red Hat Issue Tracker OSP-27532 (last updated 2023-08-16 05:50:15 UTC)

Description Jaison Raju 2023-08-16 05:31:04 UTC
Description of problem:
It was observed that the controller nodes had an allow rule for traffic to 6642 from the internal_api network of their own leaf only, and not from other leafs or dcn sites.
For example:
We have 2 sites, central & dcn1, with 172.18.1.0/24 & 172.18.2.0/24; the controller only allowed this:
[root@central-controller0-0 ~]# iptables-save | grep 6642
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT

This caused the computes to be unable to get the required ovn wiring, like tunnels or port binding, post deployment.

Version-Release number of selected component (if applicable):
17.1 / RHOS-17.1-RHEL-9-20230628.n.2

How reproducible:
Always

Additional info:
I feel like we need to consider adding firewall rules similar to these for each dcn site:

-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6644 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6643 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT
-A INPUT -s 172.18.1.0/24 -p tcp -m tcp --dport 6642 -m conntrack --ctstate NEW -m comment --comment "121 OVN DB server and cluster ports for 172.18.1.0/24 ipv4" -j ACCEPT

I guess the best way to do this would be to make sure that the final deployment on the central site, after adding any dcn site, considers a separate net_cidr for each site. (Looking at the file, I am not sure whether it was supposed to apply for each site, but in my environment the rules for the dcn site were missing):
/usr/share/openstack-tripleo-heat-templates/deployment/ovn/ovn-dbs-cluster-ansible.yaml

  role_data:
    description: Role data for the OVN multi-active cluster role.
    value:
      service_name: ovn_dbs
      firewall_rules:
        map_merge:
          repeat:
            for_each:
              <%net_cidr%>:
                get_param:
                  - ServiceData
                  - net_cidr_map
                  - {get_param: [ServiceNetMap, OvnDbsNetwork]}
            template:
              '121 OVN DB server and cluster ports for <%net_cidr%>':
                proto: 'tcp'
                source: <%net_cidr%>
                dport:
                  - {get_param: OVNNorthboundServerPort}
                  - {get_param: OVNSouthboundServerPort}
                  - {get_param: OVNNorthboundClusterPort}
                  - {get_param: OVNSouthboundClusterPort}
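As an added audit helper (not part of this report or of tripleo), the following parses `iptables-save` output from a controller, lists which OVN DB ports each site CIDR is still not allowed on, and renders the per-site rules the template's repeat would need to emit to cover every site. The port numbers are assumed tripleo defaults (6641 for OVNNorthboundServerPort is not in the report); the site CIDRs and sample rules are constructed from the values above.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# OVN DB ports as wired in ovn-dbs-cluster-ansible.yaml. Values are the assumed
# tripleo defaults; confirm them against the parameters of your own plan.
OVN_DB_PORTS: Dict[str, int] = {
    "OVNNorthboundServerPort": 6641,
    "OVNSouthboundServerPort": 6642,
    "OVNNorthboundClusterPort": 6643,
    "OVNSouthboundClusterPort": 6644,
}

# Matches the INPUT accept rules the tripleo firewall role writes for rule 121.
RULE_RE = re.compile(
    r"^-A INPUT -s (?P<src>\S+) -p tcp -m tcp --dport (?P<dport>\d+) "
    r"-m conntrack --ctstate NEW .*-j ACCEPT$"
)

def parse_accepts(iptables_save: str) -> Set[Tuple[str, int]]:
    """Collect the (source_cidr, dport) pairs that the iptables-save text ACCEPTs."""
    found: Set[Tuple[str, int]] = set()
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found.add((m.group("src"), int(m.group("dport"))))
    return found

def missing_rules(iptables_save: str, site_cidrs: Iterable[str],
                  ports: Dict[str, int] = OVN_DB_PORTS) -> List[Tuple[str, int]]:
    """Return the (cidr, port) pairs a site CIDR should be allowed on but is not."""
    have = parse_accepts(iptables_save)
    return sorted((cidr, port) for cidr in site_cidrs
                  for port in ports.values() if (cidr, port) not in have)

def render_rules(site_cidrs: Iterable[str],
                 ports: Dict[str, int] = OVN_DB_PORTS) -> List[str]:
    """Emit the rules the template would produce if it iterated every site's CIDR."""
    fmt = ('-A INPUT -s {cidr} -p tcp -m tcp --dport {port} -m conntrack --ctstate NEW '
           '-m comment --comment "121 OVN DB server and cluster ports for {cidr} ipv4" '
           '-j ACCEPT')
    return [fmt.format(cidr=c, port=p) for c in site_cidrs for p in ports.values()]

# Constructed sample: a central controller that only allows its own leaf, as in
# the report; 172.18.2.0/24 is the dcn1 internal_api subnet that is missing.
SITE_CIDRS = ["172.18.1.0/24", "172.18.2.0/24"]
SAMPLE_IPTABLES_SAVE = "\n".join(render_rules(["172.18.1.0/24"]))

if __name__ == "__main__":
    for cidr, port in missing_rules(SAMPLE_IPTABLES_SAVE, SITE_CIDRS):
        print(f"missing accept: {cidr} -> tcp/{port}")
```

On a real controller, feed it the output of `iptables-save` and the internal_api CIDR of every site in the deployment; an empty result means every site can reach all four OVN DB ports.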

