[NETVIRT-258] VM to DHCP ping is failed with default SG associated to VM instance Created: 09/Nov/16  Updated: 08/Apr/19  Resolved: 14/Dec/16

Status: Resolved
Project: netvirt
Component/s: None
Affects Version/s: Boron
Fix Version/s: None

Type: Bug
Reporter: balakrishnan k Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 7128

 Description   

Issue scenario:
When a VM is spawned with the Default SG,
ping from the VM instance to the DHCP IP is not working.

Steps to reproduce the bug:
1. Create a network (10.0.0.0/24) using OpenStack.
2. Create a VM instance (10.0.0.3) with the Default SG.
3. Log in to the VM instance.
4. Try to ping the DHCP IP (10.0.0.2); here the ping fails.



 Comments   
Comment by Eric Multanen [ 14/Nov/16 ]

This looks like the same issue I've been debugging for OpenStack tempest scenario tests of networking-odl.

The test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops
test was failing due to not being able to ping the DHCP namespace.

See gerrit:

https://git.opendaylight.org/gerrit/48301
NETVIRT-258 - VM to DHCP ping not working with default SG

for a patch which allows the test to pass.

Comment by Eric Multanen [ 15/Nov/16 ]

I have observed in my setup that the DHCP port has 'port_security_enabled' set to False. It was created that way by Neutron.

Whereas, the VM port has 'port_security_enabled' and the default security groups.

Since the DHCP port does not have a security group, it does not match the remote security group of the default ingress rule for the VM port. Therefore, the ping replies from the DHCP port to the VM are dropped. That appears to be what is happening now.

I suppose the correct default behavior should be that the VM port should accept ingress traffic from other members of the VM's default security group 'AND' ports on the same tenant network with port security disabled.

That is based on the assumptions that:
1. neutron setting dhcp port security to disabled is correct and intended
2. tempest scenario tests that do this type of ping from vm to dhcp port without adding any additional security group rules are expected to pass (e.g. tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_hotplug_nic)

Any thoughts or comments?

This is my first dive into security group details, so not sure my understanding is fully correct yet.
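
The matching described in the comment above, as an added example that is not part of the original issue or of the netvirt code: a simplified Python model of remote-group ingress evaluation, showing why traffic from the DHCP port is dropped at the VM port and what the suggested behavior would change. The names `Port`, `ingress_allowed`, `sg-default`, `net-a`, `net-b` and the extra ports are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Port:
    name: str
    ip: str
    network: str
    port_security_enabled: bool = True
    security_groups: frozenset = frozenset()

def ingress_allowed(dst, src, remote_groups_by_sg, accept_unsecured_same_net=False):
    """Return True if traffic from src is accepted on dst (simplified model)."""
    if not dst.port_security_enabled:
        return True  # nothing is filtered on an unsecured destination port
    # Remote-group rule: src must be a member of the rule's remote group.
    for sg in dst.security_groups:
        for remote_group in remote_groups_by_sg.get(sg, []):
            if remote_group in src.security_groups:
                return True
    # Behavior suggested in the comment (an assumption, not the merged fix):
    # also accept ports on the same network that have port security disabled.
    if (accept_unsecured_same_net
            and not src.port_security_enabled
            and src.network == dst.network):
        return True
    return False

# Constructed sample data mirroring the report: the default SG has one ingress
# rule whose remote group is the default SG itself.
DEFAULT_SG = "sg-default"
RULES = {DEFAULT_SG: [DEFAULT_SG]}
vm = Port("vm", "10.0.0.3", "net-a", True, frozenset({DEFAULT_SG}))
dhcp = Port("dhcp", "10.0.0.2", "net-a", False)           # no SG, as created by Neutron
peer_vm = Port("vm2", "10.0.0.4", "net-a", True, frozenset({DEFAULT_SG}))
foreign = Port("dhcp-b", "10.0.1.2", "net-b", False)      # unsecured, other network

if __name__ == "__main__":
    for src in (peer_vm, dhcp, foreign):
        print(src.name,
              "current:", ingress_allowed(vm, src, RULES),
              "suggested:", ingress_allowed(vm, src, RULES, True))
```

Under the suggested behavior every port on the network with port security disabled is accepted by the VM port, not only the DHCP port.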

Comment by balakrishnan k [ 14/Dec/16 ]

fixed in
Boron : https://git.opendaylight.org/gerrit/#/c/48720/
Master: https://git.opendaylight.org/gerrit/#/c/49008/

Generated at Wed Feb 07 20:21:06 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.