[NETVIRT-258] VM to DHCP ping is failed with default SG associated to VM instance Created: 09/Nov/16 Updated: 08/Apr/19 Resolved: 14/Dec/16 |
|
| Status: | Resolved |
| Project: | netvirt |
| Component/s: | None |
| Affects Version/s: | Boron |
| Fix Version/s: | None |
| Type: | Bug | ||
| Reporter: | balakrishnan k | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Operating System: All |
||
| External issue ID: | 7128 |
| Description |
|
issue scenario: steps to reproduce the Bug: |
| Comments |
| Comment by Eric Multanen [ 14/Nov/16 ] |
|
This looks like same issue i've been debugging for Openstack tempest scenario tests of networking-odl. The test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops See gerrit: https://git.opendaylight.org/gerrit/48301 for a patch which allows the test to pass. |
| Comment by Eric Multanen [ 15/Nov/16 ] |
|
I have observed in my setup, that the DCHP port has 'port_security_enabled' set to False. It was created that way by Neutron. Whereas, the VM port has 'port_security_enabled' and the default security groups. Since the DHCP port does not have a security group, it does not match the remote security group of the default ingress rule for the VM port. Therefore, the ping replies from the DHCP port to the VM are dropped. That appears to be what is happening now. I suppose the correct default behavior should be that the VM port should accept ingress traffic from other members of the VM's default security group 'AND' ports on the same tenant network with port security disabled. That is based on the assumptions that: Any thoughts or comments? This is my first dive into security group details, so not sure my understanding is fully correct yet. |
| Comment by balakrishnan k [ 14/Dec/16 ] |
|
fixed in |