https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/NETVIRT-258 netvirt <p>issue scenario:<br/> when VM is spawned with Default SG.<br/> ping from VM instance to DCHP IP is not working.</p> <p>steps to reproduce the Bug:<br/> 1.create network(10.0.0.0/24) using openstack.<br/> 2.create VM instance(10.0.0.3) with Default SG.<br/> 3.login to the VM instance.<br/> 4.Try ping DHCP IP(10.0.0.2) here ping is failed.</p> <p>Operating System: All<br/> Platform: All</p> NETVIRT-258

VM to DHCP ping is failed with default SG associated to VM instance

Bug Resolved Done Unassigned balakrishnan k Wed, 9 Nov 2016 06:09:43 +0000 Mon, 8 Apr 2019 16:58:30 +0000 Wed, 14 Dec 2016 06:26:30 +0000 Boron 0 3 <p>This looks like same issue i've been debugging for Openstack tempest scenario tests of networking-odl.</p> <p>The test_network_basic_ops.TestNetworkBasicOps.test_network_basic_ops<br/> test was failing due to not being able to ping the DHCP namespace.</p> <p>See gerrit:</p> <p><a href="https://git.opendaylight.org/gerrit/48301" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/48301</a> <br/> <a href="https://jira.opendaylight.org/browse/NETVIRT-258" title="VM to DHCP ping is failed with default SG associated to VM instance" class="issue-link" data-issue-key="NETVIRT-258"><del>NETVIRT-258</del></a> - VM to DHCP ping not working with default SG</p> <p>for a patch which allows the test to pass.</p> <p>I have observed in my setup, that the DCHP port has 'port_security_enabled' set to False. It was created that way by Neutron.</p> <p>Whereas, the VM port has 'port_security_enabled' and the default security groups.</p> <p>Since the DHCP port does not have a security group, it does not match the remote security group of the default ingress rule for the VM port. Therefore, the ping replies from the DHCP port to the VM are dropped. That appears to be what is happening now.</p> <p>I suppose the correct default behavior should be that the VM port should accept ingress traffic from other members of the VM's default security group 'AND' ports on the same tenant network with port security disabled.</p> <p>That is based on the assumptions that:<br/> 1. neutron setting dhcp port security to disabled is correct and intended<br/> 2. tempest scenario tests that do this type of ping from vm to dhcp port without adding any additional security group rules are expected to pass (e.g. tempest.scenario.test_network_basic_ops.TestNetworkBasicOps.test_hotplug_nic)</p> <p>Any thoughts or comments?</p> <p>This is my first dive into security group details, so not sure my understanding is fully correct yet.</p> <p>fixed in<br/> Boron : <a href="https://git.opendaylight.org/gerrit/#/c/48720/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/48720/</a> <br/> Master: <a href="https://git.opendaylight.org/gerrit/#/c/49008/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/49008/</a></p> Development External issue ID 7128 External issue URL Rank 0|i01qov: