Public bug reported: Steps to reproduce the issue using Neutron Rocky with OVS:

# create bastion-sec-grp to allow ssh from anywhere
openstack security group create bastion-sec-grp
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-ip 0.0.0.0/0 --ingress --dst-port=22 bastion-sec-grp

# create application-sec-grp
openstack security group create application-sec-grp

# Allow ssh to egress from the bastion group to the application group
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-group application-sec-grp --egress --dst-port=22 bastion-sec-grp

# Allow ssh to ingress to the application group from the bastion group
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-group bastion-sec-grp --ingress --dst-port=22 application-sec-grp

# create servers and associate with security groups
openstack server create --wait --image rhel7 --flavor small --security-group bastion-sec-grp bastion-server
openstack server create --wait --image rhel7 --flavor small --security-group application-sec-grp application-server

After boot, bastion-server and application-server are landed on different HVs and we can ssh to bastion-server but cannot ssh to application-server from there.

Neutron debug log from application-server's HV shows:

2020-02-05 22:57:05,825 DEBUG [neutron.agent.linux.openvswitch_firewall.firewall] /opt/openstack/venv/neutron/lib/python2.7/site-packages/neutron/agent/linux/openvswitch_firewall/firewall.py:_build_addr_conj_id_map:297 No member for SG <BASTION_SEC_GRP_ID>

Suspect this is related to: https://bugs.launchpad.net/neutron/+bug/1854131 and after reverting the change https://review.opendev.org/#/c/696976/ locally then remote security group started to work again.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1862703

Title:
  Neutron remote security group does not work

Status in neutron:
  New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1862703/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
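As an added diagnostic, not part of the bug report or of Neutron's own code, the script below cross-checks the agent's "No member for SG" messages against the remote-group rules and the controller's view of group membership, so an operator can tell a genuinely empty remote group (rule is simply inert) from the stale agent view this report describes (rule silently drops traffic it should allow). All SG ids, rule dicts and log lines are constructed placeholders, and the rule field names follow the Neutron API.

```python
import re

# Constructed sample data: placeholder ids, not values from the bug report.
BASTION_SG = "11111111-1111-1111-1111-111111111111"
APP_SG = "22222222-2222-2222-2222-222222222222"
UNUSED_SG = "33333333-3333-3333-3333-333333333333"
PREFIX = "DEBUG [neutron.agent.linux.openvswitch_firewall.firewall] "
SAMPLE_LOG = [
    "2020-02-05 22:57:05,825 " + PREFIX + "_build_addr_conj_id_map:297 No member for SG " + BASTION_SG,
    "2020-02-05 22:57:05,830 " + PREFIX + "_build_addr_conj_id_map:297 No member for SG " + UNUSED_SG,
    "2020-02-05 22:57:06,001 " + PREFIX + "unrelated message",
]
# Rules as the reproduction steps create them, using Neutron API field names.
SAMPLE_RULES = [
    {"id": "app-in-22", "security_group_id": APP_SG, "direction": "ingress",
     "protocol": "tcp", "port_range_min": 22, "remote_group_id": BASTION_SG},
    {"id": "bastion-out-22", "security_group_id": BASTION_SG, "direction": "egress",
     "protocol": "tcp", "port_range_min": 22, "remote_group_id": APP_SG},
    {"id": "app-in-443", "security_group_id": APP_SG, "direction": "ingress",
     "protocol": "tcp", "port_range_min": 443, "remote_group_id": UNUSED_SG},
]
# Controller-side view of membership (port ids per SG); the unused group really is empty.
SAMPLE_MEMBERS = {BASTION_SG: {"port-bastion"}, APP_SG: {"port-app"}, UNUSED_SG: set()}

# Matches the agent message quoted in the report.
NO_MEMBER_RE = re.compile(r"No member for SG (?P<sg>\S+)")


def sgs_agent_thinks_empty(log_lines):
    """SG ids the OVS firewall driver reported as having no members on this host."""
    return {m.group("sg") for m in map(NO_MEMBER_RE.search, log_lines) if m}


def diagnose(log_lines, rules, sg_members):
    """For each remote-group rule whose remote SG the agent considers empty, return
    (rule id, verdict): 'empty-group' if the controller agrees (rule is inert),
    'stale-agent-view' if the controller knows members the agent does not."""
    empty = sgs_agent_thinks_empty(log_lines)
    verdicts = []
    for rule in rules:
        remote = rule.get("remote_group_id")
        if remote in empty:
            verdict = "stale-agent-view" if sg_members.get(remote) else "empty-group"
            verdicts.append((rule["id"], verdict))
    return verdicts


if __name__ == "__main__":
    for rule_id, verdict in diagnose(SAMPLE_LOG, SAMPLE_RULES, SAMPLE_MEMBERS):
        print(rule_id, verdict)
```

In a real deployment the log lines come from the agent on the affected hypervisor and the rules and membership from the Neutron API; a 'stale-agent-view' verdict on a live rule is the condition to alert on.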

