[openstack] IPv6 is not working when ml2_port_security is enabled

Hi,

We have a Juju OpenStack Wallaby cluster. We created the network with IPv6 only, not dual stack.

When I enable the Neutron ml2_port_security, IPv6 is not working. When I disable ml2_port_security, IPv6 works perfectly. But I want ml2_port_security to be enabled. I don't know what is causing this issue.

Do I have to add any parameter in ml2_conf.ini to allow the IPv6 traffic? My security groups also look perfect.


ml2_conf.ini:

# queens
###############################################################################
# [ WARNING ]
# Configuration file maintained by Juju. Local changes may be overwritten.
###############################################################################
[ml2]
port_security_enabled = True
extension_drivers=port_security
type_drivers = geneve,gre,vlan,flat,local
tenant_network_types = geneve,gre,vlan,flat,local
mechanism_drivers = ovn
path_mtu = 1500

[ml2_type_gre]
tunnel_id_ranges = 1:1000

[ml2_type_vxlan]
vni_ranges = 1001:2000

[ml2_type_vlan]
network_vlan_ranges = physnet1:1000:2000
supported_pci_vendor_devs = *

[ml2_type_flat]
flat_networks = physnet1

[ovs]
enable_tunneling = True
local_ip = 10.153.67.74

[agent]
tunnel_types = gre

[securitygroup]
enable_ipset = True
enable_security_group = True

[ovn]
ovn_nb_connection = ssl:10.153.67.70:6641,ssl:10.153.67.38:6641,ssl:10.153.67.94:6641
ovn_nb_private_key = /etc/neutron/plugins/ml2/key_host
ovn_nb_certificate = /etc/neutron/plugins/ml2/cert_host
ovn_nb_ca_cert = /etc/neutron/plugins/ml2/neutron-api-plugin-ovn.crt
ovn_sb_connection = ssl:10.153.67.70:16642,ssl:10.153.67.38:16642,ssl:10.153.67.94:16642
ovn_sb_private_key = /etc/neutron/plugins/ml2/key_host
ovn_sb_certificate = /etc/neutron/plugins/ml2/cert_host
ovn_sb_ca_cert = /etc/neutron/plugins/ml2/neutron-api-plugin-ovn.crt
ovn_l3_scheduler = leastloaded
ovn_metadata_enabled = True
enable_distributed_floating_ip = False
dns_servers =
dhcp_default_lease_time = 43200
ovn_dhcp4_global_options =
ovn_dhcp6_global_options =
vhost_sock_dir = /run/libvirt-vhost-user

[ml2_type_geneve]
vni_ranges = 1001:2000
max_header_size = 38

Hi, thanks for the report. I had a few questions about your config to see if we can help figure out why it’s not working.

  1. Is the network you created a tenant network connected to a router or a public network?

  2. Is this an IPv6-only configuration? Things like metadata I don’t think would work in the Wallaby release, so you would have to use config drive to boot a VM correctly.

  3. What security group rules have you added? Maybe a listing of them would help.

  4. One setting that didn’t look correct in your .ini file was this:

[agent] tunnel_types = gre

If this is using OVN I would have thought that to be ‘geneve’.

Any other information you can provide on what the boot sequence looks like, possibly console out of the VM, might help as well.

Thanks.

Hi Brian,

Thanks for your reply!

Below are the answers to your questions:

  1. The IPv6 network is a public network and is not connected to any router inside OpenStack.

  2. Yes, it's an IPv6-only configuration. I am booting my instances with config-drive. The IP address is configured inside the instance, but it's not accessible.

  3. I use the default security group:

Direction  Ether Type  IP Protocol  Port Range  Remote IP Prefix  Remote Security Group  Description
Egress     IPv4        Any          Any         0.0.0.0/0         -                      -
Egress     IPv4        TCP          Any         0.0.0.0/0         -                      -
Egress     IPv6        Any          Any         ::/0              -                      -
Ingress    IPv4        Any          Any         0.0.0.0/0         -                      -
Ingress    IPv4        Any          Any         -                 default                -
Ingress    IPv4        TCP          Any         0.0.0.0/0         -                      -
Ingress    IPv4        UDP          Any         0.0.0.0/0         -                      -
Ingress    IPv6        Any          Any         -                 default                -
Ingress    IPv6        Any          Any         ::/0              -                      -

  4. I changed the tunnel_types to geneve, but I cannot save the parameter permanently, since the config file is managed by Juju. How can I change the parameter permanently?

It looks like your security group rules are Ok, but the one thing to note is there are also anti-spoofing rules installed that you can’t see to limit what MAC and IP(v6) addresses can be used on a port. So I think if we focus on how you are configuring things via config-drive it might show what’s wrong.

Can you determine what addresses neutron has assigned to this instance? For example, by either looking at ‘openstack server show …’ or ‘openstack port show …’ for this instance. If you try to configure something other than those IPs, then it will be blocked, but things would work if you disabled port security.

And regarding the tunnel_types that might not be an issue as OVN might just ignore it. Might just need some cleanup on the juju side to write it correctly in all cases.

Thanks
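The comparison Brian describes, checking the addresses configured inside the guest against what Neutron assigned to the port, can be scripted. The Python below is an added example, not part of the original thread or of Neutron: it runs offline against a constructed record in the shape of `openstack port show -f json` output (placeholder MAC, subnet id and 2001:db8:: addresses), and it assumes, as OVN documents for its port_security column, that the EUI-64 link-local address derived from the port MAC is also permitted.

```python
import ipaddress
import json

# Constructed sample in the shape of `openstack port show <port> -f json`,
# trimmed to the fields the check needs. Not taken from the thread.
PORT_JSON = json.dumps({
    "mac_address": "fa:16:3e:12:34:56",
    "port_security_enabled": True,
    "fixed_ips": [{"ip_address": "2001:db8:1::10", "subnet_id": "subnet-placeholder"}],
    "allowed_address_pairs": [{"ip_address": "2001:db8:2::/64",
                               "mac_address": "fa:16:3e:12:34:56"}],
})


def eui64_link_local(mac):
    """Link-local address derived from a MAC (RFC 4291 modified EUI-64)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                                     # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])  # insert ff:fe in the middle
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def allowed_networks(port):
    """Prefixes the port may source traffic from: fixed IPs, allowed address
    pairs and (assumption about OVN port security) the EUI-64 link-local."""
    nets = [ipaddress.ip_network(f["ip_address"]) for f in port["fixed_ips"]]
    nets += [ipaddress.ip_network(p["ip_address"], strict=False)
             for p in port["allowed_address_pairs"]]
    if any(n.version == 6 for n in nets):
        nets.append(ipaddress.ip_network(eui64_link_local(port["mac_address"])))
    return nets


def check_guest_addresses(port, guest_addrs):
    """Map each address configured inside the guest to True (permitted) or
    False (anti-spoofing will drop it). `port` is a dict or a JSON string."""
    if isinstance(port, str):
        port = json.loads(port)
    if not port.get("port_security_enabled", True):
        return {a: True for a in guest_addrs}       # no anti-spoofing at all
    nets = allowed_networks(port)
    return {a: any(ipaddress.ip_address(a) in n for n in nets) for a in guest_addrs}


if __name__ == "__main__":
    guest = ["2001:db8:1::10", "2001:db8:2::77", "fe80::f816:3eff:fe12:3456", "2001:db8:9::1"]
    for addr, ok in check_guest_addresses(PORT_JSON, guest).items():
        print(f"{addr:30} {'permitted' if ok else 'DROPPED by port security'}")
```

On a live cloud, feed it the real `openstack port show -f json` output and the addresses from `ip -6 addr` inside the guest; any address reported as dropped is one that port security blocks but that starts working when port security is disabled, which matches the symptom in this thread.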

My instance and the Neutron port IP are the same, and also you're right: when I disable the port security for the instance, it works. But I need to enable the port security.

Also, if I provision 5 instances with IPv6, 3 instances are working but 2 are not.

I think it was an OVN bug.

Yes, it could be something with OVN. Can you give any info on what the flow table looks like with regards to a running and failed instance? Also if there are any failures in the logs that might be some place to start.

Yes, the issue is caused by OVN. After upgrading OpenStack from Wallaby to Xena, the issue is resolved. The issue is caused by OVN version 20.19; when I upgraded it to 21.03, it works perfectly.

Is there any way to resolve the OVN issue in 20.19?

Hi.

First I assume you mean it was still broken on 20.09 not 20.19? If it is a bug in OVN we would have to figure out what commit fixed it. Looking through the source code there wasn’t an obvious change, especially since you mentioned it didn’t always happen. You would have to do something like ‘git bisect’ and build OVN yourself to figure that out, which is going to be time intensive.

You also mentioned going from Wallaby to Xena, so we’d also have to look at the OpenStack changes that might have affected this as well. Is there a reason you need this fix backported to the older version(s)? Thanks.