VMs are not reachable without disabling port_security when the OVS firewall driver is configured ("NeutronOVSFirewallDriver: openvswitch") with DPDK.

Solution In Progress - Updated -

Issue

  • We configured the OVS firewall driver on an OpenStack environment

  • We enabled OVS firewall driver by adding the following to network-environment.yaml:

parameter_defaults:
  NeutronOVSFirewallDriver: openvswitch

  • We deployed the overcloud using the openstack overcloud deploy .. command

  • We then deployed our infra using Heat templates, and by default we are creating instances with security groups.

  • We observed that the VRRP communication is not working during application deployment.

  • We removed the security_group from the VMs and disabled port_security on ports.

  • VM communication then works fine and application deployment is successful.

  • Now we need to keep port_security disabled even during run time; without this we are unable to launch the application user interface. When we disable port_security on the load balancer VMs, the application UI is able to launch.

  • Looking at the RH article, we need to disable port_security on dataplane interfaces. But we see security impacts with port_security disabled during run time.

  • What is the configuration we need to enable to keep port_security enabled with the OVS firewall driver?

Environment

  • Red Hat OpenStack Platform 13.0 (RHOSP)
