Compute node drops DHCP with security groups enabled

asked 2018-04-14 01:54:50 -0600

I ran into a problem with DHCP in OpenStack Ocata.

My installation:

Ubuntu 16-17 distribution
nova - 15.0.8-0ubuntu1
neutron - 10.0.4-0ubuntu1
network - vxlan


Virtual machines do not get an IP via DHCP. A virtual machine sends a DHCPDISCOVER but receives nothing in return.

I did some diagnostics with tcpdump and found the following: I see the DHCPDISCOVER packets on the tap device, I see the DHCPDISCOVER packets on the qbr device, and I do not see them on qvb / qvo / etc.

If I make the following changes:

net.bridge.bridge-nf-call-ip6tables = 1 => 0
net.bridge.bridge-nf-call-iptables = 1 => 0

DHCP starts working, but the security groups cease to function.

An intensive search for a solution has not yet given me any positive answers.

Can DHCP work with security groups?

DHCP most definitely works with secgroups. It's an essential piece of a normal Neutron configuration.

If packets are not seen on the qvb/qvo veth pair, something is wrong with the netfilter config. Perhaps you have version mismatches in your Neutron code, or something other than Neutron changes it.

Yes, but it does not work... and I can't find the problem...

DHCP packets are lost on qbr.

The iptables FORWARD chain works. I tested it, and it works.

Setting iptables FORWARD to ACCEPT all does not change it.
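
One way to inspect the netfilter configuration that the answer above points at, as an added example (not code from this thread or from Neutron): it walks `iptables-save` output starting at FORWARD and reports which rule decides a DHCPDISCOVER that enters from a given tap device. The sample ruleset, chain suffixes and tap name are constructed, and only the `-p`, `--sport`, `--dport` and `--physdev-in` matches are modelled.

```python
import shlex
# Constructed `iptables-save` sample; chain suffixes and tap name are made up.
SAMPLE = """\
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapaaaa1111-22 --physdev-is-bridged -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapaaaa1111-22 --physdev-is-bridged -j neutron-openvswi-oaaaa1111-2
-A neutron-openvswi-sg-chain -j ACCEPT
-A neutron-openvswi-oaaaa1111-2 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-oaaaa1111-2 -j neutron-openvswi-sg-fallback
-A neutron-openvswi-sg-fallback -j DROP
"""
# DHCPDISCOVER fields as iptables sees them on the bridge (constructed packet).
DISCOVER = {"-p": "udp", "--sport": "68", "--dport": "67", "--physdev-in": "tapaaaa1111-22"}

def parse(text):  # chain name -> ordered list of (raw line, tokens after the chain)
    chains = {}
    for line in text.splitlines():
        if line.startswith("-A "):
            tok = shlex.split(line)
            chains.setdefault(tok[1], []).append((line, tok[2:]))
    return chains

def matches(tok, pkt):  # True if every modelled match in the rule fits the packet
    i = 0
    while i < len(tok) and tok[i] != "-j":
        if tok[i] == "--physdev-is-bridged":  # flag without a value, assumed true
            i += 1
        elif tok[i] in ("-m", "--comment") or pkt.get(tok[i]) == tok[i + 1]:
            i += 2
        else:
            return False  # value differs, or a match this example does not model
    return True

def walk(chains, chain, pkt):  # first terminal verdict; None on RETURN or fall-through
    for line, tok in chains.get(chain, []):
        if "-j" not in tok or not matches(tok, pkt):
            continue
        target = tok[tok.index("-j") + 1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, line
        if target == "RETURN":
            return None  # back to the calling chain, which continues with its next rule
        found = walk(chains, target, pkt)
        if found:
            return found
    return None

def dhcp_verdict(text, pkt=DISCOVER):  # (verdict, deciding rule) for the packet
    return walk(parse(text), "FORWARD", pkt) or ("POLICY", "end of FORWARD")
```

On a compute node, pass it the text of `iptables-save` and set `--physdev-in` in the packet to the instance's tap device; a `DROP` result names the rule to investigate.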

