VMs on subnet suffer IGMP timeouts.
Havana + neutron + vswitch:
Via Horizon dashboard, I created a network with a 10.16.1/24 subnet, disabled gateway, enabled DHCP with range 10.16.1.100,10.16.1.120. Then I launched 2 trusty instances, each with two NICs; eth0 for my regular public interface, and eth1 for the 10.16.1/24 subnet. I installed mgen and configured complementary mgen scripts to have the two exchange 1 multicast message per second for 360 seconds. One VM stops receiving packets after 260 seconds (the IGMP Snooping Group Timeout?). The other VM keeps receiving messages for the entire period.
Using wireshark, I captured the IGMP traffic at each VM (not enough points to attach images, yet). The successful VM sees and responds to IGMP Membership queries. The failing VM never sees those queries, hence the timeout, hence the missing data.
I'm guessing this is a firewall issue - keeping the failing VM from seeing the queries. If so, how can I open the firewall for all VMs, so I don't have to do this for each affected VM (many) of each affected tenant (also many)?
Two random ideas:
- write a script to add rules to the security groups? http://docs.openstack.org/openstack-o...
- modify default security group and allow what you want?
Both VMs get the same default security group settings - so I don't know why one would work OK, and the other would block IGMP unless that is a feature of the neutron/vswitch software. What are the correct security group settings to allow IGMP? There's no selection for "All IGMP".
Duplicate: https://ask.openstack.org/en/question/8466/igmp-snoopingquery-support-in-openvswitch/ (Duplicate) - though no answer there either.
Duplicate: https://ask.openstack.org/en/question/26599/igmp-queries-are-blocked-somewhere-between-bridge-and-tap/ (Duplicate) - no answer...
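The 260-second cutoff reported in the question equals the RFC 2236 default Group Membership Interval (2 × 125 s + 10 s). The simulation below is an added example, not part of the original thread and not OpenStack or Open vSwitch code; it assumes those default timers and a snooping switch that ages a port out on that interval, and all function names are hypothetical.

```python
# Added example: constructed simulation of an IGMP snooping timer.
# Assumption: RFC 2236 default timers; real deployments may configure others.
ROBUSTNESS = 2
QUERY_INTERVAL = 125          # seconds between general membership queries
QUERY_RESPONSE_INTERVAL = 10  # max delay before a host answers a query
GROUP_MEMBERSHIP_INTERVAL = ROBUSTNESS * QUERY_INTERVAL + QUERY_RESPONSE_INTERVAL


def simulate(duration, sees_queries, first_query_at=QUERY_INTERVAL):
    """Return the seconds (1..duration) at which a snooping switch still
    forwards the multicast group to a host's port.

    The host sends one unsolicited report at t=0 when it joins. After that it
    only reports in answer to a general query, so if queries are filtered
    before they reach it (sees_queries=False) the entry is never refreshed.
    """
    expires_at = GROUP_MEMBERSHIP_INTERVAL  # timer started by the join at t=0
    delivered = []
    for t in range(1, duration + 1):
        is_query = t >= first_query_at and (t - first_query_at) % QUERY_INTERVAL == 0
        if is_query and sees_queries:
            # Host answers (modelled as immediate); switch restarts the timer.
            expires_at = t + GROUP_MEMBERSHIP_INTERVAL
        if t <= expires_at:
            delivered.append(t)
    return delivered


def last_delivery(duration, sees_queries):
    """Second at which the last multicast packet reaches the host."""
    got = simulate(duration, sees_queries)
    return got[-1] if got else None


if __name__ == "__main__":
    # Same 360-second run as the mgen test described in the question.
    for label, sees in (("VM that sees queries", True),
                        ("VM that never sees queries", False)):
        print(f"{label}: last packet at t={last_delivery(360, sees)}s")
```

If a capture shows the cutoff at a different time, compare it against the querier's configured robustness and interval values rather than the defaults assumed here.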