Adjust security groups to allow access to DHCP and Metadata

To ensure that instances have access to the DHCP and Neutron Metadata services after migration to OVN, adjust the security groups that violate the pre-migration ports_with_blocked_access_to_dhcpv4_check check:

1. Log in to the keystone-client pod:

       kubectl -n openstack exec -it deployment/keystone-client -- bash
2. Obtain the list of the ports with blocked DHCPv4 access. The check output is a JSON array, so strip the brackets and quotes and split the remaining comma-separated IDs on commas:

       IFS=','; ports=$(jq -c .ports_with_blocked_access_to_dhcpv4_check.violations /tmp/preflight_checks.json | tr -d '[]"')

3. Obtain the list of security groups for each port from the list obtained in the previous step:

       for p in $ports; do
           echo "Port $p security groups:"
           openstack port show "$p" -f json -c security_group_ids | jq -c .security_group_ids | tr -d '[]"'
       done
4. Analyze the rules of each security group associated with the ports in question. To list the rules of a security group:

       openstack security group rule list <SECURITY-GROUP-ID>

5. To allow access from instances to the DHCP server, add the following egress rules to the related security group:

   IPv4:

       openstack security group rule create --egress \
           --ethertype IPv4 \
           --protocol udp \
           --dst-port 67 ${SEC_GROUP_ID}

   IPv6. The remote IP address may differ depending on the DHCPv6 mode:

       openstack security group rule create --egress \
           --ethertype IPv6 \
           --protocol udp \
           --dst-port 547 \
           --remote-ip ff02::1:2 ${SEC_GROUP_ID}

6. To allow access from instances to the Metadata server, add the following egress rules to the related security group:

   IPv4:

       openstack security group rule create --egress \
           --ethertype IPv4 \
           --protocol tcp \
           --remote-ip 169.254.169.254 \
           --dst-port 80 ${SEC_GROUP_ID}

   IPv6. The remote IP address may differ depending on the DHCPv6 mode. The rule is restricted to TCP port 80, matching the IPv4 rule, so that it does not open more than the Metadata service needs:

       openstack security group rule create --egress \
           --ethertype IPv6 \
           --protocol tcp \
           --remote-ip fe80::a9fe:a9fe \
           --dst-port 80 ${SEC_GROUP_ID}
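Step 4 above leaves the rule analysis to the operator. The following script is an added example, not part of the original documentation or of the Mirantis tooling: it automates that analysis by reading the violating ports from the preflight JSON, walking each port's security groups, deciding whether an existing egress rule already covers each of the four required flows (DHCPv4, DHCPv6, Metadata over IPv4 and IPv6), and emitting only the rule-creation commands that are actually missing. All inputs are constructed inline so the script runs offline; in a real environment the per-group rule JSON would come from `openstack security group rule list <SG> -f json`, whose column names (`Direction`, `Ethertype`, `IP Protocol`, `Port Range`, `IP Range`) are assumed here and should be checked against the CLI version in use. A rule counts as covering a requirement if it is egress, has the right ethertype, has either no protocol or the required one, has either no port range or one that includes the required port, and has either no remote range or one that contains the required remote address (for DHCPv4, which has no fixed server address, only an "any" range counts).

```python
import ipaddress
import json

# Egress rules each security group needs after the OVN migration.
# Values are taken from the rule-creation commands in this section.
REQUIRED = {
    "dhcpv4":      {"ethertype": "IPv4", "protocol": "udp", "port": 67,  "remote_ip": None},
    "dhcpv6":      {"ethertype": "IPv6", "protocol": "udp", "port": 547, "remote_ip": "ff02::1:2"},
    "metadata-v4": {"ethertype": "IPv4", "protocol": "tcp", "port": 80,  "remote_ip": "169.254.169.254"},
    "metadata-v6": {"ethertype": "IPv6", "protocol": "tcp", "port": 80,  "remote_ip": "fe80::a9fe:a9fe"},
}

# Constructed stand-in for /tmp/preflight_checks.json, reduced to the one check used here.
PREFLIGHT_JSON = '{"ports_with_blocked_access_to_dhcpv4_check": {"violations": ["port-aaa", "port-bbb"]}}'

# Constructed stand-in for `openstack security group rule list <SG> -f json` output
# (column names assumed; verify against your CLI version).
SG_RULES_JSON = {
    "sg-permissive": json.dumps([
        {"ID": "r1", "Direction": "egress", "Ethertype": "IPv4", "IP Protocol": "udp", "Port Range": "67:67", "IP Range": ""},
        {"ID": "r2", "Direction": "egress", "Ethertype": "IPv4", "IP Protocol": "tcp", "Port Range": "", "IP Range": "169.254.169.254/32"},
        {"ID": "r3", "Direction": "egress", "Ethertype": "IPv6", "IP Protocol": "", "Port Range": "", "IP Range": "::/0"},
    ]),
    "sg-ingress-only": json.dumps([
        {"ID": "r4", "Direction": "ingress", "Ethertype": "IPv4", "IP Protocol": "tcp", "Port Range": "22:22", "IP Range": "0.0.0.0/0"},
    ]),
}

# Constructed port -> security group mapping (what step 3 gathers with `openstack port show`).
PORT_SGS = {"port-aaa": ["sg-permissive"], "port-bbb": ["sg-ingress-only", "sg-permissive"]}


def violating_ports(preflight_json):
    """Port IDs flagged by the ports_with_blocked_access_to_dhcpv4_check check."""
    return json.loads(preflight_json)["ports_with_blocked_access_to_dhcpv4_check"]["violations"]


def _port_covered(port_range, port):
    if not port_range:
        return True  # empty range means all ports
    lo, _, hi = port_range.partition(":")
    return int(lo) <= port <= int(hi or lo)


def _remote_covered(ip_range, remote_ip):
    if not ip_range:
        return True  # no remote restriction
    net = ipaddress.ip_network(ip_range, strict=False)
    if remote_ip is None:
        return net.prefixlen == 0  # requirement has no fixed remote; only an "any" range counts
    return ipaddress.ip_address(remote_ip) in net


def rule_satisfies(rule, need):
    """True if one existing rule already permits the required flow."""
    return (rule.get("Direction") == "egress"
            and rule.get("Ethertype") == need["ethertype"]
            and (rule.get("IP Protocol") or "") in ("", need["protocol"])
            and _port_covered(rule.get("Port Range") or "", need["port"])
            and _remote_covered(rule.get("IP Range") or "", need["remote_ip"]))


def missing_rules(rules_json):
    """Names of required flows that no rule in the group covers, in REQUIRED order."""
    rules = json.loads(rules_json)
    return [name for name, need in REQUIRED.items()
            if not any(rule_satisfies(r, need) for r in rules)]


def fix_command(sg_id, name):
    """The `openstack security group rule create` command from this section for one missing flow."""
    need = REQUIRED[name]
    cmd = (f"openstack security group rule create --egress --ethertype {need['ethertype']} "
           f"--protocol {need['protocol']} --dst-port {need['port']}")
    if need["remote_ip"]:
        cmd += f" --remote-ip {need['remote_ip']}"
    return f"{cmd} {sg_id}"


def audit(preflight_json, port_sgs, sg_rules_json):
    """Map every security group attached to a violating port to its missing flows."""
    result = {}
    for port in violating_ports(preflight_json):
        for sg in port_sgs.get(port, []):
            if sg not in result:
                result[sg] = missing_rules(sg_rules_json[sg])
    return result


if __name__ == "__main__":
    for sg, missing in audit(PREFLIGHT_JSON, PORT_SGS, SG_RULES_JSON).items():
        print(f"{sg}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
        for name in missing:
            print("  " + fix_command(sg, name))
```

On the constructed input the script reports sg-permissive as already compliant (its broad IPv6 rule covers both IPv6 flows) and prints the four creation commands for sg-ingress-only. Review the printed commands before running them; the script deliberately does not call the CLI itself.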