Adjust security groups to allow access to DHCP and Metadata

To ensure that instances have access to the DHCP and Neutron Metadata services after migration to OVN, adjust the security groups that violate the pre-migration ports_with_blocked_access_to_dhcpv4_check check:

  1. Log in to the keystone-client pod:

    kubectl -n openstack exec -it deployment/keystone-client -- bash
    
  2. Obtain the list of the ports with the blocked DHCPv4 access:

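    # Split on commas so that the loop in the next step iterates over port IDs
    IFS=','
    # Extract the violating port IDs as a comma-separated list
    ports=$(jq -c .ports_with_blocked_access_to_dhcpv4_check.violations /tmp/preflight_checks.json | tr -d '[]"')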
    
  3. Obtain the list of security groups for each port from the list obtained in the previous step:

    for p in $ports; do
        echo "Port $p security groups:"
        openstack port show "$p" -f json -c security_group_ids | jq -c .security_group_ids | tr -d '[]"'
    done
    
  4. Analyze the security group rules for each security group associated with the ports in question. To list security group rules:

    openstack security group rule list <SECURITY-GROUP-ID>
    

    To allow access from instances to the DHCP server, add the following rules to the related security group:

    openstack security group rule create --egress \
        --ethertype IPv4 \
        --protocol udp \
        --dst-port 67 ${SEC_GROUP_ID}
    

    The remote IP address may differ depending on the DHCPv6 mode.

    openstack security group rule create --egress \
        --ethertype IPv6 \
        --protocol udp \
        --dst-port 547 \
        --remote-ip ff02::1:2 ${SEC_GROUP_ID}
    

    To allow access from instances to the Metadata server, add the following rules to the related security group:

    openstack security group rule create --egress \
        --ethertype IPv4 \
        --protocol tcp \
        --remote-ip 169.254.169.254 \
        --dst-port 80 ${SEC_GROUP_ID}
    

    The remote IP address may differ depending on the DHCPv6 mode.

    openstack security group rule create --egress \
        --ethertype IPv6 \
        --protocol tcp \
        --remote-ip fe80::a9fe:a9fe ${SEC_GROUP_ID}
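
A pre-change check for step 4, added here as an example (not part of the Mirantis documentation): given a security group's rules as dictionaries with Neutron API field names, it reports which of the four flows above no egress rule permits, so that only the missing rules are created. The DHCPv4 broadcast destination, port 80 for IPv6 metadata, and the sample rule sets are assumptions of this example.

```python
import ipaddress

# Flows opened by the rules on this page: (ethertype, protocol, port, destination).
# Assumptions of this example: DHCPv4 goes to the broadcast address and
# IPv6 metadata is served on port 80.
REQUIRED = {
    "dhcpv4": ("IPv4", "udp", 67, "255.255.255.255"),
    "dhcpv6": ("IPv6", "udp", 547, "ff02::1:2"),
    "metadata_v4": ("IPv4", "tcp", 80, "169.254.169.254"),
    "metadata_v6": ("IPv6", "tcp", 80, "fe80::a9fe:a9fe"),
}
PROTO_NUM = {"tcp": "6", "udp": "17"}

def rule_allows(rule, ethertype, proto, port, dest):
    """True if one rule dict permits egress to dest:port over proto."""
    if rule.get("direction") != "egress" or rule.get("ethertype") != ethertype:
        return False
    if rule.get("remote_group_id"):  # limited to group members, not a service IP
        return False
    if rule.get("protocol") not in (None, "any", "0", proto, PROTO_NUM[proto]):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None and not (lo <= port <= (hi if hi is not None else lo)):
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:  # no remote prefix means any destination
        return True
    return ipaddress.ip_address(dest) in ipaddress.ip_network(prefix, strict=False)

def missing_access(rules):
    """Sorted names of the required flows that no rule in the group permits."""
    return sorted(name for name, flow in REQUIRED.items()
                  if not any(rule_allows(r, *flow) for r in rules))

# Constructed sample: a group that only allows HTTPS out, then the same
# group after the IPv4 DHCP and metadata rules from this page are added.
LOCKED = [{"direction": "egress", "ethertype": "IPv4", "protocol": "tcp",
           "port_range_min": 443, "port_range_max": 443,
           "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None}]
FIXED_V4 = LOCKED + [
    {"direction": "egress", "ethertype": "IPv4", "protocol": "udp",
     "port_range_min": 67, "port_range_max": 67,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"direction": "egress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 80, "port_range_max": 80,
     "remote_ip_prefix": "169.254.169.254/32", "remote_group_id": None},
]

print(missing_access(LOCKED), missing_access(FIXED_V4))
```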