[neutron] Disable dhcp drop rule

Eugen Block eblock at nde.ag
Wed Aug 19 16:42:11 UTC 2020

That sounds promising, thank you! I had noticed that option but didn’t  
have a chance to look closer into it.
I’ll try that tomorrow.

Thanks for the tip!

Quoting Ben Nemec <openstack at nemebean.com>:

> On 8/19/20 8:36 AM, Eugen Block wrote:
>> Hi *,
>> we recently upgraded our Ocata Cloud to Train and also switched  
>> from linuxbridge to openvswitch.
>> One of our instances within the cloud works as DHCP server and to  
>> make that work we had to comment the respective part in this file  
>> on the compute node the instance was running on:
>> /usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_firewall.py
>> Now we tried the same in
>> /usr/lib/python3.6/site-packages/neutron/agent/linux/openvswitch_firewall/firewall.py  
>> /usr/lib/python3.6/site-packages/neutron/agent/linux/iptables_firewall.py
>> but restarting openstack-neutron-openvswitch-agent.service didn't  
>> drop that rule, the DHCP reply didn't get through. To continue with  
>> our work we just dropped it manually, so we get by, but since there  
>> have been a couple of years between Ocata and Train, is there any  
>> smoother or better way to achieve this? This seems to be a  
>> reoccurring request but I couldn't find any updates on this topic.  
>> Maybe someone here can shed some light? Is there more to change  
>> than those two files I mentioned?
> You might try disabling port-security on the instance's port. That's  
> what we use in OVB to allow a DHCP server in an instance now.
> neutron port-update [port-id] --port_security_enabled=False
> That will drop all port security for that instance, not just the  
> DHCP rule, but on the other hand it leaves the DHCP rule in place  
> for any instances you don't want running DHCP servers.
>> Any pointers are highly appreciated!
>> Best regards,
>> Eugen
