This bug has been fixed on Master. https://review.openstack.org/#/c/177159/
** Changed in: neutron Status: New => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1527145 Title: when port updated on one compute node, ipset in other compute nodes did not be refreshed Status in neutron: Fix Released Bug description: I found this problem in Kilo release, but I'm not sure if it still exists in master branch. ===== Reproduce steps: ===== (Three compute nodes, ovs agent, security group with ipset enabled) 1. Launch VM1(1.1.1.1) on Compute Node1 with default security group 2. Launch VM2(1.1.1.2) on Compute Node2 with default security group 3. Launch VM3(1.1.1.3) on Compute Node3 with default security group 4. Change VM1's ip address to 1.1.1.10 and port-update add allowed address pair 1.1.1.10 After these operations, I found that ipset in Compute Node1 added member 1.1.1.10, but ipset in Compute Node2 and Compute Node3 did not, so that VM1 ping VM2 and VM3 failed. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1527145/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp