unable to add allow all ingress traffic security group rule

Bug #1252806 reported by Aaron Rosen
This bug affects 1 person
Affects   Status         Importance   Assigned to   Milestone
neutron   Fix Released   High         Aaron Rosen
Grizzly   Fix Released   High         Aaron Rosen
Havana    Fix Released   High         Aaron Rosen

Bug Description

The following rule is unable to be installed:

$ neutron security-group-rule-create --direction ingress default
409-{u'NeutronError': {u'message': u'Security group rule already exists. Group id is 29dc1837-75d3-457a-8a90-14f4b6ea6db9.', u'type': u'SecurityGroupRuleExists', u'detail': u''}}

The reason for this is when the db query is done it passes this in as a filter:

{'tenant_id': [u'577a2f0c78fb4e36b76902977a5c1708'], 'direction': [u'ingress'], 'ethertype': ['IPv4'], 'security_group_id': [u'0fb10163-81b2-4538-bd11-dbbd3878db51']}

and the remote_group_id is wildcarded, thus it matches this rule:

[ {'direction': u'ingress',
  'ethertype': u'IPv4',
  'id': u'8d5c3429-f4ef-4258-8140-5ff3247f9dd6',
  'port_range_max': None,
  'port_range_min': None,
  'protocol': None,
  'remote_group_id': None,
  'remote_ip_prefix': None,
  'security_group_id': u'0fb10163-81b2-4538-bd11-dbbd3878db51',
  'tenant_id': u'577a2f0c78fb4e36b76902977a5c1708'}]
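
The false match described in this report, reduced to an in-memory model (an added example, not neutron's code or the merged patch): a filter that drops unset fields treats them as wildcards, while an exact comparison treats None as a value that must also be equal. The helper names, the field list and the placeholder IDs are assumptions constructed for illustration.

```python
# Added illustration: a minimal in-memory model, not neutron's code.
MATCH_FIELDS = ("tenant_id", "security_group_id", "direction", "ethertype",
                "protocol", "port_range_min", "port_range_max",
                "remote_ip_prefix", "remote_group_id")


def make_rule(**fields):
    """Build a rule dict; any match field not given is None (meaning 'any')."""
    unknown = set(fields) - set(MATCH_FIELDS)
    if unknown:
        raise ValueError("unknown fields: %s" % sorted(unknown))
    return {name: fields.get(name) for name in MATCH_FIELDS}


def query(rules, filters):
    """Model of a filtered DB query: keys absent from `filters` are wildcards."""
    return [r for r in rules
            if all(r[k] in allowed for k, allowed in filters.items())]


def duplicate_wildcard(rules, new_rule):
    """Flawed check: None-valued fields are dropped from the filter, so they
    match rows holding ANY value, not only rows where the field is unset."""
    filters = {k: [v] for k, v in new_rule.items() if v is not None}
    return query(rules, filters)


def duplicate_exact(rules, new_rule):
    """Stricter check: narrow with the wildcard query, then require every
    match field, including the None ones, to be equal."""
    return [r for r in duplicate_wildcard(rules, new_rule)
            if all(r[k] == new_rule[k] for k in MATCH_FIELDS)]


# Constructed sample data (placeholder IDs, not values from the report).
EXISTING = [make_rule(tenant_id="tenant-a", security_group_id="sg-default",
                      direction="ingress", ethertype="IPv4",
                      remote_group_id="sg-default")]
ALLOW_ALL = make_rule(tenant_id="tenant-a", security_group_id="sg-default",
                      direction="ingress", ethertype="IPv4")

if __name__ == "__main__":
    print("wildcard check:", len(duplicate_wildcard(EXISTING, ALLOW_ALL)))
    print("exact check:   ", len(duplicate_exact(EXISTING, ALLOW_ALL)))
    print("true duplicate:", len(duplicate_exact(EXISTING + [ALLOW_ALL], ALLOW_ALL)))
```

The same wildcard effect applies to any unset field, so a rule restricted to one port would also be reported as a duplicate of a new rule that names only the protocol.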

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/57670

Changed in neutron:
status: Confirmed → In Progress
Aaron Rosen (arosen)
tags: added: havana-backport-potential
removed: folsom-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/57670
Committed: http://github.com/openstack/neutron/commit/9335ffd7c3eaad0d66d7d19e7760ae12476a5ea2
Submitter: Jenkins
Branch: master

commit 9335ffd7c3eaad0d66d7d19e7760ae12476a5ea2
Author: Aaron Rosen <email address hidden>
Date: Thu Nov 21 05:28:28 2013 -0800

    Fix unable to add allow all IPv4/6 security group rule

    Previously, if one tried to add a rule to allow all ingress ipv4 neutron
    would respond that the rule was already part of the security group.
    This happened as the filter for querying existing rules uses a wildcard for
    remote_group_id thus returning a false match. This patch addresses
    this issue.

    Change-Id: I0320013a3869d25fb424995354721929465d2848
    Closes-bug: #1252806

Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/60587

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/60589

Aaron Rosen (arosen)
tags: added: grizzly-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/havana)

Reviewed: https://review.openstack.org/60587
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=94d1dee76629aea63afa6bff98a8bfb855f07e45
Submitter: Jenkins
Branch: stable/havana

commit 94d1dee76629aea63afa6bff98a8bfb855f07e45
Author: Aaron Rosen <email address hidden>
Date: Thu Nov 21 05:28:28 2013 -0800

    Fix unable to add allow all IPv4/6 security group rule

    Previously, if one tried to add a rule to allow all ingress ipv4 neutron
    would respond that the rule was already part of the security group.
    This happened as the filter for querying existing rules uses a wildcard for
    remote_group_id thus returning a false match. This patch addresses
    this issue.

    Change-Id: I0320013a3869d25fb424995354721929465d2848
    Closes-bug: #1252806
    (cherry picked from commit 9335ffd7c3eaad0d66d7d19e7760ae12476a5ea2)

tags: added: in-stable-havana
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/grizzly)

Reviewed: https://review.openstack.org/60589
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e2c2fc675aa224a844dc08c60edbbb5b2e03b97c
Submitter: Jenkins
Branch: stable/grizzly

commit e2c2fc675aa224a844dc08c60edbbb5b2e03b97c
Author: Aaron Rosen <email address hidden>
Date: Thu Nov 21 05:28:28 2013 -0800

    Fix unable to add allow all IPv4/6 security group rule

    Previously, if one tried to add a rule to allow all ingress ipv4 neutron
    would respond that the rule was already part of the security group.
    This happened as the filter for querying existing rules uses a wildcard for
    remote_group_id thus returning a false match. This patch addresses
    this issue.

    Change-Id: I0320013a3869d25fb424995354721929465d2848
    Closes-bug: #1252806
    (cherry picked from commit 9335ffd7c3eaad0d66d7d19e7760ae12476a5ea2)

tags: added: in-stable-grizzly
Thierry Carrez (ttx)
Changed in neutron:
milestone: none → icehouse-2
status: Fix Committed → Fix Released
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential havana-backport-potential in-stable-grizzly in-stable-havana
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-2 → 2014.1