Adding security rules that are identical except for ingress/egress doesn't work properly when using neutron security groups

Bug #1254040 reported by Paul Emmerich
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Medium
Assigned to: Liyingjun
Milestone: 2014.1
Bug Description

Steps to reproduce:

1) edit an empty security group
2) add a rule with the following settings:
   Rule: All TCP
   Direction: Ingress
   (leave all other fields on their default)
3) add a rule with the following settings:
   Rule: All TCP
   Direction: Egress
   (leave all other fields on their default)
4) Get an error message.

The Neutron log shows:
   2013-11-22 14:54:47.129 5127 ERROR neutron.api.v2.resource [-] create failed
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource Traceback (most recent call last):
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource File "/usr/lib/python2.7/dist-packages/neutron/api/v2/resource.py", line 84, in resource
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource result = method(request=request, **args)
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource File "/usr/lib/python2.7/dist-packages/neutron/api/v2/base.py", line 405, in create
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource obj = obj_creator(request.context, **kwargs)
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource File "/usr/lib/python2.7/dist-packages/neutron/db/securitygroups_rpc_base.py", line 43, in create_security_group_rule
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource bulk_rule)[0]
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource File "/usr/lib/python2.7/dist-packages/neutron/db/securitygroups_db.py", line 270, in create_security_group_rule_bulk_native
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource self._check_for_duplicate_rules(context, r)
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource File "/usr/lib/python2.7/dist-packages/neutron/db/securitygroups_db.py", line 400, in _check_for_duplicate_rules
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource raise ext_sg.SecurityGroupRuleExists(id=str(rules[0]['id']))
   2013-11-22 14:54:47.129 5127 TRACE neutron.api.v2.resource SecurityGroupRuleExists: Security group rule already exists. Group id is 6b942e69-5aee-484d-8539-096cc26a15d9.

Workaround:
  add the second security rule by selecting "Custom TCP rule" instead of "All TCP" and specify the port range 1 to 65535.

Version information:
openstack-dashboard=2013.2-1~bpo70+1

Revision history for this message
Julie Pichon (jpichon) wrote :

Even if trying to add "All TCP" as EGRESS first, the rule shows up as Ingress once added.

tags: added: neutron
Changed in horizon:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → icehouse-1
David Lyle (david-lyle)
Changed in horizon:
milestone: icehouse-1 → icehouse-2
Changed in horizon:
assignee: nobody → alejandro emanuel paredes (alejandro-e-paredes)
Revision history for this message
Alejandro Emanuel Paredes (alejandro-e-paredes) wrote :

Hi Paul and Julie, I think this problem occurs due to the conditions that are used when adding a new security rule.
In the code, I found the following comments:

 # "direction" field is enabled only when custom mode. It is because most common rules in local_settings.py is meaningful when its direction is 'ingress'.

 # There are two cases where cleaned_data['direction'] is empty: (1) Nova Security Group is used. Since "direction" is HiddenInput, direction field exists but its value is ''. (2) Template is used. In this case, the default value is None. To make sure 'direction' field has 'ingress' or 'egress', fill this field here if it is not specified.

The actual behavior is that the direction is always set to "ingress" when choosing one of the ALL* rules (ALL ICMP, ALL TCP and ALL UDP).
When this happens, if you have previously created an ALL TCP rule (direction: ingress) and then add a new ALL TCP rule (direction: egress), it fails, as they are the same rule (direction: ingress).
Also, if you add an ALL TCP (direction: egress) rule first, it is created with direction: ingress.

As for the solution, if only the custom rules allow setting the direction, I think we should remove the direction selection combo from the ALL* rules (ALL ICMP, ALL TCP and ALL UDP).

By doing this, if you need to add an egress rule, you can do it by adding a new custom rule...

What do you think?

Revision history for this message
Alejandro Emanuel Paredes (alejandro-e-paredes) wrote :

Thinking about it more deeply, a cleaner solution for this issue could be to maintain the direction selection combo and allow it to set the value for the ALL* rules (ALL ICMP, ALL TCP and ALL UDP).
In the case that there is a direction value in local_settings.py, it will be used.
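The behaviour discussed in the two comments above (the form forcing "ingress" for the ALL* templates, Neutron then rejecting the second ALL TCP rule as a duplicate, and the Custom TCP 1-65535 workaround from the bug description), as an added illustration written for this page and not Horizon or Neutron code. The `RULE_TEMPLATES` table, the form fields, the `NeutronModel` duplicate check and the `build_rule` function are simplified assumptions modelled on the report and the traceback; the real implementations differ.

```python
"""Model of Horizon's "Add Rule" form feeding Neutron's duplicate-rule check.

Added illustration for this bug page, not Horizon or Neutron code. The
templates, form fields, duplicate key and NeutronModel are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed subset of the SECURITY_GROUP_RULES templates from local_settings.py.
RULE_TEMPLATES = {
    "all_tcp": {"ip_protocol": "tcp", "from_port": 1, "to_port": 65535},
    "all_udp": {"ip_protocol": "udp", "from_port": 1, "to_port": 65535},
    "all_icmp": {"ip_protocol": "icmp", "from_port": -1, "to_port": -1},
}


class SecurityGroupRuleExists(Exception):
    """Stands in for neutron's ext_sg.SecurityGroupRuleExists."""


@dataclass(frozen=True)
class Rule:
    direction: str
    ethertype: str
    protocol: Optional[str]
    port_range_min: Optional[int]
    port_range_max: Optional[int]
    remote_ip_prefix: Optional[str]


class NeutronModel:
    """Assumed duplicate check: a rule whose whole tuple (direction included)
    already exists in the group is rejected, as _check_for_duplicate_rules
    does in the traceback above. Two rules differing only in direction are
    distinct and both accepted."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def create_rule(self, rule: Rule) -> Rule:
        if rule in self.rules:
            raise SecurityGroupRuleExists("Security group rule already exists.")
        self.rules.append(rule)
        return rule


def build_rule(form: dict, fixed: bool) -> Rule:
    """Turn the form's cleaned data into a rule (hypothetical form logic).

    fixed=False reproduces the reported behaviour: for an ALL* template the
    direction chosen in the form is discarded and 'ingress' is used.
    fixed=True keeps the chosen direction, falling back to 'ingress' only
    when the field is empty (the Nova / template cases in the quoted comment).
    """
    menu = form["rule_menu"]
    chosen = form.get("direction") or "ingress"
    if menu in RULE_TEMPLATES:
        tpl = RULE_TEMPLATES[menu]
        protocol, pmin, pmax = tpl["ip_protocol"], tpl["from_port"], tpl["to_port"]
        direction = chosen if fixed else "ingress"
    else:
        # Custom rule: the menu value is the protocol and the ports come
        # from the form; the direction is honoured in both versions.
        protocol, pmin, pmax = menu, form["from_port"], form["to_port"]
        direction = chosen
    return Rule(direction, "IPv4", protocol, pmin, pmax, form.get("cidr", "0.0.0.0/0"))


def add_all_tcp_both_ways(fixed: bool, first: str = "ingress") -> List[str]:
    """Add ALL TCP with direction `first`, then with the opposite direction.
    Returns the direction Neutron stored for each, or 'error' on rejection."""
    neutron = NeutronModel()
    order = [first, "egress" if first == "ingress" else "ingress"]
    results = []
    for direction in order:
        form = {"rule_menu": "all_tcp", "direction": direction}
        try:
            results.append(neutron.create_rule(build_rule(form, fixed)).direction)
        except SecurityGroupRuleExists:
            results.append("error")
    return results


def workaround_on_buggy_form() -> List[str]:
    """The reporter's workaround: ALL TCP ingress, then Custom TCP 1-65535 egress."""
    neutron = NeutronModel()
    first = neutron.create_rule(build_rule({"rule_menu": "all_tcp", "direction": "ingress"}, fixed=False))
    custom = {"rule_menu": "tcp", "direction": "egress", "from_port": 1, "to_port": 65535}
    second = neutron.create_rule(build_rule(custom, fixed=False))
    return [first.direction, second.direction]


if __name__ == "__main__":
    print("buggy, ingress then egress:", add_all_tcp_both_ways(fixed=False))
    print("buggy, egress first:       ", add_all_tcp_both_ways(fixed=False, first="egress"))
    print("fixed, ingress then egress:", add_all_tcp_both_ways(fixed=True))
    print("workaround on buggy form:  ", workaround_on_buggy_form())
```

In this model the custom 1-65535 rule is identical to the ALL TCP template rule in every field except direction, so Neutron's duplicate check admits it for the same reason it admits the second rule once the fixed form passes the chosen direction through. The "egress first" case shows the effect Julie notes above: the stored rule is ingress, and the following ingress rule is the one that fails.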

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/61238

Changed in horizon:
status: Confirmed → In Progress
Changed in horizon:
assignee: alejandro emanuel paredes (alejandro-e-paredes) → Liyingjun (liyingjun)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/60245
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=77c35574e52a0653aa75ca26b1ec2ab38eaebff8
Submitter: Jenkins
Branch: master

commit 77c35574e52a0653aa75ca26b1ec2ab38eaebff8
Author: liyingjun <email address hidden>
Date: Fri Nov 22 23:34:27 2013 +0800

    Add missing egress sec group for all tcp/udp/icmp

    When creating "Security Group Egress ALL TCP/UDP/ICMP", the
    direction is always Ingress, need to add egress in the situation.

    Fixes bug #1254040

    Change-Id: I1a2bdc07d7ca4ecc12ebdb35a1f357de0d09c502

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: icehouse-2 → 2014.1
Julie Pichon (jpichon)
tags: added: havana-backport-potential