Mirantis OpenStack

Improper configuration of security group driver

Bug #1350875 reported by Ilya Shakhat on 2014-07-31

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Mirantis OpenStack	Won't Fix	Low	Sergey Kolekonov	Mirantis OpenStack 5.1.1
	5.0.x	Won't Fix	Low	Sergey Kolekonov	Mirantis OpenStack 5.0-updates

Bug Description

{
    "build_id": "2014-07-30_15-13-48",
    "ostf_sha": "9c0454b2197756051fc9cee3cfd856cf2a4f0875",
    "build_number": "375",
    "auth_required": true,
    "api": "1.0",
    "nailgun_sha": "aed9ca4c68fee08a61c96c1d7271b6b42d31eb01",
    "production": "docker",
    "fuelmain_sha": "09acf940bc60b8c1dabd08641de21af3e3c8916a",
    "astute_sha": "b16efcec6b4af1fb8669055c053fbabe188afa67",
    "feature_groups": [
        "mirantis"
    ],
    "release": "5.1",
    "fuellib_sha": "0e60fb01a4600608e0c04741d264ab4edf9324db"
}

Symptoms:
openvswitch-agent.log contains the following warning:
WARNING neutron.agent.securitygroups_rpc [req-0b8ef3ef-d4aa-4eef-b4cd-e90bafaf84df None] Driver configurat
ion doesn't match with enable_security_group

The agent is started with parameters --config-file=/etc/neutron/neutron.conf --config-file=/etc/neutron/plugin.ini
Grepping over configs give the following:
neutron.conf:firewall_driver=neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
plugin.ini:firewall_driver=neutron.agent.firewall.NoopFirewallDriver
plugins/ml2/ml2_conf.ini:firewall_driver=neutron.agent.firewall.NoopFirewallDriver

When agent is started the value from plugin.ini overwrites value from neutron.conf producing wrong configuration:
DEBUG neutron.plugins.openvswitch.agent.ovs_neutron_agent [-] SECURITYGROUP.firewall_driver = neutron.age
nt.firewall.NoopFirewallDriver log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1949

Tags:

Ilya Shakhat (shakhat) on 2014-07-31

tags:	added: neutron
Changed in mos:
milestone:	none → 5.1
assignee:	nobody → MOS Neutron (mos-neutron)
importance:	Undecided → High

Sergey Kolekonov (skolekonov) on 2014-07-31

Changed in mos:
assignee:	MOS Neutron (mos-neutron) → Sergey Kolekonov (skolekonov)

Revision history for this message

Vladimir Kuklin (vkuklin) wrote on 2014-08-01:

Well, for controller, it should not be enabled. I guess. And for compute nodes it is overriden by plugin configuration. So why is this bug set to High? Is it breaking anything? It looks like - not. So I am lowering the priority to low as it is only a matter of artifacts in log files.

Changed in mos:
milestone:	5.1 → 6.0
importance:	High → Low
status:	New → Confirmed

Revision history for this message

Dmitry Mescheryakov (dmitrymex) wrote on 2014-09-24:

I've added 5.0.x as affect though I am not sure since the issue could be ml2 plugin specific. Please set to invalid for 5.0.x if it is so.

Revision history for this message

Sergey Kolekonov (skolekonov) wrote on 2014-11-06:

This bug was fixed in 6.0 by merging upstream Neutron manifests.

Sergey Kolekonov (skolekonov) on 2014-11-06

no longer affects:

mos/6.0.x

Sergey Kolekonov (skolekonov) on 2014-11-06

Changed in mos:
status:	Confirmed → Won't Fix

Dmitry Mescheryakov (dmitrymex) on 2014-11-11

no longer affects:

mos/5.1.x

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.