Neutron's port security extension not enabled in MOS

Bug #1514010 reported by Adam Heczko
Affects            | Status       | Importance | Assigned to      | Milestone
Fuel for OpenStack | Fix Released | Medium     | Sergey Kolekonov |
7.0.x              | Won't Fix    | Medium     | Sergey Kolekonov |

Bug Description

Affects: MOS 7.0 GA and future releases.

Problem description:

The port security extension allows turning off L2 filtering on specified Neutron ports.
This extension was developed in the Kilo cycle and addresses issues raised by operators who were not able to pass L2 traffic to OpenStack instances.
The default action when creating a Neutron port is still to have filtering enabled (it is safe by default from a security standpoint).

Solution proposal:

On all MOS controller nodes add:

# file /etc/neutron/plugins/ml2/ml2_conf.ini
# extension_drivers is an option of the [ml2] section
[ml2]
extension_drivers = port_security

Changed in fuel:
importance: Undecided → Medium
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 8.0
tags: added: area-library
tags: added: customer-found
Alexander Ignatov (aignatov) wrote :

This bug looks like a feature request; I don't suggest fixing it in maintenance updates.

Changed in fuel:
status: New → Confirmed
tags: added: low-hanging-fruit
Matthew Mosesohn (raytrac3r) wrote :

This is for mos-puppet, actually

Changed in fuel:
assignee: Fuel Library Team (fuel-library) → MOS Puppet Team (mos-puppet)
Changed in fuel:
assignee: MOS Puppet Team (mos-puppet) → Sergey Kolekonov (skolekonov)
Sergey Kolekonov (skolekonov) wrote :

The necessary parameters for the puppet-neutron module will be added in this upstream patch: https://review.openstack.org/#/c/216654/

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/248244

Changed in fuel:
status: Confirmed → In Progress
Dmitry Pyzhov (dpyzhov)
tags: added: area-mos
removed: area-library
Changed in fuel:
assignee: Sergey Kolekonov (skolekonov) → Sergey Vasilenko (xenolog)
Changed in fuel:
assignee: Sergey Vasilenko (xenolog) → Sergey Kolekonov (skolekonov)
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/248244
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=ac1ac7b30821dbef3cfb93c3c891c0a90fd658e5
Submitter: Jenkins
Branch: master

commit ac1ac7b30821dbef3cfb93c3c891c0a90fd658e5
Author: Sergey Kolekonov <email address hidden>
Date: Fri Nov 20 23:49:33 2015 +0300

    Enable Neutron's port security

    Port security extension allows turning off L2 filtering on specified Neutron ports.
    This extension was developed in the Kilo cycle and addresses issues raised
    by operators who were not able to pass L2 traffic to OpenStack instances.

    Change-Id: Idc2abdcfdfb9e62f7cda3f1429ce45cd75c6929e
    Closes-bug: #1514010

Changed in fuel:
status: In Progress → Fix Committed
Kristina Berezovskaia (kkuznetsova) wrote :

Verified on ISO 241

Steps to verify:
1. Check parameter extension_drivers in file /etc/neutron/plugins/ml2/ml2_conf.ini
2.
   create net1, subnet
   create net2, subnet
   boot vm1 in net1
   boot instance 'r1_2' in net1 and net2
   boot vm2 in net2
   ping vm2 from vm1
   Result: ping isn't available (which we need)
3.
   create net3, subnet
   create net4, subnet
   create port in net3 with port secure False
   boot vm3 in this port
   create port in net3 with port secure False
   create port in net4 with port secure False
   boot instance 'r3_4' in previous 2 ports
   create port in net4 with port secure False
   boot vm4 in this port
   ping vm4 from vm3
   Result: ping is available (expected result)
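
Added example, not part of the bug report or the fuel-library change: a Python check for step 1 above that confirms port_security is listed in extension_drivers under the [ml2] section of ml2_conf.ini, plus a helper that lists the ports reporting port_security_enabled as false, as created in step 3. The config text, port IDs and network names are constructed samples, and the function names are this example's own.

```python
import configparser

# Constructed ml2_conf.ini contents (samples, not taken from the bug report).
ENABLED = "[ml2]\ntype_drivers = flat,vlan\nextension_drivers = qos, port_security\n"
COMMENTED = "[ml2]\ntype_drivers = flat,vlan\n# extension_drivers = port_security\n"
WRONG_SECTION = "[DEFAULT]\nextension_drivers = port_security\n[ml2]\ntype_drivers = vlan\n"

# Constructed port records shaped like Neutron API port objects.
PORTS = [
    {"id": "port-a", "network_id": "net1", "port_security_enabled": True},
    {"id": "port-b", "network_id": "net3", "port_security_enabled": False},
    {"id": "port-c", "network_id": "net4", "port_security_enabled": False},
    {"id": "port-d", "network_id": "net2"},  # attribute not reported
]


def extension_drivers(ini_text):
    """Return the extension drivers listed in the [ml2] section, in order."""
    # default_section is renamed so that [DEFAULT] values are not inherited
    # by [ml2], which is what configparser would otherwise do.
    cp = configparser.ConfigParser(
        default_section="__unused__", strict=False, interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get("ml2", "extension_drivers", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def port_security_loaded(ini_text):
    """True when the port_security extension driver is configured for ML2."""
    return "port_security" in extension_drivers(ini_text)


def unfiltered_ports(ports):
    """IDs of ports with L2 filtering explicitly switched off."""
    # A port that does not report the attribute is not counted as disabled.
    return [p["id"] for p in ports if p.get("port_security_enabled") is False]


if __name__ == "__main__":
    for name, text in [("enabled", ENABLED), ("commented", COMMENTED),
                       ("wrong section", WRONG_SECTION)]:
        print(name, port_security_loaded(text))
    print("filtering disabled on:", unfiltered_ports(PORTS))
```

A commented-out option or one placed outside [ml2] is reported as not loaded, so the check also catches a file that merely mentions port_security.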

Changed in fuel:
status: Fix Committed → Fix Released
tags: added: wontfix-feature