Fuel for OpenStack

fuel 7.0 neutron is not using stable/kilo code

Bug #1517336 reported by xin wu
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Invalid
Medium
Alexey Stupnikov
Fuel for OpenStack 7.0-updates

Bug Description

We are using fuel 7.0 and found out that security group is not applied to the compute node. In other words, iptables rules are not programmed at compute nodes. The compute node's log has following error message

File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/iptables_firewall.py", line 703, in _remove_raw_chain_rules
  if port['zone_id']:
KeyError: 'zone_id'

Then I took a look at the /usr/lib/python2.7/dist-packages/neutron/agent/linux/iptables_firewall.py file on the compute node. It has 718 lines. However, the upstream stable/kilo has 674 lines. The difference is mainly about conntrack zones.

Is it possible that when fuel 7.0 did the cherrypick from upstream to fix some bugs, some commits are not correctly cherry picked? Or did I miss something?

Ilya Kutukov (ikutukov)
Changed in fuel:
assignee: nobody → Fuel Library Team (fuel-library)
tags: added: area-library customer-found
Changed in fuel:
importance: Undecided → Medium
status: New → Confirmed
tags: added: area-mos
Ilya Kutukov (ikutukov)
Changed in fuel:
milestone: none → 8.0
milestone: 8.0 → 7.0-updates
assignee: Fuel Library Team (fuel-library) → MOS Maintenance (mos-maintenance)
Revision history for this message
xin wu (xin-wu) wrote :

Is it possible to provide a patch for 7.0? Otherwise, security groups will be broken until 8.0 is out.

Revision history for this message
Vitaly Sedelnik (vsedelnik) wrote :

xin wu, could you provide link to upstream review (I guess in neutron project) that adddresses your issue?

Revision history for this message
xin wu (xin-wu) wrote :

Vitaly, it looks like fuel 7.0 cherry picked commit bd5373b670cdd7f21f8a1ece98fde6be9fda71ab. The interesting part about this commit is that it causes bug https://bugs.launchpad.net/neutron/+bug/1478925, and as a result, a further fix is at commit 7e9b0e4ac53e83b18dd949564435710e86c7b81e. All these two commits are in liberty.

The commit that fuel cherry picked to 7.0 introduces conntrack zone to security groups, which breaks vendor plugins. I have merged workaround in vendor plugins to bypass this problem https://review.openstack.org/#/c/247852/

Dmitry Pyzhov (dpyzhov)
tags: removed: area-library
Alexey Stupnikov (astupnikov)
Changed in fuel:
assignee: MOS Maintenance (mos-maintenance) → Alexey Stupnikov (astupnikov)
Revision history for this message
Alexey Stupnikov (astupnikov) wrote :

It looks like this bug description is a bit outdated. Our neutron project has only slight differences compared to upstream one.

$ diff -u ~/git/mos/openstack/neutron ~/git/openstack/neutron | grep '^+[a-Z]\|^-[a-Z]' | wc -l
18

According to our policy, it is also impossible to cherry pick anything from upstream without a bug in MOS reported. Please consider MOS8 and MOS9, we are syncing those releases with upstream.

Closing as invalid.

Changed in fuel:
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.