[Murano] Only ingress rules are supported in security groups

Bug #1532334 reported by Stan Lagun
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | High | Dmytro Dovbii | |
| 6.1.x | Won't Fix | High | Dmytro Dovbii | |
| 7.0.x | Won't Fix | High | Dmytro Dovbii | |
| 8.0.x | Fix Released | High | Dmytro Dovbii | |

Bug Description

Currently there is no way to specify in which direction a security rule should be applied; only ingress is supported. Also, it is impossible to create IPv6 rules.

https://github.com/openstack/murano/blob/master/meta/io.murano/Classes/system/NeutronSecurityGroupManager.yaml#L56
https://github.com/openstack/heat/blob/stable/kilo/heat/engine/resources/openstack/neutron/security_group.py#L50

There should be a separate function for egress rules. Also, the optimal implementation should rely on IPv4 being the default and not put it into the Heat resource, so that the class will still work on older OpenStack versions which don't support IPv6 (and will complain about the property even if it is set to IPv4).

Upstream bug: https://bugs.launchpad.net/murano/+bug/1532317
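
The approach requested in the description, sketched as an added example (it is not part of the bug report and is not Murano or Heat code): rules carry an explicit direction, and `ethertype` is written only when it differs from the IPv4 default. The function names and the input keys (`FromPort`, `ToPort`, `IpProtocol`, `External`) are assumptions; the output keys are rule properties of Heat's `OS::Neutron::SecurityGroup`.

```python
# Added illustration; not Murano or Heat source code.
# Input keys (FromPort, ToPort, IpProtocol, External) are an assumed
# Murano-style rule format; output keys are rule properties of Heat's
# OS::Neutron::SecurityGroup resource.

VALID_DIRECTIONS = ("ingress", "egress")
VALID_ETHERTYPES = ("IPv4", "IPv6")
ANY_ADDRESS = {"IPv4": "0.0.0.0/0", "IPv6": "::/0"}


def to_heat_rule(rule, direction="ingress", ethertype="IPv4"):
    """Translate one rule into a Heat security-group rule dict."""
    if direction not in VALID_DIRECTIONS:
        raise ValueError("direction must be ingress or egress: %r" % direction)
    if ethertype not in VALID_ETHERTYPES:
        raise ValueError("ethertype must be IPv4 or IPv6: %r" % ethertype)
    if (rule["IpProtocol"] in ("tcp", "udp")
            and rule["FromPort"] > rule["ToPort"]):
        raise ValueError("FromPort exceeds ToPort")

    heat_rule = {
        "direction": direction,
        "protocol": rule["IpProtocol"],
        "port_range_min": rule["FromPort"],
        "port_range_max": rule["ToPort"],
    }
    # IPv4 is the default, so the key is omitted entirely; a Heat that
    # does not know the property (the case the report describes) is then
    # never handed it.
    if ethertype != "IPv4":
        heat_rule["ethertype"] = ethertype
    if rule.get("External"):
        # Open to any peer of the matching address family.
        heat_rule["remote_ip_prefix"] = ANY_ADDRESS[ethertype]
    else:
        # Restrict to members of the same security group.
        heat_rule["remote_mode"] = "remote_group_id"
    return heat_rule


def build_group_resource(ingress=(), egress=(), ethertype="IPv4"):
    """Build an OS::Neutron::SecurityGroup resource from two rule lists."""
    rules = [to_heat_rule(r, "ingress", ethertype) for r in ingress]
    rules += [to_heat_rule(r, "egress", ethertype) for r in egress]
    return {"type": "OS::Neutron::SecurityGroup",
            "properties": {"rules": rules}}
```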

Serg Melikyan (smelikyan) wrote :

Moved to Opinion while we are waiting for a response from the Product Management Team regarding this bug/feature.

Roman Podoliaka (rpodolyaka) wrote :

This sounds very much like a feature request to me - I suggest we implement it upstream first and close the bug for 8.0 as Won't Fix

tags: added: area-murano
tags: added: enhancement
Ilya Elterman (ielterman) wrote :

Sounds like a feature request indeed, please prove otherwise or close the bug as Invalid.

Serg Melikyan (smelikyan) wrote :

Hi Ilya,

this may be considered a feature, but on the other hand it is a flaw in the Security Manager implementation which prevents managing security groups properly (controlling outgoing traffic), which leads to an inability to properly use any kind of VNFs. This is a customer-found issue.

Dmytro Dovbii (ddovbii) wrote :
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/murano (openstack-ci/fuel-8.0/liberty)

Reviewed: https://review.fuel-infra.org/16443
Submitter: Pkgs Jenkins <email address hidden>
Branch: openstack-ci/fuel-8.0/liberty

Commit: e286cf20496c9977fc560bea3d33dc04360e1ab9
Author: Dmytro Dovbii <email address hidden>
Date: Mon Jan 25 15:19:17 2016

[Core-Library] Add ability to specify direction and ethertype for groups

Previously there was no way to specify in which direction a security rule
should be applied; only ingress was supported. Also, it was impossible
to create IPv6 rules.
This patch added the ability to specify direction and ethertype for
Neutron security groups, and direction for AWS security groups.

Change-Id: Iba5be7a8a94c34eab3e0e06f95e5358a84a5dd7b
Closes-Bug: #1532334
(cherry picked from commit 186612daf708b0ad3199bbf77ea8d3ed0f5eb48e)

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/murano (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Dmytro Dovbii <email address hidden>
Review: https://review.fuel-infra.org/16935

Anastasia Kuznetsova (akuznetsova) wrote :

Bug verified on:
VERSION:
  feature_groups:
    - mirantis
    - experimental
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "529"
  build_id: "529"

Roman Podoliaka (rpodolyaka) wrote :

Release notes:

It is now possible to specify in which direction a security rule should be applied.

tags: added: release-notes
tags: added: 8.0 release-notes-done
removed: release-notes
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/murano (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Serg Melikyan <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/16935
Reason: Is not accepted by maintenance team

Vitaly Sedelnik (vsedelnik) wrote :

Won't Fix for 6.1- and 7.0-updates because this is a feature request.

tags: added: wontfix-feature