Mirantis OpenStack

[Murano] Only ingress rules are supported in security groups

Bug #1532334 reported by Stan Lagun on 2016-01-08

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mirantis OpenStack	Fix Released	High	Dmytro Dovbii	Mirantis OpenStack 8.0
6.1.x	Won't Fix	High	Dmytro Dovbii	Mirantis OpenStack 6.1-updates
7.0.x	Won't Fix	High	Dmytro Dovbii	Mirantis OpenStack 7.0-updates
8.0.x	Fix Released	High	Dmytro Dovbii	Mirantis OpenStack 8.0

Bug Description

Currently there is no way to specify in which direction security rule should be applied, only ingress is supported. Also it is impossible to create IPv6 rules

https://github.com/openstack/murano/blob/master/meta/io.murano/Classes/system/NeutronSecurityGroupManager.yaml#L56
https://github.com/openstack/heat/blob/stable/kilo/heat/engine/resources/openstack/neutron/security_group.py#L50

There should be a separate function for egress rules. Also optimal implementation should rely on IPv4 being the default and do not put into Heat resource so that the class will still work on older OpenStack versions which doesn't support IPv6 (and will complain on the property even if it is set to IPv4)

Upstream bug: https://bugs.launchpad.net/murano/+bug/1532317

Tags:

Revision history for this message

Serg Melikyan (smelikyan) wrote on 2016-01-10:

Moved to Opinion while we are waiting for response from Product Management Team regarding this bug/feature

Revision history for this message

Roman Podoliaka (rpodolyaka) wrote on 2016-01-15:

This sounds very much like a feature request to me - I suggest we implement it upstream first and close the bug for 8.0 as Won't Fix

tags:	added: area-murano
tags:	added: enhancement

Revision history for this message

Ilya Elterman (ielterman) wrote on 2016-01-22:

Sounds like a feature request indeed, please prove otherwise or close the bug as Invalid.

Revision history for this message

Serg Melikyan (smelikyan) wrote on 2016-01-22:

Hi Ilya,

this is may be considered as a feature, but from other side it is a flaw in Security Manager implementation which prevents to manage security groups properly - control out-coming traffic, which leads to inability to use properly any kind of VNFs. This is customer found issue.

Revision history for this message

Dmytro Dovbii (ddovbii) wrote on 2016-01-25:

patch in mos 8.0 https://review.fuel-infra.org/#/c/16443/

Revision history for this message

Fuel Devops McRobotson (fuel-devops-robot) wrote on 2016-01-26: Fix merged to openstack/murano (openstack-ci/fuel-8.0/liberty)

Reviewed: https://review.fuel-infra.org/16443
Submitter: Pkgs Jenkins <email address hidden>
Branch: openstack-ci/fuel-8.0/liberty

Commit: e286cf20496c9977fc560bea3d33dc04360e1ab9
Author: Dmytro Dovbii <email address hidden>
Date: Mon Jan 25 15:19:17 2016

[Core-Library] Add ability to specify direction and ethetype for groups

Previously there was no way to specify in which direction security rule
should be applied, only ingress was supported. Also it was impossible
to create IPv6 rules.
This patch added ability to specify direction and ethertype for
Neutron security groups and direction - for AWS security groups

Change-Id: Iba5be7a8a94c34eab3e0e06f95e5358a84a5dd7b
Closes-Bug: #1532334
(cherry picked from commit 186612daf708b0ad3199bbf77ea8d3ed0f5eb48e)

Revision history for this message

Fuel Devops McRobotson (fuel-devops-robot) wrote on 2016-02-12: Fix proposed to openstack/murano (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Dmytro Dovbii <email address hidden>
Review: https://review.fuel-infra.org/16935

Revision history for this message

Anastasia Kuznetsova (akuznetsova) wrote on 2016-02-16:

Bug verified on:
VERSION:
  feature_groups:
    - mirantis
    - experimental
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "529"
  build_id: "529"
  fuel-nailgun_sha: "baec8643ca624e52b37873f2dbd511c135d236d9"
  python-fuelclient_sha: "4f234669cfe88a9406f4e438b1e1f74f1ef484a5"
  fuel-agent_sha: "658be72c4b42d3e1436b86ac4567ab914bfb451b"
  fuel-nailgun-agent_sha: "b2bb466fd5bd92da614cdbd819d6999c510ebfb1"
  astute_sha: "b81577a5b7857c4be8748492bae1dec2fa89b446"
  fuel-library_sha: "e2d79330d5d708796330fac67722c21f85569b87"
  fuel-ostf_sha: "3bc76a63a9e7d195ff34eadc29552f4235fa6c52"
  fuel-mirror_sha: "fb45b80d7bee5899d931f926e5c9512e2b442749"
  fuelmenu_sha: "e071216cb214e34b4d861478033425ee6a54a3be"
  shotgun_sha: "63645dea384a37dde5c01d4f8905566978e5d906"
  network-checker_sha: "a43cf96cd9532f10794dce736350bf5bed350e9d"
  fuel-upgrade_sha: "616a7490ec7199f69759e97e42f9b97dfc87e85b"
  fuelmain_sha: "a365f05b903368225da3fea9aa42afc1d50dc9b4"

Revision history for this message

Roman Podoliaka (rpodolyaka) wrote on 2016-02-19:

Release notes:

It is now possible to specify in which direction security rule should be applied.

tags:

added: release-notes

Olga Gusarenko (ogusarenko) on 2016-02-25

tags:

added: 8.0 release-notes-done
removed: release-notes

Revision history for this message

Fuel Devops McRobotson (fuel-devops-robot) wrote on 2016-04-07: Change abandoned on openstack/murano (openstack-ci/fuel-7.0/2015.1.0)

#10

Change abandoned by Serg Melikyan <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/16935
Reason: Is not accepted by maintenance team

Revision history for this message

Vitaly Sedelnik (vsedelnik) wrote on 2016-04-27:

#11

Won't Fix for 6.1- and 7.0-updates because this is feature request.

tags:

added: wontfix-feature

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.