neutron

Flows per in_port are deleted after SG rules are applied

Bug #1559920 reported by Rodolfo Alonso
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
IWAMOTO Toshihiro
neutron pike-1 "p-1"

Bug Description

During the creation of a new port in the integration bridge (br-int), first the firewall rules are applied and then all flows matching this input port are deleted:

if cur_tag != lvm.vlan:
                self.int_br.delete_flows(in_port=port.ofport)

This happens only when the port is created (or the vlan tag changes). If any firewall rule is applied using the in_port as a condition, during the initialization of the firewall for this port, this rule is deleted.

Instead of that, this security action should be moved to the previous function, "_add_port_tag_info", in order to avoid any firewall rule deletion and maintaining the same security level during the port creation; that means the ports doesn't allow any kind of traffic until the firewall rules are applied.

how to reproduce:

    Start the Neutron agent with the OVS firewall configured.
    Wait untill all ovs flows are stablished. You'll see some flows with conditions "in_port=xx". Those are set in "initialize_port_flows", in the OVS firewall.
    Stop the agent. No flow must be deleted. Make a capture of all the flows.
    Restart the agent. At this point, the VLAN tag should be different from the last one assigned by the agent.
    Now you can compare the flows in OVS to the lsit of flows in step 3.

See original description
Rodolfo Alonso (rodolfo-alonso-hernandez)
tags: added: firewall groups ovs security
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/295154

Changed in neutron:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/295155

Hirofumi Ichihara (ichihara-hirofumi)
tags: added: sg-fw
removed: firewall groups security
Changed in neutron:
importance: Undecided → Low
milestone: none → newton-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/liberty)

Change abandoned by Ihar Hrachyshka (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/295155
Reason: Please repropose once master and mitaka patches land.

Miguel Angel Ajo (mangelajo)
tags: added: mitaka-backport-potential
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: newton-1 → newton-2
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: newton-2 → newton-3
Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

Not directly related, but the current implementation of ovsfirewall does del-flows then add-flows for update operations. This causes a short disruption of connectivity.
If the problem can be tackled by allocating some more cookies for ovsfirewall (eg. per-port or per-SG), it may be worth considering now.

Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Please, review this patch: https://review.openstack.org/#/c/295154/

It's been there form weeks, waiting for review.

Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

Not directly related, but the current implementation of ovsfirewall does del-flows then add-flows for update operations. This causes a short disruption of connectivity.
If the problem can be tackled by allocating some more cookies for ovsfirewall (eg. per-port or per-SG), it may be worth considering now.

Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

@iwamoto I agree with your comment. But this bug tries to solve this problem. Furthermore, I'm adding cookies to the FW, so in a future modifying the flow management made by the FW could be easier.

Please, take a look at the patch (https://review.openstack.org/#/c/295154/).

Thank you for your comments!

Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: newton-3 → newton-rc1
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: newton-rc1 → ocata-1
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Not critical for Mitaka.

tags: removed: mitaka-backport-potential
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: ocata-1 → ocata-2
Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

It seems to be one of the causes of ovsfw+tempest failure.
admin_state_up true -> false ->true transition seems to cause the cur_tag != lvm.vlan check to fire and ovsfw flows are wiped out.

http://logs.openstack.org/00/399400/5/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial/41d30bc/

Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

I found this error several months ago, doing manual tests. It should be merged as soon as possible. Having a patch not reviewed/accepted for 9 months is frustrating for the developer and bad for the product.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/406731

Changed in neutron:
assignee: Rodolfo Alonso (rodolfo-alonso-hernandez) → IWAMOTO Toshihiro (iwamoto)
Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

@IWAMOTO: I have a patch submited nine months ago and I'm still waiting for reviews. This patch is still active and I'm taking care of it.

It's impolite the way you moved the assignee of this patch, submiting another one with the same number.

Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

Hi Rodolfo,

I just followed your comment on
https://review.openstack.org/#/c/295154/29/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py@1664

OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: IWAMOTO Toshihiro (iwamoto) → Rodolfo Alonso (rodolfo-alonso-hernandez)
Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Another patch but not for this bug, because your solution doesn't solves the problem. Maybe it does for the tempest test you mentioned, but not this bug.

Anyway, I'll wait for other reviewers, but I won't refactor anymore this patch. This is taking too long.

Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: ocata-2 → ocata-3
Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: ocata-3 → ocata-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/406731
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Armando Migliaccio (armando-migliaccio)
Changed in neutron:
milestone: ocata-rc1 → pike-1
OpenStack Infra (hudson-openstack)
Changed in neutron:
assignee: Rodolfo Alonso (rodolfo-alonso-hernandez) → IWAMOTO Toshihiro (iwamoto)
YAMAMOTO Takashi (yamamoto)
description: updated
Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

I followed the sequence in the description but couldn't reproduce.

1. I started an openstack system with devstack.
2. When the system is up, there are 2 flows with in_port=xx. They are both in_port=1, which specifies int-br-ex.
3. Restarted ovs-agent. No change.

I also tried with some ports and vlans.

1'. Same as 1
2'. Devstack sets up 2 networks: private and public. Issued the following.
$ openstack network create privdeux
$ openstack subnet create --subnet-range 10.0.1.0/26 --network privdeux pri
vdeux-subnet
$ openstack --image cirros-0.3.4-x86_64-uec --flavor m1.tiny --nic net-id=p
rivate --nic net-id=privdeux hoge

3': At this point there are 29 flows with in_port=xxx. Issued the following to capture local vlan ids.

$ sudo ovs-vsctl list Port >/tmp/port.txt

4': Restarted ovs-agent. There are still 29 flows with in_port=xxx. "ovs-vsctl list Port" output was same, indicating no local vlan change.

Revision history for this message
YAMAMOTO Takashi (yamamoto) wrote :

Toshihiro,

it seems like the expected behaviour for the given procedure.

Rodolfo,

do you have any idea why vlan tag has been changed for you?

Revision history for this message
IWAMOTO Toshihiro (iwamoto) wrote :

Rodolfo, did you boot instances before restarting ovs-agent, or did you issue any neutron API while ovs-agent is down?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Rodolfo Alonso Hernandez (<email address hidden>) on branch: master
Review: https://review.openstack.org/295154

Jakub Libosvar (libosvar)
Changed in neutron:
importance: Low → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/406731
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c54c5791b43deada9936f0c9c5d8b681a3216893
Submitter: Jenkins
Branch: master

commit c54c5791b43deada9936f0c9c5d8b681a3216893
Author: IWAMOTO Toshihiro <email address hidden>
Date: Mon Dec 5 13:28:59 2016 +0900

    ovs-agent: Clear in_port=ofport flow earlier

    This is the minimum change to pass tempest's
    test_update_instance_port_admin_state test. Alternatively, the delete_flows
    could be changed to just deal with drop_port flows, which can affect
    3rd party codes.

    Change-Id: Id15eed5f21bc6842daceb28ee9bc660f20e9b04a
    Closes-Bug: #1559920

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.0.0b2

This issue was fixed in the openstack/neutron 11.0.0.0b2 development milestone.

Ihar Hrachyshka (ihar-hrachyshka)
tags: added: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/482569

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/482569
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=466ab8f3492e5fc6756a00fc2dbf6d2dfc0fa9b7
Submitter: Jenkins
Branch: stable/ocata

commit 466ab8f3492e5fc6756a00fc2dbf6d2dfc0fa9b7
Author: IWAMOTO Toshihiro <email address hidden>
Date: Mon Dec 5 13:28:59 2016 +0900

    ovs-agent: Clear in_port=ofport flow earlier

    This is the minimum change to pass tempest's
    test_update_instance_port_admin_state test. Alternatively, the delete_flows
    could be changed to just deal with drop_port flows, which can affect
    3rd party codes.

     Conflicts:
     neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py

    Change-Id: Id15eed5f21bc6842daceb28ee9bc660f20e9b04a
    Closes-Bug: #1559920
    (cherry picked from commit c54c5791b43deada9936f0c9c5d8b681a3216893)

tags: added: in-stable-ocata
Daniel Alvarez (dalvarezs)
tags: removed: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.3

This issue was fixed in the openstack/neutron 10.0.3 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/529315

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/ocata)

Change abandoned by Max Pavlukhin (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/529315

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.