[Neutron] [Nova] Security groups not applied by default

Bug #1563876 reported by Sergey Belous
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Released | Critical | Sergey Kolekonov |
Mitaka | Fix Released | Critical | Sergey Kolekonov |
Newton | Fix Released | Critical | Sergey Kolekonov |

Bug Description

Detailed bug description:
After deploying the environment, the security groups are not applied by default, allowing all connections to the launched instance

Steps to reproduce:
1. Deploy fuel
2. Launch cirros in internal network
3. Associate floating ip to instance created on step 2
4. Try to ping instance by floating ip
5. Try to ssh to the instance using the floating ip

Expected results:
Ping instance and ssh login should not work

Actual result:
Ping instance and ssh login work

Reproducibility:
Always

Workaround:
-

Impact:
-

Description of the environment:
-

Additional information:
- It looks like the option firewall_driver is None in ml2_conf.ini by default

Sergey Belous (sbelous)
description: updated
Changed in fuel:
assignee: nobody → Sergey Kolekonov (skolekonov)
Changed in fuel:
importance: Undecided → High
status: New → Confirmed
milestone: none → 9.0
Dina Belova (dbelova)
tags: added: area-neutron
Atsuko Ito (yottatsa) wrote :

Firewall driver is empty on controller
/etc/neutron/plugins/ml2/ml2_conf.ini:#firewall_driver = <None>

Changed in fuel:
importance: High → Critical
tags: added: area-mos
removed: area-neutron
Sergey Kolekonov (skolekonov) wrote :

An upstream fix is on review already and the root cause is known https://review.openstack.org/#/c/300442/

Changed in fuel:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-library (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/301547

OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/301547
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=e522e6a98ca22dd22d5bd8740605389fd87dbfee
Submitter: Jenkins
Branch: master

commit e522e6a98ca22dd22d5bd8740605389fd87dbfee
Author: Sergey Kolekonov <email address hidden>
Date: Tue Apr 5 12:59:27 2016 +0300

    Explicitly enable security groups for ML2 plugin

    If Neutron is installed from Ubuntu/Debian packages, neutron-server and
    openvswitch agent use separate files to load configuration related to
    ML2 plugin. So in order to use security groups firewall_driver value should
    be passed to both configuration files (ml2_conf.ini and openvswitch_agent.ini).

    Also explicitly enable security groups to fix tests for related patch to
    puppet-neutron

    Change-Id: Ia298e002f71e8de0358c90277c24ca5a3c417b3c
    Related-bug: #1563876
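
A check for the condition this commit message describes, as an added example that is not part of the bug report or of fuel-library: it audits the `[securitygroup]` section of both files the message names. The sample file contents, the function names and the driver class used in the fixed sample are assumptions made for illustration; the commented-out line mirrors the one quoted from the controller above.

```python
import configparser

# Values that leave security group rules unenforced by the agent.
UNENFORCED = {"", "noop", "neutron.agent.firewall.NoopFirewallDriver"}
FALSE_VALUES = {"false", "0", "no", "off"}

# Constructed sample file contents (not taken from the reporter's nodes).
BROKEN = "[ml2]\nmechanism_drivers = openvswitch\n\n[securitygroup]\n#firewall_driver = <None>\n"
FIXED = (
    "[securitygroup]\n"
    "enable_security_group = True\n"
    "firewall_driver = neutron.agent.linux.iptables_firewall."
    "OVSHybridIptablesFirewallDriver\n"
)


def audit_file(name, text):
    """Return findings for the [securitygroup] section of one config file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("securitygroup"):
        return [f"{name}: no [securitygroup] section"]
    findings = []
    # A commented-out option parses as absent, so it falls back to "".
    driver = cp.get("securitygroup", "firewall_driver", fallback="").strip()
    if driver in UNENFORCED:
        findings.append(f"{name}: firewall_driver unset or no-op ({driver!r})")
    enabled = cp.get("securitygroup", "enable_security_group", fallback="true")
    if enabled.strip().lower() in FALSE_VALUES:
        findings.append(f"{name}: enable_security_group is disabled")
    return findings


def audit_node(files):
    """files maps file name -> contents; both files from the commit message are required."""
    findings = []
    for required in ("ml2_conf.ini", "openvswitch_agent.ini"):
        if required not in files:
            findings.append(f"{required}: file not provided")
        else:
            findings.extend(audit_file(required, files[required]))
    return findings


if __name__ == "__main__":
    for line in audit_node({"ml2_conf.ini": BROKEN, "openvswitch_agent.ini": FIXED}):
        print(line)
```
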

summary: - security groups not applied by default
+ [Neutron] [Nova] Security groups not applied by default
Changed in fuel:
status: In Progress → Fix Committed
Sergey Kolekonov (skolekonov) wrote :

The bug should still be open, as only the upstream patch and a temporary patch for fuel-library have been merged

Changed in fuel:
status: Fix Committed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/302699

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-library (stable/mitaka)

Related fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/302833

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/302699
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=d3affe1c56e04fdda28d17eda5d5e1942ede9630
Submitter: Jenkins
Branch: master

commit d3affe1c56e04fdda28d17eda5d5e1942ede9630
Author: Sergey Kolekonov <email address hidden>
Date: Thu Apr 7 15:03:24 2016 +0300

    Pass correct security groups driver for ML2 plugin

    In order to use security groups firewall_driver value should be set
    to a correct value for Neutron ML2 plugin

    Change-Id: If3f2f07f75c24658bef23f2de072fafa3fe71d5a
    Closes-bug: #1563876

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-library (stable/mitaka)

Reviewed: https://review.openstack.org/302833
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=a180b1bfb17f1a16ebec8fb289ba997e8170fead
Submitter: Jenkins
Branch: stable/mitaka

commit a180b1bfb17f1a16ebec8fb289ba997e8170fead
Author: Sergey Kolekonov <email address hidden>
Date: Tue Apr 5 12:59:27 2016 +0300

    Explicitly enable security groups for ML2 plugin

    If Neutron is installed from Ubuntu/Debian packages, neutron-server and
    openvswitch agent use separate files to load configuration related to
    ML2 plugin. So in order to use security groups firewall_driver value should
    be passed to ML2 plugin configuration file.

    This is a transitional patch to safely merge (with +1 from Fuel CI)
    a patch to puppet-neutron I9819867251e3c35f252ddbbad1178bff1c585314

    Change-Id: Ia298e002f71e8de0358c90277c24ca5a3c417b3c
    Related-bug: #1563876
    (cherry picked from commit e522e6a98ca22dd22d5bd8740605389fd87dbfee)

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/304796

Changed in fuel:
status: Fix Committed → In Progress
tags: added: swarm-blocker
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/mitaka)

Reviewed: https://review.openstack.org/304796
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=2ed07e70b1f377385f49790997741295d55bed8c
Submitter: Jenkins
Branch: stable/mitaka

commit 2ed07e70b1f377385f49790997741295d55bed8c
Author: Sergey Kolekonov <email address hidden>
Date: Thu Apr 7 15:03:24 2016 +0300

    Pass correct security groups driver for ML2 plugin

    In order to use security groups firewall_driver value should be set
    to a correct value for Neutron ML2 plugin

    Change-Id: If3f2f07f75c24658bef23f2de072fafa3fe71d5a
    Closes-bug: #1563876
    (cherry picked from commit d3affe1c56e04fdda28d17eda5d5e1942ede9630)

Alexander Zatserklyany (zatserklyany) wrote :

Verified on
-----------
fuel_build_id: 312
fuel_build_number: 312
fuel_release: 9.0
fuel_openstack_version: mitaka-9.0
----------------------------------
root@node-3:~# ping -c 3 10.109.3.132
PING 10.109.3.132 (10.109.3.132) 56(84) bytes of data.

--- 10.109.3.132 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

root@node-3:~# ssh 10.109.3.132
ssh: connect to host 10.109.3.132 port 22: Connection timed out

tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on 10.0 build #1556.
root@node-1:~# nova list
+--------------------------------------+------+--------+------------+-------------+----------------------------------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------+--------+------------+-------------+----------------------------------------------+
| 6f66bec1-cb93-4e40-9ba2-ff6f1f05b8a2 | vm_1 | ACTIVE | - | Running | admin_internal_net=192.168.0.3, 10.109.8.136 |
+--------------------------------------+------+--------+------------+-------------+----------------------------------------------+
root@node-1:~# ping 10.109.8.136
PING 10.109.8.136 (10.109.8.136) 56(84) bytes of data.
64 bytes from 10.109.8.136: icmp_seq=1 ttl=63 time=3.85 ms
64 bytes from 10.109.8.136: icmp_seq=2 ttl=63 time=4.37 ms
64 bytes from 10.109.8.136: icmp_seq=3 ttl=63 time=1.29 ms
^C

tags: removed: on-verification
Changed in fuel:
status: Fix Committed → Fix Released