[R3.0-25]:vnc-api:source and destination port should not be mandatory to create SG

Bug #1573444 reported by alok kumar
Affects: Juniper Openstack (status tracked in Trunk)
  R3.0  - Status: Fix Committed, Importance: Undecided, Assigned to: Ranjeet R
  Trunk - Status: Fix Committed, Importance: Undecided, Assigned to: Ranjeet R

Bug Description

While creating a security group through the Contrail API, if the source and destination ports are both not used, there is some unexpected behaviour.

1. Both ports should not be mandatory; however, neutron allows creating an SG rule without any port input too.
    For an ingress rule, only the src port makes sense, and for an egress rule only the dst port should be used.
    Even if it's mandatory in config, the API should throw an error during creation.

2. When trying to create an SG egress rule without a src port, creation goes through fine but the egress ACL is not populated in the agent.

REST API call to create the SG:
curl -X POST -H "Content-Type: application/json; charset=UTF-8" -d '{"security-group": {"parent_type": "project", "fq_name": ["default-domain", "admin", "sg-test2"], "security_group_entries": {"policy_rule": [{"protocol": "udp", "dst_addresses": [{"subnet": {"ip_prefix": "1.1.1.0", "ip_prefix_len": 24}}, {"subnet": {"ip_prefix": "2.2.2.0", "ip_prefix_len": 24}}], "dst_ports": [{"start_port": 8194, "end_port": 8198}], "src_addresses": [{"security_group": "local"}], "ethertype":"IPv4"}]}}}' -u admin:contrail123 http://127.0.0.1:8095/security-groups

After debugging, it was seen that there was no egress rule in the ifmap egress ACL sent to the agent.

type:access-control-list name:default-domain:admin:sg-test2:egress-access-control-list access-control-list-entries dynamic:false id-perms permissions owner:admin owner-access:7 group:admin group-access:7 other-access:7 uuid uuid-mslong:5019399869121053502 uuid-lslong:13110311576962971613 Uuid : 45a87d96-489a-433e-b5f1-2eeaf791b7dd enable:true created:2016-04-22T06:34:43 last-modified:2016-04-22T06:34:43 user-visible:true perms2 owner:81f6025b7c75424d86a3de7baf4f8c3c owner-access:7 global-access:0 display-name:egress-access-control-list Adjacencies: security-group default-domain:admin:sg-test2

3. When trying to create an SG ingress rule without a dst port, creation goes through fine and it's visible in config too, but the SG does not show up in horizon/neutron.

Without dst port:

curl -X POST -H "Content-Type: application/json; charset=UTF-8" -d '{"security-group": {"parent_type": "project", "fq_name": ["default-domain", "admin", "sg-test6"], "security_group_entries": {"policy_rule": [{"protocol": "udp", "src_addresses": [{"subnet": {"ip_prefix": "1.1.1.0", "ip_prefix_len": 24}}, {"subnet": {"ip_prefix": "2.2.2.0", "ip_prefix_len": 24}}], "src_ports": [{"start_port": 8194, "end_port": 8199}], "dst_addresses": [{"security_group": "local"}], "ethertype":"IPv4"}]}}}' -u admin:contrail123 http://127.0.0.1:8095/security-groups

root@nodeg18:~# neutron security-group-list
+--------------------------------------+-------------+------------------------------+
| id | name | description |
+--------------------------------------+-------------+------------------------------+
| 73744aee-1e9b-4588-82e1-35976b7edc7b | no-rule | |
| a935164d-3bd1-4f1d-aeb9-313272fbf185 | __no_rule__ | Security group with no rules |
| 2348464f-2817-4b32-9417-711644e05c6b | sg-test4 | |
| 579e461d-2403-439d-9d5d-21d2d75a62dc | sg-test2 | |
| 289c0898-d843-4268-be87-12017b6c5f86 | default | Default security group |
| 6f0e9628-7fd7-4389-8beb-ebf2248c9d75 | default | Default security group |
+--------------------------------------+-------------+------------------------------+

4. Same as 2 for an ingress rule (without src port). The agent does get the ingress rule.

curl -X POST -H "Content-Type: application/json; charset=UTF-8" -d '{"security-group": {"parent_type": "project", "fq_name": ["default-domain", "admin", "sg-test3"], "security_group_entries": {"policy_rule": [{"protocol": "udp", "src_addresses": [{"subnet": {"ip_prefix": "1.1.1.0", "ip_prefix_len": 24}}, {"subnet": {"ip_prefix": "2.2.2.0", "ip_prefix_len": 24}}], "dst_ports": [{"start_port": 8194, "end_port": 8198}], "dst_addresses": [{"security_group": "local"}], "ethertype":"IPv4"}]}}}' -u admin:contrail123 http://127.0.0.1:8095/security-groups

Tags: config
Revision history for this message
alok kumar (kalok) wrote :

Setup Info:

env.roledefs = {
    'all': [host1,host2,host3,host4],
    'cfgm': [host1],
    'openstack':[host2],
    'control': [host1,host2],
    'compute': [host3,host4],
    'collector': [host1,host2],
    'webui': [host1],
    'database': [host1],
    'build': [host_build],
}

env.hostnames = {
    'all': ['nodec64', 'nodeg18', 'nodec62', 'nodec12']
}

Agent introspect ifmap page:
http://nodec12.englab.juniper.net:8085/Snh_ShowIFMapAgentReq?table_name=&node_sub_string=&link_type_sub_string=&link_node_sub_string=

alok kumar (kalok)
description: updated
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/19756
Submitter: Ranjeet R (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/19875
Submitter: Ranjeet R (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/19876
Submitter: Ranjeet R (<email address hidden>)

Jeba Paulaiyan (jebap)
information type: Proprietary → Public
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/19875
Submitter: Ranjeet R (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/19876
Submitter: Ranjeet R (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/19876
Committed: http://github.org/Juniper/contrail-controller/commit/c08f26e3d66f09510ac011aeaf1cab93101de353
Submitter: Zuul
Branch: R3.0

commit c08f26e3d66f09510ac011aeaf1cab93101de353
Author: Ranjeet R <email address hidden>
Date: Tue May 3 18:07:54 2016 -0700

Fixes: vnc-api:source and destination port should not be mandatory to create SG

If the SG rule does not specify src/dst port information, assume
0-65535 in schema transformer.

Change-Id: I85bb0f8e4ecfdfbcde7e759f19e5f7c574aa4cae
Closes-Bug: 1573444

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/19875
Committed: http://github.org/Juniper/contrail-controller/commit/fd4125d77f66a973f3c04548e47b89173d53a4ba
Submitter: Zuul
Branch: master

commit fd4125d77f66a973f3c04548e47b89173d53a4ba
Author: Ranjeet R <email address hidden>
Date: Tue May 3 18:04:16 2016 -0700

Fixes: vnc-api:source and destination port should not be mandatory to create SG

If the SG rule does not specify src/dst port information, assume
0-65535 in schema transformer.

Change-Id: Ie955d6296c93ab543195b91081185553789e3c33
Closes-Bug: 1573444

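The two merged commits above describe the fix in one sentence: a rule that omits src/dst port information is treated as matching 0-65535. The following is an added illustration of that behaviour, not Contrail's schema transformer code. It takes the two policy_rule bodies from the curl requests in the bug description (sg-test2, an egress rule with no src_ports, and sg-test6, an ingress rule with no dst_ports), fills in the missing side with the full range so the rule handed to the agent ACL always carries a port match on both sides, and rejects malformed ranges that were supplied. The direction inference from which address list names the "local" security group is an assumption taken from the bug's own examples.

```python
"""Added example (not Contrail's own code): default a missing src_ports /
dst_ports list in an SG policy_rule to 0-65535, as the fix commits describe,
and sanity-check the ranges that are present.  Sample rules are copied from
the curl requests in the bug description."""
import copy

# Full port range substituted for a missing src_ports / dst_ports list.
FULL_PORT_RANGE = {"start_port": 0, "end_port": 65535}

# Rule from the sg-test2 request: egress rule (src is the local SG), no src_ports.
EGRESS_RULE_NO_SRC_PORTS = {
    "protocol": "udp",
    "dst_addresses": [{"subnet": {"ip_prefix": "1.1.1.0", "ip_prefix_len": 24}},
                      {"subnet": {"ip_prefix": "2.2.2.0", "ip_prefix_len": 24}}],
    "dst_ports": [{"start_port": 8194, "end_port": 8198}],
    "src_addresses": [{"security_group": "local"}],
    "ethertype": "IPv4",
}

# Rule from the sg-test6 request: ingress rule (dst is the local SG), no dst_ports.
INGRESS_RULE_NO_DST_PORTS = {
    "protocol": "udp",
    "src_addresses": [{"subnet": {"ip_prefix": "1.1.1.0", "ip_prefix_len": 24}},
                      {"subnet": {"ip_prefix": "2.2.2.0", "ip_prefix_len": 24}}],
    "src_ports": [{"start_port": 8194, "end_port": 8199}],
    "dst_addresses": [{"security_group": "local"}],
    "ethertype": "IPv4",
}


def rule_direction(rule):
    """Infer the rule's direction from which address list names the local SG.
    Assumption taken from the bug's curl examples: src_addresses 'local' means
    egress, dst_addresses 'local' means ingress."""
    def has_local(addresses):
        return any(a.get("security_group") == "local" for a in addresses)
    if has_local(rule.get("src_addresses", [])):
        return "egress"
    if has_local(rule.get("dst_addresses", [])):
        return "ingress"
    return "unknown"


def validate_port_ranges(rule):
    """Return a list of problems with the port ranges that ARE present.
    An empty list means every supplied range is a well-formed 0..65535 interval."""
    problems = []
    for key in ("src_ports", "dst_ports"):
        for entry in rule.get(key) or []:
            start, end = entry.get("start_port"), entry.get("end_port")
            if not (isinstance(start, int) and isinstance(end, int)):
                problems.append("%s: non-integer range %r" % (key, entry))
            elif not 0 <= start <= end <= 65535:
                problems.append("%s: bad range %d-%d" % (key, start, end))
    return problems


def normalize_rule(rule):
    """Return a copy of the rule in which a missing or empty src_ports /
    dst_ports list is replaced by the full 0-65535 range.  Raises ValueError
    if a range that was supplied is malformed, so it never reaches the ACL."""
    problems = validate_port_ranges(rule)
    if problems:
        raise ValueError("; ".join(problems))
    fixed = copy.deepcopy(rule)
    for key in ("src_ports", "dst_ports"):
        if not fixed.get(key):
            fixed[key] = [dict(FULL_PORT_RANGE)]
    return fixed


def normalize_security_group(sg_body):
    """Apply normalize_rule to every policy_rule of a security-group body as
    posted to /security-groups.  Returns a new body; the input is left intact."""
    out = copy.deepcopy(sg_body)
    entries = out.setdefault("security_group_entries", {})
    entries["policy_rule"] = [normalize_rule(r) for r in entries.get("policy_rule") or []]
    return out


if __name__ == "__main__":
    for rule in (EGRESS_RULE_NO_SRC_PORTS, INGRESS_RULE_NO_DST_PORTS):
        fixed = normalize_rule(rule)
        print(rule_direction(rule), fixed["src_ports"], fixed["dst_ports"])
```

Defaulting the absent side to the full range is what makes the egress ACL from case 2 non-empty: the rule still names the UDP dst range 8194-8198 but no longer lacks a src match for the agent to program. Validating the supplied ranges first keeps an inverted or oversized interval from being silently passed through alongside the defaulted one.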