conntrack entry is not deleted when security_groups_member_updated

Bug #1580377 reported by Itsuro Oda
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: venkata anil

Bug Description

When a remote group member is changed, the conntrack entry that should be deleted is not deleted.

How to reproduce:
* create a VM (VM1) on host-1 (net-a, default security-group) (ex. 10.0.0.3)
* create a VM (VM2) on host-2 (net-a, default security-group) (ex. 10.0.0.4)
* ssh from VM1 (10.0.0.3) to VM2 (10.0.0.4)
---
host-2:$ sudo conntrack -L |grep 10.0
tcp 6 431986 ESTABLISHED src=10.0.0.3 dst=10.0.0.4 sport=45074 dport=22 src=10.0.0.4 dst=10.0.0.3 sport=22 dport=45074 [ASSURED] mark=0 zone=1 use=1

host-2:$ sudo ipset list
Name: NIPv492469920-ef76-44af-98c7-
Type: hash:net
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16824
References: 1
Members:
10.0.0.4
10.0.0.3
---

* terminate VM1 (nova delete VM1)
expected: the conntrack entry shown above is deleted.
actual: not deleted
---
host-2:$ sudo conntrack -L |grep 10.0
tcp 6 431986 ESTABLISHED src=10.0.0.3 dst=10.0.0.4 sport=45074 dport=22 src=10.0.0.4 dst=10.0.0.3 sport=22 dport=45074 [ASSURED] mark=0 zone=1 use=1

host-2:$ sudo ipset list
Name: NIPv492469920-ef76-44af-98c7-
Type: hash:net
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16824
References: 1
Members:
10.0.0.4
---

Applied:
liberty, mitaka, master

Investigation:
summary - devices_with_updated_sg_members is consumed by remove_devices_filter unintentionally.
* when ovs-agent receives security_groups_member_updated RPC call,
  sg_ids and affected devices are registered to self.firewall.devices_with_updated_sg_members.
  (original intention is that it is handled when refresh_firewall is called. but...)
* in the main loop of ovs-agent process_deleted_ports is executed before process_network_ports.
  process_deleted_ports calls self.sg_agent.remove_devices_filter.
  if there is any deleted port,
  remove_devices_filter
  -> defer_apply_off
  -> _remove_conntrack_entries_from_sg_update
  -> _clean_deleted_remote_sg_members_conntrack_entries
  is called.
  at this time pre_sg_members and sg_members are the same, since no port info is
  updated in remove_devices_filter, so no conntrack entry is removed.
  but nonetheless devices_with_updated_sg_members is cleared!!
* afterwards
  process_network_ports
  -> setup_port_filters -> refresh_firewall -> defer_apply_off
  ...-> _clean_deleted_remote_sg_members_conntrack_entries
  is called.
  at this time pre_sg_members and sg_members are different, since port info was updated,
  but no conntrack entry is removed since devices_with_updated_sg_members was cleared.

Note:
deleting conntrack entries was introduced by https://bugs.launchpad.net/neutron/+bug/1335375.
note that conntrack zone was per network at this time. (per port now)
The fix of 1335375 is complicated and I wonder whether it is incomplete (ex. no care of egress & remote-group rule).
How about simplifying it to just record affected ports and do "conntrack -D -w <port's zone id>"
for the affected ports?
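The ordering problem in the investigation above, as a toy model added here (not neutron's code): the method names mirror the call chain in the report, the bodies are a simplified reconstruction, and the `delete_on_member_update` flag stands in for the approach of purging conntrack right when a remote ipset member is removed.

```python
# Toy reconstruction of the ovs-agent ordering bug described in this report.
# NOT neutron code: method names follow the report's call chain, bodies are simplified.
class ToyFirewall:
    def __init__(self, delete_on_member_update=False):
        # True models purging conntrack as soon as a remote member leaves the
        # ipset, instead of waiting for the deferred clean-up after firewall apply.
        self.delete_on_member_update = delete_on_member_update
        self.sg_members = {}                        # sg_id -> current member IPs
        self.pre_sg_members = {}                    # snapshot before the last refresh
        self.devices_with_updated_sg_members = {}   # sg_id -> local devices to clean
        self.conntrack_deleted = set()              # (device, remote_ip) pairs purged

    def security_groups_member_updated(self, sg_id, devices):
        # RPC handler: only records that clean-up is pending for refresh_firewall.
        self.devices_with_updated_sg_members.setdefault(sg_id, set()).update(devices)

    def update_security_group_members(self, sg_id, members, devices):
        # Port-info refresh: snapshot the old set, install the new one.
        self.pre_sg_members = {k: set(v) for k, v in self.sg_members.items()}
        self.sg_members[sg_id] = set(members)
        if self.delete_on_member_update:
            for ip in self.pre_sg_members.get(sg_id, set()) - set(members):
                self.conntrack_deleted.update((d, ip) for d in devices)

    def defer_apply_off(self):
        self._clean_deleted_remote_sg_members_conntrack_entries()

    def _clean_deleted_remote_sg_members_conntrack_entries(self):
        for sg_id, devices in self.devices_with_updated_sg_members.items():
            gone = self.pre_sg_members.get(sg_id, set()) - self.sg_members.get(sg_id, set())
            self.conntrack_deleted.update((d, ip) for d in devices for ip in gone)
        # Cleared whether or not anything was deleted: this is the bug.
        self.devices_with_updated_sg_members = {}

def agent_iteration(fw, deleted_port_pending=True):
    """One ovs-agent loop on host-2 after VM1 (10.0.0.3) is terminated (constructed data)."""
    fw.update_security_group_members("sg-default", {"10.0.0.3", "10.0.0.4"}, {"vm2"})
    fw.security_groups_member_updated("sg-default", {"vm2"})   # member-updated RPC arrives
    if deleted_port_pending:
        # process_deleted_ports -> remove_devices_filter -> defer_apply_off runs
        # before any port info was refreshed: pre == current, nothing to delete.
        fw.defer_apply_off()
    # process_network_ports -> setup_port_filters -> refresh_firewall -> defer_apply_off
    fw.update_security_group_members("sg-default", {"10.0.0.4"}, {"vm2"})
    fw.defer_apply_off()
    return sorted(fw.conntrack_deleted)
```

With the default flags the stale entry for 10.0.0.3 survives; skipping the deleted-port pass, or purging on member update, removes it.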

Itsuro Oda (oda-g)
tags: added: sg-fw
Revision history for this message
Itsuro Oda (oda-g) wrote :

> ... and I wonder it is incomplete (ex. no care of egress & remote-group rule).

I found this was fixed by #1570171.

Revision history for this message
Brian Haley (brian-haley) wrote :

Yes, this looks like a duplicate. Can you look at the other bug and the patch and see if they fix the issue for you?

https://bugs.launchpad.net/neutron/+bug/1570171

https://review.openstack.org/#/c/305598/

Changed in neutron:
status: New → Incomplete
Revision history for this message
Itsuro Oda (oda-g) wrote :

Brian,

#1 is just a comment on the 'Note' part.

This bug is independent of 1570171.
The conntrack entry which should be deleted is not deleted, regardless of egress or ingress.
'How to reproduce' is valid for the latest master.

Revision history for this message
Itsuro Oda (oda-g) wrote :

In addition to #3,
please look at the example in 'How to reproduce' carefully.
The conntrack entry in the example was originally a deletion target, before 1570171 was applied.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/315805

Changed in neutron:
assignee: nobody → Itsuro Oda (oda-g)
status: Incomplete → In Progress
Revision history for this message
Itsuro Oda (oda-g) wrote :

I submitted a fix (https://review.openstack.org/315805). It helps to understand what the problem is.
I really confirmed that the problem does not happen with the fix.

I don't have time to complete it. I want somebody to take over.

Changed in neutron:
assignee: Itsuro Oda (oda-g) → nobody
Changed in neutron:
status: In Progress → Confirmed
importance: Undecided → Medium
ugvddm (271025598-9)
Changed in neutron:
assignee: nobody → ugvddm (271025598-9)
yujie (16189455-d)
Changed in neutron:
assignee: ugvddm (271025598-9) → yujie (16189455-d)
Revision history for this message
ugvddm (271025598-9) wrote :

sorry, I have already dealt with this issue

Revision history for this message
yujie (16189455-d) wrote :

sorry ugvddm, I assigned it to myself without being aware that it already belonged to you.

Changed in neutron:
assignee: yujie (16189455-d) → nobody
Changed in neutron:
assignee: nobody → ugvddm (271025598-9)
status: Confirmed → In Progress
yujie (16189455-d)
Changed in neutron:
assignee: ugvddm (271025598-9) → yujie (16189455-d)
Revision history for this message
venkata anil (anil-venkata) wrote :

Can someone check if https://review.openstack.org/#/c/352440/ solves this issue?

Changed in neutron:
assignee: yujie (16189455-d) → venkata anil (anil-venkata)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/355163

Changed in neutron:
assignee: venkata anil (anil-venkata) → yujie (16189455-d)
Revision history for this message
yujie (16189455-d) wrote :

@venkata, sorry, I did not notice that you had reassigned this bug. I gave a patch at https://review.openstack.org/355163.

Changed in neutron:
assignee: yujie (16189455-d) → venkata anil (anil-venkata)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/315805
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Changed in neutron:
status: In Progress → Incomplete
assignee: venkata anil (anil-venkata) → nobody
Revision history for this message
venkata anil (anil-venkata) wrote :

Both the fixes [1] and [2] are needed to completely fix this issue.
For example, I booted vm1 on host1 and vm2 on host2, then ssh'd to vm2 from vm1.
I see conntrack entries for this ssh (with source as vm1 ip) in both host1 and host2. Change [1] is deleting the conntrack entry in host1 and change [2] is deleting the conntrack entry in host2.

Bottom line is -
Change 1 is deleting conntrack in the host where its local port is removed
Change 2 is deleting conntrack in a host when it gets notification about remote port removal
So both the fixes are needed to completely fix this issue.

[1] https://review.openstack.org/#/c/355163/
[2] https://review.openstack.org/#/c/352440/

Changed in neutron:
status: Incomplete → In Progress
assignee: nobody → venkata anil (anil-venkata)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/352440
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9168dbf93d70ec4df6ab29d2b300497fef401682
Submitter: Jenkins
Branch: master

commit 9168dbf93d70ec4df6ab29d2b300497fef401682
Author: venkata anil <email address hidden>
Date: Mon Aug 8 14:11:11 2016 +0000

    Delete conntrack when remote ipset member removed

    Through [1] ipset members are updated in update_security_group_members
    instead of updating during firewall apply. In the same way, we will
    delete conntrack entries immediately after deleting remote ipset
    members(in update_security_group_members) instead of deleting them after
    firewall apply.

    As explained in [2], this change partially fixes bug #1580377, i.e. it
    deletes conntrack entries on remote hosts for a removed port.

    [1] https://review.openstack.org/#/c/347068/
    [2] https://bugs.launchpad.net/neutron/+bug/1580377/comments/13

    Co-Authored-By:shihanzhang <email address hidden>
    Partial-Bug: #1580377
    Change-Id: Iea3344a24e2a068b794c44796b4c945432379c13

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/408982

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/408986

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/408982
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ceb1b95b48f28f4c3ac022237e9f68c80bc8afe4
Submitter: Jenkins
Branch: stable/newton

commit ceb1b95b48f28f4c3ac022237e9f68c80bc8afe4
Author: venkata anil <email address hidden>
Date: Mon Aug 8 14:11:11 2016 +0000

    Delete conntrack when remote ipset member removed

    Through [1] ipset members are updated in update_security_group_members
    instead of updating during firewall apply. In the same way, we will
    delete conntrack entries immediately after deleting remote ipset
    members(in update_security_group_members) instead of deleting them after
    firewall apply.

    As explained in [2], this change partially fixes bug #1580377, i.e. it
    deletes conntrack entries on remote hosts for a removed port.

    [1] https://review.openstack.org/#/c/347068/
    [2] https://bugs.launchpad.net/neutron/+bug/1580377/comments/13

    Co-Authored-By:shihanzhang <email address hidden>
    Partial-Bug: #1580377
    Change-Id: Iea3344a24e2a068b794c44796b4c945432379c13
    (cherry picked from commit 9168dbf93d70ec4df6ab29d2b300497fef401682)

tags: added: in-stable-newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/355163
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2acdcedb594d06e7c9f4f14e017c918a4a65c6b2
Submitter: Jenkins
Branch: master

commit 2acdcedb594d06e7c9f4f14e017c918a4a65c6b2
Author: yujie <email address hidden>
Date: Mon Aug 15 22:14:01 2016 +0800

    Delete related conntrack when delete vm

    When deleting a vm, the conntrack for this vm still
    exists. This patch deletes the removed port's conntrack entries
    only in port's hosting node. Another patch [1] removes
    this port's conntrack entries in remote hosts.

    [1] https://review.openstack.org/#/c/352440/

    Closes-Bug: #1580377
    Change-Id: Ia8132a62050eaa5e01377f653337b5792f158e2f

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/414911

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/414912

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/mitaka)

Reviewed: https://review.openstack.org/408986
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7455b47e890eee69f6f8e3ca2e144dbac1fee906
Submitter: Jenkins
Branch: stable/mitaka

commit 7455b47e890eee69f6f8e3ca2e144dbac1fee906
Author: venkata anil <email address hidden>
Date: Mon Aug 8 14:11:11 2016 +0000

    Delete conntrack when remote ipset member removed

    Through [1] ipset members are updated in update_security_group_members
    instead of updating during firewall apply. In the same way, we will
    delete conntrack entries immediately after deleting remote ipset
    members(in update_security_group_members) instead of deleting them after
    firewall apply.

    As explained in [2], this change partially fixes bug #1580377, i.e. it
    deletes conntrack entries on remote hosts for a removed port.

    [1] https://review.openstack.org/#/c/347068/
    [2] https://bugs.launchpad.net/neutron/+bug/1580377/comments/13

    Conflicts:
            neutron/tests/unit/agent/linux/test_iptables_firewall.py

    Co-Authored-By:shihanzhang <email address hidden>
    Partial-Bug: #1580377
    Change-Id: Iea3344a24e2a068b794c44796b4c945432379c13
    (cherry picked from commit 9168dbf93d70ec4df6ab29d2b300497fef401682)
    (cherry picked from commit ceb1b95b48f28f4c3ac022237e9f68c80bc8afe4)

tags: added: in-stable-mitaka
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/414911
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=07536155ca3a4c59f876577816249422ace10251
Submitter: Jenkins
Branch: stable/newton

commit 07536155ca3a4c59f876577816249422ace10251
Author: yujie <email address hidden>
Date: Mon Aug 15 22:14:01 2016 +0800

    Delete related conntrack when delete vm

    When deleting a vm, the conntrack for this vm still
    exists. This patch deletes the removed port's conntrack entries
    only in port's hosting node. Another patch [1] removes
    this port's conntrack entries in remote hosts.

    [1] https://review.openstack.org/#/c/352440/

    Closes-Bug: #1580377
    Change-Id: Ia8132a62050eaa5e01377f653337b5792f158e2f
    (cherry picked from commit 2acdcedb594d06e7c9f4f14e017c918a4a65c6b2)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.0.0b3

This issue was fixed in the openstack/neutron 10.0.0.0b3 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 9.2.0

This issue was fixed in the openstack/neutron 9.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/mitaka)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/414912
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
