port-security-enabled flag for neutron is not working in contrail mitaka 3.1.0 as expected

Bug #1632961 reported by kalagesan
This bug affects 1 person
Affects: Juniper Openstack (status tracked in Trunk)

Series  Status         Importance  Assigned to       Milestone
R3.1    Fix Committed  Undecided   Sahil Sabharwal
R3.2    Fix Committed  Undecided   Sahil Sabharwal
Trunk   Fix Committed  Undecided   Sahil Sabharwal

Bug Description

Customer is using contrail 3.1.0 build 25 mitaka release.

There is a problem with using the “port-security-enabled” flag with Contrail. It’s not possible to create a neutron port with
no associated security group by setting this flag to “False”.

As a result this flag doesn’t work when it is used in Heat templates either, and ports are always created with the “default” security
group.

port_security_enabled: {description: 'Flag to enable/disable port security on the port. When disable this feature(set it to False), there will
be no packages filtering, like security-group and address-pairs.',

Customer tested port creation with the same flag in the Openstack Mitaka neutron ML2 plugin, where it is working as expected.

Issue is only seen with Openstack mitaka contrail

Mitaka_with_Contrail_3_1.txt – How it works now

root@contrail-1:/etc/neutron/plugins/opencontrail# neutron ext-list
+---------------------------+-----------------------------------------------+
| alias | name |
+---------------------------+-----------------------------------------------+
| network-ip-availability | Network IP Availability |
| auto-allocated-topology | Auto Allocated Topology Services |
| timestamp_core | Time Stamp Fields addition for core resources |
| agent | agent |
| tag | Tag support |
| extra_lbaas_opts | Loadbalancer as a Service |
| external-net | Neutron external network |
| quotas | Quota management support |
| provider | Provider Network |
| policy | Network Policy |
| contrail | Contrail Extension |
| binding | Port Binding |
| route-table | route-table |
| router | Neutron L3 Router |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| service-interface | service-interface |
| vf-binding | vf-binding |
| lbaasv2 | LoadBalancing service v2 |
| security-group | security-group |
| ipam | Network IP Address Management |
| rbac-policies | RBAC Policies |
| standard-attr-description | standard-attr-description |
| port-security | Port Security |
| allowed-address-pairs | Allowed Address Pairs |
+---------------------------+-----------------------------------------------+
root@contrail-1:/etc/neutron/plugins/opencontrail# neutron port-create ef92ac75-edd3-4ab8-bc02-574369684efd --port-security-enabled=False
Created a new port:
+---------------------+---------------------------------------------------------------------------------+
| Field | Value |
+---------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| binding:host_id | |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| fixed_ips | {"subnet_id": "b24ffa5e-ebc6-4e19-807f-fbe1715c7ad2", "ip_address": "10.0.0.2"} |
| id | 3692b6b0-4223-47de-a331-42ff2d575b35 |
| mac_address | 02:36:92:b6:b0:42 |
| name | 3692b6b0-4223-47de-a331-42ff2d575b35 |
| network_id | ef92ac75-edd3-4ab8-bc02-574369684efd |
| security_groups | f48bb9ec-4c50-423d-9cec-b0c20738b8a6 |
| status | DOWN |
| tenant_id | 828fbb812ffc46ab9425bae4d4c08fd9 |
+---------------------+---------------------------------------------------------------------------------+

Mitaka_with_ML2_Plugin.txt – Expected result of port creation with flag --port-security-enabled=False

[root@sdncloud41cn ~(keystone_admin)]# neutron ext-list
+---------------------------+-----------------------------------------------+
| alias | name |
+---------------------------+-----------------------------------------------+
| default-subnetpools | Default Subnetpools |
| network-ip-availability | Network IP Availability |
| network_availability_zone | Network Availability Zone |
| auto-allocated-topology | Auto Allocated Topology Services |
| ext-gw-mode | Neutron L3 Configurable external gateway mode |
| binding | Port Binding |
| metering | Neutron Metering |
| agent | agent |
| subnet_allocation | Subnet Allocation |
| l3_agent_scheduler | L3 Agent Scheduler |
| tag | Tag support |
| external-net | Neutron external network |
| net-mtu | Network MTU |
| availability_zone | Availability Zone |
| quotas | Quota management support |
| l3-ha | HA Router extension |
| provider | Provider Network |
| multi-provider | Multi Provider Network |
| address-scope | Address scope |
| extraroute | Neutron Extra Route |
| vlan-transparent | Vlantransparent |
| timestamp_core | Time Stamp Fields addition for core resources |
| port-security | Port Security |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| dns-integration | DNS Integration |
| security-group | security-group |
| dhcp_agent_scheduler | DHCP Agent Scheduler |
| router_availability_zone | Router Availability Zone |
| rbac-policies | RBAC Policies |
| standard-attr-description | standard-attr-description |
| router | Neutron L3 Router |
| allowed-address-pairs | Allowed Address Pairs |
| dvr | Distributed Virtual Router |
+---------------------------+-----------------------------------------------+

[root@sdncloud41cn ~(keystone_admin)]# neutron port-create aaf7262f-a992-460e-9357-f65579a364e1 --port-security-enabled=False
Created a new port:
+-----------------------+-----------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-----------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | |
| binding:profile | {} |
| binding:vif_details | {} |
| binding:vif_type | unbound |
| binding:vnic_type | normal |
| created_at | 2016-10-12T13:26:29 |
| description | |
| device_id | |
| device_owner | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "7d00d65e-2ed0-41a8-bc4f-b125acf2285f", "ip_address": "10.0.0.144"} |
| id | cd41c250-aa2d-45d1-9118-ec1e7ed71a0d |
| mac_address | fa:16:3e:b3:a5:a5 |
| name | |
| network_id | aaf7262f-a992-460e-9357-f65579a364e1 |
| port_security_enabled | False |
| security_groups | |
| status | DOWN |
| tenant_id | b770743f66c44840a999cc8cf60916cd |
| updated_at | 2016-10-12T13:26:29 |
+-----------------------+-----------------------------------------------------------------------------------+

The customer tried port creation with the no-security-group flag instead of the port-security-enabled option. This helped in creating the port with no
security group; however, the customer needs this with the port-security-enabled flag, since port-security-enabled is available in the HEAT template.
The no-security-group parameter is not available for the contrail neutron HEAT template.

root@contrail-1:/etc/neutron/plugins/opencontrail# neutron port-create ef92ac75-edd3-4ab8-bc02-574369684efd --no-security-group

Created a new port:
+---------------------+---------------------------------------------------------------------------------+
| Field | Value |
+---------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| binding:host_id | |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| fixed_ips | {"subnet_id": "b24ffa5e-ebc6-4e19-807f-fbe1715c7ad2", "ip_address": "10.0.0.2"} |
| id | 3692b6b0-4223-47de-a331-42ff2d575b35 |
| mac_address | 02:36:92:b6:b0:42 |
| name | 3692b6b0-4223-47de-a331-42ff2d575b35 |
| network_id | ef92ac75-edd3-4ab8-bc02-574369684efd |
| security_groups | |
| status | DOWN |
| tenant_id | 828fbb812ffc46ab9425bae4d4c08fd9 |
+---------------------+---------------------------------------------------------------------------------+

Tags: neutron
kalagesan (kalagesan)
information type: Proprietary → Public
kalagesan (kalagesan) wrote :

I have tested this issue in my contrail 3.1.1.0 build 34 contrail mitaka setup; I see the customer issue.

root@nodeg24:/etc/contrail# neutron port-create 0a712a2a-f745-4391-a8c1-b2a1d513b1f4 --port-security-enabled=False
Created a new port:
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| admin_state_up | True |
| binding:host_id | |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| fixed_ips | {"subnet_id": "98bc37a2-2667-428c-90d1-fd5d6229dade", "ip_address": "30.30.30.252"} |
| id | 3f7e34c8-8a6b-44fb-b0f0-660a35109482 |
| mac_address | 02:3f:7e:34:c8:8a |
| name | 3f7e34c8-8a6b-44fb-b0f0-660a35109482 |
| network_id | 0a712a2a-f745-4391-a8c1-b2a1d513b1f4 |
| security_groups | 50720601-ba82-44a2-a801-601217ad21e4 |
| status | DOWN |
| tenant_id | 176164a252514c23abe7cb392e065072 |
+---------------------+-------------------------------------------------------------------------------------+

root@nodeg24:/etc/contrail# neutron port-create 0a712a2a-f745-4391-a8c1-b2a1d513b1f4 --no-security-group
Created a new port:
+---------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+---------------------+-------------------------------------------------------------------------------------+
| admin_state_up | True |
| binding:host_id | |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter ...


Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: nobody → ssabharwal@juniper.net (ssabharwal)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/25140
Submitter: Sachin Bansal (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/25140
Committed: http://github.org/Juniper/contrail-controller/commit/ab55633f28cfbf17cc6eb822ea94838e604e17b0
Submitter: Zuul
Branch: master

commit ab55633f28cfbf17cc6eb822ea94838e604e17b0
Author: Sachin Bansal <email address hidden>
Date: Thu Oct 20 15:44:46 2016 -0700

Adding port-security-enabled parameter to the schema

This is a neutron extension that we claim to support, but it is
not currently implemented. To implement this, we will need to
support this flag at network and port level. At the port level,
if port security is disabled, no security groups can be applied
to the port and the port can communicate with all other ports.

At the time of port creation, if a specific value is not provided,
we will copy it from the corresponding network. The default value
for both will be True, i.e., port security is enabled unless
explicitly disabled by the user.

Change-Id: Ibaf659ee9b383268fad4b95f09adf9f90b3a87e6
Related-Bug: 1632961

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/25466
Submitter: <email address hidden> (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/25468
Submitter: <email address hidden> (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/25584
Submitter: <email address hidden> (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/25466
Committed: http://github.org/Juniper/contrail-controller/commit/cd930489ff96e214d51023302776167a2a4370f1
Submitter: Zuul
Branch: master

commit cd930489ff96e214d51023302776167a2a4370f1
Author: Sahil Sabharwal <email address hidden>
Date: Thu Oct 27 21:23:16 2016 -0700

Added Port Security Enabled extension

1. Added check 'port_security_enabled' flag at the time of creation and update.
2. If not disabled, then only security group is added
3. At the time of update, it can be disabled if no security group is associated
or a new security group can be added if 'port_security_enabled' was not disabled
at the time of port creation.

Change-Id: I7643373210f1a20ee1c6a352a3b3c39c5d3a76c7
Closes-Bug: 1632961

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/25584
Committed: http://github.org/Juniper/contrail-controller/commit/71a60e3fb1685ff9f0c79988ad9a0e30f8d9407a
Submitter: Zuul
Branch: R3.2

commit 71a60e3fb1685ff9f0c79988ad9a0e30f8d9407a
Author: Sahil Sabharwal <email address hidden>
Date: Thu Oct 27 21:23:16 2016 -0700

Added Port Security Enabled extension

This is a neutron extension that we claim to support, but it is
not currently implemented. To implement this, we will need to
support this flag at network and port level. At the port level,
if port security is disabled, no security groups can be applied
to the port and the port can communicate with all other ports.

At the time of port creation, if a specific value is not provided,
we will copy it from the corresponding network. The default value
for both will be True, i.e., port security is enabled unless
explicitly disabled by the user.

1. Added check 'port_security_enabled' flag at the time of creation and update.
2. If not disabled, then only security group is added
3. At the time of update, it can be disabled if no security group is associated
or a new security group can be added if 'port_security_enabled' was not disabled
at the time of port creation.

Change-Id: I7643373210f1a20ee1c6a352a3b3c39c5d3a76c7
Closes-Bug: 1632961

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/25468
Committed: http://github.org/Juniper/contrail-controller/commit/5ad00ef04a54211b821bc13a5b0fe1ee42245ce2
Submitter: Zuul
Branch: R3.1

commit 5ad00ef04a54211b821bc13a5b0fe1ee42245ce2
Author: Sahil Sabharwal <email address hidden>
Date: Thu Oct 27 21:23:16 2016 -0700

Added Port Security Enabled extension

This is a neutron extension that we claim to support, but it is
not currently implemented. To implement this, we will need to
support this flag at network and port level. At the port level,
if port security is disabled, no security groups can be applied
to the port and the port can communicate with all other ports.

At the time of port creation, if a specific value is not provided,
we will copy it from the corresponding network. The default value
for both will be True, i.e., port security is enabled unless
explicitly disabled by the user.

1. Added check 'port_security_enabled' flag at the time of creation and update.
2. If not disabled, then only security group is added
3. At the time of update, it can be disabled if no security group is associated
or a new security group can be added if 'port_security_enabled' was not disabled
at the time of port creation.

Change-Id: I7643373210f1a20ee1c6a352a3b3c39c5d3a76c7
Closes-Bug: 1632961
(cherry picked from commit 71a60e3fb1685ff9f0c79988ad9a0e30f8d9407a)
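The rules stated in the merged change's description (the flag is inherited from the network when not given, a port with port security disabled carries no security group, and the create/update checks numbered 1 to 3) as a small Python model, added here as an example. It is not the contrail-controller plugin's own code: Network, Port, create_port, update_port, rejected, parse_port_table, port_security_cleanly_disabled and the sample port-show text are assumptions constructed for this illustration, and the model reads rule 3 strictly (a port created with port security disabled must be re-enabled in a separate update before a group can be added). The table parser lets the result of `--port-security-enabled=False` be checked in a script, the verification the bug report does by hand with `neutron port-create`.

```python
"""Model of the port_security_enabled rules described in the merged change for
bug 1632961.  Added example, not contrail-controller's own plugin code; the
names (Network, Port, create_port, update_port, parse_port_table) are
assumptions made for this illustration."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class PortSecurityError(ValueError):
    """A request that would leave a port in an inconsistent security state."""


@dataclass
class Network:
    id: str
    port_security_enabled: bool = True   # enabled unless explicitly disabled


@dataclass
class Port:
    id: str
    network_id: str
    port_security_enabled: bool
    security_groups: List[str] = field(default_factory=list)


def create_port(network: Network, port_id: str,
                port_security_enabled: Optional[bool] = None,
                security_groups: Optional[List[str]] = None,
                default_sg: str = "default") -> Port:
    """Create a port.  No explicit flag: inherit it from the network.  Flag
    False: the port gets no security group at all, not even the implicit
    'default' group, and a request that names one is rejected."""
    enabled = (network.port_security_enabled if port_security_enabled is None
               else port_security_enabled)
    if not enabled:
        if security_groups:
            raise PortSecurityError(
                "security groups cannot be applied when port security is disabled")
        return Port(port_id, network.id, False, [])
    groups = list(security_groups) if security_groups else [default_sg]
    return Port(port_id, network.id, True, groups)


def update_port(port: Port, port_security_enabled: Optional[bool] = None,
                security_groups: Optional[List[str]] = None) -> Port:
    """Update rules: port security may be disabled only once no security group
    is associated, and groups may be added only while it is enabled (a port
    created with it disabled must be re-enabled in a separate update first)."""
    enabled = (port.port_security_enabled if port_security_enabled is None
               else port_security_enabled)
    groups = (port.security_groups if security_groups is None
              else list(security_groups))
    if not enabled and groups:
        raise PortSecurityError(
            "port security cannot be disabled while security groups are associated")
    if groups and not port.port_security_enabled:
        raise PortSecurityError(
            "security groups can only be added to a port with port security enabled")
    port.port_security_enabled, port.security_groups = enabled, groups
    return port


def rejected(op: Callable, *args, **kwargs) -> bool:
    """True if the operation is refused with PortSecurityError."""
    try:
        op(*args, **kwargs)
    except PortSecurityError:
        return True
    return False


def parse_port_table(text: str) -> Dict[str, str]:
    """Parse the '| Field | Value |' table printed by neutron port-create /
    port-show into a dict, so the resulting port can be checked in scripts."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.startswith("|") or line.startswith("| Field"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|", 1)]
        if len(cells) == 2:
            fields[cells[0]] = cells[1]
    return fields


def port_security_cleanly_disabled(fields: Dict[str, str]) -> bool:
    """Post-fix expectation: flag reported False and no security group attached."""
    return (fields.get("port_security_enabled") == "False"
            and fields.get("security_groups", "") == "")


# Constructed sample in the shape of 'neutron port-show' output after the fix.
SAMPLE_PORT_SHOW = """\
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| id                    | 3692b6b0-4223-47de-a331-42ff2d575b35 |
| port_security_enabled | False                                |
| security_groups       |                                      |
| status                | DOWN                                 |
+-----------------------+--------------------------------------+
"""

if __name__ == "__main__":
    net = Network("ef92ac75-edd3-4ab8-bc02-574369684efd")
    p = create_port(net, "p1", port_security_enabled=False)
    print(p.port_security_enabled, p.security_groups)   # False []
    print(port_security_cleanly_disabled(parse_port_table(SAMPLE_PORT_SHOW)))  # True
```

The default of True on both network and port is the fail-closed choice the commit message describes: a port is filtered unless the operator explicitly turns filtering off, and the only way to reach the unfiltered state is an explicit request that the model refuses whenever a security group is still attached.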
