port-security-enabled flag for neutron is not working in contrail mitaka 3.1.0 as expected
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R3.1 | Fix Committed | Undecided | Sahil Sabharwal |
R3.2 | Fix Committed | Undecided | Sahil Sabharwal |
Trunk | Fix Committed | Undecided | Sahil Sabharwal |
Bug Description
Customer is using contrail 3.1.0 build 25 mitaka release.
There is a problem with using flag “port-security-
no associated security group setting this flag to “False”.
As a result, this flag doesn’t work when it is used in Heat templates either, and ports are always created with the “default” security group.
port_security_
be no packages filtering, like security-group and address-pairs.',
Customer tested port creation with the same flag in the Openstack Mitaka neutron ML2 plugin, where it is working as expected.
Issue is only seen with Openstack mitaka contrail
Mitaka_
root@contrail-
+------
| alias | name |
+------
| network-
| auto-allocated-
| timestamp_core | Time Stamp Fields addition for core resources |
| agent | agent |
| tag | Tag support |
| extra_lbaas_opts | Loadbalancer as a Service |
| external-net | Neutron external network |
| quotas | Quota management support |
| provider | Provider Network |
| policy | Network Policy |
| contrail | Contrail Extension |
| binding | Port Binding |
| route-table | route-table |
| router | Neutron L3 Router |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| service-interface | service-interface |
| vf-binding | vf-binding |
| lbaasv2 | LoadBalancing service v2 |
| security-group | security-group |
| ipam | Network IP Address Management |
| rbac-policies | RBAC Policies |
| standard-
| port-security | Port Security |
| allowed-
+------
root@contrail-
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| binding:host_id | |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| fixed_ips | {"subnet_id": "b24ffa5e-
| id | 3692b6b0-
| mac_address | 02:36:92:b6:b0:42 |
| name | 3692b6b0-
| network_id | ef92ac75-
| security_groups | f48bb9ec-
| status | DOWN |
| tenant_id | 828fbb812ffc46a
+------
Mitaka_
[root@sdncloud41cn ~(keystone_admin)]# neutron ext-list
+------
| alias | name |
+------
| default-subnetpools | Default Subnetpools |
| network-
| network_
| auto-allocated-
| ext-gw-mode | Neutron L3 Configurable external gateway mode |
| binding | Port Binding |
| metering | Neutron Metering |
| agent | agent |
| subnet_allocation | Subnet Allocation |
| l3_agent_scheduler | L3 Agent Scheduler |
| tag | Tag support |
| external-net | Neutron external network |
| net-mtu | Network MTU |
| availability_zone | Availability Zone |
| quotas | Quota management support |
| l3-ha | HA Router extension |
| provider | Provider Network |
| multi-provider | Multi Provider Network |
| address-scope | Address scope |
| extraroute | Neutron Extra Route |
| vlan-transparent | Vlantransparent |
| timestamp_core | Time Stamp Fields addition for core resources |
| port-security | Port Security |
| extra_dhcp_opt | Neutron Extra DHCP opts |
| dns-integration | DNS Integration |
| security-group | security-group |
| dhcp_agent_
| router_
| rbac-policies | RBAC Policies |
| standard-
| router | Neutron L3 Router |
| allowed-
| dvr | Distributed Virtual Router |
+------
[root@sdncloud41cn ~(keystone_admin)]# neutron port-create aaf7262f-
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| binding:host_id | |
| binding:profile | {} |
| binding:vif_details | {} |
| binding:vif_type | unbound |
| binding:vnic_type | normal |
| created_at | 2016-10-12T13:26:29 |
| description | |
| device_id | |
| device_owner | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "7d00d65e-
| id | cd41c250-
| mac_address | fa:16:3e:b3:a5:a5 |
| name | |
| network_id | aaf7262f-
| port_security_
| security_groups | |
| status | DOWN |
| tenant_id | b770743f66c4484
| updated_at | 2016-10-12T13:26:29 |
+------
Customer tried port creation with no-security-group flag instead of port-security-
security group however customer needs this with port-security-
no-security-group parameter is not available for contrail neutron HEAT template.
root@contrail-
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| binding:host_id | |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| fixed_ips | {"subnet_id": "b24ffa5e-
| id | 3692b6b0-
| mac_address | 02:36:92:b6:b0:42 |
| name | 3692b6b0-
| network_id | ef92ac75-
| security_groups |
| status | DOWN |
| tenant_id | 828fbb812ffc46a
+------
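A check that can be scripted around the reproduction above, added here as an example (it is not part of the bug report or of Contrail's code): it parses `neutron port-create` table output and lists where the created port differs from a `--port-security-enabled=False` request. The two sample tables are constructed and the function names are hypothetical; `port_security_enabled` is the Neutron port attribute.

```python
# Constructed sample outputs modeled on this report; function names are hypothetical.
CONTRAIL_OUT = """\
Created a new port:
+------------------+--------------------------------------+
| Field            | Value                                |
+------------------+--------------------------------------+
| binding:vif_type | vrouter                              |
| security_groups  | 11111111-1111-1111-1111-111111111111 |
| status           | DOWN                                 |
+------------------+--------------------------------------+
"""
ML2_OUT = """\
| binding:vif_type      | unbound |
| port_security_enabled | False   |
| security_groups       |         |
"""

def parse_cli_table(text):
    """Turn the neutron CLI's '| Field | Value |' table into a dict."""
    fields, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # borders, shell prompts, 'Created a new port:'
        key, _, value = line.strip("|").partition("|")
        key, value = key.strip(), value.strip()
        if key == "Field":
            continue  # header row
        if key:
            fields[key], last = value, key
        elif last and value:  # continuation row of a multi-line value
            fields[last] += "\n" + value
    return fields

def port_security_findings(fields, requested_enabled=False):
    """List the ways a created port differs from the requested port-security state."""
    findings = []
    reported = fields.get("port_security_enabled")
    if reported is None:
        findings.append("port_security_enabled missing from response")
    elif (reported.lower() == "true") != requested_enabled:
        findings.append("port_security_enabled=%s" % reported)
    groups = fields.get("security_groups", "").split()
    if not requested_enabled and groups:
        findings.append("security groups still bound: " + ", ".join(groups))
    return findings

if __name__ == "__main__":
    for name, out in (("contrail", CONTRAIL_OUT), ("ml2", ML2_OUT)):
        print(name, port_security_findings(parse_cli_table(out)))
```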
information type: Proprietary → Public
Changed in juniperopenstack:
assignee: nobody → ssabharwal@juniper.net (ssabharwal)
I have tested this issue in my contrail 3.1.1.0 build 34 contrail mitaka setup; I see the customer issue
root@nodeg24:/etc/contrail# neutron port-create 0a712a2a-f745-4391-a8c1-b2a1d513b1f4 --port-security-enabled=False
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| binding:host_id | |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| fixed_ips | {"subnet_id": "98bc37a2-2667-428c-90d1-fd5d6229dade", "ip_address": "30.30.30.252"} |
| id | 3f7e34c8-8a6b-44fb-b0f0-660a35109482 |
| mac_address | 02:3f:7e:34:c8:8a |
| name | 3f7e34c8-8a6b-44fb-b0f0-660a35109482 |
| network_id | 0a712a2a-f745-4391-a8c1-b2a1d513b1f4 |
| security_groups | 50720601-ba82-44a2-a801-601217ad21e4 |
| status | DOWN |
| tenant_id | 176164a252514c23abe7cb392e065072 |
+------
root@nodeg24:/etc/contrail# neutron port-create 0a712a2a-f745-4391-a8c1-b2a1d513b1f4 --no-security-group
Created a new port:
+------
| Field | Value |
+------
| admin_state_up | True |
| binding:host_id | |
| binding:vif_details | {"port_filter": true} |
| binding:vif_type | vrouter ...