Firewall creation/deletion stalls pending forever >= newton

Bug #1680164 reported by José Pekkarinen
This bug affects 2 people
Affects                         | Status       | Importance | Assigned to | Milestone
OpenStack Neutron API Charm     | Invalid      | High       | Unassigned  |
OpenStack Neutron Gateway Charm | Fix Released | High       | James Page  |

Bug Description

In an ocata deployment with the following configuration on neutron-gateway and
neutron-openvswitch, trying to create a firewall through fwaas stalls forever:

  neutron-gateway:
    annotations:
      gui-x: '0'
      gui-y: '0'
    charm: cs:~openstack-charmers-next/xenial/neutron-gateway
    num_units: 1
    options:
      openstack-origin: cloud:xenial-ocata
      bridge-mappings: physnet1:br-ex
      data-port: br-ex:ethX.X
      worker-multiplier: 0.25
    to:
    - '0'
  neutron-openvswitch:
    annotations:
      gui-x: '250'
      gui-y: '500'
    charm: cs:~openstack-charmers-next/xenial/neutron-openvswitch
    num_units: 0

Steps to reproduce:

1) Create a couple of rules:

neutron firewall-rule-create --source-ip-address 0.0.0.0/32 --destination-ip-address X.X.X.X/24 --destination-port 80 --enable true --protocol tcp --action allow --name http
neutron firewall-rule-create --source-ip-address 0.0.0.0/32 --destination-ip-address X.X.X.X/24 --destination-port 20 --enable true --protocol tcp --action allow --name ssh

2) Create a policy:

neutron firewall-policy-create --firewall-rules "http ssh" test_policy

3) Create a router:

neutron router-create test-router
neutron router-gateway-set test-router public_net
neutron router-interface-add test-router private_subnet

4) Create a firewall:

neutron firewall-create --name test-fw --router test-router test_policy

Created a new firewall:
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 1ab576a4-1c58-4afb-9b8e-03a1c1482719 |
| id                 | 50139345-23c9-40c1-aa45-dcd90856c8b5 |
| name               | cli-test-fw                          |
| project_id         | ca0861a638bb42ad9d9e048fdde1e0fa     |
| router_ids         | 38be5530-966b-4056-8bcc-019d90cf2621 |
| status             | PENDING_CREATE                       |
| tenant_id          | ca0861a638bb42ad9d9e048fdde1e0fa     |
+--------------------+--------------------------------------+

Status will never change from that even in hours.

Removing it will be pending until you destroy the router completely.

Best regards.

José.

James Page (james-page) wrote :

Revalidated on xenial/mitaka - firewall correctly went active.

James Page (james-page) wrote :

Confirmed this bug on xenial-ocata using openstack-charm-testing bundles and the following commands:

  neutron firewall-rule-create --source-ip-address 0.0.0.0/32 --destination-ip-address 192.168.21.0/24 --destination-port 80 --enable true --protocol tcp --action allow --name http
  neutron firewall-rule-create --source-ip-address 0.0.0.0/32 --destination-ip-address 192.168.21.0/24 --destination-port 22 --enable true --protocol tcp --action allow --name ssh
  neutron firewall-policy-create --firewall-rules "http ssh" test_policy
  neutron firewall-create --name test-fw --router provider-router test_policy
  neutron firewall-show bc2f4f5b-08ee-4dfc-8749-7c1453d236b5

Changed in charm-neutron-gateway:
status: New → Confirmed
James Page (james-page) wrote :

Some minor tweaks required to neutron-gateway templates to re-enable this feature >= newton AFAICT

Changed in charm-neutron-api:
status: New → In Progress
Changed in charm-neutron-gateway:
status: Confirmed → In Progress
Changed in charm-neutron-api:
importance: Undecided → High
Changed in charm-neutron-gateway:
importance: Undecided → High
Changed in charm-neutron-api:
milestone: none → 17.11
Changed in charm-neutron-gateway:
milestone: none → 17.11
Changed in charm-neutron-api:
status: In Progress → Invalid
James Page (james-page) wrote :
Changed in charm-neutron-gateway:
assignee: nobody → James Page (james-page)
James Page (james-page) wrote :

If you happen to have a firewall stuck in PENDING_CREATE, you can reset it using:

  neutron firewall-update --no-routers UUID

which will place it back into INACTIVE state; after upgrading to the fixed version of the charm, the router can then be set back again, e.g.:

  neutron firewall-update --router=ef61d331-6493-430b-92da-ab98144e5f90 bc2f4f5b-08ee-4dfc-8749-7c1453d236b5

at which point it should go active.

summary: - Firewall creation/deletion stalls pending forever
+ Firewall creation/deletion stalls pending forever >= newton
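
An added example, not part of the comment above or of the charm's code: a firewall left in PENDING_CREATE is not applied to its router, so this sketch flags firewalls in any PENDING_* state and prints the reset command quoted above for the PENDING_CREATE ones. The function names, the sample data and the input format (one `<uuid> <status>` pair per line, as `neutron firewall-list -f value -c id -c status` is assumed to produce) are assumptions.

```shell
#!/bin/sh
# Added example: flag FWaaS firewalls stuck in a PENDING_* state and print the
# reset command from the comment above for the PENDING_CREATE ones.
# Assumed input: one "<uuid> <status>" pair per line, e.g. from
#   neutron firewall-list -f value -c id -c status
# Nothing is executed against the cloud; commands are only printed for review.

# Constructed sample input (UUIDs are made up, not taken from the bug report).
SAMPLE='11111111-1111-4111-8111-111111111111 ACTIVE
22222222-2222-4222-8222-222222222222 PENDING_CREATE
33333333-3333-4333-8333-333333333333 PENDING_DELETE
44444444-4444-4444-8444-444444444444 INACTIVE
garbage-line PENDING_CREATE'

UUID_RE='[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'

# Print "<uuid> <status>" for every firewall whose status is PENDING_*.
# Lines whose first field is not a well-formed UUID are dropped, so nothing
# unexpected can end up inside a generated command line.
pending_firewalls() {
    grep -E "^${UUID_RE} PENDING_[A-Z]+\$" || true
}

# Print one reset command per firewall stuck in PENDING_CREATE.
# A firewall is briefly PENDING_CREATE right after creation, so re-check the
# status before running any printed command.
reset_commands() {
    pending_firewalls | while read -r id status; do
        if [ "$status" = "PENDING_CREATE" ]; then
            printf 'neutron firewall-update --no-routers %s\n' "$id"
        fi
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE" | reset_commands
```
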
James Page (james-page) wrote :

Proposed fix can be tested from:

  cs:~james-page/neutron-gateway-4

using

  juju upgrade-charm --switch cs:~james-page/neutron-gateway-4 neutron-gateway

Thanks!

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-neutron-gateway (master)

Reviewed: https://review.openstack.org/508100
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-gateway/commit/?id=7ab7046153926b543ac07b229dff09481c3d2fb7
Submitter: Zuul
Branch: master

commit 7ab7046153926b543ac07b229dff09481c3d2fb7
Author: James Page <email address hidden>
Date: Thu Sep 28 10:42:49 2017 +0100

    Fix support for FWaaS for >= Newton

    Newton introduced the new v2 driver for the l3-agent; update
    configuration to stick with v1 for the time being, ensuring
    that firewalls can actually be applied to routers.

    Change-Id: I44b7b84a1805bc096ffdd072665189146f63eba9
    Closes-Bug: 1680164

Changed in charm-neutron-gateway:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-neutron-gateway (stable/17.08)

Fix proposed to branch: stable/17.08
Review: https://review.openstack.org/508889

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-neutron-gateway (stable/17.08)

Reviewed: https://review.openstack.org/508889
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-gateway/commit/?id=bb523e4f9c4fc2c342d3abe17598c080a8368d19
Submitter: Zuul
Branch: stable/17.08

commit bb523e4f9c4fc2c342d3abe17598c080a8368d19
Author: James Page <email address hidden>
Date: Thu Sep 28 10:42:49 2017 +0100

    Fix support for FWaaS for >= Newton

    Newton introduced the new v2 driver for the l3-agent; update
    configuration to stick with v1 for the time being, ensuring
    that firewalls can actually be applied to routers.

    Change-Id: I44b7b84a1805bc096ffdd072665189146f63eba9
    Closes-Bug: 1680164
    (cherry picked from commit 7ab7046153926b543ac07b229dff09481c3d2fb7)

James Page (james-page)
Changed in charm-neutron-gateway:
status: Fix Committed → Fix Released