Security group rule deleted by cascade (because its remote group had been deleted) is not deleted in the backend

Bug #2008712 reported by Bence Romsics
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
Bence Romsics

Bug Description

devstack 7533276c
neutron aa40aef70f

This reproduction uses the openvswitch ml2 mechanism_driver and firewall_driver, but I believe this bug affects all mechanism_drivers.

# Choose a port number no other rule uses on the test host.
$ sudo ovs-ofctl dump-flows br-int | egrep 1234
[nothing]

# Create two security groups.
$ openstack security group create sg1
$ openstack security group create sg2

# Create a rule in sg1 that references sg2 (as remote group).
$ openstack security group rule create sg1 --ingress --ethertype IPv4 --dst-port 1234:1234 --protocol tcp --remote-group sg2

# The API returns the new rule.
$ openstack security group rule list sg1
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| 77db9548-b3ab-46ea-94a5-f00f6a4062da | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 9b569a88-177a-4422-a0f3-6ed039e0217a | tcp | IPv4 | 0.0.0.0/0 | 1234:1234 | ingress | 7df90218-3d52-4156-9630-43563a3d5ba6 | None |
| f40d258b-4d13-4dc8-a0c4-82ccce9922e0 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+

# Make sure sg1 is used on the test host.
$ openstack server create --flavor cirros256 --image cirros-0.5.2-x86_64-disk --availability-zone :devstack0 --nic net-id=private --security-group sg1 vm1 --wait

# See if the rule is implemented in the backend.
$ sudo ovs-ofctl dump-flows br-int | egrep 1234
 cookie=0x33704a39bf5031d7, duration=55.263s, table=82, n_packets=0, n_bytes=0, idle_age=57, priority=73,ct_state=+est-rel-rpl,tcp,reg5=0x20,tp_dst=1234 actions=conjunction(22,2/2)
 cookie=0x33704a39bf5031d7, duration=55.263s, table=82, n_packets=0, n_bytes=0, idle_age=57, priority=73,ct_state=+new-est,tcp,reg5=0x20,tp_dst=1234 actions=conjunction(23,2/2)

# Delete sg2...
$ openstack security group delete sg2

# ...by cascade also delete the rule in sg1 referencing sg2. At least in the API.
$ openstack security group rule list sg1
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 77db9548-b3ab-46ea-94a5-f00f6a4062da | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| f40d258b-4d13-4dc8-a0c4-82ccce9922e0 | None | IPv6 | ::/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

# But the delete is not propagated to the backend.
$ sudo ovs-ofctl dump-flows br-int | egrep 1234
 cookie=0x33704a39bf5031d7, duration=112.917s, table=82, n_packets=0, n_bytes=0, idle_age=115, priority=73,ct_state=+est-rel-rpl,tcp,reg5=0x20,tp_dst=1234 actions=conjunction(22,2/2)
 cookie=0x33704a39bf5031d7, duration=112.917s, table=82, n_packets=0, n_bytes=0, idle_age=115, priority=73,ct_state=+new-est,tcp,reg5=0x20,tp_dst=1234 actions=conjunction(23,2/2)

# Clean up - even the left over backend flows.
$ openstack server delete vm1 --wait
$ sudo ovs-ofctl dump-flows br-int | egrep 1234
[nothing]
$ openstack security group delete sg2
$ openstack security group delete sg1
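
The reproduction above compares the API view of sg1 with the flows on br-int by hand. The following script automates that comparison as an audit check; it is an added example, not part of the bug report and not neutron code. It parses the `ovs-ofctl dump-flows br-int` line format shown above and a rule list in the JSON shape `openstack security group rule list sg1 -f json` produces (column names as in the table above are assumed), and reports destination ports that still have flows in table 82 (where the report's ingress rule flows were programmed) but no covering ingress rule in the API. The sample inputs are constructed from the values in the report, plus one invented ssh rule so there is a covered port to contrast with.

```python
"""Audit: find OVS firewall flows whose destination port no API ingress rule
still covers. Added example built on the bug report's output; not neutron code.
The check is a heuristic on (protocol, tp_dst) only and ignores remote-group
and conjunction details of the real OVS firewall driver."""
import json
import re

# Constructed from the report: flows left on br-int after sg2 was deleted,
# plus one flow for tcp/22 that is still covered by an API rule.
DUMP_FLOWS = """\
 cookie=0x33704a39bf5031d7, duration=112.917s, table=82, n_packets=0, n_bytes=0, idle_age=115, priority=73,ct_state=+est-rel-rpl,tcp,reg5=0x20,tp_dst=1234 actions=conjunction(22,2/2)
 cookie=0x33704a39bf5031d7, duration=112.917s, table=82, n_packets=0, n_bytes=0, idle_age=115, priority=73,ct_state=+new-est,tcp,reg5=0x20,tp_dst=1234 actions=conjunction(23,2/2)
 cookie=0x33704a39bf5031d7, duration=112.917s, table=82, n_packets=0, n_bytes=0, idle_age=115, priority=73,ct_state=+new-est,tcp,reg5=0x20,tp_dst=22 actions=conjunction(23,2/2)
"""

# Constructed: the API view of sg1 after the cascade delete, in the column
# layout of `openstack security group rule list sg1 -f json` (assumed), plus
# a made-up ssh rule with a placeholder ID.
API_RULES = json.dumps([
    {"ID": "77db9548-b3ab-46ea-94a5-f00f6a4062da", "IP Protocol": None,
     "Ethertype": "IPv4", "Port Range": "", "Direction": "egress"},
    {"ID": "f40d258b-4d13-4dc8-a0c4-82ccce9922e0", "IP Protocol": None,
     "Ethertype": "IPv6", "Port Range": "", "Direction": "egress"},
    {"ID": "00000000-0000-0000-0000-000000000022", "IP Protocol": "tcp",
     "Ethertype": "IPv4", "Port Range": "22:22", "Direction": "ingress"},
])

# Captures the table number and the match fields between "priority=N," and
# " actions=" of one dump-flows line.
FLOW_RE = re.compile(r"table=(?P<table>\d+),.*?priority=\d+,(?P<match>[^ ]+) actions=")


def parse_flow_ports(dump_text, table=82):
    """Return the set of (protocol, dst_port) pairs matched by flows in `table`."""
    ports = set()
    for line in dump_text.splitlines():
        m = FLOW_RE.search(line)
        if not m or int(m.group("table")) != table:
            continue
        fields = m.group("match").split(",")
        proto = next((f for f in fields if f in ("tcp", "udp")), None)
        port = next((int(f.split("=", 1)[1]) for f in fields if f.startswith("tp_dst=")), None)
        if proto and port is not None:
            ports.add((proto, port))
    return ports


def parse_api_ranges(rules_json, direction="ingress"):
    """Return the set of (protocol, lo, hi) port ranges from API rules.

    An empty Port Range on a tcp/udp rule means all ports."""
    ranges = set()
    for rule in json.loads(rules_json):
        if rule["Direction"] != direction or rule["IP Protocol"] not in ("tcp", "udp"):
            continue
        lo, _, hi = (rule["Port Range"] or "1:65535").partition(":")
        ranges.add((rule["IP Protocol"], int(lo), int(hi or lo)))
    return ranges


def stale_flow_ports(dump_text, rules_json):
    """Ports with backend flows that no API ingress rule covers any more."""
    covered = parse_api_ranges(rules_json)
    return sorted(
        (proto, port)
        for proto, port in parse_flow_ports(dump_text)
        if not any(p == proto and lo <= port <= hi for p, lo, hi in covered)
    )


if __name__ == "__main__":
    # On a real host replace the constants with the output of
    # `sudo ovs-ofctl dump-flows br-int` and `openstack security group rule list <sg> -f json`.
    for proto, port in stale_flow_ports(DUMP_FLOWS, API_RULES):
        print(f"stale backend flow: {proto}/{port} has no covering API rule")
```

Run against the constructed input it reports only tcp/1234, the port of the rule the cascade removed from the API; tcp/22 is silent because the invented ssh rule still covers it. Ports reported this way are what an operator would otherwise only catch by deleting and recreating the port, as the clean-up step above does.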

tags: added: sg-fw
Changed in neutron:
assignee: nobody → Bence Romsics (bence-romsics)
Changed in neutron:
status: New → Confirmed
Revision history for this message
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

I've tested this bug with ML2/OVS and I can confirm it. When sg2 is deleted, sg1 rules are updated but the mech driver agent does not receive this update.

However, this is not happening in ML2/OVN. When the rule using sg2 is created, if there is no other VM using this SG, no local OF rule is created. If the SG is used in a VM, it cannot be deleted. So this is affecting only ML2/OVS (and most probably ML2/LB).

Revision history for this message
Lajos Katona (lajos-katona) wrote :

Hmmm, as I see it, it is a "feature" of the RPC notification Hell, but I still do not see the full picture.

Changed in neutron:
importance: Undecided → High
Revision history for this message
Lajos Katona (lajos-katona) wrote :

Finally I think I got a know with which I am able to handle this issue for OVS:

https://opendev.org/openstack/neutron/src/branch/master/neutron/api/rpc/handlers/securitygroups_rpc.py#L297-L308

Here I can add an extra rcache.get_resources call with filters to get the rules whose remote_group_id is the deleted sg; tomorrow I will push a patch with it.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/876716

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/881661

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/881662

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/881663

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/876716
Committed: https://opendev.org/openstack/neutron/commit/63584957203ec9f5ba165177978213c3909f81f0
Submitter: "Zuul (22348)"
Branch: master

commit 63584957203ec9f5ba165177978213c3909f81f0
Author: elajkat <email address hidden>
Date: Fri Mar 10 13:29:48 2023 +0100

    Delete sg rule which remote is the deleted sg

    Based on bug #2008712 if we have a security-group which
    is the remote group of a 2nd security-group, the backend
    never deletes the rule of the 2nd group which
    remote_group_id is the original security-group.
    By AFTER_DELETE event for each rule that has the
    security_group_id as remote_group_id, we can make the
    mech drivers do their work and delete these rules in the
    backend.

    Change-Id: I207ecf7954b06507e03cb16b502ceb6e2807e0e7
    Closes-Bug: #2008712

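The commit message above, like Lajos Katona's earlier comment, describes the fix as publishing an AFTER_DELETE event for every rule whose remote_group_id is the deleted group, so that the mechanism drivers remove the corresponding backend rules. The following toy model is an added example, not neutron code: the names EventBus, SecurityGroupDB and Agent are invented stand-ins for neutron_lib's callback registry, the server-side DB layer and the L2 agent. It replays the report's scenario once without and once with the per-rule notification, so the difference the patch makes is visible in the agent's flow table.

```python
"""Toy model of the cascade-delete notification gap and the fix for it.
Added example; all classes here are invented stand-ins, not neutron code."""
from collections import defaultdict


class EventBus:
    """Minimal publish/subscribe registry (stand-in for neutron_lib callbacks)."""

    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, resource, event, callback):
        self._subs[(resource, event)].append(callback)

    def publish(self, resource, event, payload):
        for callback in self._subs[(resource, event)]:
            callback(payload)


class SecurityGroupDB:
    """In-memory stand-in for the server-side security group tables."""

    def __init__(self, bus, notify_dependent_rules):
        self.bus = bus
        # True models the fix: publish AFTER_DELETE for rules that referenced
        # the deleted group as their remote group.
        self.notify_dependent_rules = notify_dependent_rules
        self.groups = set()
        self.rules = {}  # rule id -> rule dict

    def create_group(self, sg_id):
        self.groups.add(sg_id)

    def create_rule(self, rule_id, sg_id, remote_group_id, port):
        rule = {"id": rule_id, "security_group_id": sg_id,
                "remote_group_id": remote_group_id, "port": port}
        self.rules[rule_id] = rule
        self.bus.publish("security_group_rule", "AFTER_CREATE", rule)

    def delete_group(self, sg_id):
        # DB cascade: rules owned by sg_id and rules whose remote group is
        # sg_id disappear from the API view in one go.
        dependent = [r for r in self.rules.values()
                     if r["remote_group_id"] == sg_id and r["security_group_id"] != sg_id]
        self.rules = {rid: r for rid, r in self.rules.items()
                      if r["security_group_id"] != sg_id and r["remote_group_id"] != sg_id}
        self.groups.discard(sg_id)
        self.bus.publish("security_group", "AFTER_DELETE", {"id": sg_id})
        if self.notify_dependent_rules:
            for rule in dependent:
                self.bus.publish("security_group_rule", "AFTER_DELETE", rule)


class Agent:
    """Stand-in for the L2 agent: one backend flow per rule it was told about."""

    def __init__(self, bus):
        self.flows = {}  # rule id -> (protocol, port)
        bus.subscribe("security_group_rule", "AFTER_CREATE", self._add_flow)
        bus.subscribe("security_group_rule", "AFTER_DELETE", self._remove_flow)

    def _add_flow(self, rule):
        self.flows[rule["id"]] = ("tcp", rule["port"])

    def _remove_flow(self, rule):
        self.flows.pop(rule["id"], None)


def run_scenario(with_fix):
    """Replay the report: sg1 has a rule with remote group sg2; sg2 is deleted."""
    bus = EventBus()
    db = SecurityGroupDB(bus, notify_dependent_rules=with_fix)
    agent = Agent(bus)
    db.create_group("sg1")
    db.create_group("sg2")
    db.create_rule("rule-1234", "sg1", "sg2", 1234)
    db.delete_group("sg2")
    return {"api_rules": sorted(db.rules), "agent_flows": sorted(agent.flows)}


if __name__ == "__main__":
    print("without fix:", run_scenario(with_fix=False))
    print("with fix:   ", run_scenario(with_fix=True))
```

Without the per-rule event the API side is empty while the agent still holds the flow for tcp/1234, which is exactly the mismatch the dump-flows output in the report shows; with it both sides agree. The model deliberately leaves out the detail that later caused the first version of this change to be reverted (handlers raising SecurityGroupNotFound for the already-deleted group, see the revert further down), so anything consuming such events should expect the referenced group to be gone by the time the event arrives.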
Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/882060

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/882131

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/882228

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/881661
Committed: https://opendev.org/openstack/neutron/commit/a15eece7712d94cec7a6de6472b46a1e81139dbc
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit a15eece7712d94cec7a6de6472b46a1e81139dbc
Author: elajkat <email address hidden>
Date: Fri Mar 10 13:29:48 2023 +0100

    Delete sg rule which remote is the deleted sg

    Based on bug #2008712 if we have a security-group which
    is the remote group of a 2nd security-group, the backend
    never deletes the rule of the 2nd group which
    remote_group_id is the original security-group.
    By AFTER_DELETE event for each rule that has the
    security_group_id as remote_group_id, we can make the
    mech drivers do their work and delete these rules in the
    backend.

    Change-Id: I207ecf7954b06507e03cb16b502ceb6e2807e0e7
    (cherry picked from commit 63584957203ec9f5ba165177978213c3909f81f0)
    Closes-Bug: #2008712

tags: added: in-stable-zed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/881662
Committed: https://opendev.org/openstack/neutron/commit/e4cf8cc0a612f1a3831658ce6f0e675f5e455652
Submitter: "Zuul (22348)"
Branch: stable/zed

commit e4cf8cc0a612f1a3831658ce6f0e675f5e455652
Author: elajkat <email address hidden>
Date: Fri Mar 10 13:29:48 2023 +0100

    Delete sg rule which remote is the deleted sg

    Based on bug #2008712 if we have a security-group which
    is the remote group of a 2nd security-group, the backend
    never deletes the rule of the 2nd group which
    remote_group_id is the original security-group.
    By AFTER_DELETE event for each rule that has the
    security_group_id as remote_group_id, we can make the
    mech drivers do their work and delete these rules in the
    backend.

    Change-Id: I207ecf7954b06507e03cb16b502ceb6e2807e0e7
    (cherry picked from commit 63584957203ec9f5ba165177978213c3909f81f0)
    Closes-Bug: #2008712

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/881663
Committed: https://opendev.org/openstack/neutron/commit/c3c056950d253e7125604ce72a8bc158d10fa15c
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit c3c056950d253e7125604ce72a8bc158d10fa15c
Author: elajkat <email address hidden>
Date: Fri Mar 10 13:29:48 2023 +0100

    Delete sg rule which remote is the deleted sg

    Based on bug #2008712 if we have a security-group which
    is the remote group of a 2nd security-group, the backend
    never deletes the rule of the 2nd group which
    remote_group_id is the original security-group.
    By AFTER_DELETE event for each rule that has the
    security_group_id as remote_group_id, we can make the
    mech drivers do their work and delete these rules in the
    backend.

    Change-Id: I207ecf7954b06507e03cb16b502ceb6e2807e0e7
    (cherry picked from commit 63584957203ec9f5ba165177978213c3909f81f0)
    Closes-Bug: #2008712

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/882060
Committed: https://opendev.org/openstack/neutron/commit/a1c206b489e1a2a5c5d513ac3f85e2f3e84defd4
Submitter: "Zuul (22348)"
Branch: stable/xena

commit a1c206b489e1a2a5c5d513ac3f85e2f3e84defd4
Author: elajkat <email address hidden>
Date: Fri Mar 10 13:29:48 2023 +0100

    Delete sg rule which remote is the deleted sg

    Based on bug #2008712 if we have a security-group which
    is the remote group of a 2nd security-group, the backend
    never deletes the rule of the 2nd group which
    remote_group_id is the original security-group.
    By AFTER_DELETE event for each rule that has the
    security_group_id as remote_group_id, we can make the
    mech drivers do their work and delete these rules in the
    backend.

    Change-Id: I207ecf7954b06507e03cb16b502ceb6e2807e0e7
    (cherry picked from commit 63584957203ec9f5ba165177978213c3909f81f0)
    Closes-Bug: #2008712

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 23.0.0.0b2

This issue was fixed in the openstack/neutron 23.0.0.0b2 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/883582
Committed: https://opendev.org/openstack/neutron/commit/ebc0658d5566ce527cb1104968d247db10edf3db
Submitter: "Zuul (22348)"
Branch: master

commit ebc0658d5566ce527cb1104968d247db10edf3db
Author: Brian Haley <email address hidden>
Date: Fri May 19 14:45:53 2023 +0000

    Revert "Delete sg rule which remote is the deleted sg"

    This reverts commit 63584957203ec9f5ba165177978213c3909f81f0.

    Reason for revert: This is generating a lot of
    "SecurityGroupNotFound" errors in neutron-server.log in
    the tempest-integrated-networking job.

    Closes-Bug: #2019449
    Related-Bug: #2008712
    Change-Id: I077fe87435f61bd29d5c1efc979c2adebca26181

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/883927

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/zed)

Related fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/884205

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/yoga)

Related fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/884206

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/xena)

Related fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/884207

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/883927
Committed: https://opendev.org/openstack/neutron/commit/d3fb57617d56acb312cef18d32881dd608967313
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit d3fb57617d56acb312cef18d32881dd608967313
Author: Brian Haley <email address hidden>
Date: Fri May 19 14:45:53 2023 +0000

    Revert "Delete sg rule which remote is the deleted sg"

    This reverts commit 63584957203ec9f5ba165177978213c3909f81f0.

    Reason for revert: This is generating a lot of
    "SecurityGroupNotFound" errors in neutron-server.log in
    the tempest-integrated-networking job.

    Closes-Bug: #2019449
    Related-Bug: #2008712
    Change-Id: I077fe87435f61bd29d5c1efc979c2adebca26181
    (cherry picked from commit ebc0658d5566ce527cb1104968d247db10edf3db)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/884205
Committed: https://opendev.org/openstack/neutron/commit/8bf6f7f03c04d90d6953d9cd1a286d82a01fc040
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 8bf6f7f03c04d90d6953d9cd1a286d82a01fc040
Author: Brian Haley <email address hidden>
Date: Fri May 19 14:45:53 2023 +0000

    Revert "Delete sg rule which remote is the deleted sg"

    This reverts commit 63584957203ec9f5ba165177978213c3909f81f0.

    Reason for revert: This is generating a lot of
    "SecurityGroupNotFound" errors in neutron-server.log in
    the tempest-integrated-networking job.

    Closes-Bug: #2019449
    Related-Bug: #2008712
    Change-Id: I077fe87435f61bd29d5c1efc979c2adebca26181
    (cherry picked from commit ebc0658d5566ce527cb1104968d247db10edf3db)
    (cherry picked from commit d3fb57617d56acb312cef18d32881dd608967313)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/884206
Committed: https://opendev.org/openstack/neutron/commit/8d30f9223a56f34822494dc45c4beb3f0fcf16c4
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 8d30f9223a56f34822494dc45c4beb3f0fcf16c4
Author: Brian Haley <email address hidden>
Date: Fri May 19 14:45:53 2023 +0000

    Revert "Delete sg rule which remote is the deleted sg"

    This reverts commit 63584957203ec9f5ba165177978213c3909f81f0.

    Reason for revert: This is generating a lot of
    "SecurityGroupNotFound" errors in neutron-server.log in
    the tempest-integrated-networking job.

    Closes-Bug: #2019449
    Related-Bug: #2008712
    Change-Id: I077fe87435f61bd29d5c1efc979c2adebca26181
    (cherry picked from commit ebc0658d5566ce527cb1104968d247db10edf3db)
    (cherry picked from commit d3fb57617d56acb312cef18d32881dd608967313)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/884207
Committed: https://opendev.org/openstack/neutron/commit/20172ca6dc5dac5792cb4dca710dc078cc061d08
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 20172ca6dc5dac5792cb4dca710dc078cc061d08
Author: Brian Haley <email address hidden>
Date: Fri May 19 14:45:53 2023 +0000

    Revert "Delete sg rule which remote is the deleted sg"

    This reverts commit 63584957203ec9f5ba165177978213c3909f81f0.

    Reason for revert: This is generating a lot of
    "SecurityGroupNotFound" errors in neutron-server.log in
    the tempest-integrated-networking job.

    Closes-Bug: #2019449
    Related-Bug: #2008712
    Change-Id: I077fe87435f61bd29d5c1efc979c2adebca26181
    (cherry picked from commit ebc0658d5566ce527cb1104968d247db10edf3db)
    (cherry picked from commit d3fb57617d56acb312cef18d32881dd608967313)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/884505

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/wallaby)

Change abandoned by "Lajos Katona <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/882131
Reason: revert was merged for this chain: https://review.opendev.org/q/I077fe87435f61bd29d5c1efc979c2adebca26181

new approach is here: https://review.opendev.org/c/openstack/neutron/+/884505

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/victoria)

Change abandoned by "Lajos Katona <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/882228
Reason: revert was merged for this chain: https://review.opendev.org/q/I077fe87435f61bd29d5c1efc979c2adebca26181

new approach is here: https://review.opendev.org/c/openstack/neutron/+/884505

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.1

This issue was fixed in the openstack/neutron 22.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.1.1

This issue was fixed in the openstack/neutron 21.1.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.3.1

This issue was fixed in the openstack/neutron 20.3.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.4.0

This issue was fixed in the openstack/neutron 20.4.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/887692
Committed: https://opendev.org/openstack/neutron/commit/9e79bd7ff4be716ce7b1d5b14fee1212b42dfde1
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 9e79bd7ff4be716ce7b1d5b14fee1212b42dfde1
Author: elajkat <email address hidden>
Date: Fri May 26 12:04:49 2023 +0200

    Delete sg rule which remote is the deleted sg

    Based on bug #2008712 if we have a security-group which
    is the remote group of a 2nd security-group, the backend
    never deletes the rule of the 2nd group which
    remote_group_id is the original security-group.
    By AFTER_DELETE event for each rule that has the
    security_group_id as remote_group_id, we can make the
    mech drivers do their work and delete these rules in the
    backend.

    One version of this fix was merged:
    https://review.opendev.org/q/I207ecf7954b06507e03cb16b502ceb6e2807e0e7
    and reverted due to #2019449:
    https://review.opendev.org/q/I077fe87435f61bd29d5c1efc979c2adebca26181

    This patch is based on
    https://review.opendev.org/c/openstack/neutron/+/876716/1

    Conflicts in (due to notify to publish changes):
    * neutron/db/securitygroups_db.py
    * neutron/tests/unit/db/test_securitygroups_db.py

    Closes-Bug: #2008712
    Related-Bug: #2019449
    Change-Id: I9e8ddfa26c5402fefd573b0e2ea5f3a57983ca35
    (cherry picked from commit 67a0b0728788207cee27adb586880fabb8da6f25)

tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 23.0.0.0b3

This issue was fixed in the openstack/neutron 23.0.0.0b3 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.1.0

This issue was fixed in the openstack/neutron 22.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.2.0

This issue was fixed in the openstack/neutron 21.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron victoria-eom

This issue was fixed in the openstack/neutron victoria-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron wallaby-eom

This issue was fixed in the openstack/neutron wallaby-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron xena-eom

This issue was fixed in the openstack/neutron xena-eom release.
