Security group rule deleted by cascade (because its remote group had been deleted) is not deleted in the backend
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | Bence Romsics |
Bug Description
devstack 7533276c
neutron aa40aef70f
This reproduction uses the openvswitch ml2 mechanism_driver and firewall_driver, but I believe this bug affects all mechanism_drivers.
# Choose a port number no other rule uses on the test host.
$ sudo ovs-ofctl dump-flows br-int | egrep 1234
[nothing]
# Create two security groups.
$ openstack security group create sg1
$ openstack security group create sg2
# Create a rule in sg1 that references sg2 (as remote group).
$ openstack security group rule create sg1 --ingress --ethertype IPv4 --dst-port 1234:1234 --protocol tcp --remote-group sg2
# The API returns the new rule.
$ openstack security group rule list sg1
+------
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+------
| 77db9548-
| 9b569a88-
| f40d258b-
+------
# Make sure sg1 is used on the test host.
$ openstack server create --flavor cirros256 --image cirros-
# See if the rule is implemented in the backend.
$ sudo ovs-ofctl dump-flows br-int | egrep 1234
cookie=
cookie=
# Delete sg2...
$ openstack security group delete sg2
# ...by cascade also delete the rule in sg1 referencing sg2. At least in the API.
$ openstack security group rule list sg1
+------
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+------
| 77db9548-
| f40d258b-
+------
# But the delete is not propagated to the backend.
$ sudo ovs-ofctl dump-flows br-int | egrep 1234
cookie=
cookie=
# Clean up - even the left over backend flows.
$ openstack server delete vm1 --wait
$ sudo ovs-ofctl dump-flows br-int | egrep 1234
[nothing]
$ openstack security group delete sg2
$ openstack security group delete sg1
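A reconciliation check for the drift the reproduction above shows (API says the rule is gone, br-int still carries its flows). This is an added example, not code from the bug report or from Neutron; it assumes the JSON column names of `openstack security group rule list -f json` match the table headers shown above, that the listing covers every group in use on the host, and the sample rules and flow lines are constructed to mirror the session.

```python
import json
import re
from typing import Set, Tuple

Port = Tuple[str, int]  # (protocol, destination port)
# Constructed stand-in for `openstack security group rule list -f json`
# over every group used on the host, AFTER sg2 was deleted: the tcp/1234
# rule that referenced sg2 is gone from the API.
API_AFTER = json.dumps([
    {"ID": "77db9548-0000", "IP Protocol": None, "Port Range": None,
     "Direction": "egress", "Remote Security Group": None},
    {"ID": "f40d258b-0000", "IP Protocol": None, "Port Range": None,
     "Direction": "egress", "Remote Security Group": None},
])
# The same listing BEFORE the delete, with the cascade-deleted rule present.
API_BEFORE = json.dumps(json.loads(API_AFTER) + [
    {"ID": "9b569a88-0000", "IP Protocol": "tcp", "Port Range": "1234:1234",
     "Direction": "ingress", "Remote Security Group": "sg2-id-placeholder"}])
# Constructed `ovs-ofctl dump-flows br-int` lines in the shape the
# openvswitch firewall driver emits: the tcp/1234 flows are still present.
OVS_FLOWS = """\
cookie=0x1, table=82, priority=77,ct_state=+est-rel-rpl,tcp,reg5=0x3,tp_dst=1234 actions=output:3
cookie=0x1, table=82, priority=77,ct_state=+new-est,tcp,reg5=0x3,tp_dst=1234 actions=ct(commit,zone=NXM_NX_REG6[0..15]),output:3
cookie=0x1, table=82, priority=70,ct_state=+est-rel-rpl,reg5=0x3 actions=output:3
"""

def api_allow(rules_json: str) -> Tuple[Set[Port], Set[str]]:
    """Ports the API allows, plus protocols allowed on every port."""
    ports, any_port = set(), set()
    for rule in json.loads(rules_json):
        proto, prange = rule.get("IP Protocol"), rule.get("Port Range")
        if not proto:
            continue                 # ethertype-wide rule, no per-port flow
        if not prange:
            any_port.add(proto)      # whole protocol allowed
            continue
        lo, hi = (int(x) for x in prange.split(":"))
        ports.update((proto, p) for p in range(lo, hi + 1))
    return ports, any_port

FLOW_RE = re.compile(r"\b(tcp|udp)\b.*?\btp_dst=(\d+)")
def flow_ports(dump: str) -> Set[Port]:
    """(protocol, port) pairs still matched by per-port flows in the dump."""
    return {(m.group(1), int(m.group(2)))
            for m in map(FLOW_RE.search, dump.splitlines()) if m}

def stale_ports(rules_json: str, dump: str) -> Set[Port]:
    """Backend ports with no API rule behind them: the drift this bug leaves."""
    ports, any_port = api_allow(rules_json)
    return {p for p in flow_ports(dump) if p[0] not in any_port and p not in ports}
```

Before the delete the two views agree; after it, `stale_ports` reports tcp/1234 as a flow with no rule behind it, which is the condition an operator would alert on until the agent is restarted or the port is re-plugged.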
tags: added: sg-fw
Changed in neutron: assignee: nobody → Bence Romsics (bence-romsics)
Changed in neutron: status: New → Confirmed
Changed in neutron: importance: Undecided → High
I've tested this bug with ML2/OVS and I can confirm it. When sg2 is deleted, sg1 rules are updated but the mech driver agent does not receive this update.
However, this is not happening in ML2/OVN. When the rule using sg2 is created, if there is no other VM using this SG, no local OF rule is created. If the SG is used in a VM, it cannot be deleted. So this is affecting only ML2/OVS (and most probably ML2/LB).