neutron-api should enable security group logging when enable-security-group-logging charm config option is set

Bug #2043795 reported by Przemyslaw Hausman
Affects | Status | Importance | Assigned to | Milestone
OpenStack Neutron API Charm | Invalid | Undecided | Unassigned |
OpenStack Neutron API OVN Plugin Charm | In Progress | Wishlist | Russell Myers |

Bug Description

neutron-api
- version: 20.4.0
- channel: yoga/stable
- revision: 560

Setting charm config option `enable-security-group-logging` to be `true` does not result in:

1. Adding `log` into `service_plugins` in /etc/neutron/neutron.conf
2. Adding `extensions = log` in /etc/neutron/plugins/ml2/ml2_conf.ini

(as described in https://docs.openstack.org/neutron/latest/admin/config-logging.html#service-configuration)

As a result, `security_group` resource type is not available in my deployment:

```
$ openstack network loggable resources list
The resource could not be found.
```

I have manually updated /etc/neutron/neutron.conf and /etc/neutron/plugins/ml2/ml2_conf.ini on neutron-api unit and restarted the neutron-server service. Now I can see `security_group` resource type present:

```
$ openstack network loggable resources list
+-----------------+
| Supported types |
+-----------------+
| security_group |
+-----------------+
```

...and I am now able to configure logging with e.g. `openstack network log create --resource-type security_group --resource ${SG} --event ACCEPT logme`. The logs go into /var/log/ovn/ovn-controller.log on the hypervisor hosting the VM.

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

This is very strange; it *should* work as all the code is there to add 'log' to `neutron.conf` and `ml2_conf.ini`.

So, it would be interesting to understand if any of the following messages appeared in the log:

"Disabling NSG logging; implementation only exists for the OVS ML2 driver"
"The enable-security-group-logging option is only supported on Queens or later"

Changed in charm-neutron-api:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Neutron API Charm because there has been no activity for 60 days.]

Changed in charm-neutron-api:
status: Incomplete → Expired
Revision history for this message
Vidar Tyldum (tyldum) wrote :

Hitting this.

So `/etc/neutron/neutron.conf` renders the service_plugins to:

```
service_plugins = metering,segments,ovn-router
```

While the debug log on the charms says:
```
unit-neutron-api-plugin-ovn-1: 09:47:10 INFO unit.neutron-api-plugin-ovn/1.juju-log DEBUG: neutron_config_data="{'core_plugin': 'neutron.plugins.ml2.plugin.Ml2Plugin', 'neutron_security_groups': True, 'tenant_network_types': 'gre,vlan,flat,local', 'restart_trigger': None, 'extension_drivers': 'port_security,dns_domain_ports', 'mechanism_drivers': 'openvswitch,hyperv,l2population,sriovnicswitch', 'service_plugins': 'router,metering,segments,neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin,log'}"
```

Changed in charm-neutron-api:
status: Expired → New
Revision history for this message
Russell Myers (russellmyers) wrote :

Getting the same. Log says the following:

```
unit-neutron-api-plugin-ovn-2: 09:27:00 INFO unit.neutron-api-plugin-ovn/2.juju-log Invoking reactive handler: reactive/neutron_api_plugin_ovn_handlers.py:54:configure_neutron
unit-neutron-api-plugin-ovn-2: 09:27:00 INFO unit.neutron-api-plugin-ovn/2.juju-log DEBUG: neutron_config_data="{'core_plugin': 'neutron.plugins.ml2.plugin.Ml2Plugin', 'neutron_security_groups': True, 'tenant_network_types': 'gre,vlan,flat,local', 'restart_trigger': '1f2ec70f-c06f-442d-870b-fe6b50c4a8a2', 'extension_drivers': 'port_security', 'mechanism_drivers': 'openvswitch,hyperv,l2population', 'service_plugins': 'router,metering,segments,neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin,log'}"
```

But service_plugins in neutron.conf shows:

```
service_plugins = metering,segments,ovn-router
```

Revision history for this message
Russell Myers (russellmyers) wrote :

Also see this in the neutron-api unit which does not match the above for the neutron-api-plugin-ovn unit:

```
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
2024-04-05 15:31:59 INFO unit.neutron-api/0.juju-log server.go:316 Found subordinate_configuration on neutron-plugin-api-subordinate:16 but it contained nothing for /etc/neutron/neutron.conf
```

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

I've stared at the code for a bit and it's not obvious why it's happening.

Please could [all|any] the contributors to this bug paste their neutron-api config and (neutron + plugin part of the) bundles so that it can be reproduced in the lab. Thanks.

Changed in charm-neutron-api:
status: New → Incomplete
Revision history for this message
Russell Myers (russellmyers) wrote :

```
  neutron-api:
    charm: neutron-api
    channel: stable
    revision: 501
    resources:
      policyd-override: 0
    num_units: 3
    to:
    - lxd:0
    - lxd:1
    - lxd:2
    options:
      debug: true
      enable-ml2-port-security: true
      enable-security-group-logging: true
      flat-network-providers: physnet1
      neutron-security-groups: true
      openstack-origin: cloud:focal-yoga
      region: ----
      vip: ------------------
    constraints: arch=amd64
    bindings:
      "": openstack-management-space
      admin: openstack-management-space
      amqp: openstack-management-space
      certificates: openstack-management-space
      cluster: openstack-management-space
      etcd-proxy: openstack-management-space
      external-dns: openstack-management-space
      ha: openstack-management-space
      identity-service: openstack-management-space
      infoblox-neutron: openstack-management-space
      internal: openstack-management-space
      midonet: openstack-management-space
      neutron-api: openstack-management-space
      neutron-load-balancer: openstack-management-space
      neutron-plugin-api: openstack-management-space
      neutron-plugin-api-subordinate: openstack-management-space
      nrpe-external-master: openstack-management-space
      public: openstack-management-space
      shared-db: openstack-management-space
      vsd-rest-api: openstack-management-space
  neutron-api-hacluster:
    charm: hacluster
    channel: stable
    revision: 83
    options:
      cluster_count: 3
    bindings:
      "": alpha
      ha: alpha
      hanode: alpha
      juju-info: alpha
      nrpe-external-master: alpha
      pacemaker-remote: alpha
      peer-availability: alpha
  neutron-api-mysql-router:
    charm: mysql-router
    channel: 8.0/stable
    revision: 35
    bindings:
      "": alpha
      certificates: alpha
      db-router: alpha
      juju-info: alpha
      shared-db: alpha
  neutron-api-plugin-ovn:
    charm: neutron-api-plugin-ovn
    channel: stable
    revision: 10
    bindings:
      "": alpha
      certificates: alpha
      container: alpha
      neutron-plugin: alpha
      ovsdb-cms: alpha
```

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Okay, the penny has finally dropped for me. It's not the neutron-api charm that is blocking this config; it's the neutron-api-plugin-ovn charm that directly blocks using "log" (https://opendev.org/openstack/charm-neutron-api-plugin-ovn/src/commit/91f868b420ecf69db0e11193c9f0cd0a76226a5c/src/lib/charm/openstack/neutron_api_plugin_ovn.py#L86):

```
        svc_plugin_blacklist = [
            # FWaaS is not supported and also deprecated
            'firewall',
            'firewall_v2',
            # Security groups logging not supported at this time
            'log',
```

i.e. the neutron-api-plugin-ovn charm has blacklisted it. That code was merged in 2020.

In https://bugs.launchpad.net/neutron/+bug/1914757 (and the subsequent review: https://bugs.launchpad.net/neutron/+bug/1914757) the logging for ovn is requested and then added in August 2021. The neutron-api-plugin-ovn charm hasn't been updated since then.

Therefore, this is a missing feature of the neutron-api-plugin-ovn charm. I'll update the bug, repoint it at charm-neutron-api-plugin and triage accordingly.

Thanks again for the additional information.

Changed in charm-neutron-api:
status: Incomplete → Invalid
Changed in charm-neutron-api-plugin-ovn:
status: New → Triaged
importance: Undecided → Wishlist
tags: added: good-first-bug
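An added illustration, not code from either charm: a small operator-side check that parses the two rendered files for the `log` entries the upstream docs require, next to a simplified model of the `svc_plugin_blacklist` filtering quoted above. `sg_logging_wired` and `apply_blacklist` are assumed helper names, the file contents are constructed from the values posted in this report, and the model only drops blacklisted names (the real charm's filter may do more, e.g. swap `router` for `ovn-router`).

```python
import configparser

# Constructed sample of /etc/neutron/neutron.conf as rendered in this bug
# (service_plugins value taken from the comments above).
NEUTRON_CONF = """[DEFAULT]
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
service_plugins = metering,segments,ovn-router
"""

# Constructed sample of /etc/neutron/plugins/ml2/ml2_conf.ini with no
# 'extensions = log' line, matching the report.
ML2_CONF = """[ml2]
extension_drivers = port_security
"""

# service_plugins the charm computed before the OVN subordinate filtered it
# (copied from the juju debug log in the comments).
REQUESTED = ('router,metering,segments,'
             'neutron_dynamic_routing.services.bgp.bgp_plugin.BgpPlugin,log')


def _csv(value):
    """Split a comma-separated oslo.config list value into clean names."""
    return [v.strip() for v in value.split(',') if v.strip()]


def sg_logging_wired(neutron_conf_text, ml2_conf_text):
    """Return (service_plugin_ok, ml2_extension_ok): whether 'log' appears in
    [DEFAULT] service_plugins and in [ml2] extensions respectively, the two
    settings the upstream logging docs require."""
    neutron = configparser.ConfigParser(interpolation=None)
    neutron.read_string(neutron_conf_text)
    ml2 = configparser.ConfigParser(interpolation=None)
    ml2.read_string(ml2_conf_text)
    plugins = _csv(neutron.get('DEFAULT', 'service_plugins', fallback=''))
    extensions = _csv(ml2.get('ml2', 'extensions', fallback=''))
    return ('log' in plugins, 'log' in extensions)


def apply_blacklist(requested, blacklist=('firewall', 'firewall_v2', 'log')):
    """Model (assumption, not the charm's code) of the svc_plugin_blacklist:
    any requested plugin whose name is on the list is silently dropped."""
    return [p for p in _csv(requested) if p not in blacklist]


if __name__ == '__main__':
    print('rendered files wired for SG logging:', sg_logging_wired(NEUTRON_CONF, ML2_CONF))
    print('plugins after blacklist:', apply_blacklist(REQUESTED))
    print('plugins once log is unblacklisted:',
          apply_blacklist(REQUESTED, blacklist=('firewall', 'firewall_v2')))
```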
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-neutron-api-plugin-ovn (master)
Changed in charm-neutron-api-plugin-ovn:
status: Triaged → In Progress
Changed in charm-neutron-api-plugin-ovn:
assignee: nobody → Russell Myers (russellmyers)