2020-05-28 16:59:04 |
Rodolfo Alonso |
bug |
|
|
added bug |
2020-05-28 16:59:10 |
Rodolfo Alonso |
neutron: assignee |
|
Rodolfo Alonso (rodolfo-alonso-hernandez) |
|
2020-06-01 09:33:59 |
Rodolfo Alonso |
neutron: importance |
Undecided |
Medium |
|
2020-08-07 02:58:57 |
OpenStack Infra |
tags |
|
in-stable-ussuri |
|
2020-08-07 02:59:03 |
OpenStack Infra |
tags |
in-stable-ussuri |
in-stable-train in-stable-ussuri |
|
2020-08-26 10:31:25 |
OpenStack Infra |
tags |
in-stable-train in-stable-ussuri |
in-stable-stein in-stable-train in-stable-ussuri |
|
2020-08-26 10:31:31 |
OpenStack Infra |
tags |
in-stable-stein in-stable-train in-stable-ussuri |
in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
|
2020-08-26 10:31:38 |
OpenStack Infra |
tags |
in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
|
2020-09-17 19:47:23 |
Edward Hope-Morley |
bug task added |
|
cloud-archive |
|
2020-09-18 08:05:30 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
2020-09-21 13:14:30 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/ussuri |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
bug task added |
|
cloud-archive/ussuri |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/train |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
bug task added |
|
cloud-archive/train |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/victoria |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
bug task added |
|
cloud-archive/victoria |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/queens |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
bug task added |
|
cloud-archive/queens |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
nominated for series |
|
cloud-archive/stein |
|
2020-09-21 13:14:30 |
Edward Hope-Morley |
bug task added |
|
cloud-archive/stein |
|
2020-09-21 13:14:42 |
Edward Hope-Morley |
cloud-archive/ussuri: status |
New |
Fix Released |
|
2020-09-21 13:14:45 |
Edward Hope-Morley |
cloud-archive/victoria: status |
New |
Fix Released |
|
2020-09-22 07:35:53 |
Dr. Jens Harbott |
bug |
|
|
added subscriber Dr. Jens Harbott |
2020-09-22 11:18:13 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~chris.macnaughton/ubuntu/+source/neutron/+git/neutron/+merge/391122 |
|
2020-09-22 11:22:53 |
Edward Hope-Morley |
bug task added |
|
neutron (Ubuntu) |
|
2020-09-22 11:23:05 |
Edward Hope-Morley |
nominated for series |
|
Ubuntu Focal |
|
2020-09-22 11:23:05 |
Edward Hope-Morley |
bug task added |
|
neutron (Ubuntu Focal) |
|
2020-09-22 11:23:05 |
Edward Hope-Morley |
nominated for series |
|
Ubuntu Groovy |
|
2020-09-22 11:23:05 |
Edward Hope-Morley |
bug task added |
|
neutron (Ubuntu Groovy) |
|
2020-09-22 11:23:05 |
Edward Hope-Morley |
nominated for series |
|
Ubuntu Bionic |
|
2020-09-22 11:23:05 |
Edward Hope-Morley |
bug task added |
|
neutron (Ubuntu Bionic) |
|
2020-09-22 11:23:29 |
Edward Hope-Morley |
neutron (Ubuntu Groovy): status |
New |
Fix Committed |
|
2020-09-22 11:23:43 |
Edward Hope-Morley |
cloud-archive/victoria: status |
Fix Released |
Fix Committed |
|
2020-09-22 11:23:59 |
Edward Hope-Morley |
neutron (Ubuntu Focal): status |
New |
Fix Released |
|
2020-09-22 11:38:23 |
Edward Hope-Morley |
description |
When any port in the OVS agent is using a SG, it is marked to be deleted. This deletion process is done in [1].
The SG deletion process consists of removing any reference of this SG from the firewall and the SG port map. The firewall removes this SG in [2].
The information of a SG is stored in:
- ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the conjunction IDs (conj_ids) in a dictionary using the following keys:
ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype, conj_ids)] = conj_id_XXX
- ConjIPFlowManager.conj_ids is a nested dictionary, built in the following way:
self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = set([conj_id_1, conj_id_2, ...])
When a SG is removed, this reference should be deleted both from "conj_id_map" and "conj_ids". From "conj_id_map" it is correctly removed in [3], but from "conj_ids" it is not being deleted properly. Instead of the current logic, what we should do is walk through the nested dictionary and remove any entry with "remote_sg_id" == "sg_id" (<-- SG ID to be removed).
The current implementation leaves some "remote_sg_id" in the nested dictionary "conj_ids". That could cause:
- A memory leak in the OVS agent, storing in memory those unneeded remote SGs.
- An increase in the complexity of the OVS rules, adding those unused SGs (actually the conj_ids related to those SGs).
- A security breach between SGs if the conj_ids left in an unused SG are deleted and reused again (the FW stores the unused conj_ids to be recycled in later rules).
[1] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L731
[2] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L399
[3] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L296 |
[Impact]
neutron does not remove all trace of remote SG conj ids when deleting a security group.
[Test Case]
* deploy openstack (no particular feature needed)
* create two networks N1, N2 with security groups SG1, SG2 respectively
* SG2 must have a custom ingress tcp rule from remote SG1
* create a vm on each network, make a note of their fixed_ip then delete those vms
* on compute host running VM2 do the following:
* sudo ovs-ofctl dump-flows br-int table=82 | grep <vm1-ip>
* sudo ovs-ofctl dump-flows br-int table=82 | egrep "conjunction([0-9]+,2/2)"
* the above should not return anything
[Regression Potential]
Since the flows being deleted belong to deleted ports, their deletion is not expected to have a noticeable impact, but as this bug describes, their existence could be having an unexpected impact on ports that have a security group that happens to share the same conjunction id.
-------------------------------------------------------------------------
When any port in the OVS agent is using a SG, it is marked to be deleted. This deletion process is done in [1].
The SG deletion process consists of removing any reference of this SG from the firewall and the SG port map. The firewall removes this SG in [2].
The information of a SG is stored in:
- ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the conjunction IDs (conj_ids) in a dictionary using the following keys:
ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype, conj_ids)] = conj_id_XXX
- ConjIPFlowManager.conj_ids is a nested dictionary, built in the following way:
self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = set([conj_id_1, conj_id_2, ...])
When a SG is removed, this reference should be deleted both from "conj_id_map" and "conj_ids". From "conj_id_map" it is correctly removed in [3], but from "conj_ids" it is not being deleted properly. Instead of the current logic, what we should do is walk through the nested dictionary and remove any entry with "remote_sg_id" == "sg_id" (<-- SG ID to be removed).
The current implementation leaves some "remote_sg_id" in the nested dictionary "conj_ids". That could cause:
- A memory leak in the OVS agent, storing in memory those unneeded remote SGs.
- An increase in the complexity of the OVS rules, adding those unused SGs (actually the conj_ids related to those SGs).
- A security breach between SGs if the conj_ids left in an unused SG are deleted and reused again (the FW stores the unused conj_ids to be recycled in later rules).
[1] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L731
[2] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L399
[3] https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L296 |
|
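The description above explains the two bookkeeping structures (a flat conj id map and the nested conj_ids dictionary), the cleanup that only touches the first, and why a conj id left behind in the second can later be recycled to a different SG. The following Python model is an added example, not neutron's ConjIPFlowManager or ConjIdMap code: it keeps the shapes the description gives, but the class and method names, the id allocator (ids minted from a constructed starting value and recycled lowest-first) and the scenario data are assumptions made for the illustration. The id map is keyed by the four identifying fields (sg_id, remote_sg_id, direction, ethertype) only.

```python
"""Constructed model of the bookkeeping named in the bug description.

Added illustration, not neutron's code. It contrasts a cleanup that only
cleans the conj id map with one that also walks
conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] and drops every
entry whose remote_sg_id is the SG being removed.
"""
from collections import defaultdict
import itertools


class ConjIdAllocator:
    """Hypothetical stand-in for ConjIdMap: hands out conj ids and recycles them."""

    def __init__(self, first_id=8):  # constructed starting value
        self.id_map = {}
        self.free_ids = []  # released ids are reused before fresh ones are minted
        self._fresh = itertools.count(first_id)

    def get_conj_id(self, sg_id, remote_sg_id, direction, ethertype):
        key = (sg_id, remote_sg_id, direction, ethertype)
        if key not in self.id_map:
            self.id_map[key] = self.free_ids.pop() if self.free_ids else next(self._fresh)
        return self.id_map[key]

    def delete_sg(self, sg_id):
        """Drop every mapping that mentions sg_id and queue its ids for reuse."""
        released = {self.id_map.pop(k) for k in list(self.id_map) if sg_id in k[:2]}
        self.free_ids.extend(sorted(released))
        return released


class ConjFlowModel:
    def __init__(self):
        self.conj_id_map = ConjIdAllocator()
        # conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] -> {conj_id, ...}
        self.conj_ids = defaultdict(lambda: defaultdict(dict))

    def add_flows(self, vlan_tag, sg_id, remote_sg_id, direction, ethertype):
        conj_id = self.conj_id_map.get_conj_id(sg_id, remote_sg_id, direction, ethertype)
        by_remote = self.conj_ids[vlan_tag][(direction, ethertype)]
        by_remote.setdefault(remote_sg_id, set()).add(conj_id)
        return conj_id

    def sg_removed_incomplete(self, sg_id):
        """Models the failure mode described: conj_id_map is cleaned, conj_ids is not."""
        self.conj_id_map.delete_sg(sg_id)

    def sg_removed_fixed(self, sg_id):
        """The remedy the description asks for: also walk the nested dictionary
        and remove every entry whose remote_sg_id is the SG being removed."""
        self.conj_id_map.delete_sg(sg_id)
        for per_key in self.conj_ids.values():
            for by_remote in per_key.values():
                by_remote.pop(sg_id, None)

    def stale_remote_entries(self, sg_id):
        """(vlan_tag, (direction, ethertype)) slots that still name sg_id as remote."""
        return [(vlan, key) for vlan, per_key in self.conj_ids.items()
                for key, by_remote in per_key.items() if sg_id in by_remote]


def run_scenario(fixed):
    """Constructed scenario: on VLAN 10, SG2 admits ingress from remote SG1,
    SG1 is deleted, then SG2 gets a new ingress rule from remote SG3.
    Returns (stale slots after deletion, conj id handed to SG3, collisions);
    a collision is a leftover entry for another remote SG that still carries
    the conj id now owned by SG3, i.e. two SGs sharing one conjunction id."""
    model = ConjFlowModel()
    model.add_flows(10, "sg2", "sg1", "ingress", "IPv4")
    model.add_flows(10, "sg2", "sg1", "ingress", "IPv6")
    (model.sg_removed_fixed if fixed else model.sg_removed_incomplete)("sg1")
    stale = model.stale_remote_entries("sg1")
    new_id = model.add_flows(10, "sg2", "sg3", "ingress", "IPv4")
    collisions = [(vlan, key, remote)
                  for vlan, per_key in model.conj_ids.items()
                  for key, by_remote in per_key.items()
                  for remote, ids in by_remote.items()
                  if remote != "sg3" and new_id in ids]
    return stale, new_id, collisions


if __name__ == "__main__":
    for fixed in (False, True):
        stale, new_id, collisions = run_scenario(fixed)
        print("fixed" if fixed else "incomplete", "cleanup: stale", stale,
              "| new conj id", new_id, "| collisions", collisions)
```

With the incomplete cleanup, both (direction, ethertype) slots still reference SG1 after it is deleted, and the recycled conj id handed to SG3 is the same one a leftover SG1 entry still holds, which is the cross-SG sharing the description warns about; with the nested-dictionary walk, no stale slot survives and no collision occurs.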
2020-09-23 08:14:42 |
Edward Hope-Morley |
tags |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri sts-sru-needed |
|
2020-10-24 15:08:20 |
Edward Hope-Morley |
cloud-archive/train: status |
New |
Fix Released |
|
2020-10-24 15:16:51 |
Edward Hope-Morley |
attachment added |
|
lp1881157-stein.debdiff https://bugs.launchpad.net/neutron/+bug/1881157/+attachment/5426509/+files/lp1881157-stein.debdiff |
|
2020-10-24 16:41:12 |
Ubuntu Foundations Team Bug Bot |
tags |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri sts-sru-needed |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed |
|
2020-10-24 16:41:23 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2020-11-15 01:44:11 |
Mathew Hodson |
neutron (Ubuntu): importance |
Undecided |
Medium |
|
2020-11-15 01:44:25 |
Mathew Hodson |
neutron (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2020-11-15 01:44:38 |
Mathew Hodson |
neutron (Ubuntu Focal): importance |
Undecided |
Medium |
|
2020-11-15 01:44:50 |
Mathew Hodson |
neutron (Ubuntu Groovy): importance |
Undecided |
Medium |
|
2020-11-24 15:25:30 |
Corey Bryant |
cloud-archive/stein: status |
New |
Fix Committed |
|
2020-11-24 15:34:29 |
Corey Bryant |
cloud-archive/queens: importance |
Undecided |
High |
|
2020-11-24 15:34:29 |
Corey Bryant |
cloud-archive/queens: status |
New |
Triaged |
|
2020-11-24 15:34:50 |
Corey Bryant |
neutron (Ubuntu Bionic): importance |
Medium |
High |
|
2020-11-24 15:34:50 |
Corey Bryant |
neutron (Ubuntu Bionic): status |
New |
Triaged |
|
2020-11-30 15:29:08 |
Chris MacNaughton |
cloud-archive/stein: status |
Fix Committed |
Fix Released |
|
2020-11-30 15:46:26 |
mohd fadhil bin yazid |
bug |
|
|
added subscriber mohd fadhil bin yazid |
2020-11-30 21:32:19 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-12-01 19:47:05 |
Brian Murray |
neutron (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2020-12-01 19:47:13 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-12-01 19:47:19 |
Brian Murray |
tags |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed verification-needed verification-needed-bionic |
|
2020-12-01 19:51:48 |
Corey Bryant |
cloud-archive/victoria: status |
Fix Committed |
Fix Released |
|
2020-12-01 19:52:14 |
Corey Bryant |
neutron (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
2020-12-01 20:01:13 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2020-12-03 13:23:36 |
Corey Bryant |
cloud-archive/queens: status |
Triaged |
Fix Committed |
|
2020-12-03 13:23:39 |
Corey Bryant |
tags |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed verification-needed verification-needed-bionic |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed verification-needed verification-needed-bionic verification-queens-needed |
|
2020-12-23 08:20:36 |
Mathew Hodson |
neutron: status |
New |
Fix Released |
|
2021-01-06 16:53:51 |
Corey Bryant |
neutron (Ubuntu): status |
Fix Committed |
Fix Released |
|
2021-02-01 17:12:28 |
Edward Hope-Morley |
tags |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed verification-needed verification-needed-bionic verification-queens-needed |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed verification-done-bionic verification-needed verification-queens-needed |
|
2021-02-02 13:03:39 |
Edward Hope-Morley |
tags |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed verification-done-bionic verification-needed verification-queens-needed |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri patch sts-sru-needed verification-done verification-done-bionic verification-queens-done |
|
2021-02-02 22:03:16 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-02-02 22:13:19 |
Launchpad Janitor |
neutron (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2021-02-03 20:42:22 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|