security rule not created

Bug #1792165 reported by Slobodan Blatnjak
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | New | Undecided | Édouard Thuleau |
R3.2 | New | High | Édouard Thuleau |

Bug Description

Contrail 3.2.1

Attached is the script used to create a sec group with 8 rules (the same with Terraform). As a result, some rules are not created.

In the contrail-api logs we can see url = http://127.0.0.1:9100/security-group/uuid operation = put where the body has only 7 rules.

This one is not created (neutron reports it as created while running the script).
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | None |
| description | None |
| direction | ingress |
| ether_type | IPv4 |
| id | a48cef55-3781-4c71-aa7d-b7752cae137f |
| name | None |
| port_range_max | 4789 |
| port_range_min | 4789 |
| project_id | 5f5c3541f7a34f7d9ba34320216adc47 |
| protocol | udp |
| remote_group_id | None |
| remote_ip_prefix | 10.0.0.0/8 |
| revision_number | None |
| security_group_id | 28799181-a985-4f01-965b-62aa1636bd6d |
| updated_at | None |
+-------------------+--------------------------------------+

openstack security group rule show a48cef55-3781-4c71-aa7d-b7752cae137f
Error while executing command: No SecurityGroupRule found for a48cef55-3781-4c71-aa7d-b7752cae137f

Created one:
openstack security group rule show 5af5640b-dfd5-4273-bf7e-e840e2981f8d
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | None |
| description | None |
| direction | ingress |
| ether_type | IPv4 |
| id | 5af5640b-dfd5-4273-bf7e-e840e2981f8d |
| name | None |
| port_range_max | 10250 |
| port_range_min | 10250 |
| project_id | 5f5c3541f7a34f7d9ba34320216adc47 |
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix | 10.0.0.0/8 |
| revision_number | None |
| security_group_id | 28799181-a985-4f01-965b-62aa1636bd6d |
| updated_at | None |
+-------------------+--------------------------------------+

Contrail API:
INFO:contrail-api:__default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = 28799181-a985-4f01-965b-62aa1636bd6d object_type = security_group identifier_name
 = default-domain:dev-bavanveen:test_k8s url = http://127.0.0.1:9100/security-group/28799181-a985-4f01-965b-62aa1636bd6d operation = put useragent = contrail-config-blue-1
.ams1.cloud.ecg.so:/usr/bin/contrail-api remote_ip = 127.0.0.1:9100 body = {"security-group": {"security_group_entries": {"policy_rule": [{"direction": ">", "protocol": "an
y", "dst_addresses": [{"security_group": null, "subnet": {"ip_prefix": "0.0.0.0", "ip_prefix_len": 0}, "network_policy": null, "subnet_list": [], "virtual_network": null}], "
action_list": null, "rule_uuid": "ad6f77d7-c437-486f-a5ba-bb521608d734", "dst_ports": [{"end_port": 65535, "start_port": 0}], "application": [], "ethertype": "IPv4", "src_add
resses": [{"security_group": "local", "subnet": null, "network_policy": null, "subnet_list": [], "virtual_network": null}], "rule_sequence": null, "src_ports": [{"end_port":
65535, "start_port": 0}]}, {"direction": ">", "protocol": "any", "dst_addresses": [{"security_group": null, "subnet": {"ip_prefix": "::", "ip_prefix_len": 0}, "network_policy
": null, "subnet_list": [], "virtual_network": null}], "action_list": null, "rule_uuid": "c6ba8094-ddde-4df4-aed7-db3677c0a8b7", "dst_ports": [{"end_port": 65535, "start_port
": 0}], "application": [], "ethertype": "IPv6", "src_addresses": [{"security_group": "local", "subnet": null, "network_policy": null, "subnet_list": [], "virtual_network": nu
ll}], "rule_sequence": null, "src_ports": [{"end_port": 65535, "start_port": 0}]}, {"direction": ">", "protocol": "tcp", "dst_addresses": [{"security_group": "local", "subnet
": null, "network_policy": null, "subnet_list": [], "virtual_network": null}], "action_list": null, "rule_uuid": "5af5640b-dfd5-4273-bf7e-e840e2981f8d", "dst_ports": [{"end_p
ort": 10250, "start_port": 10250}], "application": [], "ethertype": "IPv4", "src_addresses": [{"security_group": null, "subnet": {"ip_prefix": "10.0.0.0", "ip_prefix_len": 8}
, "network_policy": null, "subnet_list": [], "virtual_network": null}], "rule_sequence": null, "src_ports": [{"end_port": 65535, "start_port": 0}]}, {"direction": ">", "proto
col": "tcp", "dst_addresses": [{"security_group": "local", "subnet": null, "network_policy": null, "subnet_list": [], "virtual_network": null}], "action_list": null, "rule_uu
id": "955b7ae9-c081-46c2-b6ed-0aade6566cea", "dst_ports": [{"end_port": 4194, "start_port": 4194}], "application": [], "ethertype": "IPv4", "src_addresses": [{"security_group
": null, "subnet": {"ip_prefix": "10.0.0.0", "ip_prefix_len": 8}, "network_policy": null, "subnet_list": [], "virtual_network": null}], "rule_sequence": null, "src_ports": [{
"end_port": 65535, "start_port": 0}]}, {"direction": ">", "protocol": "tcp", "dst_addresses": [{"security_group": "local", "subnet": null, "network_policy": null, "subnet_lis
t": [], "virtual_network": null}], "action_list": null, "rule_uuid": "233c511b-4bfe-495c-8146-e6e0f2418c57", "dst_ports": [{"end_port": 32767, "start_port": 30000}], "applica
tion": [], "ethertype": "IPv4", "src_addresses": [{"security_group": null, "subnet": {"ip_prefix": "0.0.0.0", "ip_prefix_len": 0}, "network_policy": null, "subnet_list": [],
"virtual_network": null}], "rule_sequence": null, "src_ports": [{"end_port": 65535, "start_port": 0}]}, {"direction": ">", "protocol": "tcp", "dst_addresses": [{"security_gro
up": "local", "subnet": null, "network_policy": null, "subnet_list": [], "virtual_network": null}], "action_list": null, "rule_uuid": "b7dfe946-5d6a-4c36-8d11-68bc98f22e45",
"dst_ports": [{"end_port": 443, "start_port": 443}], "application": [], "ethertype": "IPv4", "src_addresses": [{"security_group": null, "subnet": {"ip_prefix": "0.0.0.0", "ip
_prefix_len": 0}, "network_policy": null, "subnet_list": [], "virtual_network": null}], "rule_sequence": null, "src_ports": [{"end_port": 65535, "start_port": 0}]}]}, "uuid":
 "28799181-a985-4f01-965b-62aa1636bd6d"}} domain = default-domain project = services user = neutron >>
127.0.0.1 - - [2018-09-11 10:51:24] "POST /fqname-to-id HTTP/1.1" 200 156 0.026310
127.0.0.1 - - [2018-09-11 10:51:24] "PUT /security-group/28799181-a985-4f01-965b-62aa1636bd6d HTTP/1.1" 200 262 0.127337
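
A reconciliation check for the mismatch described above, as an added example (not part of the original report and not Contrail's own code): it compares the rule IDs neutron returned with the `rule_uuid` entries in the last contrail-api PUT body for the group. The function names and the abridged sample log are constructed for illustration; the UUIDs are the ones quoted in the report.

```python
import json
import re

# Abridged, constructed sample in the shape of the contrail-api VncApiConfigLog
# record above (hard-wrapped mid-token, as in the report). UUIDs are from the report.
SAMPLE_LOG = (
    'INFO:contrail-api:__default__ [SYS_INFO]: VncApiConfigLog: api_log = << '
    'object_type = security_group url = http://127.0.0.1:9100/security-group/'
    '28799181-a985-4f01-965b-62aa1636bd6d operation = put body = {"security-gr\n'
    'oup": {"security_group_entries": {"policy_rule": [{"protocol": "tcp", "rule_uu\n'
    'id": "5af5640b-dfd5-4273-bf7e-e840e2981f8d"}, {"protocol": "tcp", "rule_uuid":\n'
    ' "955b7ae9-c081-46c2-b6ed-0aade6566cea"}]}, "uuid": "28799181-a985-4f01-965b-'
    '62aa1636bd6d"}} domain = default-domain project = services user = neutron >>\n'
)

def put_bodies(log_text):
    """Yield (sg_uuid, rule_uuid set) for each security-group PUT body, in log order."""
    flat = log_text.replace("\n", "")  # undo terminal hard-wrapping
    decoder = json.JSONDecoder()
    for m in re.finditer(r"operation = put\b.*?body = ", flat):
        try:
            body, _ = decoder.raw_decode(flat, m.end())
        except ValueError:
            continue  # truncated record: skip it rather than guess its content
        sg = body.get("security-group", {})
        entries = sg.get("security_group_entries") or {}
        rules = entries.get("policy_rule") or []
        yield sg.get("uuid"), {r.get("rule_uuid") for r in rules}

def missing_rules(log_text, sg_uuid, reported_ids):
    """Rule IDs neutron reported as created that are absent from the last PUT for sg_uuid."""
    last = None
    for uuid, rule_ids in put_bodies(log_text):
        if uuid == sg_uuid:
            last = rule_ids  # later PUTs overwrite earlier ones
    if last is None:
        raise LookupError("no PUT body found for security group " + sg_uuid)
    return sorted(set(reported_ids) - last)
```

Feed `missing_rules` the IDs returned by the rule-creation calls; any ID it returns is a rule the client believes is enforced but the stored security group does not contain.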

Slobodan Blatnjak (sblatnjak) wrote :
tags: added: 2018-0820-0325 config ebay jtac plugin
Slobodan Blatnjak (sblatnjak) wrote :

neutron logs:
[root@contrail-neutron-blue-1 openstack-log]# tail -f all.log | egrep '(POST|PUT)'
2018-09-11 12:00:29,568.568 8276 INFO neutron.wsgi [req-6a12aa02-ce44-4ebc-8350-eb75db716bb1 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:29] "POST /v2.0/security-groups HTTP/1.1" 201 478 0.677880
2018-09-11 12:00:29,684.684 8285 INFO neutron.wsgi [req-572a03c0-60fe-42b6-a63c-c746c27c4a9d 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:29] "POST /v2.0/security-groups HTTP/1.1" 201 481 0.682767
[root@contrail-neutron-blue-2 openstack-log]# tail -f all.log | egrep '(POST|PUT)'
2018-09-11 12:00:29,269.269 8207 INFO neutron.wsgi [req-7412d4b8-d7ad-47d8-bf74-a69bf3bd9a47 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:29] "POST /v2.0/security-groups HTTP/1.1" 201 481 0.539458
2018-09-11 12:00:34,804.804 8228 INFO neutron.wsgi [req-3930056b-d263-4341-a048-9aa74f882fb0 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:34] "POST /v2.0/security-group-rules HTTP/1.1" 201 571 0.245163
2018-09-11 12:00:34,858.858 8283 INFO neutron.wsgi [req-3a6bca4a-ce8f-4034-8e0b-7e0e614b032c 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:34] "POST /v2.0/security-group-rules HTTP/1.1" 201 573 0.218633
2018-09-11 12:00:35,017.017 8283 INFO neutron.wsgi [req-85171bb6-451f-4ccd-a22f-3a68c7d79c98 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:35] "POST /v2.0/security-group-rules HTTP/1.1" 201 571 0.196367
2018-09-11 12:00:35,021.021 8276 INFO neutron.wsgi [req-f9dbf7e5-6958-48f8-b70b-963928ca9e08 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:35] "POST /v2.0/security-group-rules HTTP/1.1" 201 566 0.765857
2018-09-11 12:00:35,200.200 8207 INFO neutron.wsgi [req-a6f703f5-bb92-4eed-a7fc-639c51a0678a 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:35] "POST /v2.0/security-group-rules HTTP/1.1" 201 567 0.180870
2018-09-11 12:00:35,381.381 8228 INFO neutron.wsgi [req-3360333e-2851-458d-9bdc-be00b726a64d 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:35] "POST /v2.0/security-group-rules HTTP/1.1" 201 572 0.311877
[root@contrail-neutron-blue-3 openstack-log]# tail -f all.log | egrep '(POST|PUT)'
2018-09-11 12:00:29,428.428 7897 INFO neutron.wsgi [req-1ffab470-350d-4bfa-906c-53078050554a 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:29] "POST /v2.0/security-groups HTTP/1.1" 201 496 0.368888
2018-09-11 12:00:34,658.658 7968 INFO neutron.wsgi [req-ede38d68-7c40-488b-a7db-499e16413da0 4d19fd7211324da39b6084ddd3443cc4 5f5c3541f7a34f7d9ba34320216adc47 - - -] 172.16.4.100 - - [11/Sep/2018 12:00:34] "POST /v2.0/security-group-rules HTTP/1.1" 201 568 0.257318
2018-09-11 12:00:34,840.840 789...


Slobodan Blatnjak (sblatnjak) wrote :

One small note on the last logs:
We do see 11 "POST /v2.0/security-group-rules HTTP 201", which is expected, but when checking the actual ingress rules added to the security groups we only see 8 actually being added in our case.

Himanshu (bhimanshu)
Changed in juniperopenstack:
assignee: nobody → Édouard Thuleau (ethuleau)
information type: Proprietary → Public