openvswitch firewall still broken after unclean backport

Bug #1869832 reported by Joseph M
This bug affects 1 person
Affects        Status        Importance  Assigned to        Milestone
kolla-ansible  Fix Released  High        Radosław Piliszek
Rocky          Fix Released  High        Radosław Piliszek
Stein          Fix Released  High        Radosław Piliszek
Train          Fix Released  High        Radosław Piliszek
Ussuri         Fix Released  High        Radosław Piliszek

Bug Description

https://bugs.launchpad.net/kolla-ansible/+bug/1867506 was filed to fix openvswitch firewalls that were broken by https://bugs.launchpad.net/kolla-ansible/+bug/1861792

Unfortunately, it was not a complete fix.

https://review.opendev.org/#/c/709115/ originally broke the firewall

https://review.opendev.org/#/c/713129/ fixed it for neutron_openvswitch_agent in master but not neutron_openvswitch_agent_xenapi

https://review.opendev.org/#/c/713378/1/ansible/roles/neutron/defaults/main.yml fixed it for neutron_openvswitch_agent in train but not neutron_openvswitch_agent_xenapi

https://review.opendev.org/#/c/713488/ fixed it for neutron_openvswitch_agent_xenapi in stein but not neutron_openvswitch_agent

https://review.opendev.org/#/c/713490/ fixed it for neutron_openvswitch_agent_xenapi in stein but not neutron_openvswitch_agent

tl;dr: it's fixed for openvswitch in train/master, broken in stein/rocky. It's fixed for openvswitch_xenapi in stein/rocky but not train/master.

Potentially a security issue, since if the openvswitch firewall can't add rules it passes all traffic.

Joseph M (noxoid)
summary: - openvswitch firewall still broken
+ openvswitch firewall still broken after unclean backport
description: updated
Changed in kolla-ansible:
importance: Undecided → High
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/716174

Changed in kolla-ansible:
assignee: nobody → Radosław Piliszek (yoctozepto)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/716175

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/716178

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/716179

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/716174
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=c033ddca082618062bdd3abe4b4e7ed111063cbd
Submitter: Zuul
Branch: master

commit c033ddca082618062bdd3abe4b4e7ed111063cbd
Author: Radosław Piliszek <email address hidden>
Date: Tue Mar 31 09:01:02 2020 +0200

    Fix ovs fw driver for the other ovs agent

    In [1] only neutron-openvswitch-agent was fixed and not xenapi.
    That merged in Ussuri and went cleanly into Train.
    In Stein and Rocky, the backport was not clean and
    accidentally fixed xenapi instead of the regular one.

    Neither the original bug nor its incomplete fix were released,
    except for Rocky. :-(
    Hence this patch also removes the confusing reno instead of
    adding a new one.

    [1] https://review.opendev.org/713129

    Change-Id: I331417c8d61ba6f180bcafa943be697418326645
    Closes-bug: #1869832
    Related-bug: #1867506

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/stein)

Reviewed: https://review.opendev.org/716178
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=5da311c69d0e877f16d4fae1b2a5e2897f729ada
Submitter: Zuul
Branch: stable/stein

commit 5da311c69d0e877f16d4fae1b2a5e2897f729ada
Author: Radosław Piliszek <email address hidden>
Date: Tue Mar 31 09:01:02 2020 +0200

    Fix ovs fw driver for the other ovs agent

    In [1] only neutron-openvswitch-agent was fixed and not xenapi.
    That merged in Ussuri and went cleanly into Train.
    In Stein and Rocky, the backport was not clean and
    accidentally fixed xenapi instead of the regular one.

    Neither the original bug nor its incomplete fix were released,
    except for Rocky. :-(
    Hence this patch also removes the confusing reno instead of
    adding a new one.

    [1] https://review.opendev.org/713129

    Change-Id: I331417c8d61ba6f180bcafa943be697418326645
    Closes-bug: #1869832
    Related-bug: #1867506
    (cherry picked from commit c033ddca082618062bdd3abe4b4e7ed111063cbd)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/716175
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=1927ba28eee49dbe564c9f5d900a25ec97eaa875
Submitter: Zuul
Branch: stable/train

commit 1927ba28eee49dbe564c9f5d900a25ec97eaa875
Author: Radosław Piliszek <email address hidden>
Date: Tue Mar 31 09:01:02 2020 +0200

    Fix ovs fw driver for the other ovs agent

    In [1] only neutron-openvswitch-agent was fixed and not xenapi.
    That merged in Ussuri and went cleanly into Train.
    In Stein and Rocky, the backport was not clean and
    accidentally fixed xenapi instead of the regular one.

    Neither the original bug nor its incomplete fix were released,
    except for Rocky. :-(
    Hence this patch also removes the confusing reno instead of
    adding a new one.

    [1] https://review.opendev.org/713129

    Change-Id: I331417c8d61ba6f180bcafa943be697418326645
    Closes-bug: #1869832
    Related-bug: #1867506
    (cherry picked from commit c033ddca082618062bdd3abe4b4e7ed111063cbd)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible rocky-eol

This issue was fixed in the openstack/kolla-ansible rocky-eol release.
