Intermittent issue seen -- Associating a vm from one security group (having tcp rule) to another security group (not having tcp rule) does not stop ssh from happening

Bug #1586354 reported by Krishna Kanth on 2016-05-27
This bug affects 1 person
Affects: networking-hyperv
Importance: Medium
Assigned to: Claudiu Belu

Bug Description

Steps to reproduce:

1. Create a custom security group with a tcp rule.
2. Boot a vm.
3. Create another security group or use the default security group (make sure no tcp rule exists).
4. Update the port of the above booted vm to the security group above which does not have a tcp rule.
5. ssh still happens to the vm from the network node.

Observation:

- Tcp rule on compute got flushed as expected.
- However, ssh still happens; suspecting an underlying Windows issue.

Expected result: ssh should not happen.

Note: This is seen intermittently and is fairly easy to reproduce by trying a few times.

Claudiu Belu (cbelu) on 2016-06-15
Changed in networking-hyperv:
status: New → Confirmed
importance: Undecided → Medium
Claudiu Belu (cbelu) wrote :
Changed in networking-hyperv:
assignee: nobody → Claudiu Belu (cbelu)

Reviewed: https://review.openstack.org/332715
Committed: https://git.openstack.org/cgit/openstack/networking-hyperv/commit/?id=9233449d97a9ccd2c6bd008b8c7d035174833d82
Submitter: Jenkins
Branch: master

commit 9233449d97a9ccd2c6bd008b8c7d035174833d82
Author: Claudiu Belu <email address hidden>
Date: Wed Jun 22 12:45:43 2016 +0300

    Properly updates the SG rules when SG is changed

    When a port's security group is changed, the neutron-hyperv-agent
    receives a port_update notification. Next, the agent will call the
    HyperVSecurityGroupsDriver's prepare_port_filter, in order to process
    the new security group.

    prepare_port_filter does not remove any old rules from the port.
    update_port_filter should be called instead, as it removes old rules.

    Removes 'security_group_id' and 'remote_group_id' from security
    group rules, as they make checking rule equality harder, and they
    are not used in applying the rules.

    Closes-Bug: #1586354

    Change-Id: I1c6f4bd08020ae8ae2dd6ac665a3ddb602b518c4

Changed in networking-hyperv:
status: Confirmed → Fix Released

Reviewed: https://review.openstack.org/338234
Committed: https://git.openstack.org/cgit/openstack/networking-hyperv/commit/?id=97fb3236c30cd96f05908579d38c692a1e9da56d
Submitter: Jenkins
Branch: stable/mitaka

commit 97fb3236c30cd96f05908579d38c692a1e9da56d
Author: Claudiu Belu <email address hidden>
Date: Wed Jun 22 12:45:43 2016 +0300

    Properly updates the SG rules when SG is changed

    When a port's security group is changed, the neutron-hyperv-agent
    receives a port_update notification. Next, the agent will call the
    HyperVSecurityGroupsDriver's prepare_port_filter, in order to process
    the new security group.

    prepare_port_filter does not remove any old rules from the port.
    update_port_filter should be called instead, as it removes old rules.

    Removes 'security_group_id' and 'remote_group_id' from security
    group rules, as they make checking rule equality harder, and they
    are not used in applying the rules.

    Closes-Bug: #1586354

    Change-Id: I1c6f4bd08020ae8ae2dd6ac665a3ddb602b518c4
    (cherry picked from commit 9233449d97a9ccd2c6bd008b8c7d035174833d82)

tags: added: in-stable-mitaka

This issue was fixed in the openstack/networking-hyperv 3.0.0.0rc1 release candidate.
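
The behaviour described in the commit message above, as an added example that is not part of the original report and is not networking-hyperv code: a toy model contrasting an additive `prepare_port_filter` with a diffing `update_port_filter`, and showing why dropping `security_group_id` and `remote_group_id` makes rule equality workable. The class, helper names, port id and sample rules are all hypothetical and constructed for illustration.

```python
# Added illustration: a toy model, not networking-hyperv code. All names are hypothetical.
IGNORED_KEYS = ("security_group_id", "remote_group_id")

def normalize(rule):
    """Drop bookkeeping keys so rules compare by what they permit."""
    return frozenset((k, v) for k, v in rule.items() if k not in IGNORED_KEYS)

class ToyPortFilter:
    """Tracks rules applied per port, standing in for the ACLs on the vSwitch port."""
    def __init__(self):
        self.applied = {}  # port id -> set of normalized rules

    def prepare_port_filter(self, port):
        # Additive only: rules from a previous security group survive.
        current = self.applied.setdefault(port["id"], set())
        current |= {normalize(r) for r in port["security_group_rules"]}

    def update_port_filter(self, port):
        # Diff old against new: stale rules are removed, missing ones added.
        old = self.applied.get(port["id"], set())
        new = {normalize(r) for r in port["security_group_rules"]}
        self.applied[port["id"]] = new
        return old - new, new - old  # (removed, added)

    def allows(self, port_id, protocol, dst_port):
        for r in map(dict, self.applied.get(port_id, ())):
            lo, hi = r["port_range_min"], r["port_range_max"]
            if r["protocol"] == protocol and (lo is None or lo <= dst_port <= hi):
                return True
        return False

def sample_rule(protocol, port, group):
    # Constructed sample rule in the general shape of a Neutron security group rule.
    return {"direction": "ingress", "protocol": protocol, "port_range_min": port,
            "port_range_max": port, "security_group_id": group, "remote_group_id": None}

def demo(method_name):
    """Boot with the SSH group, then move the port to a group with no TCP rule."""
    drv = ToyPortFilter()
    drv.prepare_port_filter({"id": "port-1", "security_group_rules": [
        sample_rule("tcp", 22, "sg-ssh"), sample_rule("icmp", None, "sg-ssh")]})
    diff = getattr(drv, method_name)({"id": "port-1", "security_group_rules": [
        sample_rule("icmp", None, "sg-default")]})
    return drv.allows("port-1", "tcp", 22), diff

if __name__ == "__main__":
    print(demo("prepare_port_filter"))  # SSH stays reachable, no diff computed
    print(demo("update_port_filter"))   # SSH blocked; only the TCP rule is removed
```

The ICMP rule appears in both groups with a different `security_group_id`, yet the diff reports nothing added, because the normalized rules compare equal.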
