Security Groups not removed if agent is down while the port's SGs are removed

Bug #1747666 reported by Claudiu Belu
This bug affects 2 people
Affects: networking-hyperv
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

If a port is bound with security groups, and the neutron-hyperv-agent is stopped while the port's security groups are removed / disabled, the port's security groups still remain after the neutron-hyperv-agent starts again.

Steps to reproduce:
1. Spawn instance with ports with security groups enabled.
2. Stop neutron-hyperv-agent
3. Remove / Disable security groups on the instance's ports
4. Start neutron-hyperv-agent
5. Check that the Security Group ACLs are still applied on the Hyper-V ports.

OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-hyperv (master)

Reviewed: https://review.openstack.org/541261
Committed: https://git.openstack.org/cgit/openstack/networking-hyperv/commit/?id=13a1d75fe79dc05c7822625b29fe07554855d70e
Submitter: Zuul
Branch: master

commit 13a1d75fe79dc05c7822625b29fe07554855d70e
Author: Claudiu Belu <email address hidden>
Date: Tue Feb 6 04:57:38 2018 -0800

    Removes SG rules on port with SG disabled

    The SecurityGroupsDriver relies on its cache when removing a port's
    ACL rules if the port's port_security_enabled field is False.

    If the port was updated while the agent was down, the cache will be
    empty, and thus skip removing the port's ACLs.

    This patch addresses this issue by removing all of the port's ACLs if
    the port's port_security_enabled is False.

    Change-Id: Ibda80fbd17310e13ceb7fe4e6db7f68e6403e87b
    Closes-Bug: #1747666

Changed in networking-hyperv:
status: New → Fix Released
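
The failure mode and the fix described in the commit message above, replayed against a toy model. This is an added example, not code from the bug report or from networking-hyperv; FakeHypervisor, CacheOnlyDriver, FixedDriver and the sample rules are hypothetical.

```python
# Added toy model, not networking-hyperv code; every name here is hypothetical.

class FakeHypervisor:
    """Stands in for the Hyper-V switch: ACLs persist across agent restarts."""
    def __init__(self):
        self.acls = {}  # port_id -> set of rule strings

    def remove_all_rules(self, port_id):
        self.acls.pop(port_id, None)


class CacheOnlyDriver:
    """Pre-fix behaviour as the commit message describes it."""
    def __init__(self, hv):
        self.hv = hv
        self.cache = {}  # in-memory only, so empty after an agent restart

    def apply(self, port):
        rules = set(port["rules"])
        self.hv.acls.setdefault(port["id"], set()).update(rules)
        self.cache[port["id"]] = rules

    def update(self, port):
        if port["port_security_enabled"]:
            return self.apply(port)
        cached = self.cache.pop(port["id"], None)
        if cached is None:
            return  # nothing cached: the port's ACLs are left in place
        self.hv.acls[port["id"]] -= cached


class FixedDriver(CacheOnlyDriver):
    """Post-fix behaviour: do not consult the cache when port security is off."""
    def update(self, port):
        if port["port_security_enabled"]:
            return self.apply(port)
        self.cache.pop(port["id"], None)
        self.hv.remove_all_rules(port["id"])


def stale_acls_after_restart(driver_cls):
    """Replay the bug's reproduction steps; return the ACLs left on the port."""
    hv = FakeHypervisor()
    port = {"id": "port-1", "port_security_enabled": True,
            "rules": ["allow tcp/22 in", "allow icmp in"]}  # constructed sample
    driver_cls(hv).apply(port)             # step 1: port bound with SGs
    port["port_security_enabled"] = False  # steps 2-3: changed while agent is down
    driver_cls(hv).update(port)            # step 4: restarted agent, empty cache
    return hv.acls.get("port-1", set())    # step 5: what is still enforced
```

Running `stale_acls_after_restart` with each driver class shows the difference: the cache-only driver leaves both sample rules on the port, while the fixed driver leaves none.
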
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-hyperv (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/588239

OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-hyperv (stable/queens)

Reviewed: https://review.openstack.org/588239
Committed: https://git.openstack.org/cgit/openstack/networking-hyperv/commit/?id=de0b45bca4883d55860dcabf6363ae6d4a830587
Submitter: Zuul
Branch: stable/queens

commit de0b45bca4883d55860dcabf6363ae6d4a830587
Author: Claudiu Belu <email address hidden>
Date: Tue Feb 6 04:57:38 2018 -0800

    Removes SG rules on port with SG disabled

    The SecurityGroupsDriver relies on its cache when removing a port's
    ACL rules if the port's port_security_enabled field is False.

    If the port was updated while the agent was down, the cache will be
    empty, and thus skip removing the port's ACLs.

    This patch addresses this issue by removing all of the port's ACLs if
    the port's port_security_enabled is False.

    Change-Id: Ibda80fbd17310e13ceb7fe4e6db7f68e6403e87b
    Closes-Bug: #1747666
    (cherry picked from commit 13a1d75fe79dc05c7822625b29fe07554855d70e)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-hyperv 7.0.0

This issue was fixed in the openstack/networking-hyperv 7.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-hyperv queens-eol

This issue was fixed in the openstack/networking-hyperv queens-eol release.
