Create sg rule or delete sg rule, iptables can't be reloaded

Bug #1452718 reported by shihanzhang
Affects   Status         Importance   Assigned to   Milestone
neutron   Fix Released   High         shihanzhang

Bug Description

When we create a new sg rule or delete an sg rule, iptables can't be reloaded on the compute node. This bug was introduced by patch: https://review.openstack.org/118274

Tags: sg-fw
Changed in neutron:
assignee: nobody → shihanzhang (shihanzhang)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/181272

Changed in neutron:
status: New → In Progress
Kevin Benton (kevinbenton) wrote : Re: Create sg rule or delete sg rule, iptables can't be reload

What do you mean iptables can't be reloaded?

There is a tempest test that modifies security group rules and verifies the resulting connectivity here: https://github.com/openstack/tempest/blob/master/tempest/scenario/test_security_groups_basic_ops.py#L463

Can you please explain why that passed if iptables is not being reloaded?

Changed in neutron:
status: In Progress → Incomplete
shihanzhang (shihanzhang) wrote :

Reproduce:
1. Create a VM in security group A.
2. Create a new sg rule for security group A.
3. The compute node that this VM resides on can't reload its iptables.

The reason is that when an sg rule changes, the l2 agent first puts the devices into 'self.devices_to_refilter'; in the ovs agent's next 'rpc_loop', it handles these devices in the 'setup_port_filters' function.
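
An added illustration of the flow this comment describes (not Neutron's code and not part of the original report): a small model in which a rule change only queues devices and the next loop pass must drain that queue. The class names, the `gate_on_port_changes` flag and the device name `tap-vm1` are hypothetical, and the gating condition is an assumed way for such a regression to arise, not the confirmed cause.

```python
# Simplified model of the deferred-refilter flow; not Neutron code.
# Names from the report: devices_to_refilter, rpc_loop, setup_port_filters.
# Everything else (classes, gate_on_port_changes, tap-vm1) is hypothetical.


class SecurityGroupAgentModel:
    def __init__(self):
        self.devices_to_refilter = set()  # filled when an sg rule changes
        self.reloaded = []                # devices whose filters were rebuilt

    def security_groups_rule_updated(self, devices):
        # A rule change only queues devices; iptables is untouched here.
        self.devices_to_refilter |= set(devices)

    def setup_port_filters(self, new_devices, updated_devices):
        # Drain the queue and rebuild filters for every affected device.
        queued, self.devices_to_refilter = self.devices_to_refilter, set()
        for dev in sorted(set(new_devices) | set(updated_devices) | queued):
            self.reloaded.append(dev)


class L2AgentModel:
    def __init__(self, gate_on_port_changes):
        self.sg_agent = SecurityGroupAgentModel()
        # Assumption: one way the regression can arise is a loop pass that
        # only does filter work when ports were added or updated.
        self.gate_on_port_changes = gate_on_port_changes

    def rpc_loop_iteration(self, added=(), updated=()):
        port_changes = bool(added or updated)
        refilter_pending = bool(self.sg_agent.devices_to_refilter)
        if self.gate_on_port_changes:
            needs_work = port_changes
        else:
            needs_work = port_changes or refilter_pending
        if needs_work:
            self.sg_agent.setup_port_filters(added, updated)
        return list(self.sg_agent.reloaded)


def rule_change_reloads(gate_on_port_changes):
    """Replay the report's steps; True if the rule change reaches the filters."""
    agent = L2AgentModel(gate_on_port_changes)
    agent.rpc_loop_iteration(added=["tap-vm1"])  # 1. VM created in group A
    agent.sg_agent.reloaded.clear()
    agent.sg_agent.security_groups_rule_updated(["tap-vm1"])  # 2. new sg rule
    return agent.rpc_loop_iteration() == ["tap-vm1"]  # 3. next loop pass
```

In the gated variant the device stays queued and its old filter rules remain in force, so a regression test for this class of bug should change rules without adding or updating any port.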

Changed in neutron:
status: Incomplete → In Progress
summary: - Create sg rule or delete sg rule, iptalbes can't be reload
+ Create sg rule or delete sg rule, iptalbes can't be reloaded
Changed in neutron:
importance: Undecided → Medium
tags: added: sg-fw
description: updated
Changed in neutron:
importance: Medium → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/181272
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=39af7fb15ef5abe9402d80da207c2c43ca905d23
Submitter: Jenkins
Branch: master

commit 39af7fb15ef5abe9402d80da207c2c43ca905d23
Author: shihanzhang <email address hidden>
Date: Fri May 8 08:51:19 2015 +0800

    setup port filters when sg rules change

    when security group rules change, the l2 agents which have the
    ports in this security group should reload iptables, this bug
    was introduced by patch#118274.

    Closes-bug: #1452718
    Change-Id: Idb1577128be5d8812024467f599166bc131d57ea

Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (neutron-pecan)

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

Thierry Carrez (ttx)
Changed in neutron:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-1 → 7.0.0