[RFE] (Operator-only) Logging API for security group rules

Bug #1468366 reported by Yushiro FURUKAWA on 2015-06-24
This bug affects 3 people

Affects: neutron
Importance: Wishlist
Assigned to: Nguyen Phuong An

Bug Description

Learning what happened on traffic flows is necessary for a cloud administrator to tackle network-related problems.

Problem Description
===================
- When an *operator* (including cloud administrators and developers) has a network-related issue (e.g. a network security issue), gathering all events related to security groups is necessary for the troubleshooting process.

- When a tenant or operator deploys security groups for a number of VMs, they want to make sure the security group rules work as expected and to assess what kinds of packets went through their security groups or were dropped.

Currently, we don't have a way to do that. In other words, logging is a missing feature of security groups.

Proposed Change
===============
- To improve the situation, we'd like to propose a logging API [1]_ to collect all events related to security group rules as they occur.

- Only *operators* will be allowed to call the logging API.

- Lay out the logging API model so that it can be extended to other resources such as firewalls.

[1] https://review.openstack.org/#/c/203509/

Changed in neutron:
assignee: nobody → Yushiro FURUKAWA (y-furukawa-2)
Changed in neutron:
assignee: Yushiro FURUKAWA (y-furukawa-2) → nobody
assignee: nobody → Yushiro FURUKAWA (y-furukawa-2)
yong sheng gong (gongysh) wrote :

At first sight, I thought it was about oslo-logging stuff.

yong sheng gong (gongysh) wrote :

+1

Cao Xuan Hoang (hoangcx) on 2015-06-25
summary: - RFE - logging API for Neutron
+ RFE - Packet logging API for Neutron

Hi yong sheng gong,

Thank you for your comment.

I'm sorry about my title.
I'd like to set logging configuration for a specified resource.

As far as I know, oslo-logging is used by neutron-server and some agents for logging.

Currently, my target is not neutron-server or some agents, but Neutron resource.
(Ex. Security-group, Security-group-rule, Firewall, Firewall-rule)

Kyle Mestery (mestery) wrote :

This one will require some broader discussion, if I'm not mistaken it has already generated some debates. I'd encourage the author to add this to the Neutron meeting agenda for next week.

Changed in neutron:
status: New → Confirmed
Yushiro FURUKAWA (y-furukawa-2) wrote :

Hi, Kyle

Thank you for your help. I will definitely attend next IRC meetings.

description: updated
description: updated
description: updated
Paul Michali (pcm) wrote :

Some ramblings...

The mw_logging should be more verbose, and maybe indicate the type of logging (packet_logging)?

I would think a spec would be appropriate for this RFE, given the scope and complexity.

@pc_m

Thank you for your comment :-)
Your comment is right. I think the resource name 'packet-logging' is better.

And I've posted the packet-logging spec at #7:
Would you please confirm it?

description: updated
description: updated
description: updated
Kyle Mestery (mestery) wrote :

Per the review on the patch itself, it's unclear if this belongs in Neutron or a separate repository ala L2GW. The reason being, exposing packet logging means that certain backends may not work with it, or may only support a subset of things.

Hi, Kyle. Thank you for the comment.

In the current implementation, the following features are implemented.
  - target for logging: firewall-rule, security-group-rule
  - output log: uses the 'logrotate' and 'rsyslog' features.
                It can be stored on a dedicated server.
                ex. (http://docs.openstack.org/openstack-ops/content/logging_monitoring.html)

Therefore I think this feature is for neutron and I'd like to implement it by Liberty-3.
If possible, could you please help me to review and accelerate the progress?

description: updated
Henry Gessau (gessau) on 2015-08-07
summary: - RFE - Packet logging API for Neutron
+ RFE - Logging API for security group and firewall rules

@Henry

Thank you for your help. I forgot to change the title.

Kyle Mestery (mestery) wrote :

This is likely a Mitaka thing at this point.

Changed in neutron:
importance: Undecided → High
Changed in neutron:
status: Confirmed → Triaged

My suggestion would be to split this RFE between security groups and firewall: i.e. let's handle the feature enhancement separately even though the two could share some foundation elements. This is too big to be chewed in a single cycle.

Also, please clarify the use case: do not reference existing specs and ML threads. Do not reference design changes or Neutron internals. Please describe in your own words, what you would expect to happen?

If this is about providing an API to expose for administrators to fetch a list of events that relate to what security groups actions have taken place in the system, then this may be sensible, but anything more than that, I feel it's out of the scope of the project, especially logging actual packets.

description: updated
Akihiro Motoki (amotoki) wrote :

(Copy of my comment in the spec review)

In addition to Armando's suggestion to split the effort into SG and FWaaS, I would like to suggest breaking down the goal of this work into two points: (a) to define an API to enable logging for a specific set of rules or similar, and (b) to define a logging format (if necessary). As far as I read through the proposal, (a) looks like the more important thing. Right?

At the beginning of the proposed spec, the demand that operators want to enable logging for specific sg rule(s), an sg or a project is discussed. However, the logging format is discussed in the latter half. To satisfy the demand from operators, there is no need to define a logging format. If they can request to enable logging for a specific set of rules or something, the demand will be satisfied.

description: updated
description: updated
summary: - RFE - Logging API for security group and firewall rules
+ RFE - Logging API for security group rules

@Armando, @German, @Carl, @Akihiro

Thank you for your comments. I understood the suggestion from Armando and Akihiro.
So, I'll focus on the logging API for security-group-rules. I've just updated bug description and spec. Would you please confirm it?

YAMAMOTO Takashi (yamamoto) wrote :

I'm (still) not sure if I understand the use case.
Debugging sg rules, or debugging the implementation (firewall driver etc.), or something else?

description: updated

@Yamamoto

Thank you for the comment. It is "debugging sg rules".

description: updated
Miguel Angel Ajo (mangelajo) wrote :

Shouldn't importance still be set to undecided?

Please, let's not mess with RFE bug report importances.

Changed in neutron:
importance: High → Undecided

Based on meeting [1], we reached consensus that this is a sensible feature to have; we should keep it small in scope to ensure we minimize the chance of failure.

[1] http://eavesdrop.openstack.org/meetings/neutron_drivers/2015/neutron_drivers.2015-11-10-15.05.log.html

tags: added: rfe-approved
removed: rfe
summary: - RFE - Logging API for security group rules
+ Logging API for security group rules
Changed in neutron:
importance: Undecided → Wishlist
summary: - Logging API for security group rules
+ (Admin-only) Logging API for security group rules
summary: - (Admin-only) Logging API for security group rules
+ (Operator-only) Logging API for security group rules
Changed in neutron:
milestone: none → mitaka-1
Changed in neutron:
milestone: mitaka-1 → mitaka-2

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/203509

Changed in neutron:
status: Triaged → Incomplete
assignee: Yushiro FURUKAWA (y-furukawa-2) → nobody
milestone: mitaka-2 → none

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired
Nguyen Phuong An (annp) on 2016-04-05
description: updated
tags: added: rfe
removed: rfe-approved
Changed in neutron:
status: Expired → New
Nguyen Phuong An (annp) on 2016-04-14
description: updated
Nguyen Phuong An (annp) on 2016-04-14
description: updated

Let's see if we can find a new 'sponsor' to this initiative.

Changed in neutron:
status: New → Triaged
summary: - (Operator-only) Logging API for security group rules
+ [RFE] (Operator-only) Logging API for security group rules

Fix proposed to branch: master
Review: https://review.openstack.org/308825

Changed in neutron:
assignee: nobody → Nguyen Phuong An (annp)
status: Triaged → In Progress
Cao Xuan Hoang (hoangcx) wrote :

@Armando Migliaccio:
I have just had a short conversation with Rossella about becoming a new "sponsor" of this initiative. She is willing and can be the approver for this.
Thank you very much.

tags: added: rfe-approved
removed: rfe

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/308825
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Related fix proposed to branch: master
Review: https://review.openstack.org/395504

Related fix proposed to branch: master
Review: https://review.openstack.org/396104

Related fix proposed to branch: master
Review: https://review.openstack.org/396116

Related fix proposed to branch: master
Review: https://review.openstack.org/396138

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/396138
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/396116
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Related fix proposed to branch: master
Review: https://review.openstack.org/415817

Related fix proposed to branch: master
Review: https://review.openstack.org/419481

Changed in neutron:
milestone: none → pike-1

Related fix proposed to branch: master
Review: https://review.openstack.org/445827

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/415803
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/418862
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/419481
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by boden (<email address hidden>) on branch: master
Review: https://review.openstack.org/415817
Reason: This patch has been stale for a few months now. Please post a new patch if you wish to continue this work.

Changed in neutron:
milestone: pike-1 → pike-2

Reviewed: https://review.openstack.org/203509
Committed: https://git.openstack.org/cgit/openstack/neutron-specs/commit/?id=c1f64e1b9f6531bd2797bbb76ae1876658cf0628
Submitter: Jenkins
Branch: master

commit c1f64e1b9f6531bd2797bbb76ae1876658cf0628
Author: Yushiro FURUKAWA <email address hidden>
Date: Mon Jul 20 16:35:29 2015 +0900

    (Operator-only) Logging API for security groups

    This spec proposes a new API for logging configuration
    for security groups. The implementation can be referred to
    in the links below:

    [DB]: https://review.openstack.org/#/c/395483/
    [API]: https://review.openstack.org/#/c/395504/
    [Agent]: https://review.openstack.org/#/c/396104/

    APIImpact
    DocImpact

    Co-Authored-By: Nguyen Phuong An <email address hidden>

    Change-Id: I512944e50d4f0f06ff220dac35e8a1d2a5bafb50
    Related-Bug: 1468366

Related fix proposed to branch: master
Review: https://review.openstack.org/468265

Related fix proposed to branch: master
Review: https://review.openstack.org/468281

Related fix proposed to branch: master
Review: https://review.openstack.org/468309

Reviewed: https://review.openstack.org/395483
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ae791696b8451ab3058d932ffb150cd15da2baa4
Submitter: Jenkins
Branch: master

commit ae791696b8451ab3058d932ffb150cd15da2baa4
Author: Nguyen Phuong An <email address hidden>
Date: Wed Nov 9 15:35:59 2016 +0700

    [log]: db models and migration rules

    This patch includes db models and migration rules for the initial
    logging object. The implementation is based on the logging api for
    security group spec [1].

    [1] https://goo.gl/t3NUlr

    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

    Change-Id: I3f91b3927c33021facc9eb9238555c0e06a918c0

Reviewed: https://review.openstack.org/415803
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=4bcd946734f5ebe74d56e97fc5f513ab19ef090c
Submitter: Jenkins
Branch: master

commit 4bcd946734f5ebe74d56e97fc5f513ab19ef090c
Author: Nguyen Phuong An <email address hidden>
Date: Fri Dec 30 13:19:41 2016 +0700

    api-ref: Introduce logging api reference

    This patch introduces an api reference for the logging api feature.
    The api follows the logging api for security group spec [1].

    [1] https://specs.openstack.org/openstack/neutron-specs/specs/pike/logging-API-for-security-group-rules.html

    Change-Id: I7dd34d4d2ce4cac7210b10e43766d51d682764a8
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Reviewed: https://review.openstack.org/415817
Committed: https://git.openstack.org/cgit/openstack/neutron-lib/commit/?id=c3fa7267c4349b3a27aaf58f73a68d7d2f7af9e0
Submitter: Jenkins
Branch: master

commit c3fa7267c4349b3a27aaf58f73a68d7d2f7af9e0
Author: Nguyen Phuong An <email address hidden>
Date: Thu Dec 29 10:56:10 2016 +0700

    Introduce logging api extension

    This patch defines the logging api extension following the logging
    api for security group spec [1].

    [1] https://specs.openstack.org/openstack/neutron-specs/specs/pike/logging-API-for-security-group-rules.html

    Change-Id: I00642f6db650e6f546feb4ea9e394da1d603f6e1
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Reviewed: https://review.openstack.org/395504
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=913c9e78b92cb000cc59e19cb84a5b8a1eae076b
Submitter: Jenkins
Branch: master

commit 913c9e78b92cb000cc59e19cb84a5b8a1eae076b
Author: Nguyen Phuong An <email address hidden>
Date: Wed Nov 9 17:02:48 2016 +0700

    [log]: implement logging plugin

    This patch introduces the logging api definition and initial
    implementation of LoggingApiPlugin. The api definition code will
    be removed after [1] has been merged on neutron lib.

    [1]https://review.openstack.org/#/c/415817/

    Co-Authored-By: Yushiro FURUKAWA <email address hidden>

    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366
    Change-Id: Iace31506502de25da9dce5fcfdbfe2c726bea27f

Reviewed: https://review.openstack.org/468309
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=39a9ed4c50c14029498ccffa7928bb194cb2b703
Submitter: Jenkins
Branch: master

commit 39a9ed4c50c14029498ccffa7928bb194cb2b703
Author: Nguyen Phuong An <email address hidden>
Date: Wed Nov 9 17:02:48 2016 +0700

    [log]: add driver manager to LoggingPlugin

    This patch adds a driver manager to LoggingPlugin to manage the
    logging drivers that are enabled and belong to the ML2 drivers.

    Co-Authored-By: Yushiro FURUKAWA <email address hidden>

    Change-Id: I5a0f896c9ec7f670b662f16825feccbc07db19dd
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Reviewed: https://review.openstack.org/467976
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=68477904140d7c4a1947f435c7f3ac5767c7e517
Submitter: Jenkins
Branch: master

commit 68477904140d7c4a1947f435c7f3ac5767c7e517
Author: Nguyen Phuong An <email address hidden>
Date: Wed Nov 9 17:02:48 2016 +0700

    [log]: Add validator to logging api

    This patch adds a validator to the logging api for checking resource
    binding (whether the sg or port exists, ...) and validating whether or
    not the logging type is supported on each port when we create a log
    object with a specific port_id.

    Co-Authored-By: Yushiro FURUKAWA <email address hidden>

    Change-Id: I10f2441fc2c7bdbda51b05002549b235743a7deb
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Changed in neutron:
milestone: pike-2 → queens-1

Reviewed: https://review.openstack.org/396104
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bb8954a228a9f09995b755fe0e7a347835b8f83d
Submitter: Jenkins
Branch: master

commit bb8954a228a9f09995b755fe0e7a347835b8f83d
Author: Nguyen Phuong An <email address hidden>
Date: Wed Nov 9 17:02:48 2016 +0700

    [log]: implement logging agent extension

    This patch introduces generic logging agent extension following
    the spec [1].

    [1] https://specs.openstack.org/openstack/neutron-specs/specs/pike/logging-API-for-security-group-rules.html

    Co-Authored-By: Yushiro FURUKAWA <email address hidden>

    Change-Id: I1a59367cf23060fb1a0cd9bab6772b22da15c9f0
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/419481
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/445827
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Change abandoned by Nguyen Phuong An (<email address hidden>) on branch: master
Review: https://review.openstack.org/482886
Reason: Moving this to https://review.openstack.org/#/c/522704/

Reviewed: https://review.openstack.org/468265
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a25323152290bc1ec061ecebc24a832ee9ca1277
Submitter: Zuul
Branch: master

commit a25323152290bc1ec061ecebc24a832ee9ca1277
Author: Nguyen Phuong An <email address hidden>
Date: Wed Nov 9 17:02:48 2016 +0700

    [log]: Add driver api and rpc stuff for logging

    This patch adds driver api and rpc stuff for logging extension as
    below:
    - Provides create, update and delete log api for log drivers
    - Reserves a rpc notification api for log drivers if a log driver
    requires rpc.
    - Reserves a rpc listener for listening callback from log drivers.
    - Also provides db_api: get_logs_bound_port, get_logs_bound_sg and
      get_sg_log_info_for_port and get_sg_log_info_for_log_resources.

    Change-Id: I7d50356dd1da49af6faaaa8969b6ae9041f81063
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Related fix proposed to branch: master
Review: https://review.openstack.org/528977

Reviewed: https://review.openstack.org/528977
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=081870b1a58caf954188a5788b76d2f7e28e799d
Submitter: Zuul
Branch: master

commit 081870b1a58caf954188a5788b76d2f7e28e799d
Author: Nguyen Phuong An <email address hidden>
Date: Tue Dec 19 14:17:10 2017 +0700

    [log]: Change entry point name of logging plugin

    The name ('logapi') seems to have a redundant 'api' and it looks
    inconsistent with the entry point name of the logging agent
    extension ('log') and the LoggingPlugin class [1]. So this patch
    changes 'logapi' to 'log' to make it consistent.

    [1] https://github.com/openstack/neutron/blob/master/neutron/services/logapi/logging_plugin.py#L27

    Change-Id: I57d0b86823670a1dc5d116d98059993c802ef86c
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Reviewed: https://review.openstack.org/526488
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=29080700eb457a68f27ed5b5ae45c9a74dabec8b
Submitter: Zuul
Branch: master

commit 29080700eb457a68f27ed5b5ae45c9a74dabec8b
Author: Jakub Libosvar <email address hidden>
Date: Thu Dec 7 15:01:37 2017 +0000

    ovsfw: Create tables for further consumption

    The patch creates tables where other services using openflow can
    implement rules for further packet processing. 3 new tables were
    created: for packets accepted by the egress pipeline, for packets
    accepted by the ingress pipeline, and for packets dropped by the
    firewall.

    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

    Change-Id: I7900126de235ee9df902bef9556879f586d33ae8

Reviewed: https://review.openstack.org/468281
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7bd8b37e3863aca2d6cb0195e1df5068b8bfe497
Submitter: Zuul
Branch: master

commit 7bd8b37e3863aca2d6cb0195e1df5068b8bfe497
Author: Nguyen Phuong An <email address hidden>
Date: Wed Nov 9 17:02:48 2016 +0700

    [log] ovs fw logging implementation

    This patch implements the ovs firewall logging driver for security
    groups, based on the discussion in the spec [1] and [2].

    [1] https://specs.openstack.org/openstack/neutron-specs/specs/pike/logging-API-for-security-group-rules.html
    [2] https://docs.google.com/presentation/d/1fteBesETsmA7CWV6wf1i2QKa7k8EHPpRjytj8Rzeb-A/edit#slide=id.p

    Change-Id: Ib8668dd25ee7c5000a6dafcc7db3dbc33ad190be
    Co-Authored-By: IWAMOTO Toshihiro <email address hidden>
    Co-Authored-By: Yushiro FURUKAWA <email address hidden>
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Reviewed: https://review.openstack.org/418862
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dc5293bba6b6b2b90c481ee02b82e1e9af163d0a
Submitter: Zuul
Branch: master

commit dc5293bba6b6b2b90c481ee02b82e1e9af163d0a
Author: Nguyen Phuong An <email address hidden>
Date: Wed Jan 11 16:46:39 2017 +0700

    [log]: functional test for logging api

    This patch adds functional tests for the logging api. The
    implementation is based on the logging api for security group spec [1].

    [1]
    https://specs.openstack.org/openstack/neutron-specs/specs/pike/logging-API-for-security-group-rules.html

    Change-Id: I157bdffe29b184c9e31166586f94eac7fa00188e
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Reviewed: https://review.openstack.org/396116
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b27164f0a834b63b241ae9141bd9c40fad2cf1e0
Submitter: Zuul
Branch: master

commit b27164f0a834b63b241ae9141bd9c40fad2cf1e0
Author: Nguyen Phuong An <email address hidden>
Date: Thu Nov 10 18:01:35 2016 +0700

    [log]: Devstack plugin for logging api

    This patch implements a devstack plugin for the logging api. The
    logging api service is based on the logging api spec [1].

    [1] https://specs.openstack.org/openstack/neutron-specs/specs/pike/logging-API-for-security-group-rules.html

    Change-Id: Ib86535ad24319cb0e10a48df50651264201673c3
    Depends-On: Ib8668dd25ee7c5000a6dafcc7db3dbc33ad190be
    Partially-implements: blueprint security-group-logging
    Related-Bug: #1468366

Akihiro Motoki (amotoki) on 2018-02-28
Changed in neutron:
milestone: queens-1 → queens-3
status: In Progress → Fix Released

Change abandoned by Nguyen Phuong An (<email address hidden>) on branch: master
Review: https://review.openstack.org/558426

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.openstack.org/445827
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
