neutron ovs wires subports with wrong firewall loaded

Bug #1669074 reported by Kevin Benton
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Armando Migliaccio
Milestone: (none listed)

Bug Description

The OVS agent doesn't have a problem wiring up subports with the hybrid_iptables firewall loaded. This leads to subports that end up not having security groups applied, which is bad. We did note that this deployment mode isn't supported, but it would be nice to have loud errors in the log or even fail to set the subport to ACTIVE if the wrong firewall is loaded.

Changed in neutron:
status: New → Confirmed
importance: Undecided → High
tags: added: trunk
Changed in neutron:
assignee: nobody → Armando Migliaccio (armando-migliaccio)
Revision history for this message
Inessa Vasilevskaya (ivasilevskaya) wrote :

Armando, do you mind if I assign this bug to myself?

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

@Inessa: thanks, shall we discuss approaches first? I'd be happy to hand it over to you, I couldn't come up with a good solution and I lost momentum.

Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

I looked at this a bit. Perhaps we can keep things relatively contained if we put a check() method at the beginning of the try block [1] and raise an exception if we spot the misconfiguration. Then we log and put the trunk in error state. I believe the VM will still boot (as of today), but at least we have a warning sent to the user to further investigate.

Thoughts?

[1] https://github.com/openstack/neutron/blob/master/neutron/services/trunk/drivers/openvswitch/agent/ovsdb_handler.py#L366-L377

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/470402
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=48dbb65e8bc1aafc473172381525c9be4e3768ec
Submitter: Jenkins
Branch: master

commit 48dbb65e8bc1aafc473172381525c9be4e3768ec
Author: Armando Migliaccio <email address hidden>
Date: Fri Jun 2 11:59:16 2017 -0700

    Warn the admin of a potential OVS firewall_driver misconfiguration

    OVS trunks work only with OVS firewall to implement security
    groups. If a trunk request is indeed processed by an OVS agent
    whose firewall_driver = iptables_hybrid, we should at least
    log a warning to alert the admin.

    Closes-bug: #1669074

    Change-Id: I60e77e60e5e6d46ceff4bff61cbc07b6534ef152

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/475702
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=012de2ea0875609c60445a731ead0b522e8cdb22
Submitter: Jenkins
Branch: master

commit 012de2ea0875609c60445a731ead0b522e8cdb22
Author: ZhaoBo <email address hidden>
Date: Tue Jun 20 16:31:09 2017 +0800

    Correct the config group in check_trunk_dependencies

    The 'securitygroup' group is registered as cfg.CONF.SECURITYGROUP. Currently,
    this check always raises an error, as there is no 'cfg.CONF.securitygroup', and
    then neutron aborts the trunk_create. So nova errors when creating a VM with a
    trunk parent port, timing out while waiting for the network-vif-plugged event.

    Closes-Bug: #1699516
    Related-Bug: #1669074
    Change-Id: I0b0bdb5a39f1978e12ddaeddd4e0d825894ea241

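The two merged changes above describe a dependency check that the OVS trunk driver runs before wiring subports: refuse (or at least warn) when the agent's firewall_driver is iptables_hybrid, and look the option up under the config group's registered name, since the lookup on the wrong group name raised for every trunk and aborted trunk creation. The following is an added example, not neutron's own code: it models that check with a constructed stand-in for cfg.CONF (SimpleNamespace instead of oslo.config), a hypothetical build_conf() helper, and constructed trunk status strings. It follows the stricter approach Armando sketches in his comment (log and put the trunk in an error state) rather than the warn-only behaviour the merged fix settled on, and lookup_firewall_driver() takes the group name as a parameter so the case-sensitivity defect from the related fix can be exercised directly.

```python
"""Added example: a trunk-dependency check modelled on the fixes in this bug.
Assumes an oslo.config-style object (cfg.CONF.<GROUP>.<option>); the real
neutron check lives in its OVS trunk driver and is not reproduced here."""
import logging
from types import SimpleNamespace

LOG = logging.getLogger(__name__)

# Driver names as they appear in the agent's securitygroup config.
OVS_FIREWALL = "openvswitch"
IPTABLES_HYBRID = "iptables_hybrid"

# Trunk status values (constructed; the page only names ACTIVE and an
# "error state").
ACTIVE = "ACTIVE"
ERROR = "ERROR"


def build_conf(firewall_driver):
    """Constructed stand-in for cfg.CONF. The group is registered under the
    upper-case name SECURITYGROUP, as the related fix (#1699516) states."""
    return SimpleNamespace(
        SECURITYGROUP=SimpleNamespace(firewall_driver=firewall_driver))


def lookup_firewall_driver(conf, group_name):
    """Return the firewall driver configured under `group_name`, or None when
    that group (or the option) does not exist. Looking the group up as
    'securitygroup' instead of 'SECURITYGROUP' is exactly the defect the
    related fix corrected; here it surfaces as None rather than an
    AttributeError so callers can decide how to fail."""
    group = getattr(conf, group_name, None)
    if group is None:
        return None
    return getattr(group, "firewall_driver", None)


def check_trunk_dependencies(conf):
    """True if the agent can apply security groups to trunk subports.

    OVS trunks only get security groups with the OVS firewall driver, so an
    agent running iptables_hybrid is reported as a misconfiguration instead
    of silently wiring subports with no security groups at all."""
    driver = lookup_firewall_driver(conf, "SECURITYGROUP")
    if driver is None:
        # A missing group means either the agent or this check is
        # misconfigured; do not proceed on guesswork.
        LOG.error("SECURITYGROUP.firewall_driver is not configured; "
                  "refusing to wire trunk subports")
        return False
    if driver == IPTABLES_HYBRID:
        LOG.warning("firewall_driver=%s cannot apply security groups to "
                    "trunk subports; use %s instead", driver, OVS_FIREWALL)
        return False
    return True


def wire_trunk(conf, trunk):
    """Process a trunk request (trunk is a dict with 'id' and 'status').

    Mirrors the comment's suggestion: run the check before touching the
    bridge, and on failure leave a loud log line and an ERROR status for the
    admin to investigate rather than an ACTIVE trunk with unfiltered
    subports. Returns the resulting status."""
    if not check_trunk_dependencies(conf):
        LOG.error("trunk %s set to %s due to agent misconfiguration",
                  trunk["id"], ERROR)
        trunk["status"] = ERROR
        return trunk["status"]
    # Actual subport wiring (patch ports, OpenFlow rules) would go here.
    trunk["status"] = ACTIVE
    return trunk["status"]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for driver in (OVS_FIREWALL, IPTABLES_HYBRID):
        status = wire_trunk(build_conf(driver), {"id": "trunk-1", "status": "DOWN"})
        print(f"{driver}: trunk status {status}")
```

Running the module shows an ACTIVE trunk with the OVS driver and an ERROR trunk plus a warning line with iptables_hybrid; the lookup under the lower-case group name returns None, which is the condition that, raised as an AttributeError in the original check, aborted every trunk_create.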
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.0.0b3

This issue was fixed in the openstack/neutron 11.0.0.0b3 development milestone.

tags: added: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/497922

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/497923

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/497924

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/497927

tags: removed: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/497922
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d114e0f105172ce51bb1bbba06a38e804f0aaa0b
Submitter: Jenkins
Branch: stable/ocata

commit d114e0f105172ce51bb1bbba06a38e804f0aaa0b
Author: Armando Migliaccio <email address hidden>
Date: Fri Jun 2 11:59:16 2017 -0700

    Warn the admin of a potential OVS firewall_driver misconfiguration

    OVS trunks work only with OVS firewall to implement security
    groups. If a trunk request is indeed processed by an OVS agent
    whose firewall_driver = iptables_hybrid, we should at least
    log a warning to alert the admin.

    Closes-bug: #1669074

    Change-Id: I60e77e60e5e6d46ceff4bff61cbc07b6534ef152
    (cherry picked from commit 48dbb65e8bc1aafc473172381525c9be4e3768ec)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/newton)

Change abandoned by Jakub Libosvar (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/497927
Reason: Not considered release critical

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Jakub Libosvar (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/497923
Reason: Not considered release critical

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/497924
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6d0e5ba7f63783e2a6eded094ab14090fc704aa1
Submitter: Jenkins
Branch: stable/ocata

commit 6d0e5ba7f63783e2a6eded094ab14090fc704aa1
Author: ZhaoBo <email address hidden>
Date: Tue Jun 20 16:31:09 2017 +0800

    Correct the config group in check_trunk_dependencies

    The 'securitygroup' group is registered as cfg.CONF.SECURITYGROUP. Currently,
    this check always raises an error, as there is no 'cfg.CONF.securitygroup', and
    then neutron aborts the trunk_create. So nova errors when creating a VM with a
    trunk parent port, timing out while waiting for the network-vif-plugged event.

    Closes-Bug: #1699516
    Related-Bug: #1669074
    Change-Id: I0b0bdb5a39f1978e12ddaeddd4e0d825894ea241
    (cherry picked from commit 012de2ea0875609c60445a731ead0b522e8cdb22)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.4

This issue was fixed in the openstack/neutron 10.0.4 release.
