Modifying security groups when using openvswitch firewall causes existing connections to drop
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Confirmed | Medium | Slawek Kaplonski | 
Bug Description
Environment: OpenStack Newton
Driver: ML2 w/ OVS
Firewall: openvswitch
Clients using an OpenStack cloud based on the Newton release are facing network issues when updating security groups/rules. We are able to replicate the issue by modifying security group rules in an existing security group applied to a port.
Test scenario:
--------------
1. Built a test instance. Example:
```
root@osctrl-
WARNING: openstackclient
+------
| Field | Value |
+------
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-
| OS-EXT-
| OS-EXT-
| OS-EXT-
| OS-EXT-
| OS-EXT-
| OS-EXT-STS:vm_state | active |
| OS-SRV-
| OS-SRV-
| accessIPv4 | |
| accessIPv6 | |
| addresses | Public=
| config_drive | |
| created | 2017-11-
| flavor | m1.medium (103) |
| hostId | 1599f0caa6bb077
| id | 5d5afb5b-
| image | Ubuntu-
| key_name | rpc_support |
| name | rackspace-
| os-extended-
| progress | 0 |
| project_id | 723cdf11c4dd41c
| properties | |
| security_groups | [{u'name': u'rpc-support'}] |
| status | ACTIVE |
| updated | 2017-11-
| user_id | 74cebd9525a843f
+------
```
2. Initiate a 4G image download from the VM
```
# wget -4 -O /dev/null http://
--2017-11-13 15:00:59-- http://
Resolving centos.
Connecting to centos.
HTTP request sent, awaiting response... 200 OK
Length: 4521459712 (4.2G) [application/
Saving to: ‘/dev/null’
20% [======
```
3. Add a rule to the security group
```
root@osctrl-
WARNING: openstackclient
+------
| Field | Value |
+------
| created_at | 2017-11-
| description | |
| direction | ingress |
| ethertype | IPv4 |
| headers | |
| id | d9b28673-
| port_range_max | 443 |
| port_range_min | 443 |
| project_id | 723cdf11c4dd41c
| project_id | 723cdf11c4dd41c
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 1 |
| security_group_id | 2870f0a0-
| updated_at | 2017-11-
+------
```
4. Observe that the download stalls after a few seconds
```
Saving to: ‘/dev/null’
24% [======
24% [======
24% [======
24% [======
```
After 20 minutes, I cancelled the transfer.
Trying again immediately results in a successful write:
```
ubuntu@
--2017-11-13 15:15:29-- http://
Resolving centos.
Connecting to centos.
HTTP request sent, awaiting response... 200 OK
Length: 4521459712 (4.2G) [application/
Saving to: ‘/dev/null’
100%[==
2017-11-13 15:16:17 (89.9 MB/s) - ‘/dev/null’ saved [4521459712/
```
--
We have identified areas in the code we feel may be responsible for this:
Newton: https:/
Master: https:/
This has had a negative impact on the user experience. Thanks for taking a look, and let me know if you have any questions.
tags: added: ovs-fw
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
Changed in neutron:
assignee: Slawek Kaplonski (slaweq) → nobody
I checked it today on devstack with Neutron from the master branch and it looks like it is still the same issue.