[Logging] firewall_group log resource and security_group log resource could not co-exist correctly
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
neutron |
Fix Released
|
Undecided
|
LongKB |
Bug Description
I would like to report a bug that relates to co-existence between security_group log resource and firewall_group log resource in stable/rocky [1]. Please follow a given procedure to reproduce this bug.
Environment
-----------
- Devstack stable/rocky
- Install devstack with local.conf: http://
- Make sure that 'log' is added into '[agent] extensions' in '/etc/neutron/
- Topology: Set up topolocy with the following script http://
Testcase
--------
- Create firewall_group log resource:
openstack network log create --resource-type firewall_group fwg_log
+-----
| Field | Value |
+-----
| Description | |
| Enabled | True |
| Event | ALL |
| ID | ebe7a495-
| Name | fwg_log |
| Project | 61c7600120ac441
| Resource | None |
| Target | None |
| Type | firewall_group |
| created_at | 2018-08-
| revision_number | 0 |
| tenant_id | 61c7600120ac441
| updated_at | 2018-08-
+-----
- Ping from VM0 to router0 -> Cannot ping
- Check ovs flow with: sudo ovs-ofctl dump-flows br-int
Results: http://
- Check log in /var/log/syslog with: tailf /var/log/syslog | grep -e ACCEPT
Results: http://
This log came from security_group log, but log_resource_
Each of log message contains a list of log objects that capture itself in log_resource_ids. This log message come from security_group logging, but it contains the ID of firewall_group log resource. Please note that, I only created firewall_group log with ID is 'ebe7a495-
References:
[1] https:/
Changed in neutron: | |
assignee: | nobody → Kim Bao Long (longkb.fvl) |
status: | New → In Progress |
tags: | added: neutron-proactive-backport-potential |
tags: | removed: neutron-proactive-backport-potential |
Hello Kim Bao Long,
I would like to raise following questions:
- what kind of message should be logged? ids=[u' ebe7a495- 027e-4982- bd64-fe269617dd 6d'] that include the ID of fwg_log", please?
- could you extend that part of bug description "This log came from security_group log, but log_resource_
Thank you,
Paweł