Neutron remote security group does not work

Bug #1862703 reported by Hang Yang
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Hang Yang
Milestone: (none)

Bug Description

Steps to reproduce the issue using Neutron Rocky with OVS:

# create bastion-sec-grp to allow ssh from anywhere
openstack security group create bastion-sec-grp
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-ip 0.0.0.0/0 --ingress --dst-port=22 bastion-sec-grp

# create application-sec-grp
openstack security group create application-sec-grp

# Allow ssh to egress from the bastion group to the application group
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-group application-sec-grp --egress --dst-port=22 bastion-sec-grp

# Allow ssh to ingress to the application group from the bastion group
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-group bastion-sec-grp --ingress --dst-port=22 application-sec-grp

# create servers and associate with security groups
openstack server create --wait --image rhel7 --flavor small --security-group bastion-sec-grp bastion-server
openstack server create --wait --image rhel7 --flavor small --security-group application-sec-grp application-server

After boot, bastion-server and application-server land on different HVs, and we can ssh to bastion-server but cannot ssh to application-server from there. The Neutron debug log from application-server's HV shows:

2020-02-05 22:57:05,825 DEBUG [neutron.agent.linux.openvswitch_firewall.firewall] /opt/openstack/venv/neutron/lib/python2.7/site-packages/neutron/agent/linux/openvswitch_firewall/firewall.py:_build_addr_conj_id_map:297 No member for SG <BASTION_SEC_GRP_ID>

Suspect this is related to: https://bugs.launchpad.net/neutron/+bug/1854131 and after reverting the change https://review.opendev.org/#/c/696976/ locally then remote security group started to work again.
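A simplified model of the decision the report is about, added here as an illustration and not taken from neutron's code: the SecurityGroup layout, build_remote_sg_allowlist() and the IP 10.0.0.5 are assumptions constructed for the example. It contrasts the pre-fix rule (skip the flow update when the SG has no local ports) with the fixed rule from the commit message (skip only when the members dict is empty), as seen from the application server's hypervisor.

```python
"""Model of remote-security-group flow programming on one hypervisor (HV).

Added example, not neutron's implementation: class names, dict layout and
the function below are assumptions; the reproduction values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    sg_id: str
    # ports: ports on THIS hypervisor that use the SG (local view only)
    ports: set = field(default_factory=set)
    # members: {ethertype: [ip, ...]} for every port in the SG, cluster-wide
    members: dict = field(default_factory=dict)


def build_remote_sg_allowlist(remote_sg, check_members=True):
    """Return the IPs a rule with --remote-group <remote_sg> should admit.

    check_members=False models the pre-fix logic: the update was skipped
    whenever the SG had no *local* ports. A remote-group rule matches on
    member addresses, not on local ports, so the list came out empty
    ("No member for SG ...") and bastion -> app traffic was dropped.
    check_members=True models the fix: skip only when members is empty.
    """
    if check_members:
        if not remote_sg.members:
            return []
    elif not remote_sg.ports:
        return []
    return sorted(ip for ips in remote_sg.members.values() for ip in ips)


# Constructed reproduction: bastion-server lives on HV-A, application-server
# on HV-B. This is HV-B's view: bastion-sec-grp has no local ports, but its
# member list (pushed by the server) still holds the bastion's IP.
BASTION_SG = SecurityGroup("bastion-sec-grp", ports=set(),
                           members={"IPv4": ["10.0.0.5"]})


def ssh_from_bastion_allowed(check_members):
    """True if HV-B would install an allow flow for bastion -> app :22."""
    return "10.0.0.5" in build_remote_sg_allowlist(BASTION_SG, check_members)


if __name__ == "__main__":
    print("pre-fix :", ssh_from_bastion_allowed(check_members=False))  # False
    print("post-fix:", ssh_from_bastion_allowed(check_members=True))   # True
```

A group with no members at all (the case the commit message still skips) yields an empty allow-list under both rules, which is the only situation where skipping the update is safe.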

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/707248

Changed in neutron:
assignee: nobody → Hang Yang (hangyang)
status: New → In Progress
Akihiro Motoki (amotoki)
tags: added: ovs-fw sg-fw
Changed in neutron:
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/708484

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/708488

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/708490

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/708491

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/707248
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6dbba8d5ce18805a6f104782510c055017267435
Submitter: Zuul
Branch: master

commit 6dbba8d5ce18805a6f104782510c055017267435
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    Security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/708484
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fb06c497a651369682d453a283234f2414d7ace4
Submitter: Zuul
Branch: stable/train

commit fb06c497a651369682d453a283234f2414d7ace4
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    Security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131
    (cherry picked from commit 6dbba8d5ce18805a6f104782510c055017267435)

tags: added: in-stable-train
tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/708491
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=51eb5b2f6098b9404169b5856bdb72604f30fc0c
Submitter: Zuul
Branch: stable/queens

commit 51eb5b2f6098b9404169b5856bdb72604f30fc0c
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    Security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131
    (cherry picked from commit 6dbba8d5ce18805a6f104782510c055017267435)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/708490
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1adda631c431245234615cbcd8e8b7b27ad657f5
Submitter: Zuul
Branch: stable/rocky

commit 1adda631c431245234615cbcd8e8b7b27ad657f5
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    Security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131
    (cherry picked from commit 6dbba8d5ce18805a6f104782510c055017267435)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.0.0.0b1

This issue was fixed in the openstack/neutron 16.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/708488
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=4193c6ca0e0165a2bcc7a11eee775df15019e755
Submitter: Zuul
Branch: stable/stein

commit 4193c6ca0e0165a2bcc7a11eee775df15019e755
Author: Hang Yang <email address hidden>
Date: Tue Feb 11 12:38:25 2020 -0800

    Check SG members instead of ports to skip flow update

    Security group can have a state of empty ports but non-empty members. So
    we need to skip the flow update only when the members dict is empty.

    Change-Id: I429edb3d2dea5fa97441909b4d2c776f97f0516f
    Closes-Bug: #1862703
    Related-Bug: #1854131
    (cherry picked from commit 6dbba8d5ce18805a6f104782510c055017267435)

tags: added: in-stable-stein
Revision history for this message
Yang Li (yang-li) wrote :

I tested this patch, and it's true this bug can be fixed, but the bug https://bugs.launchpad.net/neutron/+bug/1854131 will be reproduced again :(

I think we should find the best way to solve the two bugs.

Revision history for this message
Slawek Kaplonski (slaweq) wrote :

So, do You think we should revert this patch now? Or will You work on better fix?

Revision history for this message
Hang Yang (hangyang) wrote :

Reverting this patch will compromise the basic functionality of remote security groups again, unless we revert the patch for https://bugs.launchpad.net/neutron/+bug/1854131 as well. @yang-li Can you elaborate on how this patch reopens bug 1854131? Does that mean that after moving a VM from sg1 to sg2, sg1 still somehow holds the VM's IP address in its member dictionary? If so, then I think we need a different approach to fix the issue.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.7

This issue was fixed in the openstack/neutron 13.0.7 release.

tags: added: neutron-proactive-backport-potential
Felipe Reyes (freyes)
tags: added: sts
tags: removed: neutron-proactive-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron queens-eol

This issue was fixed in the openstack/neutron queens-eol release.
