OVN: default stateless SG blocks metadata traffic

Bug #2009053 reported by Ihar Hrachyshka
Affects Status Importance Assigned to Milestone
neutron
Won't Fix
Medium
Ihar Hrachyshka

Bug Description

Bug originally found by Alex Katz and reported in the bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2149713

Description of problem:
When a stateless security group is attached to the instance it fails to fetch metadata info. An explicit rule is required to allow metadata traffic from 169.254.169.254.

Checked with the custom security group (only egress traffic is allowed) as well as with the default security group (egress and ingress from the same SG are allowed).

Version-Release number of selected component (if applicable):
RHOS-17.1-RHEL-9-20221115.n.2
Red Hat Enterprise Linux release 9.1 (Plow)

How reproducible:
100%

Steps to Reproduce:
openstack security group create --stateless test_sg
openstack server create --image <IMG> --flavor <FLAV> --network <NET> --security-group test_sg vm_1

Actual results:
checking http://169.254.169.254/2009-04-04/instance-id
failed 1/20: up 21.53. request failed
failed 2/20: up 70.89. request failed
failed 3/20: up 120.12. request failed
failed 4/20: up 169.36. request failed
failed 5/20: up 218.81. request failed
failed 6/20: up 268.17. request failed

Expected results:
Metadata is successfully fetched

Tags: ovn sg-fw
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

There's a workaround so the importance should be set to Medium.

Changed in neutron:
status: New → Confirmed
assignee: nobody → Ihar Hrachyshka (ihar-hrachyshka)
tags: added: ovn sg-fw
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/876656

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/876657

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/876658

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/876659

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/876692

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/876656
Committed: https://opendev.org/openstack/neutron/commit/d9358b67bdd8babf890e07f3d0d480e90a1784d7
Submitter: "Zuul (22348)"
Branch: master

commit d9358b67bdd8babf890e07f3d0d480e90a1784d7
Author: Ihar Hrachyshka <email address hidden>
Date: Tue Mar 7 03:06:56 2023 +0000

    functional: set dns_domain config option after its registration

    Otherwise, the suite may complain about unknown option.

    Related-Bug: #2009053
    Change-Id: I5ead48d504d3429c0c829214bba02896f0d964ac

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/neutron/+/876657
Committed: https://opendev.org/openstack/neutron/commit/d44f164f4d38baf3e5b0e5a6fbb34df055e52b86
Submitter: "Zuul (22348)"
Branch: master

commit d44f164f4d38baf3e5b0e5a6fbb34df055e52b86
Author: Ihar Hrachyshka <email address hidden>
Date: Tue Mar 7 03:07:02 2023 +0000

    ovn_idl_impl: fix a logic bug in get_sg_port_groups

    The function is supposed to omit neutron_pg_drop Port_Group (as per its
    docstring) but it actually returns it because of incorrect if-statement
    structure.

    The function is not used anywhere in the tree and hence doesn't affect
    any feature, at least in master.

    (It was used before I27af495f96a3ea88dd31345dbfb55f1be8faabd6.)

    The function will be used in a consequent patch, so it now becomes
    important to make it behave as documented.

    Related-Bug: #2009053
    Change-Id: I0c5d3db521131cc71135a9c787ed01479b451cfb

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Ihar Hrachyshka <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/876659
Reason: The decision is made during vPTG session to abandon this patch for metadata while keeping the one for DHCPv6.

Ihar Hrachyshka (ihar-hrachyshka) wrote :

The decision is made during vPTG session to abandon this patch for metadata while keeping the one for DHCPv6. This bug should be closed as Won't Fix.

Changed in neutron:
status: In Progress → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/878947

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-tempest-plugin (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/876692

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/878947
Committed: https://opendev.org/openstack/neutron-lib/commit/83375805618c1e7feb3e16070eeab6794e261dc0
Submitter: "Zuul (22348)"
Branch: master

commit 83375805618c1e7feb3e16070eeab6794e261dc0
Author: Ihar Hrachyshka <email address hidden>
Date: Wed Mar 29 16:22:36 2023 -0400

    api-ref: describe which protocols are enabled for stateless SG

    This behavior matches what ML2/OVS implementation does and what we
    intend to implement for ML2/OVN. More than that, a decision was made
    during vPTG to make the behavior part of api-ref to facilitate
    cross-backend consistency.

    Related-Bug: #2006949
    Related-Bug: #2009053
    Change-Id: Ic633eedd9f0d320d9ad0c27a72f07b1b016d7ba3

Ihar Hrachyshka (ihar-hrachyshka) wrote :

The following command fixes the behavior: openstack security group rule create --ingress --protocol tcp --remote-ip 169.254.169.254 stateless-sg
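As an added illustration (not code from the report or from neutron), the following Python model shows why the egress-only stateless group in the description drops the metadata reply while a stateful group would admit it through connection tracking, and why the ingress rule from the comment above fixes it. The Rule and Packet types and the rule sets are constructed for the example.

```python
# Added example, not from the bug report or neutron: a minimal model of why a
# VM behind a stateless security group cannot reach 169.254.169.254 without an
# explicit ingress rule, while a stateful group lets the reply through.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

METADATA_IP = "169.254.169.254"

@dataclass(frozen=True)
class Rule:
    direction: str                   # "ingress" or "egress"
    protocol: Optional[str] = None   # None matches any protocol
    remote_ip: Optional[str] = None  # IP or CIDR; None matches any remote

@dataclass(frozen=True)
class Packet:
    direction: str   # as seen at the VM port: "ingress" or "egress"
    protocol: str
    remote_ip: str
    is_reply: bool   # True if it answers a connection the VM opened

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.remote_ip is not None:
        net = ipaddress.ip_network(rule.remote_ip, strict=False)
        if ipaddress.ip_address(pkt.remote_ip) not in net:
            return False
    return True

def allowed(rules: List[Rule], pkt: Packet, stateless: bool) -> bool:
    # A stateful SG admits replies through connection tracking; a stateless
    # SG keeps no such state, so every packet must match an explicit rule.
    if not stateless and pkt.is_reply:
        return True
    return any(rule_matches(r, pkt) for r in rules)

# Constructed rule sets mirroring the report: egress-only, and the same set
# plus the workaround rule from the last comment (ingress tcp from metadata IP).
EGRESS_ONLY = [Rule("egress")]
WITH_WORKAROUND = EGRESS_ONLY + [Rule("ingress", "tcp", METADATA_IP)]

# The metadata service's HTTP response, as seen at the VM port.
METADATA_REPLY = Packet("ingress", "tcp", METADATA_IP, is_reply=True)

def metadata_reply_allowed(rules: List[Rule], stateless: bool) -> bool:
    return allowed(rules, METADATA_REPLY, stateless)
```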
