When a new security group rule is created, logging is not properly configured

Bug #2107446 reported by Kyuyeong Lee
Affects: neutron; Status: Fix Released; Importance: Medium; Assigned to: Kyuyeong Lee; Milestone: none listed

Bug Description

OpenStack Version: 2024.1 (with OVN)

How to reproduce:
1. Create new security group in Project A
$ openstack security group create sg-test-01 --project project-a

2. Configure logging for that security group.
$ openstack network log create log-test-01 --event ALL --resource-type security_group --resource sg-test-01 --project project-a

3. Create a security group rule using a context where the project is set to Project A
$ openstack security group rule create sg-test-01 --ingress --protocol tcp --remote-ip 1.1.1.1/32 --dst-port 1111 --project project-a

4. Create a security group rule using a context where the project is set to Project B
$ openstack security group rule create sg-test-01 --ingress --protocol tcp --remote-ip 2.2.2.2/32 --dst-port 2222 --project project-a

5. Check the acl table in OVN NB DB.
$ ovn-nbctl list acl
Defaulted container "ovsdb" out of: ovsdb, init (init)

_uuid : f574dfbe-6342-4ed6-9fbe-a2c5fe1de820
action : allow-related
direction : to-lport
external_ids : {"neutron:security_group_rule_id"="967de8be-4cd1-4a2c-93ef-473b1ffc74b4"}
label : 867022203
log : true
match : "outport == @pg_0a6255a5_2892_476b_92a7_74b792072c18 && ip4 && ip4.src == 1.1.1.1/32 && tcp && tcp.dst == 1111"
meter : acl_log_meter
name : neutron-7961f56c-b0d7-4c3b-9bc8-828a446dd53e
options : {log-related="true"}
priority : 1002
severity : info

_uuid : 3918f28c-8f6d-4a73-b0ad-a35174fcb386
action : allow-related
direction : to-lport
external_ids : {"neutron:security_group_rule_id"="f132a1a4-a2aa-448f-8d25-60936814c0ea"}
label : 0
log : false
match : "outport == @pg_0a6255a5_2892_476b_92a7_74b792072c18 && ip4 && ip4.src == 2.2.2.2/32 && tcp && tcp.dst == 2222"
meter : []
name : []
options : {}
priority : 1002
severity : []

--

Expected:
In step 5, both ACLs created in steps 3 and 4 should have logging enabled.

Actual:
Only the ACL created in step 3 has logging enabled.
The ACL from step 4 does not have logging configured.

It appears that the issue is caused by a project ID filter applied during the logging update process when a new security group rule is created.

Tags: logging ovn sg-fw
Kyuyeong Lee (kyu0)
Changed in neutron:
assignee: nobody → Kyuyeong Lee (kyu0)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/947324

Changed in neutron:
status: New → In Progress
Revision history for this message
Balaji.k (balu689) wrote : Re: [Bug 2107446] Re: When a new security group rule is created, logging is not properly configured

Hi Kyuyeong Lee,

If you're using memcached along with neutron, please try to restart both containers.
Previously I faced the same issue; hope it works for you.

On Wed, 16 Apr 2025, 13:45 OpenStack Infra, <email address hidden>
wrote:

> Fix proposed to branch: master
> Review: https://review.opendev.org/c/openstack/neutron/+/947324

Revision history for this message
Kyuyeong Lee (kyu0) wrote :

Hi, Balaji

Thank you for your comment.
Unfortunately, I have already tried restarting the containers multiple times, but the issue still persists.

Revision history for this message
Lajos Katona (lajos-katona) wrote :

Hi, sorry for the late response, I had issues with my dev env.
I tried to reproduce your issue with master (~Epoxy 2025.1) but failed.
$ sudo ovn-nbctl list acl
....
_uuid : 12923039-713f-4c6a-b96f-3733d8b2a269
action : allow-related
direction : to-lport
external_ids : {"neutron:security_group_rule_id"="ef6b4c72-edee-4677-862e-6e1547e1c640"}
label : 1013418503
log : true
match : "outport == @pg_1279058c_61dc_4bcd_b28e_90541cd0335a && ip4 && ip4.src == 1.1.1.1/32 && tcp && tcp.dst == 1111"
meter : acl_log_meter
name : neutron-d96d664e-86fa-45c1-b57d-910ec8a70fb7
options : {log-related="true"}
priority : 1002
sample_est : []
sample_new : []
severity : info
tier : 0
....
_uuid : c2d9f0ca-8e89-41ff-b1a0-402785160af7
action : allow-related
direction : to-lport
external_ids : {"neutron:security_group_rule_id"="a8ffa612-ff95-4049-aa0c-59a5dad66e8c"}
label : 1395488214
log : true
match : "outport == @pg_1279058c_61dc_4bcd_b28e_90541cd0335a && ip4 && ip4.src == 2.2.2.2/32 && tcp && tcp.dst == 2222"
meter : acl_log_meter
name : neutron-d96d664e-86fa-45c1-b57d-910ec8a70fb7
options : {log-related="true"}
priority : 1002
sample_est : []
sample_new : []
severity : info
tier : 0

Changed in neutron:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/956094

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2025.1)

Fix proposed to branch: stable/2025.1
Review: https://review.opendev.org/c/openstack/neutron/+/956246

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2024.2)

Fix proposed to branch: stable/2024.2
Review: https://review.opendev.org/c/openstack/neutron/+/956247

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/neutron/+/956248

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/956094
Committed: https://opendev.org/openstack/neutron/commit/6e70cd450c8b920a1055af88e000f824f8bea2cf
Submitter: "Zuul (22348)"
Branch: master

commit 6e70cd450c8b920a1055af88e000f824f8bea2cf
Author: Elvira Garcia <email address hidden>
Date: Tue Jul 29 17:42:36 2025 +0200

    [SGL] Use admin context to retrieve log objs

    Previously we tried to search which log objects existed based on the
    context of the user who is creating a change on a security group rule.
    This is not correct as only admin can fetch log objects.

    Closes-Bug: #2107446
    Change-Id: Ia65e06c83ced9cde7618d4d7f3c7b0b3ae48c3fa
    Signed-off-by: Elvira Garcia <email address hidden>

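A simplified model of the failure described in the bug report and of the fix described in this commit message, added here as an example and not neutron's own code: Context, Log, get_logs, acl_log_fields and the two acl_for_new_rule_* functions are assumed names, and the log object, security group and project ids are constructed sample data.

```python
"""Simplified model of Launchpad bug #2107446 (constructed example, not neutron code).

The driver decides whether a new OVN ACL gets log=true by looking up the Log
objects that target the rule's security group.  If that lookup is filtered by
the caller's project instead of run with an admin context, a caller from another
project finds no Log objects and the ACL is created with log=false.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False

@dataclass(frozen=True)
class Log:
    project_id: str        # project that created the log object
    resource_id: str       # security group the log targets
    enabled: bool = True

# Constructed sample data: one log object created by project-a for sg-test-01.
SG_TEST_01 = "sg-test-01"
LOGS = [Log(project_id="project-a", resource_id=SG_TEST_01)]

def get_logs(context, resource_id):
    """Project-scoped lookup: non-admin callers only see their own project's logs."""
    return [log for log in LOGS
            if log.resource_id == resource_id and log.enabled
            and (context.is_admin or log.project_id == context.project_id)]

def acl_log_fields(lookup_context, sg_id):
    """OVN ACL logging columns for a new rule in sg_id, given the lookup context."""
    if get_logs(lookup_context, sg_id):
        return {"log": True, "meter": "acl_log_meter", "severity": "info"}
    return {"log": False, "meter": [], "severity": []}

def acl_for_new_rule_buggy(caller, sg_id):
    # Before the fix: the caller's own context filters the log lookup.
    return acl_log_fields(caller, sg_id)

def acl_for_new_rule_fixed(caller, sg_id):
    # After the fix: elevate to an admin context for the lookup only.
    return acl_log_fields(Context(caller.project_id, is_admin=True), sg_id)

if __name__ == "__main__":
    project_b = Context("project-b")
    print(acl_for_new_rule_buggy(project_b, SG_TEST_01)["log"])  # False: the step 4 ACL
    print(acl_for_new_rule_fixed(project_b, SG_TEST_01)["log"])  # True
```

The buggy path reproduces the step 4 ACL from the report (log false, empty meter and severity); the fixed path yields the same columns as the step 3 ACL regardless of the caller's project.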
Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2024.2)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/956247
Committed: https://opendev.org/openstack/neutron/commit/06770df2d33ea194c10b7c9fa84f68920db3d023
Submitter: "Zuul (22348)"
Branch: stable/2024.2

commit 06770df2d33ea194c10b7c9fa84f68920db3d023
Author: Elvira Garcia <email address hidden>
Date: Tue Jul 29 17:42:36 2025 +0200

    [SGL] Use admin context to retrieve log objs

    Previously we tried to search which log objects existed based on the
    context of the user who is creating a change on a security group rule.
    This is not correct as only admin can fetch log objects.

    Closes-Bug: #2107446
    Change-Id: Ia65e06c83ced9cde7618d4d7f3c7b0b3ae48c3fa
    Signed-off-by: Elvira Garcia <email address hidden>
    (cherry picked from commit 6e70cd450c8b920a1055af88e000f824f8bea2cf)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/956248
Committed: https://opendev.org/openstack/neutron/commit/cc4b1d3461893923b0d48e9cadef53163b56ec60
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit cc4b1d3461893923b0d48e9cadef53163b56ec60
Author: Elvira Garcia <email address hidden>
Date: Tue Jul 29 17:42:36 2025 +0200

    [SGL] Use admin context to retrieve log objs

    Previously we tried to search which log objects existed based on the
    context of the user who is creating a change on a security group rule.
    This is not correct as only admin can fetch log objects.

    Closes-Bug: #2107446
    Change-Id: Ia65e06c83ced9cde7618d4d7f3c7b0b3ae48c3fa
    Signed-off-by: Elvira Garcia <email address hidden>
    (cherry picked from commit 6e70cd450c8b920a1055af88e000f824f8bea2cf)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2025.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/956246
Committed: https://opendev.org/openstack/neutron/commit/afc6ab714c8439b4f08032b7144e819908e134e6
Submitter: "Zuul (22348)"
Branch: stable/2025.1

commit afc6ab714c8439b4f08032b7144e819908e134e6
Author: Elvira Garcia <email address hidden>
Date: Tue Jul 29 17:42:36 2025 +0200

    [SGL] Use admin context to retrieve log objs

    Previously we tried to search which log objects existed based on the
    context of the user who is creating a change on a security group rule.
    This is not correct as only admin can fetch log objects.

    Closes-Bug: #2107446
    Change-Id: Ia65e06c83ced9cde7618d4d7f3c7b0b3ae48c3fa
    Signed-off-by: Elvira Garcia <email address hidden>
    (cherry picked from commit 6e70cd450c8b920a1055af88e000f824f8bea2cf)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 24.2.1

This issue was fixed in the openstack/neutron 24.2.1 Caracal release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 27.0.0.0rc1

This issue was fixed in the openstack/neutron 27.0.0.0rc1 Flamingo release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 25.2.1

This issue was fixed in the openstack/neutron 25.2.1 Dalmatian release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 26.0.2

This issue was fixed in the openstack/neutron 26.0.2 Epoxy release.
