Security group and rule have incorrect relevance

Bug #1787078 reported by fanguiju
Affects            Status                   Importance   Assigned to   Milestone
Juniper Openstack  Status tracked in Trunk
  Trunk            In Progress              Undecided    fanguiju
OpenContrail       Confirmed                Undecided    fanguiju

Bug Description

When I integrated opencontrail into openstack and used Octavia LBaaS, I found that there was an incorrect association between network security groups and rules.

OpenStack version: Pike
Open Contrail version: 5.1(Master)
OS: CentOS 7

Step 1. List SGs.

(test_env) [root@control03 ~]# openstack security group list
+--------------------------------------+-----------------------------------------+------------------------------+----------------------------------+
| ID | Name | Description | Project |
+--------------------------------------+-----------------------------------------+------------------------------+----------------------------------+
...
| 6fb7cbf4-942e-4c96-b586-d1b47f0fa054 | lb-e56866b1-65e7-4123-a4fc-6048830f2f7a | | 0e67d1936ed545ea999965d8dc052e04 |
...
| 4db32be4-58f5-4c9d-9666-c609d08e6ec9 | lb-mgmt-sec-grp | lb-mgmt-sec-grp | 0e67d1936ed545ea999965d8dc052e04 |
+--------------------------------------+-----------------------------------------+------------------------------+----------------------------------+

Step 2. Get the rules of SG: lb-e56866b1-65e7-4123-a4fc-6048830f2f7a

(test_env) [root@control03 ~]# openstack security group rule list 6fb7cbf4-942e-4c96-b586-d1b47f0fa054
+--------------------------------------+-------------+-----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------------------+
| da9bf391-f678-46df-bc81-e790cbbba644 | any | 0.0.0.0/0 | 0:65535 | None |
| a167a712-7db1-4791-8d42-a350a5832b57 | any | ::/0 | 0:65535 | None |
| 816c73bc-64d0-45f8-8b81-5116f445fe34 | 112 | None | 0:65535 | None |
| 0d2dc4e1-c804-4f22-8614-8af29669753e | 51 | None | 0:65535 | None |
| e434f160-a8bc-4be1-98fc-3530ff547e49 | any | 0.0.0.0/0 | 0:65535 | None |
| c06c11c1-4b15-4dc7-8cc0-d30a29d4da16 | any | ::/0 | 0:65535 | None |
| 1cb8ccc5-d928-4615-9e8d-a5769433bfd7 | 112 | None | 0:65535 | None |
| 77a56d7b-ee47-40a2-98cb-2f30357610e9 | 51 | None | 0:65535 | None |
| 1aa2aa57-1314-4d88-a758-f1a1863e4042 | any | 0.0.0.0/0 | 0:65535 | None |
| 00b3478e-36c1-4c43-9361-1cfa63e2de0d | any | ::/0 | 0:65535 | None |
| 6bf63425-07cf-4966-bec7-8a8d87967fae | 112 | None | 0:65535 | None |
| 3bc1d8f3-a9bb-4f28-a195-a7b78e5c2ed1 | 51 | None | 0:65535 | None |
| 09948a3c-2f23-4455-b3d0-4d2f43f1e5f0 | any | 0.0.0.0/0 | 0:65535 | None |
| a56865c1-3510-4fc8-ab14-f51355dafca1 | any | ::/0 | 0:65535 | None |
| 64ea589a-cc18-488f-84ed-6b6c5f3f4e0d | 112 | None | 0:65535 | None |
| 75e184a9-1ffc-48f3-aec3-544f644719ad | 51 | None | 0:65535 | None |
| 2e21c094-6784-484f-965f-f1ef9acd7e96 | any | 0.0.0.0/0 | 0:65535 | None |
| 6737ea73-4156-4a5c-9457-0ed8c5fb5579 | any | ::/0 | 0:65535 | None |
| 75344fce-eb8d-4db6-b88e-a273e8063794 | 112 | None | 0:65535 | None |
| 27caf226-1a83-4f82-9878-2a3d00ee2c5d | 51 | None | 0:65535 | None |
| 4467d2b1-02f5-42fb-9f86-2b44e04c666e | any | 0.0.0.0/0 | 0:65535 | None |
| 269959e1-f76f-4726-9c78-1265cc78ab30 | any | ::/0 | 0:65535 | None |
| c026bbc7-2b8f-4ed1-b1ed-d4b378f1c9e5 | 112 | None | 0:65535 | None |
| 5bd2a622-8bfb-4379-927b-526cc9d3aef7 | icmp | 0.0.0.0/0 | | None |
| 048ce516-f62f-4685-a427-2a431e9f7f71 | udp | 0.0.0.0/0 | 5555:5555 | None |
| 027d5ddc-acad-4b34-8df8-3b1970fdbaf8 | any | 0.0.0.0/0 | 0:65535 | None |
| ed352314-96bf-47b0-b12d-a012e7db4088 | any | ::/0 | 0:65535 | None |
| eabd3bcf-4946-44ef-9220-4ef754cfa4c0 | 112 | None | 0:65535 | None |
| a884e260-60da-4a75-bfed-5bfe631e9d2d | 51 | None | 0:65535 | None |
| 1894f1d7-a8d4-4200-8ccf-354aee0acfaa | any | 0.0.0.0/0 | 0:65535 | None |
| 40f9f71d-c6ce-4bce-a5e0-7bc28402b72c | any | ::/0 | 0:65535 | None |
| 1d41daed-3493-4ccb-8e82-a56fdb0d4d10 | udp | 0.0.0.0/0 | 5555:5555 | None |
| fa224307-361f-43d7-9ec9-4e679cb0e64d | 112 | None | 0:65535 | None |
| 805f9038-1749-49cf-a385-efbc8e1a76cc | 51 | None | 0:65535 | None |
| 3455d5c9-c5c8-4bdd-98c1-dfda4f42e3ec | any | 0.0.0.0/0 | 0:65535 | None |
| 5c5f14e3-0a86-4fe7-9712-4441c2b6cdfd | any | ::/0 | 0:65535 | None |
| b396eb29-0964-434c-8fee-131cb0e516a2 | 112 | None | 0:65535 | None |
| 107d226c-1050-4497-a87b-76301daf20c7 | 51 | None | 0:65535 | None |
| 4e796942-9875-4b57-9086-a570808746df | any | 0.0.0.0/0 | 0:65535 | None |
| eed48712-79fc-4d05-aa69-f2badc99f787 | any | ::/0 | 0:65535 | None |
| aa474f0a-6ad3-4c8d-a870-22d1e0fe7698 | 112 | None | 0:65535 | None |
| 6581f823-b1a6-4837-bd1e-429406654b2a | 51 | None | 0:65535 | None |
| bd314559-818c-46b6-aa92-7d085a8083b0 | any | 0.0.0.0/0 | 0:65535 | None |
| 1fe3f9b5-2a43-4c05-8d17-df6ee1b3eb81 | any | ::/0 | 0:65535 | None |
| 86955c3d-6598-4365-bdd8-1931bd527745 | udp | 0.0.0.0/0 | 5555:5555 | None |
| ebab899e-fa79-4bb1-a6e6-fc1f72fe5952 | any | 0.0.0.0/0 | 0:65535 | None |
| 9bf57206-4cdf-45e4-a66c-645e14b9a1c5 | any | ::/0 | 0:65535 | None |
| cc72b3f1-5e43-43f7-abb7-d8c7107cfe2d | icmp | 0.0.0.0/0 | | None |
| 18778e46-a470-4d68-a0c6-54d6e80e38ad | tcp | 0.0.0.0/0 | 9443:9443 | None |
+--------------------------------------+-------------+-----------+------------+-----------------------+

Step 3. Get the SG_ID of RULE 18778e46-a470-4d68-a0c6-54d6e80e38ad, which was listed under SG lb-e56866b1-65e7-4123-a4fc-6048830f2f7a

(test_env) [root@control03 ~]# openstack security group rule show 18778e46-a470-4d68-a0c6-54d6e80e38ad
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | None |
| description | None |
| direction | ingress |
| ether_type | IPv4 |
| id | 18778e46-a470-4d68-a0c6-54d6e80e38ad |
| name | None |
| port_range_max | 9443 |
| port_range_min | 9443 |
| project_id | 0e67d1936ed545ea999965d8dc052e04 |
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | None |
| security_group_id | 4db32be4-58f5-4c9d-9666-c609d08e6ec9 |
| updated_at | None |
+-------------------+--------------------------------------+

Step 4. Get the SG by the SG_ID of RULE 18778e46-a470-4d68-a0c6-54d6e80e38ad (listed under SG lb-e56866b1-65e7-4123-a4fc-6048830f2f7a): it is lb-mgmt-sec-grp. This is wrong!!

(test_env) [root@control03 ~]# openstack security group show 4db32be4-58f5-4c9d-9666-c609d08e6ec9
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | None |
| description | lb-mgmt-sec-grp |
| id | 4db32be4-58f5-4c9d-9666-c609d08e6ec9 |
| name | lb-mgmt-sec-grp |
| project_id | 0e67d1936ed545ea999965d8dc052e04 |
| revision_number | None |
| rules | created_at='2018-08-14T15:06:44.726250', direction='egress', ethertype='IPv4', id='ebab899e-fa79-4bb1-a6e6-fc1f72fe5952', port_range_max='65535', protocol='any', remote_ip_prefix='0.0.0.0/0', updated_at='2018-08-14T15:06:44.726250' |
| | created_at='2018-08-14T15:06:44.744370', direction='egress', ethertype='IPv6', id='9bf57206-4cdf-45e4-a66c-645e14b9a1c5', port_range_max='65535', protocol='any', remote_ip_prefix='::/0', updated_at='2018-08-14T15:06:44.744370' |
| | created_at='2018-08-14T15:07:52.096432', direction='ingress', ethertype='IPv4', id='cc72b3f1-5e43-43f7-abb7-d8c7107cfe2d', protocol='icmp', remote_ip_prefix='0.0.0.0/0', updated_at='2018-08-14T15:07:52.096432' |
| | created_at='2018-08-15T01:44:56.991088', direction='ingress', ethertype='IPv4', id='18778e46-a470-4d68-a0c6-54d6e80e38ad', port_range_max='9443', port_range_min='9443', protocol='tcp', remote_ip_prefix='0.0.0.0/0', updated_at='2018-08-15T01:44:56.991088' |
| updated_at | None |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

fanguiju (fanguiju) wrote:

Complete openstack CLI output

yong sheng gong (gongysh) wrote:

It seems the OpenContrail API failed to filter rules according to sgr id.

Changed in opencontrail:
status: New → Confirmed
fanguiju (fanguiju)
Changed in opencontrail:
assignee: nobody → fanguiju (fanguiju)
fanguiju (fanguiju) wrote:

The security group filtering mechanism does not take effect, e.g.

(test_env) [root@control03 ~]# openstack security group list
+--------------------------------------+-----------------------------------------+------------------------------+----------------------------------+
| ID | Name | Description | Project |
+--------------------------------------+-----------------------------------------+------------------------------+----------------------------------+
| 1019ca1a-dde9-49d3-b337-89729d60cbfc | lb-1a277242-5230-41d4-a5c1-a6c0cda30b80 | | 0e67d1936ed545ea999965d8dc052e04 |
| 0a1e0c25-7476-4388-b408-364370508fd0 | lb-ebdee014-21cf-4b4d-b2b8-ca81c179aa05 | | 0e67d1936ed545ea999965d8dc052e04 |
| 2ffab67f-62d2-435e-953b-4a5290e44a2d | default | Default security group | 0e67d1936ed545ea999965d8dc052e04 |
| 6bdea468-6ce8-493a-9682-323a2c87c7de | lb-e7a15f18-069d-4c3c-8226-c27fbe268984 | | 0e67d1936ed545ea999965d8dc052e04 |
| 6e378672-cc3d-4189-a860-93fbabb11147 | lb-mgmt-sec-grp | lb-mgmt-sec-grp | 0e67d1936ed545ea999965d8dc052e04 |
| 70079e51-2070-4ad9-8ddc-e82b6da67bfa | default | Default security group | 809a3e46694f4f1f9141740d94b520ee |
| e5a7e778-7bd0-48ab-942e-4275c7555594 | lb-2627336b-a43f-48dc-a6ce-8674f6e07c81 | | 0e67d1936ed545ea999965d8dc052e04 |
| e1335f03-d811-4d8b-ade0-e791b2a48262 | lb-a07d3e52-55fd-4295-b0b0-b580c52226e1 | | 0e67d1936ed545ea999965d8dc052e04 |
| ebb40f8f-5bbe-4e98-a54e-2ae7b078c7f2 | __no_rule__ | Security group with no rules | 53336e1e2c0b4b25b0ebe2943852a33b |
+--------------------------------------+-----------------------------------------+------------------------------+----------------------------------+

(test_env) [root@control03 ~]# openstack security group rule list 1019ca1a-dde9-49d3-b337-89729d60cbfc
+--------------------------------------+-------------+-----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------------------+
| 766e6e5d-5701-4abb-acea-63a395064736 | icmp | 0.0.0.0/0 | | None |
| 5bd2a622-8bfb-4379-927b-526cc9d3aef7 | icmp | 0.0.0.0/0 | | None |
| f7f1ab62-993c-4f03-806c-20c2b32866f9 | icmp | 0.0.0.0/0 | | None |
| e7c7eda3-e2a8-4b0f-a224-f945a2af5534 | tcp | 0.0.0.0/0 | 22:22 | None |
| a19406d9-cd1c-460c-9642-67e5ed3f2334 | tcp | 0.0.0.0/0 | 22:22 | None |
| 14c3a7c8-447a-4eb8-a62a-ec17d9c54c2d | tcp | 0.0.0.0/0 | 1:65535 | None |
| 9a54a481-292a-425d-bd43-e8778e28d948 | udp | 0.0.0.0/0 | 1:65535 | None ...

OpenContrail Admin (ci-admin-f) wrote: [Review update] master

Review in progress for https://review.opencontrail.org/45748
Submitter: fanguiju (fanguiju1992@163.com)
