OpenStack Security Advisory

  1. Bug #1813007
  2. Comment #4

Comment 4 for bug 1813007

Revision history for this message
Drew Freiberger (afreiberger) wrote : Re: Unable to install new flows on compute nodes when having broken security group rules

Found https://paste.ubuntu.com/p/s5Z4DNJspV/ missing.
New copy here: https://pastebin.ubuntu.com/p/g7Q3nFmhWN/

The thing to note is that they both have the same remote_group_id, 40ee2790-282f-4c6a-8f00-d5ee0b8b66d7 and one has ports_range_min/max=None (which in the code None is replaced with 1 on ports_range_min and 65535 on port_range_max).

The code then translated this remote_group_id into id 38, which in the cur_conj.remove(conj_id) call ended up failing to delete due to there being two different entities with the key 38, hence the KeyError. If I recall correctly from looking at this last week, cur_conj is an array of tuples of ('<json array of security group rule port/proto settings>', conj_id).