Bug #1156504 “Plugin doesn't get called when explicit rules are ...” : Bugs : neutron

Revision history for this message

Tomoe Sugihara (tomoe) wrote on 2013-03-18:

#1

I should have caught this earlier when I was working on adding explicit egress rules. I'm now working on a patch to fix this.

Revision history for this message

Aaron Rosen (arosen) wrote on 2013-03-18:

#2

For grizzly I would recommend backporting a pactch for you plugin to explicity add the rules and then we can do something better in Havana.

Changed in quantum:
milestone:	none → havana-1

Revision history for this message

Tomoe Sugihara (tomoe) wrote on 2013-03-19:

#3

Hi Aaron,

Makes sense. I'm working on a patch for H1. As for our plugin, our code in G still need more work to support SG, so I'm working on SG implementation targeted for H. Hopefully I can backport something to G in the future.

Mark McClain (markmcclain) on 2013-03-21

Changed in quantum:
importance:	Undecided → Medium
tags:	added: sg-fw

Revision history for this message

Tomoe Sugihara (tomoe) wrote on 2013-03-22:

#4

Download full text (4.1 KiB)

Hi Aaron,

With my following change, I found a mutual recursion issue in the NVP plugin where _ensure_default_security_group() gets called infinitely.

diff --git a/quantum/db/securitygroups_db.py b/quantum/db/securitygroups_db.py
index c2b42b5..b812d20 100644
--- a/quantum/db/securitygroups_db.py
+++ b/quantum/db/securitygroups_db.py
@@ -105,22 +105,33 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
             for ethertype in ext_sg.sg_supported_ethertypes:
                 if s.get('name') == 'default':
                     # Allow intercommunication
- ingress_rule = SecurityGroupRule(
- id=uuidutils.generate_uuid(), tenant_id=tenant_id,
- security_group=security_group_db,
- direction='ingress',
- ethertype=ethertype,
- source_group=security_group_db)
- context.session.add(ingress_rule)
-
- egress_rule = SecurityGroupRule(
- id=uuidutils.generate_uuid(), tenant_id=tenant_id,
- security_group=security_group_db,
- direction='egress',
- ethertype=ethertype)
- context.session.add(egress_rule)
-
- return self._make_security_group_dict(security_group_db)
+ ingress_rule = {'security_group_rule':
+ {'tenant_id': tenant_id,
+ 'security_group_id':
+ security_group_db.id,
+ 'direction': 'ingress',
+ 'ethertype': ethertype,
+ 'port_range_min': None,
+ 'port_range_max': None,
+ 'remote_group_id':
+ security_group_db.id,
+ 'protocol': None,
+ 'remote_ip_prefix': None}}
+ self.create_security_group_rule(context, ingress_rule)
+
+ egress_rule = {'security_group_rule':
+ {'tenant_id': tenant_id,
+ 'security_group_id': security_group_db.id,
+ 'direction': 'egress',
+ 'ethertype': ethertype,
+ 'port_range_min': None,
+ 'port_range_max': None,
+ 'remote_group_id': None,
+ 'protocol': None,
+ 'remote_ip_prefix': None}}
+ self.create_security_group_rule(context, egress_rule)
+
+ return self.get_security_group(context, security_group_db.id)

def get_security_groups(self, context, filters=None, fields=None,
sorts=None, limit=None,

Would it make sense to remove _ensure_default_security_group() call in create_security_group_rule_bulk() as follows?
I thought it'd be OK because you wouldn't create a SG rule without having a SG and SG c...

Hi Aaron,

With my following change, I found a mutual recursion issue in the NVP plugin where _ensure_default_security_group() gets called infinitely.

diff --git a/quantum/db/securitygroups_db.py b/quantum/db/securitygroups_db.py
index c2b42b5..b812d20 100644
--- a/quantum/db/securitygroups_db.py
+++ b/quantum/db/securitygroups_db.py
@@ -105,22 +105,33 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
             for ethertype in ext_sg.sg_supported_ethertypes:
                 if s.get('name') == 'default':
                     # Allow intercommunication
-                    ingress_rule = SecurityGroupRule(
-                        id=uuidutils.generate_uuid(), tenant_id=tenant_id,
-                        security_group=security_group_db,
-                        direction='ingress',
-                        ethertype=ethertype,
-                        source_group=security_group_db)
-                    context.session.add(ingress_rule)
-
-                egress_rule = SecurityGroupRule(
-                    id=uuidutils.generate_uuid(), tenant_id=tenant_id,
-                    security_group=security_group_db,
-                    direction='egress',
-                    ethertype=ethertype)
-                context.session.add(egress_rule)
-
-        return self._make_security_group_dict(security_group_db)
+                    ingress_rule = {'security_group_rule':
+                                   {'tenant_id': tenant_id,
+                                    'security_group_id':
+                                    security_group_db.id,
+                                    'direction': 'ingress',
+                                    'ethertype': ethertype,
+                                    'port_range_min': None,
+                                    'port_range_max': None,
+                                    'remote_group_id':
+                                    security_group_db.id,
+                                    'protocol': None,
+                                    'remote_ip_prefix': None}}
+                    self.create_security_group_rule(context, ingress_rule)
+
+                egress_rule = {'security_group_rule':
+                              {'tenant_id': tenant_id,
+                               'security_group_id': security_group_db.id,
+                               'direction': 'egress',
+                               'ethertype': ethertype,
+                               'port_range_min': None,
+                               'port_range_max': None,
+                               'remote_group_id': None,
+                               'protocol': None,
+                               'remote_ip_prefix': None}}
+                self.create_security_group_rule(context, egress_rule)
+
+        return self.get_security_group(context, security_group_db.id)
 
     def get_security_groups(self, context, filters=None, fields=None,
                             sorts=None, limit=None,

Would it make sense to remove  _ensure_default_security_group() call in create_security_group_rule_bulk() as follows? 
I thought it'd be OK because you wouldn't create a SG rule without having a SG and  SG creation triggers __ensure_default_security_group(). Therefore, you wouldn't need to ensure "default" in create_security_group_rule_bulk().

diff --git a/quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py b/quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py
index c5a2780..2acb380 100644
--- a/quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py
+++ b/quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py
@@ -2161,7 +2161,7 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
         # TODO(arosen) is there anyway we could avoid having the update of
         # the security group rules in nvp outside of this transaction?
         with context.session.begin(subtransactions=True):
-            self._ensure_default_security_group(context, tenant_id)
+            #self._ensure_default_security_group(context, tenant_id)
             security_group_id = self._validate_security_group_rules(
                 context, security_group_rule)

Let me know what you think.
Thanks!

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-03-26: Fix proposed to quantum (master)

#5

Fix proposed to branch: master
Review: https://review.openstack.org/25354

Changed in quantum:
assignee:	nobody → Tomoe Sugihara (tomoe)
status:	New → In Progress

Mark McClain (markmcclain) on 2013-05-28

Changed in quantum:
milestone:	havana-1 → none

Revision history for this message

Eugene Nikanorov (enikanorov) wrote on 2014-08-07:

#6

The patch was abandoned more than a year ago. I suggest marking it as Won't fix as community seems not to be interested in fixing this.

Eugene Nikanorov (enikanorov) on 2014-11-21

Changed in neutron:
status:	In Progress → Incomplete

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2016-03-12:

#7

This bug is > 172 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee:	Tomoe Sugihara (tomoe) → nobody

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-05-11:

#8

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status:	Incomplete → Expired

neutron

Plugin doesn't get called when explicit rules are auto-created.

Bug Description

Other bug subscribers

Remote bug watches