StarlingX

DC sysinv firewall rules audit failed

Bug #1844147 reported by Andy
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Andy

Bug Description

Brief Description
-----------------
In a Distributed Cloud system, sysinv firewallrules audit failed.

Severity
--------
Major: System/Feature is usable but degraded

Steps to Reproduce
------------------
- Deploy a DC system with at least one subcloud.
- Manage the subcloud by:
  dcmanager subcloud manage <subcloud>
- Check /var/log/dcorch/dcorch.log in system controller
  There will be ERRORs like:
ERROR dcorch.drivers.openstack.sysinv_v1 [-] get_firewallrules region=subcloud1 exception='Client' object has no attribute 'firewallrules'

Expected Behavior
------------------
There shouldn't be ERRORs for firewallrules audit, and the audit should be successful.

Actual Behavior
----------------
Firewallrules audit failed.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
Distributed cloud with at least one subcloud.

Branch/Pull Time/Commit
-----------------------
STX master, git/distributedcloud, pulled at around Aug 26, 2019.

But the issue exists as latest as:
commit 2c538b9e521a5dd9a7e7a8b216a15dd47edf0ca4
Author: Scott Little <email address hidden>
Date: Thu Sep 5 14:52:07 2019 -0400

Last Pass
---------
Unknown.

Timestamp/Logs
--------------
2019-08-26 21:20:26.351 104053 ERROR dcorch.drivers.openstack.sysinv_v1 [-] get_firewallrules region=subcloud1 exception='Client' object has no attribute 'firewallrules'
2019-08-26 21:20:26.352 104053 ERROR dcorch.engine.sync_services.sysinv [-] The sync operation failed, will retry: SyncRequestFailedRetry: The sync operation failed, will retry
2019-08-26 21:20:26.352 104053 ERROR dcorch.engine.sync_services.sysinv Traceback (most recent call last):
2019-08-26 21:20:26.352 104053 ERROR dcorch.engine.sync_services.sysinv File "/usr/lib/python2.7/site-packages/dcorch/engine/sync_services/sysinv.py", line 1041, in get_firewallrules_resource
2019-08-26 21:20:26.352 104053 ERROR dcorch.engine.sync_services.sysinv ifirewallrules = os_client.sysinv_client.get_firewallrules()
2019-08-26 21:20:26.352 104053 ERROR dcorch.engine.sync_services.sysinv File "/usr/lib/python2.7/site-packages/dcorch/drivers/openstack/sysinv_v1.py", line 484, in get_firewallrules
2019-08-26 21:20:26.352 104053 ERROR dcorch.engine.sync_services.sysinv raise exceptions.SyncRequestFailedRetry()
2019-08-26 21:20:26.352 104053 ERROR dcorch.engine.sync_services.sysinv SyncRequestFailedRetry: The sync operation failed, will retry
2019-08-26 21:20:26.352 104053 ERROR dcorch.engine.sync_services.sysinv
2019-08-26 21:20:26.356 104053 INFO dcorch.drivers.openstack.sdk_platform [-] get new keystone client for subcloud RegionOne
2019-08-26 21:20:27.844 104053 ERROR dcorch.drivers.openstack.sysinv_v1 [-] get_firewallrules region=RegionOne exception='Client' object has no attribute 'firewallrules'
2019-08-26 21:20:27.844 104053 ERROR dcorch.engine.sync_services.sysinv [-] The sync operation failed, will retry: SyncRequestFailedRetry: The sync operation failed, will retry
2019-08-26 21:20:27.844 104053 ERROR dcorch.engine.sync_services.sysinv Traceback (most recent call last):
2019-08-26 21:20:27.844 104053 ERROR dcorch.engine.sync_services.sysinv File "/usr/lib/python2.7/site-packages/dcorch/engine/sync_services/sysinv.py", line 1041, in get_firewallrules_resource
2019-08-26 21:20:27.844 104053 ERROR dcorch.engine.sync_services.sysinv ifirewallrules = os_client.sysinv_client.get_firewallrules()
2019-08-26 21:20:27.844 104053 ERROR dcorch.engine.sync_services.sysinv File "/usr/lib/python2.7/site-packages/dcorch/drivers/openstack/sysinv_v1.py", line 484, in get_firewallrules
2019-08-26 21:20:27.844 104053 ERROR dcorch.engine.sync_services.sysinv raise exceptions.SyncRequestFailedRetry()
2019-08-26 21:20:27.844 104053 ERROR dcorch.engine.sync_services.sysinv SyncRequestFailedRetry: The sync operation failed, will retry
2019-08-26 21:20:27.844 104053 ERROR dcorch.engine.sync_services.sysinv
2019-08-26 21:20:27.845 104053 INFO dcorch.engine.sync_thread [-] subcloud1/platform: Audit firewallrules: [None] vs [None]
2019-08-26 21:20:27.845 104053 ERROR dcorch.engine.sync_services.sysinv [-] no get_resource_id for firewall

Test Activity
-------------
Found at feature development.

See original description
Andy (andy.wrs)
description: updated
Ghada Khalil (gkhalil)
tags: added: stx.distcloud
Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
status: New → In Progress
Revision history for this message
Andy (andy.wrs) wrote :

As per discussion with Brent, Matt, Greg and Bart:

OAM firewallrules are now managed through Calico GlobalNetworkPolicy configuration via k8s API. Firewallrules related subcommands have been removed from system command (eg, system firewall-rules-install). It would make more sense to have it handled in federated K8S in the future.

So within this LP we just cleanup firewallrules related code from dcorch.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to distcloud (master)

Fix proposed to branch: master
Review: https://review.opendev.org/682906

Revision history for this message
Ghada Khalil (gkhalil) wrote :

Marking as stx.3.0 / medium priority - code cleanup / should be done as Distributed Cloud is an stx.3.0 deliverable

Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.3.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to distcloud (master)

Reviewed: https://review.opendev.org/682906
Committed: https://git.openstack.org/cgit/starlingx/distcloud/commit/?id=a7d91e2961ecc114e7936b97d57b9540b71c658c
Submitter: Zuul
Branch: master

commit a7d91e2961ecc114e7936b97d57b9540b71c658c
Author: Andy Ning <email address hidden>
Date: Tue Sep 17 11:52:02 2019 -0400

    DC remove firewallrules audit from dcorch

    OAM firewallrules are now managed by Calico GlobalNetworkPolicy configuration
    via k8s API (not by sysinv anymore). This update removed firewallrules
    audit from dcorch.

    Change-Id: I9fab73c016bb4af760c7d78f0db18dcc8bb77057
    Closes-Bug: 1844147
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.