listener provisioning status in ERROR when port is 1025 and allowed_cidr is explicitly set to 0.0.0.0/0

Bug #1944666 reported by Hemanth Nakkina
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu Cloud Archive
Undecided
Unassigned
Ussuri
High
Unassigned
Victoria
High
Unassigned
Wallaby
High
Unassigned
Xena
Undecided
Unassigned
octavia (Ubuntu)
High
Hemanth Nakkina
Focal
High
Unassigned
Hirsute
High
Unassigned
Impish
High
Unassigned

Bug Description

Corresponding upstream story link: https://storyboard.openstack.org/#!/story/2009117

Created a loadbalancer and a listener with protocol tcp protocol_port 1025 and allowed_cidr 0.0.0.0/0, the listener ends up in provisioning status as ERROR.

Error message in Octavia worker log
neutronclient.common.exceptions.Conflict: Security group rule already exists

This is a very edge case only when protocol port is 1025 (same as peer port which is hardcoded to constants.HAPROXY_BASE_PEER_PORT i.e, 1025) and allowed_cidr is explicitly set to 0.0.0.0/0.

Reproducer:
openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
openstack loadbalancer listener create --name lb1-listener --protocol tcp --protocol-port 1025 --allowed-cidr 0.0.0.0/0 lb1
openstack loadbalancer listener show lb1-listener lb1

The culprit is [1] where the allowed_cidr for peer port should handle both None and 0.0.0.0/0 as 0.0.0.0/0 is the default value.

Tested on: Ubuntu Focal Ussuri Octavia packages

Fix available in Upstream until stable/train (not part of any point release)
https://review.opendev.org/c/openstack/octavia/+/804485

[1] https://opendev.org/openstack/octavia/src/commit/b89c929c12fb262f59ba320a37f2a5bf4109df98/octavia/network/drivers/neutron/allowed_address_pairs.py#L150-L178

################################################################

SRU:

[Impact]
Not able to create a Loadbalancer listener

[Test Case]
1. Create a Loadbalancer
openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
2. Create a listener
openstack loadbalancer listener create --name lb1-listener --protocol tcp --protocol-port 1025 --allowed-cidr 0.0.0.0/0 lb1
3. Check listener status
openstack loadbalancer listener show lb1-listener lb1
Listener is not in active status.

[Regression Potential]
This is a simple change and all the CI unit/functional/tempest test cases are successful in upstream.
The fix can lead to some edge cases where the updated_ports end up in duplicate entries. However the updated_ports list is converted to set while determining new ports to be added which will discard the duplicates.

Changed in octavia (Ubuntu Impish):
status: New → Fix Released
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :
description: updated
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :

Hi SRU team,

Debdiff's for hirsute/focal, UCA wallaby/victoria/focal are uploaded

tags: added: sts sts-sru-needed
Changed in octavia (Ubuntu):
assignee: nobody → Hemanth Nakkina (hemanth-n)
Changed in octavia (Ubuntu Hirsute):
status: New → Triaged
Changed in octavia (Ubuntu Focal):
status: New → Triaged
Changed in octavia (Ubuntu Hirsute):
importance: Undecided → High
Changed in octavia (Ubuntu Focal):
importance: Undecided → High
Revision history for this message
Corey Bryant (corey.bryant) wrote :
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Hemanth, or anyone else affected,

Accepted octavia into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/octavia/1:8.0.0-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in octavia (Ubuntu Hirsute):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-hirsute
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Hemanth, or anyone else affected,

Accepted octavia into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/octavia/6.2.1-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in octavia (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Hello Hemanth, or anyone else affected,

Accepted octavia into wallaby-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:wallaby-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-wallaby-needed to verification-wallaby-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-wallaby-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Hello Hemanth, or anyone else affected,

Accepted octavia into ussuri-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ussuri-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ussuri-needed to verification-ussuri-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ussuri-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-wallaby-needed
tags: added: verification-ussuri-needed
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :

Verified focal-proposed, hirsute-proposed, wallaby-proposed, ussuri-proposed and the test case is working as expected. Attached lp1944666_verification.

@Corey,
Octavia package is not yet available in victoria-proposed.

Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :
tags: added: verification-done-focal verification-done-hirsute verification-ussuri-done verification-wallaby-done
removed: verification-needed-focal verification-needed-hirsute verification-ussuri-needed verification-wallaby-needed
Revision history for this message
Chris MacNaughton (chris.macnaughton) wrote :

Hello Hemanth, or anyone else affected,

Accepted octavia into victoria-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:victoria-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-victoria-needed to verification-victoria-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-victoria-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-victoria-needed
Revision history for this message
Hemanth Nakkina (hemanth-n) wrote :

Verified victoria-proposed and test case is successful.

# dpkg -l | grep octavia
ii octavia-api 7.1.1-0ubuntu1~cloud1 all OpenStack Load Balancer as a Service - API frontend
ii octavia-common 7.1.1-0ubuntu1~cloud1 all OpenStack Load Balancer as a Service - Common files
ii octavia-health-manager 7.1.1-0ubuntu1~cloud1 all OpenStack Load Balancer Service - Health manager
ii octavia-housekeeping 7.1.1-0ubuntu1~cloud1 all OpenStack Load Balancer Service - Housekeeping manager
ii octavia-worker 7.1.1-0ubuntu1~cloud1 all OpenStack Load Balancer Service - Worker
ii python3-octavia 7.1.1-0ubuntu1~cloud1 all OpenStack Load Balancer as a Service - Python libraries
ii python3-octavia-lib 2.2.0-0ubuntu1~cloud0 all Library to support Octavia provider drivers

$ openstack loadbalancer listener show lb1-listener -c provisioning_status
+---------------------+--------+
| Field | Value |
+---------------------+--------+
| provisioning_status | ACTIVE |
+---------------------+--------+

tags: added: verification-done verification-victoria-done
removed: verification-needed verification-victoria-needed
Mathew Hodson (mhodson)
Changed in octavia (Ubuntu):
importance: Undecided → High
Changed in octavia (Ubuntu Impish):
importance: Undecided → High
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for octavia has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package octavia - 6.2.1-0ubuntu2

---------------
octavia (6.2.1-0ubuntu2) focal; urgency=medium

  * d/p/0001-Fix-duplicate-SG-creation-for-listener-peer-port.patch: Fix listener
    creation when allowed_cidr is set to 0.0.0.0/0 (LP: #1944666).

 -- Hemanth Nakkina <email address hidden> Wed, 13 Oct 2021 15:11:45 +0530

Changed in octavia (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package octavia - 1:8.0.0-0ubuntu2

---------------
octavia (1:8.0.0-0ubuntu2) hirsute; urgency=medium

  [ Corey Bryant ]
  * d/gbp.conf: Create stable/wallaby branch.

  [ Hemanth Nakkina ]
  * d/p/0001-Fix-duplicate-SG-creation-for-listener-peer-port.patch: Fix listener
    creation when allowed_cidr is set to 0.0.0.0/0 (LP: #1944666).

 -- Corey Bryant <email address hidden> Mon, 26 Apr 2021 10:48:41 -0400

Changed in octavia (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Revision history for this message
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for octavia has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package octavia - 1:8.0.0-0ubuntu2~cloud0
---------------

 octavia (1:8.0.0-0ubuntu2~cloud0) focal-wallaby; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 octavia (1:8.0.0-0ubuntu2) hirsute; urgency=medium
 .
   [ Corey Bryant ]
   * d/gbp.conf: Create stable/wallaby branch.
 .
   [ Hemanth Nakkina ]
   * d/p/0001-Fix-duplicate-SG-creation-for-listener-peer-port.patch: Fix listener
     creation when allowed_cidr is set to 0.0.0.0/0 (LP: #1944666).

Revision history for this message
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for octavia has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package octavia - 7.1.1-0ubuntu1~cloud1
---------------

 octavia (7.1.1-0ubuntu1~cloud1) focal-victoria; urgency=medium
 .
   * d/p/0001-Fix-duplicate-SG-creation-for-listener-peer-port.patch: Fix listener
     creation when allowed_cidr is set to 0.0.0.0/0 (LP: #1944666).

Revision history for this message
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for octavia has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package octavia - 6.2.1-0ubuntu2~cloud0
---------------

 octavia (6.2.1-0ubuntu2~cloud0) bionic-ussuri; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 octavia (6.2.1-0ubuntu2) focal; urgency=medium
 .
   * d/p/0001-Fix-duplicate-SG-creation-for-listener-peer-port.patch: Fix listener
     creation when allowed_cidr is set to 0.0.0.0/0 (LP: #1944666).

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers