** Description changed:

- Corresponding upstream story link:
- https://storyboard.openstack.org/#!/story/2009117
+
+ Corresponding upstream story link: https://storyboard.openstack.org/#!/story/2009117

  Created a loadbalancer and a listener with protocol tcp protocol_port 1025 and allowed_cidr 0.0.0.0/0, the listener ends up in provisioning status as ERROR.
  Error message in Octavia worker log
  neutronclient.common.exceptions.Conflict: Security group rule already exists

  This is a very edge case only when protocol port is 1025 (same as peer port which is hardcoded to constants.HAPROXY_BASE_PEER_PORT i.e, 1025) and allowed_cidr is explicitly set to 0.0.0.0/0.

  Reproducer:
  openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
  openstack loadbalancer listener create --name lb1-listener --protocol tcp --protocol-port 1025 --allowed-cidr 0.0.0.0/0 lb1
  openstack loadbalancer listener show lb1-listener lb1

  The culprit is [1] where the allowed_cidr for peer port should handle both None and 0.0.0.0/0 as 0.0.0.0/0 is the default value.

  Tested on: Ubuntu Focal Ussuri Octavia packages

  Fix available in Upstream until stable/train (not part of any point release)
  https://review.opendev.org/c/openstack/octavia/+/804485

  [1] https://opendev.org/openstack/octavia/src/commit/b89c929c12fb262f59ba320a37f2a5bf4109df98/octavia/network/drivers/neutron/allowed_address_pairs.py#L150-L178
+
+
+ ################################################################
+
+ SRU:
+
+ [Impact]
+ Not able to create a Loadbalancer listener
+
+ [Test Case]
+ 1. Create a Loadbalancer
+ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
+ 2. Create a listener
+ openstack loadbalancer listener create --name lb1-listener --protocol tcp --protocol-port 1025 --allowed-cidr 0.0.0.0/0 lb1
+ 3. Check listener status
+ openstack loadbalancer listener show lb1-listener lb1
+ Listener is not in active status.
+
+ [Regression Potential]
+ This is a simple change and all the CI unit/functional/tempest test cases are successful in upstream.
+ The fix can lead to some edge cases where the updated_ports end up in duplicate entries. However the updated_ports list is converted to set while determining new ports to be added which will discard the duplicates.

** Patch added: "Debdiff for hirsute"
   https://bugs.launchpad.net/ubuntu/+source/octavia/+bug/1944666/+attachment/5532417/+files/lp1944666_hisute.debdiff

https://bugs.launchpad.net/bugs/1944666

Title:
  listener provisioning status in ERROR when port is 1025 and allowed_cidr is explicitly set to 0.0.0.0/0
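
A simplified model of the failure described in this report, added here as an illustration and not taken from Octavia's code. `FakeSecurityGroup`, `wanted_rules` and `apply_rules` are hypothetical names, and the model assumes, as the report states, that a rule with no CIDR is treated the same as `0.0.0.0/0`.

```python
# Added illustration: a simplified model, not Octavia's source code.
DEFAULT_CIDR = "0.0.0.0/0"   # per the report, the default value when no CIDR is set
PEER_PORT = 1025             # value the report gives for HAPROXY_BASE_PEER_PORT


class Conflict(Exception):
    """Stand-in for neutronclient.common.exceptions.Conflict."""


class FakeSecurityGroup:
    """Hypothetical backend: rejects a rule equivalent to one it already holds."""

    def __init__(self):
        self.rules = set()

    def add_rule(self, port, protocol, cidr):
        key = (port, protocol, cidr or DEFAULT_CIDR)  # None and 0.0.0.0/0 are equal here
        if key in self.rules:
            raise Conflict("Security group rule already exists")
        self.rules.add(key)


def wanted_rules(listeners, normalise):
    """Build (port, protocol, cidr) tuples for the listeners plus the peer port."""
    ports = []
    for port, protocol, cidrs in listeners:
        for cidr in cidrs or [None]:
            ports.append((port, protocol, cidr))
    ports.append((PEER_PORT, "tcp", None))  # peer port rule carries no explicit CIDR
    if normalise:
        ports = [(p, proto, c or DEFAULT_CIDR) for p, proto, c in ports]
    return set(ports)  # a set only drops duplicates that compare equal


def apply_rules(listeners, normalise):
    """Return 'ACTIVE' if every rule was created, 'ERROR' on a Conflict."""
    sg = FakeSecurityGroup()
    try:
        for rule in sorted(wanted_rules(listeners, normalise), key=str):
            sg.add_rule(*rule)
    except Conflict:
        return "ERROR"
    return "ACTIVE"


# Constructed input matching the reproducer: TCP listener on 1025 with an explicit CIDR.
REPRODUCER = [(1025, "tcp", ["0.0.0.0/0"])]
```

Without normalisation the set keeps both `(1025, "tcp", None)` and `(1025, "tcp", "0.0.0.0/0")`, so the second create call conflicts; once both spellings map to one value the set removes the duplicate before any rule is created.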