Public bug reported:

Scenario:
     VM port with 1 Security Group with 1 egress icmp rule
     (example rule: {u'ethertype': u'IPv4', u'direction': u'egress', u'protocol': u'icmp', u'dest_ip_prefix': u'0.0.0.0/0'})

Steps:
     Delete the (last) rule from the above Security Group via Horizon

Result:
    Find that iptables shows the egress icmp rule even after its deletion

Root Cause:
    In this scenario, security_group_info_for_devices() returns the following to the agent. Note that the 'security_groups' field is an empty dictionary {}! This causes _update_security_groups_info in the agent to NOT update the firewall.

The security_groups field must contain the security_group_id as key with an empty list for the rules.


{u'sg_member_ips': {}, u'devices': {u'ea19fb55-39bb-4e59-9d10-26c74eb3ff95': 
{u'status': u'ACTIVE', u'security_group_source_groups': [], u'binding:host_id': 
u'vRHEL29-1', u'name': u'', u'allowed_address_pairs': [{u'ip_address': 
u'10.0.0.201', u'mac_address': u'fa:16:3e:02:4b:b3'}, {u'ip_address': 
u'10.0.10.202', u'mac_address': u'fa:16:3e:02:4b:b3'}, {u'ip_address': 
u'10.0.20.203', u'mac_address': u'fa:16:3e:02:4b:b3'}], u'admin_state_up': 
True, u'network_id': u'f665dc8c-76da-4fde-8d26-535871487e4c', u'tenant_id': 
u'f5019aeae9e64443970bb0842e22e2b3', u'extra_dhcp_opts': [], 
u'security_group_rules': [{u'source_port_range_min': 67, u'direction': 
u'ingress', u'protocol': u'udp', u'ethertype': u'IPv4', u'port_range_max': 68, 
u'source_port_range_max': 67, u'source_ip_prefix': u'10.0.2.3', 
u'port_range_min': 68}], u'binding:vif_details': {u'port_filter': False}, 
u'binding:vif_type': u'bridge', u'device_owner': u'compute:nova', 
u'mac_address': u'fa:16:3e:02:4b:b3', u'device': u'tapea19fb55-39', 
u'binding:profile': {}, u'binding:vnic_type': u'normal', u'fixed_ips': 
[u'10.0.2.6'], u'id': u'ea19fb55-39bb-4e59-9d10-26c74eb3ff95', 
u'security_groups': [u'849ee59c-d100-4940-930b-44e358775ed3'], u'device_id': 
u'2b330c29-c16f-4bbf-b80a-bd5bae41b514'}}, u'security_groups': {}} 
security_group_info_for_devices 
/usr/lib/python2.6/site-packages/neutron/agent/securitygroups_rpc.py:104

** Affects: neutron
     Importance: Undecided
         Status: New

** Summary changed:

- Deleting last rule in Security Group does not work
+ Deleting last rule in Security Group does not update firewall

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1420056

Title:
  Deleting last rule in Security Group does not update firewall

Status in OpenStack Neutron (virtual network service):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1420056/+subscriptions
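
The failure mode described in the root cause, as an added example that is not part of the original report and is not Neutron's code: a simplified, hypothetical agent cache (`AgentCache`) that only updates groups present in the reply's `security_groups` field, plus a consistency check (`missing_group_ids`) for replies that reference a group without carrying an entry for it. The payloads are constructed, trimmed from the one in the report.

```python
# Added example: simplified model of an agent-side security group cache.
# AgentCache, payload, missing_group_ids and replay are hypothetical names.

SG_ID = "849ee59c-d100-4940-930b-44e358775ed3"      # group id from the report
PORT_ID = "ea19fb55-39bb-4e59-9d10-26c74eb3ff95"    # port id from the report
ICMP_EGRESS = {"ethertype": "IPv4", "direction": "egress",
               "protocol": "icmp", "dest_ip_prefix": "0.0.0.0/0"}


def payload(security_groups):
    """Constructed, trimmed-down RPC reply with the fields that matter here."""
    return {"devices": {PORT_ID: {"security_groups": [SG_ID]}},
            "security_groups": security_groups,
            "sg_member_ips": {}}


def missing_group_ids(info):
    """Group ids that a device references but the reply carries no entry for."""
    referenced = {sg for dev in info["devices"].values()
                  for sg in dev.get("security_groups", [])}
    return sorted(referenced - set(info["security_groups"]))


class AgentCache:
    """Keeps rules per group and only touches groups named in the reply."""

    def __init__(self):
        self.rules = {}

    def update(self, info):
        changed = False
        for sg_id, sg_rules in info["security_groups"].items():
            if self.rules.get(sg_id) != sg_rules:
                self.rules[sg_id] = list(sg_rules)
                changed = True
        return changed  # False means the firewall is left as it was


def replay(final_groups):
    """Apply the initial state, then the reply sent after the rule deletion."""
    cache = AgentCache()
    cache.update(payload({SG_ID: [ICMP_EGRESS]}))
    changed = cache.update(payload(final_groups))
    return changed, cache.rules[SG_ID]
```

`replay({})` models the reply in the report and leaves the stale ICMP rule cached; `replay({SG_ID: []})` models the reply the report asks for and clears it.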
