[Build 14]: Ubuntu: deleted SG rules still present in API and allowing traffic as per the rules.

Bug #1325531 reported by alok kumar
Affects: Juniper Openstack
Status: Fix Committed
Importance: High
Assigned to: Sachin Bansal

Bug Description

I deleted all the rules from a security group "sg-icmp" and expected all the traffic to be denied.

But all the deleted rules are still present in API and agent.

CLI doesn't show any rule for that SG "sg-icmp".

root@nodeg18:/var/log/contrail# neutron security-group-rule-list
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| id                                   | security_group | direction | protocol | remote_ip_prefix | remote_group |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+
| 0e243c96-c21f-4f85-b267-9c316ad4e974 | default        | egress    | any      | 0.0.0.0/0        |              |
| e33d0930-2bea-406a-9200-b021868c146a | default        | ingress   | any      |                  | default      |
| 35636743-3c84-4eaa-972a-791c05731373 | default        | ingress   | icmp     |                  | default      |
| 0e37f2b6-c99e-42a0-b53c-8f73f69a5c28 | default_alok   | egress    | any      | 0.0.0.0/0        |              |
| 7f7d1f6b-b82b-4c99-9686-1e6684e81610 | default_alok   | ingress   | any      |                  | default_alok |
| 8dd032bd-6ecf-4ba8-98bd-e99962bcdb1a | sg-allowAll    | egress    | any      | 0.0.0.0/0        |              |
| e8cbc89f-96e9-4987-83b1-4d047de8e457 | sg-allowAll    | ingress   | any      | 0.0.0.0/0        |              |
| dc26ef9d-0d19-496c-9ac8-6f5e86fd0e7c | sg-http        | egress    | any      | 0.0.0.0/0        |              |
| 62dd1f62-3ef0-41a6-a043-065c0c9813b3 | sg-http        | ingress   | tcp      | 0.0.0.0/0        |              |
| 87a7f981-26e0-419f-8107-1b95e06c4c02 | sg-https       | egress    | any      | 0.0.0.0/0        |              |
| b3f597c7-b587-4440-aa89-15891fe5b5b0 | sg-https       | ingress   | tcp      | 0.0.0.0/0        |              |
| 67be8298-1098-4cf6-b5b4-3737982dd3c5 | sg-onlyEgress  | egress    | any      | 0.0.0.0/0        |              |
| 9170f30a-6e6a-48fa-ac41-547c31c1a210 | sg-onlyIngress | ingress   | any      | 0.0.0.0/0        |              |
| 258366ea-3f3a-4de4-88c6-2963047ac279 | sg-ssh         | egress    | any      | 0.0.0.0/0        |              |
| b15eed9a-1819-49b2-b03a-e2f0878e6d01 | sg-ssh         | ingress   | tcp      | 0.0.0.0/0        |              |
| 426e2add-9222-426c-b1e3-74f1e7ae7c13 | default        | ingress   | any      |                  | default      |
| b7d04863-8e31-4c94-8153-03a23cd461a5 | default        | egress    | any      | 0.0.0.0/0        |              |
| 15bb1706-d941-42cb-8d6d-f2475babfda3 | default        | ingress   | any      |                  | default      |
| 49fb4805-65f7-4f18-b9d7-2b59972ad2a3 | default        | egress    | any      | 0.0.0.0/0        |              |
| b05f6f41-7950-4bbb-a9bb-eb1bf9e6fed3 | default        | ingress   | any      |                  | default      |
| f84b1dab-5157-465b-80b2-bf8db5e8febc | default        | egress    | any      | 0.0.0.0/0        |              |
+--------------------------------------+----------------+-----------+----------+------------------+--------------+

root@nodeg18:/var/log/contrail# neutron security-group-list
+--------------------------------------+------------------------+-----------------------------+
| id                                   | name                   | description                 |
+--------------------------------------+------------------------+-----------------------------+
| 7f506022-b882-45bf-a69d-34b93be47412 | default                |                             |
| 206f9e79-1e3f-4118-a8a6-665cf9c7557b | default_alok           | same as default             |
| da240674-d1e2-481b-8282-83ea6b82fca9 | sg-allowAll            | allow all                   |
| e1203b2b-b772-4c68-b2e6-88a13d865357 | sg-http                | allow http                  |
| 2b320608-c849-4d05-bea3-e278a2c97d97 | sg-https               | allow https                 |
| e3ef5ffe-5a53-437b-9926-82c5ba5b36a8 | sg-icmp                | allow icmp                  |
| eba78ce0-5eea-41c1-971e-04a48b9867a6 | sg-noRules             | no rules                    |
| a6e6a0b0-4508-4d4b-ae33-a71dcdf3ab88 | sg-onlyEgress          | allow only outbound traffic |
| 5b962978-4b0f-4be1-a891-c9019888c3e1 | sg-onlyIngress         | allow only inbound traffic  |
| 02362781-8d89-4719-9108-f0555b30d5d6 | sg-ssh                 | sg to allow ssh traffic     |
| 23367856-b80d-468c-a410-1ba2728a448a | default-security-group |                             |
| 04dd5514-b6ae-40ee-b8ab-e24fff1d283c | default                |                             |
| 8434d9fe-c43c-42be-aaf7-96f920964001 | default                |                             |
| a5f0036c-81c6-4f73-bca9-0b1d2372dbf3 | default                |                             |
+--------------------------------------+------------------------+-----------------------------+

Rules present in API server:

{
    "access-control-list": {
        "fq_name": [
            "default-domain",
            "admin",
            "sg-icmp",
            "egress-access-control-list"
        ],
        "uuid": "2618c853-0377-42aa-8c3a-282a21a6f041",
        "parent_uuid": "e3ef5ffe-5a53-437b-9926-82c5ba5b36a8",
        "parent_href": "http://nodeh1.englab.juniper.net:8082/security-group/e3ef5ffe-5a53-437b-9926-82c5ba5b36a8",
        "parent_type": "security-group",
        "href": "http://nodeh1.englab.juniper.net:8082/access-control-list/2618c853-0377-42aa-8c3a-282a21a6f041",
        "id_perms": {
            "enable": true,
            "uuid": {
                "uuid_mslong": 2745164231748305400,
                "uuid_lslong": 10104432875377455000
            },
            "created": "2014-05-28T07:55:33.967920",
            "description": null,
            "last_modified": "2014-05-29T09:49:29.357589",
            "permissions": {
                "owner": "cloud-admin",
                "owner_access": 7,
                "other_access": 7,
                "group": "cloud-admin-group",
                "group_access": 7
            }
        },
        "access_control_list_entries": {
            "dynamic": null,
            "acl_rule": [
                {
                    "match_condition": {
                        "src_address": {
                            "security_group": null,
                            "subnet": null,
                            "virtual_network": null
                        },
                        "protocol": "any",
                        "src_port": {
                            "end_port": 65535,
                            "start_port": 0
                        },
                        "dst_port": {
                            "end_port": 65535,
                            "start_port": 0
                        },
                        "dst_address": {
                            "security_group": null,
                            "subnet": {
                                "ip_prefix": "0.0.0.0",
                                "ip_prefix_len": 0
                            },
                            "virtual_network": null
                        }
                    },
                    "action_list": {
                        "simple_action": "pass",
                        "gateway_name": null,
                        "apply_service": [ ],
                        "mirror_to": null,
                        "assign_routing_instance": null
                    }
                }
            ]
        },
        "name": "egress-access-control-list"
    }
}

{
    "access-control-list": {
        "fq_name": [
            "default-domain",
            "admin",
            "sg-icmp",
            "ingress-access-control-list"
        ],
        "uuid": "8a4a219d-0c67-467e-935d-98da884de004",
        "parent_uuid": "e3ef5ffe-5a53-437b-9926-82c5ba5b36a8",
        "parent_href": "http://nodeh1.englab.juniper.net:8082/security-group/e3ef5ffe-5a53-437b-9926-82c5ba5b36a8",
        "parent_type": "security-group",
        "href": "http://nodeh1.englab.juniper.net:8082/access-control-list/8a4a219d-0c67-467e-935d-98da884de004",
        "id_perms": {
            "enable": true,
            "uuid": {
                "uuid_mslong": 9964814083912321000,
                "uuid_lslong": 10618811560766595000
            },
            "created": "2014-05-28T07:55:33.855678",
            "description": null,
            "last_modified": "2014-05-29T09:49:29.350992",
            "permissions": {
                "owner": "cloud-admin",
                "owner_access": 7,
                "other_access": 7,
                "group": "cloud-admin-group",
                "group_access": 7
            }
        },
        "access_control_list_entries": {
            "dynamic": null,
            "acl_rule": [
                {
                    "match_condition": {
                        "src_address": {
                            "security_group": null,
                            "subnet": {
                                "ip_prefix": "0.0.0.0",
                                "ip_prefix_len": 0
                            },
                            "virtual_network": null
                        },
                        "protocol": "1",
                        "src_port": {
                            "end_port": 65535,
                            "start_port": 0
                        },
                        "dst_port": {
                            "end_port": 65535,
                            "start_port": 0
                        },
                        "dst_address": {
                            "security_group": null,
                            "subnet": null,
                            "virtual_network": null
                        }
                    },
                    "action_list": {
                        "simple_action": "pass",
                        "gateway_name": null,
                        "apply_service": [ ],
                        "mirror_to": null,
                        "assign_routing_instance": null
                    }
                }
            ]
        },
        "name": "ingress-access-control-list"
    }
}

All logs are at nodeb11:/home/kalok/contrail/bugLogs/<bugId>
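The mismatch shown above (neutron lists nothing for sg-icmp while the API server's per-SG access-control-lists still carry "pass" rules) can be checked for across every group by comparing the two views. This is an added Python example, not Contrail or Neutron project code; the neutron rows and the trimmed ACL documents are constructed in-line from the output in this report.

```python
# Added example (not Contrail or Neutron project code): flag security-group rules
# that neutron no longer lists but that still exist as "pass" entries in the
# Contrail API server's per-SG access-control-lists, as seen for sg-icmp above.
IP_PROTO = {"1": "icmp", "6": "tcp", "17": "udp", "any": "any"}

def neutron_rule_set(rule_rows):
    """Set of (sg, direction, protocol, remote_prefix) built from neutron rows."""
    return {(r["security_group"], r["direction"], r["protocol"],
             r.get("remote_ip_prefix") or "") for r in rule_rows}

def acl_to_neutron_view(acl_doc):
    """Translate one access-control-list document into neutron-style tuples."""
    acl = acl_doc["access-control-list"]
    sg = acl["fq_name"][-2]                      # parent security group name
    direction = acl["name"].split("-")[0]        # "ingress" or "egress"
    out = []
    for rule in acl["access_control_list_entries"]["acl_rule"]:
        if rule["action_list"]["simple_action"] != "pass":
            continue
        m = rule["match_condition"]
        # Contrail encodes the remote side as src for ingress and dst for egress.
        subnet = (m["src_address"] if direction == "ingress" else m["dst_address"])["subnet"]
        prefix = f'{subnet["ip_prefix"]}/{subnet["ip_prefix_len"]}' if subnet else ""
        out.append((sg, direction, IP_PROTO.get(m["protocol"], m["protocol"]), prefix))
    return out

def stale_acl_rules(rule_rows, acl_docs):
    """ACL pass-rules with no counterpart in the neutron listing: traffic still allowed."""
    known = neutron_rule_set(rule_rows)
    return [t for doc in acl_docs for t in acl_to_neutron_view(doc) if t not in known]

def _acl(sg, direction, proto, src_subnet, dst_subnet):
    """Constructed, trimmed ACL document carrying only the fields the check reads."""
    addr = lambda s: {"security_group": None, "subnet": s, "virtual_network": None}
    return {"access-control-list": {
        "fq_name": ["default-domain", "admin", sg, f"{direction}-access-control-list"],
        "name": f"{direction}-access-control-list",
        "access_control_list_entries": {"acl_rule": [{
            "match_condition": {"src_address": addr(src_subnet), "protocol": proto,
                                "dst_address": addr(dst_subnet)},
            "action_list": {"simple_action": "pass"}}]}}}

# Constructed from the report: neutron shows no sg-icmp rules and one tcp rule for sg-http.
ANY = {"ip_prefix": "0.0.0.0", "ip_prefix_len": 0}
NEUTRON_RULES = [{"security_group": "sg-http", "direction": "ingress",
                  "protocol": "tcp", "remote_ip_prefix": "0.0.0.0/0"}]
ACL_DOCS = [_acl("sg-icmp", "egress", "any", None, ANY),   # leftover, as in the report
            _acl("sg-icmp", "ingress", "1", ANY, None),    # leftover, as in the report
            _acl("sg-http", "ingress", "6", ANY, None)]    # consistent with neutron
```

Calling `stale_acl_rules(NEUTRON_RULES, ACL_DOCS)` returns the two sg-icmp entries and nothing for sg-http; against a live deployment the same functions would be fed the `neutron security-group-rule-list` rows and the GET responses for each group's access-control-lists.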

Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: nobody → Sachin Bansal (bansalsachin)
Changed in juniperopenstack:
milestone: none → r1.06-fcs
Sachin Bansal (sbansal) wrote :

Could you please let me know how you deleted the rules? I tried with 'neutron security-group-rule-delete' and the acl rules were deleted correctly. Also, I could not login to nodeb11 either as myself or as root. Could you please provide access information?

Sachin Bansal (sbansal) wrote :

I was able to recreate this by setting security_group_entries to None using python API and submitted a fix for the same. If you used any other method, please update this bug.

Sachin Bansal (sbansal)
Changed in juniperopenstack:
status: New → Fix Committed
alok kumar (kalok) wrote :

Hi Sachin,

I deleted the rules through Horizon.
I was testing security groups with many combinations, like creating/deleting SGs, adding/deleting rules.
At one time after deleting rules, it was not reflected in API.

All add/delete was done through Horizon ONLY.
CLI was used only to see the list (debug purpose).

Sachin Bansal (sbansal) wrote :
information type: Proprietary → Public