NSX: neutron router-interface-add should clear security-groups

Bug #1329043 reported by Aaron Rosen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | High | Aaron Rosen |
Icehouse | Fix Released | Undecided | Unassigned |

Bug Description

If one pre-creates a port and then tells neutron to use that as a gateway port (a workflow the UI exposes), then this port will have the default security group on it. This causes traffic to not flow. Instead, we should be removing the security group from this port, as currently we do not add any security groups to ports that have a device_owner name that starts with network:

Aaron Rosen (arosen)
Changed in neutron:
assignee: nobody → Aaron Rosen (arosen)
importance: Undecided → High
tags: added: havana-backport-potential icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/99461

Changed in neutron:
status: New → In Progress
yong sheng gong (gongysh) wrote : Re: neutron router-interface-add should clear security-groups
Aaron Rosen (arosen)
Changed in neutron:
assignee: Aaron Rosen (arosen) → nobody
assignee: nobody → Aaron Rosen (arosen)
summary: - neutron router-interface-add should clear security-groups
+ NSX: neutron router-interface-add should clear security-groups
Kyle Mestery (mestery)
Changed in neutron:
milestone: none → juno-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/106199

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/99461
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=44438e864c4b3a19cbb1f7283783070fa209a5a2
Submitter: Jenkins
Branch: master

commit 44438e864c4b3a19cbb1f7283783070fa209a5a2
Author: Aaron Rosen <email address hidden>
Date: Wed Jul 9 10:02:09 2014 -0700

    NSX: neutron router-interface-add should clear security-groups

    NSX does not support security groups on router ports so in the case
    where someone uses a port that has a security group on it as the router
    port we need to clear the security group off the port.

    Change-Id: Ia0fb331516887dcd7e9a435094ce1eb082d72575
    closes-bug: 1329043

Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/icehouse)

Reviewed: https://review.openstack.org/106199
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=46a37e2dc33dc784629c3286d10b9f6ebfa00744
Submitter: Jenkins
Branch: stable/icehouse

commit 46a37e2dc33dc784629c3286d10b9f6ebfa00744
Author: Aaron Rosen <email address hidden>
Date: Wed Jul 9 10:02:09 2014 -0700

    NSX: neutron router-interface-add should clear security-groups

    NSX does not support security groups on router ports so in the case
    where someone uses a port that has a security group on it as the router
    port we need to clear the security group off the port.

    Change-Id: Ia0fb331516887dcd7e9a435094ce1eb082d72575
    closes-bug: 1329043
    (cherry picked from commit 44438e864c4b3a19cbb1f7283783070fa209a5a2)

tags: added: in-stable-icehouse
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/108134

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/icehouse)

Related fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/108534

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/108134
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=25f1439ff356f78ab0d28a74dfc75d50e2f030b6
Submitter: Jenkins
Branch: master

commit 25f1439ff356f78ab0d28a74dfc75d50e2f030b6
Author: Aaron Rosen <email address hidden>
Date: Fri Jul 18 12:09:12 2014 -0700

    NSX: fix router ports port_security_enabled=False

    Previously there was a bug that resulted in a security group being
    added to router ports which was not supported in NSX. Removing the
    security group didn't actually completely solve the problem as we
    never cleared the allowed_address_pairs on the router port. This
    patch fixes this issue by disabling port_security_enabled on the
    router port.

    Change-Id: Ib61756e3bd5866318cbc3bb9856344571399d656
    Closes-bug: 1344266
    Related-bug: 1329043

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/icehouse)

Reviewed: https://review.openstack.org/108534
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b65c036c3322706533b91d955f741f18687c44d1
Submitter: Jenkins
Branch: stable/icehouse

commit b65c036c3322706533b91d955f741f18687c44d1
Author: Aaron Rosen <email address hidden>
Date: Fri Jul 18 12:09:12 2014 -0700

    NSX: fix router ports port_security_enabled=False

    Previously there was a bug that resulted in a security group being
    added to router ports which was not supported in NSX. Removing the
    security group didn't actually completely solve the problem as we
    never cleared the allowed_address_pairs on the router port. This
    patch fixes this issue by disabling port_security_enabled on the
    router port.

    Change-Id: Ib61756e3bd5866318cbc3bb9856344571399d656
    Closes-bug: 1344266
    Related-bug: 1329043
    (cherry picked from commit 25f1439ff356f78ab0d28a74dfc75d50e2f030b6)

Changed in neutron:
status: Fix Committed → Fix Released
Chuck Short (zulcss)
tags: removed: icehouse-backport-potential
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-2 → 2014.2
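
An added example, not part of the bug report or of Neutron's code: a check over port records for the state this bug and the related fix (1344266) describe, flagging ports whose device_owner starts with network: but which still carry security groups, allowed_address_pairs or port_security_enabled. The record layout, the sample ports and the shape of the update body are assumptions made for illustration.

```python
# Added example (not Neutron code): audit port records for the state in this bug.
NETWORK_OWNER_PREFIX = "network:"  # prefix named in the bug description

# State the two fixes leave a router port in, per the commit messages above.
FIXED_STATE = {
    "security_groups": [],
    "allowed_address_pairs": [],
    "port_security_enabled": False,
}

# Constructed sample records shaped like Neutron port dicts (not real data).
SAMPLE_PORTS = [
    {"id": "port-a", "device_owner": "network:router_interface",
     "security_groups": ["sg-default"], "allowed_address_pairs": [],
     "port_security_enabled": True},
    {"id": "port-b", "device_owner": "network:router_interface",
     "security_groups": [], "port_security_enabled": True,
     "allowed_address_pairs": [{"ip_address": "10.0.0.1"}]},
    {"id": "port-c", "device_owner": "network:router_interface",
     "security_groups": [], "allowed_address_pairs": [],
     "port_security_enabled": False},
    {"id": "port-d", "device_owner": "compute:nova",
     "security_groups": ["sg-default"], "allowed_address_pairs": [],
     "port_security_enabled": True},
]


def audit_port(port):
    """Return the attributes of a network-owned port that differ from FIXED_STATE."""
    owner = port.get("device_owner") or ""
    if not owner.startswith(NETWORK_OWNER_PREFIX):
        return []  # instance and unattached ports keep their security groups
    # An attribute that is missing or None is treated as already clear.
    return [k for k, v in FIXED_STATE.items() if (port.get(k) or v) != v]


def audit_ports(ports):
    """Map port id -> flagged attributes, omitting ports with nothing to fix."""
    report = {p["id"]: audit_port(p) for p in ports}
    return {pid: attrs for pid, attrs in report.items() if attrs}


def remediation_body(attrs):
    """Assumed shape of a port-update body that resets only the flagged attributes."""
    return {"port": {k: FIXED_STATE[k] for k in attrs}}


if __name__ == "__main__":
    for pid, attrs in audit_ports(SAMPLE_PORTS).items():
        print(pid, attrs, remediation_body(attrs))
```

port-b is the case the second commit message describes: the security group is already gone, yet the router port still has allowed_address_pairs and port security enabled.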