Juniper Openstack

Adding security rules in parallel to security group results in some rules not being present in the SG

Series trunk
Bug #1738279

Bug #1738279 reported by Petr Jediný on 2017-12-14

280

This bug affects 5 people

Affects		Status	Importance	Assigned to	Milestone
	Juniper Openstack	Status tracked in Trunk
	Trunk	New	High	Kamal Singh

Bug Description

This looks like race condition

P1 reads SG
P2 reads SG
P1 updates SG
P2 updates SG

but because P2 is updating data from before P1 updates, it overwrites updates made by P1.

This can be reproduced by using hashicorp terraform in parallel mode.

From user perspective, neutron return http response code 200, so the user has no way to know something went wrong.

See original description

Tags:

Petr Jediný (pjediny) on 2017-12-15

information type:

Private Security → Public Security

Petr Jediný (pjediny) on 2017-12-15

description:

updated

Nischal Sheth (nsheth) on 2017-12-17

tags:	added: config removed: contrail-control
Changed in juniperopenstack:
assignee:	nobody → Sachin Bansal (sbansal)

Slobodan Blatnjak (sblatnjak) on 2018-10-30

tags:

added: 2018-0820-0325 ebay jtac-p3

Revision history for this message

Shivayogi Ugaji (shivayogi123) wrote on 2018-12-04:

Kamal, Can you take a look.

Revision history for this message

Slobodan Blatnjak (sblatnjak) wrote on 2018-12-28:

https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/__init__.py#L1079
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_interface.py#L614
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_interface.py#L584
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py#L4628
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py#L1265
https://github.com/Juniper/contrail-controller/blob/R3.2/src/config/vnc_openstack/vnc_openstack/neutron_plugin_db.py#L395

def _security_group_rule_create(self, sg_id, sg_rule)
sg_vnc = self._vnc_lib.security_group_read(id=sg_id)
#read the group - API request 1
rules = sg_vnc.get_security_group_entries()
#get the rules from the group
rules.add_policy_rule(sg_rule)
#add sg_rule to SG rules
sg_vnc.set_security_group_entries(rules)
#prepare object for update
self._vnc_lib.security_group_update(sg_vnc)
#update SG - API request 2

If there was API request to update the same SG with self._vnc_lib.security_group_update(sg_vnc), adding rule 5 on existing 4 rules, and if landed in time between API request 1 and API request 2 above, then it will be lost. It's because of the time for "API request 1" there were 4 rules.

API returns 200/OK as it's doing correctly what was requested - to update SG adding rules one by one.

Solution could be to accept the list or rules, loop it and do rules.add_policy_rule(sg_rule),
but we'll need a new methods as we're sending only one rule in existing ones.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicates of this bug

Bug #1792165

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.