
yahoo-eng-team team mailing list archive

[Bug 1511782] Re: securitygroup rule and member updates not applied correctly

 

Reviewed:  https://review.openstack.org/240577
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a8e9cc848b049bfb900eb6a82516e6995ab7db6e
Submitter: Jenkins
Branch:    master

commit a8e9cc848b049bfb900eb6a82516e6995ab7db6e
Author: sonu <sonu.sudhakaran@xxxxxxxxx>
Date:   Fri Oct 30 09:31:40 2015 -0700

    Rule, member updates are missed with enhanced rpc
    
    The procedure to update security group rules and members in
    firewall driver is called after update_port_filter call.
    Because of this, new rules and member updates are not applied
    on the port.
    
    With this change the call to update rules and members
    is moved before the port update call, giving a chance to
    firewall drivers to update their rule and member caches.
    
    Closes Bug: 1511782
    
    Change-Id: I457e17c34b86f861f6e15de7c3adcb3f2b79d14e


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1511782

Title:
  securitygroup rule and member updates not applied correctly

Status in neutron:
  Fix Released

Bug description:
  Summary:
  When using enhanced RPC, the security group rules and members are updated after the call to update port filter. This is with a firewall driver that has no need to use defer_apply based implementation.

  Description:

  In class SecurityGroupAgentRpc(..) refresh_firewall, if we use
  enhanced_rpc, the rules and members are updated after the calls to
  update_port_filter (...). This works fine for IP Tables based firewall
  driver, since it has the need to override 'filter_defer_apply_on' and
  'filter_defer_apply_off' methods to defer calling of iptables cmds.

  Due to this, Firewall drivers that do not override
  filter_defer_apply_on/off methods miss applying the new rules, since
  rule updates happen post update_port_filter call into the driver.

  Symptoms:
  Rule update or a security group member update is not processed by the firewall driver instantly. 

  Environment:
  OpenStack master with Hyper-V security groups driver with enhanced_rpc set to True.
  This is applicable to any Firewall driver that chooses not to implement defer_apply* related methods.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1511782/+subscriptions
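
The ordering problem described in the bug report, as an added example that is not part of the original message and is not neutron's code: a simplified model of a driver that does not override filter_defer_apply_on/off, refreshed in the reported order and in the order the commit message describes. The class, the refresh functions, the port and group ids and the rule strings are constructed for illustration; only rule updates are modelled, not member updates.

```python
# Simplified model, constructed for illustration; not neutron's code.
OLD = ["allow tcp/22", "allow tcp/443"]   # constructed sample rules
NEW = ["allow tcp/443"]                   # tcp/22 has been revoked


class ImmediateDriver:
    """Driver that enforces rules from its cache as soon as
    update_port_filter is called (no filter_defer_apply_on/off override)."""

    def __init__(self):
        self.sg_rules = {}   # security group id -> cached rules
        self.enforced = {}   # port id -> rules currently enforced

    def update_security_group_rules(self, sg_id, rules):
        self.sg_rules[sg_id] = list(rules)

    def update_port_filter(self, port):
        rules = []
        for sg_id in port["security_groups"]:
            rules.extend(self.sg_rules.get(sg_id, []))
        self.enforced[port["device"]] = rules


def refresh_reported_order(driver, ports, sg_rules):
    """Order from the bug report: port filters first, caches second."""
    for port in ports:
        driver.update_port_filter(port)
    for sg_id, rules in sg_rules.items():
        driver.update_security_group_rules(sg_id, rules)


def refresh_fixed_order(driver, ports, sg_rules):
    """Order from the commit message: caches first, port filters second."""
    for sg_id, rules in sg_rules.items():
        driver.update_security_group_rules(sg_id, rules)
    for port in ports:
        driver.update_port_filter(port)


def enforced_after_update(refresh):
    """Apply OLD, push NEW through `refresh`, return what the port enforces."""
    driver = ImmediateDriver()
    port = {"device": "port-1", "security_groups": ["sg-1"]}  # hypothetical
    driver.update_security_group_rules("sg-1", OLD)
    driver.update_port_filter(port)
    refresh(driver, [port], {"sg-1": NEW})
    return driver.enforced["port-1"]


if __name__ == "__main__":
    print("reported order:", enforced_after_update(refresh_reported_order))
    print("fixed order:   ", enforced_after_update(refresh_fixed_order))
```

In the reported order the port keeps enforcing the stale rule set until some later refresh, so a revoked allow rule stays in effect on a driver of this kind.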

