
yahoo-eng-team team mailing list archive

[Bug 1746404] Re: 'auto_associate_default_firewall_group' got an error when new port is created

 

Reviewed:  https://review.openstack.org/539461
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=66d4431f990b2da0d3b42493a499ab67e9a0020a
Submitter: Zuul
Branch:    master

commit 66d4431f990b2da0d3b42493a499ab67e9a0020a
Author: Nguyen Phuong An <AnNP@xxxxxxxxxxxxxx>
Date:   Wed Jan 31 14:54:53 2018 +0700

    Remove disable option for default FWG and allow only on VM ports
    
    Currently, auto associate default FWG works only one time and the logic
    is broken if the new port is a DHCP port or router port. This patch
    fixes the problem by validating if a port is a VM port or not,
    ignores port binding failed or unbound and also adds trusted port
    handling. In addition, from a security perspective,
    'auto_associate_default_firewall_group' CfgOpt is no longer used.
    Automatic association with default firewall group with VM port
    works by default.
    
    Closes-Bug: #1746404
    Co-Authored-By: Yushiro FURUKAWA<y.furukawa_2@xxxxxxxxxxxxxx>
    Co-Authored-By: Chandan Dutta Chowdhury<chandanc@xxxxxxxxxxx>
    Change-Id: Ib567c0e0333335a99b851162d87f17f1a8ceb2dd


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1746404

Title:
  'auto_associate_default_firewall_group' got an error when new port is
  created

Status in neutron:
  Fix Released

Bug description:
  If we create a new port (bound somewhere) with the following condition, an
  error occurs.

  Jan 31 11:30:00 furukawa-verify-devstack neutron-server[25204]: DEBUG neutron_fwaas.db.firewall.v2.firewall_db_v2 [None req-f3c0994c-1547-410a-8bf8-b4b459e0dfba None None] get_firewall_group() called {{(pid=25213) get_firewall_group /opt/stack/neutron-fwaas/neutron_fwaas/db/firewall/v2/firewall_db_v2.py:1080}}
  Jan 31 11:30:00 furukawa-verify-devstack neutron-server[25204]: ERROR neutron_lib.callbacks.manager [None req-f3c0994c-1547-410a-8bf8-b4b459e0dfba None None] Error during notification for neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2.handle_create_port_event--9223372036854763926 port, after_create: PortNotFound: Port c could not be found.

  It was due to the following:

  1. Validation of whether the created port is for a VM or not is missing
  2. It should be a list of port IDs, but it is a string of the port ID

  [How to reproduce]
  1. Deploy devstack with the latest with q-fwaas-v2
  2. Configure the following settings
     (/etc/neutron/neutron_fwaas.conf)
      [fwaas]
        auto_associate_default_firewall_group = True
  3. Restart q-svc
  4. Run the following commands

      $ neutron net-create test
      $ neutron subnet-create test 11.11.11.0/24

  Then a DHCP port will be created and an error occurs on q-svc. You
  can see it with:

      $ sudo journalctl -f -u devstack@q-svc.service

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1746404/+subscriptions
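
The two causes listed in the bug description, as an added example that is not neutron-fwaas code: passing a bare port ID string where a list of IDs is expected makes the lookup run per character, which produces an error of the same shape as the "Port c could not be found" log line, and the guard restricts association to bound VM ports. All function names and the sample port table are hypothetical and constructed for illustration.

```python
# Added illustration; helper names are hypothetical, not the project's API.
VIF_UNBOUND = "unbound"
VIF_BINDING_FAILED = "binding_failed"
COMPUTE_PREFIX = "compute:"  # device_owner prefix Neutron uses for VM ports


class PortNotFound(Exception):
    pass


# Constructed sample ports (IDs shortened for readability).
PORTS = {
    "c0ffee01": {"device_owner": "network:dhcp", "binding:vif_type": "ovs"},
    "ab12cd34": {"device_owner": "compute:nova", "binding:vif_type": "ovs"},
    "ef56ab78": {"device_owner": "compute:nova", "binding:vif_type": VIF_UNBOUND},
}


def associate_default_fwg(port_ids, fwg_ports):
    """Stand-in for the firewall group update; expects an iterable of port IDs."""
    for pid in port_ids:
        if pid not in PORTS:
            raise PortNotFound("Port %s could not be found." % pid)
        fwg_ports.append(pid)


def buggy_handler(port_id, fwg_ports):
    # Both reported defects: no VM-port validation, and a string instead of a list,
    # so the loop above iterates over the characters of the ID.
    associate_default_fwg(port_id, fwg_ports)


def is_vm_port(port):
    """True only for compute-owned ports whose binding succeeded."""
    return (port["device_owner"].startswith(COMPUTE_PREFIX)
            and port["binding:vif_type"] not in (VIF_UNBOUND, VIF_BINDING_FAILED))


def fixed_handler(port_id, fwg_ports):
    # DHCP/router ports and unbound or failed bindings are skipped, not errors.
    if not is_vm_port(PORTS[port_id]):
        return False
    associate_default_fwg([port_id], fwg_ports)  # wrap the single ID in a list
    return True


def buggy_error(port_id):
    """Return the error text the buggy path raises, or None if it succeeds."""
    try:
        buggy_handler(port_id, [])
    except PortNotFound as exc:
        return str(exc)
    return None
```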

