yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #72846
[Bug 1770575] [NEW] FWG status will be overided by mutilple l2 agent
Public bug reported:
Currently, we support VM port/router port to apply fwg. So we deep into
L2 and L3 agent implementation to process the associated port for fwg.
For this bug, I will raise an example:
Server side set fwg status
--------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/fwaas_plugin_v2.py#n79
L3 agent FW extension for "create_firewall_group"
------------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent_v2.py#n387
L2 agent FW extension for "_create_firewarll_group"
------------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/agents/l2/fwaas_v2.py#n263
That means there is a case that the fwg status could be overrided.
1. port A, port B, they are in the same subnet, and its gw port is GW
2. Port A is VM A's nic, Port B is VM B's nic.
3. VM A locates on compute Node X, VM B locates on compute Node Y.
4. Create a FWG and its ingress/egress policy/rules with port A, B, GW
So the server side will fanout the rpc to agent side, including l2/l3
agent. Then the agent side will process its local port and set the fwg
status through rpc to server. But existing server code just update the
status if the request status is not PENDING status. It will be in a
wrong way to process the status, if there are 2 rpc to set status from
agent to server, the first one is ERROR, the second one is ACTIVE. The
status is overrided.
** Affects: neutron
Importance: Undecided
Status: New
** Tags: fwaas
** Tags added: fwaas
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1770575
Title:
FWG status will be overided by mutilple l2 agent
Status in neutron:
New
Bug description:
Currently, we support VM port/router port to apply fwg. So we deep
into L2 and L3 agent implementation to process the associated port for
fwg.
For this bug, I will raise an example:
Server side set fwg status
--------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/fwaas_plugin_v2.py#n79
L3 agent FW extension for "create_firewall_group"
------------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/agents/l3reference/firewall_l3_agent_v2.py#n387
L2 agent FW extension for "_create_firewarll_group"
------------------------------------
http://git.openstack.org/cgit/openstack/neutron-fwaas/tree/neutron_fwaas/services/firewall/agents/l2/fwaas_v2.py#n263
That means there is a case that the fwg status could be overrided.
1. port A, port B, they are in the same subnet, and its gw port is GW
2. Port A is VM A's nic, Port B is VM B's nic.
3. VM A locates on compute Node X, VM B locates on compute Node Y.
4. Create a FWG and its ingress/egress policy/rules with port A, B, GW
So the server side will fanout the rpc to agent side, including l2/l3
agent. Then the agent side will process its local port and set the fwg
status through rpc to server. But existing server code just update the
status if the request status is not PENDING status. It will be in a
wrong way to process the status, if there are 2 rpc to set status from
agent to server, the first one is ERROR, the second one is ACTIVE. The
status is overrided.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1770575/+subscriptions
