yahoo-eng-team team mailing list archive

[Bug 1787119] [NEW] [Logging] firewall_group log resource and security_group log resource could not co-exist correctly

 

Public bug reported:

I would like to report a bug that relates to co-existence between
security_group log resource and firewall_group log resource in
stable/rocky [1]. Please follow the procedure below to reproduce this bug.

Environment
-----------
- Devstack stable/rocky
- Install devstack with local.conf: http://paste.openstack.org/show/727916/
- Make sure that 'log' is added into '[agent] extensions' in '/etc/neutron/plugins/ml2/ml2_conf.ini'
- Topology: Set up the topology with the following script: http://paste.openstack.org/show/728095/

Testcase
--------
- Create firewall_group log resource:
  openstack network log create --resource-type firewall_group fwg_log
	+-----------------+--------------------------------------+
	| Field           | Value                                |
	+-----------------+--------------------------------------+
	| Description     |                                      |
	| Enabled         | True                                 |
	| Event           | ALL                                  |
	| ID              | ebe7a495-027e-4982-bd64-fe269617dd6d |
	| Name            | fwg_log                              |
	| Project         | 61c7600120ac44178c8064250d971b76     |
	| Resource        | None                                 |
	| Target          | None                                 |
	| Type            | firewall_group                       |
	| created_at      | 2018-08-15T07:55:37Z                 |
	| revision_number | 0                                    |
	| tenant_id       | 61c7600120ac44178c8064250d971b76     |
	| updated_at      | 2018-08-15T07:55:37Z                 |
	+-----------------+--------------------------------------+
- Ping from VM0 to router0 -> Cannot ping
- Check ovs flow with: sudo ovs-ofctl dump-flows br-int
  Results: http://paste.openstack.org/show/728098/
- Check log in /var/log/syslog with: tailf /var/log/syslog | grep -e ACCEPT
  Results: http://paste.openstack.org/show/728097/
  This log came from the security_group log, but log_resource_ids=[u'ebe7a495-027e-4982-bd64-fe269617dd6d'] includes the ID of fwg_log

References:
[1] https://docs.openstack.org/neutron/latest/admin/config-logging.html#service-workflow-for-operator

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: logging

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1787119

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1787119/+subscriptions

