yahoo-eng-team team mailing list archive
Message #82798
[Bug 1881157] [NEW] [OVS][FW] Remote SG IDs left behind when a SG is removed
Public bug reported:
When a SG is no longer used by any port in the OVS agent, it is marked to be deleted.
This deletion process is done in [1].
The SG deletion process consists of removing any reference to this SG
from the firewall and the SG port map. The firewall removes this SG in
[2].
The information of a SG is stored in:
- ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the conjunction IDs (conj_ids) in a dictionary using the following keys:
ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype, conj_ids)] = conj_id_XXX
- ConjIPFlowManager.conj_ids is a nested dictionary, built in the following way:
self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = set([conj_id_1, conj_id_2, ...])
When a SG is removed, this reference should be deleted both from
"conj_id_map" and "conj_ids". From "conj_id_map" it is correctly removed in
[3], but from "conj_ids" it is not being deleted properly. Instead of the
current logic, what we should do is walk through the nested
dictionary and remove any entry with "remote_sg_id" == "sg_id" (<-- SG
ID to be removed).
The current implementation leaves some "remote_sg_id" entries in the nested dictionary "conj_ids". That could cause:
- A memory leak in the OVS agent, storing in memory those unneeded remote SGs.
- An increase in the complexity of the OVS rules, adding those unused SGs (actually the conj_ids related to those SGs).
- A security breach between SGs if the conj_ids left in an unused SG are deleted and reused again (the FW stores the unused conj_ids to be recycled in later rules).
[1]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L731
[2]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L399
[3]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L296
** Affects: neutron
Importance: Undecided
Assignee: Rodolfo Alonso (rodolfo-alonso-hernandez)
Status: New
** Changed in: neutron
Assignee: (unassigned) => Rodolfo Alonso (rodolfo-alonso-hernandez)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1881157
Title:
[OVS][FW] Remote SG IDs left behind when a SG is removed
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1881157/+subscriptions
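The following is an added example and is not neutron's code nor part of the bug report: a small Python model of the two structures the report names, conj_id_map and the nested conj_ids dictionary, including the conj_id recycling the report mentions. It assumes one conj_id per (sg_id, remote_sg_id, direction, ethertype) key and an assumed block size of 8; the "left behind" state is constructed by cleaning id_map without walking conj_ids, not by reproducing the exact code path in [1]-[3]. sg_removed() implements the walk the report proposes (drop every entry keyed by the removed SG, subtract its freed ids elsewhere, prune empty levels); stale_entries() is a check that finds conj_ids still referenced after they were freed; scenario_left_behind() shows the recycled id landing on a stale entry, which is the cross-SG hazard in the report's third bullet.

```python
import collections

# Assumed block size; the real allocator reserves a block of ids per SG pair.
CONJ_ID_BLOCK_SIZE = 8


class ConjIdMap:
    """Model of the allocator the report describes: one conj_id per
    (sg_id, remote_sg_id, direction, ethertype), freed ids kept on a
    recycle list and handed out again. Not neutron's code."""

    def __init__(self):
        self.id_map = {}
        self.id_free = collections.deque()
        self.max_id = 0

    def get_conj_id(self, sg_id, remote_sg_id, direction, ethertype):
        key = (sg_id, remote_sg_id, direction, ethertype)
        if key not in self.id_map:
            if self.id_free:  # recycle a freed id before allocating a new one
                self.id_map[key] = self.id_free.popleft()
            else:
                self.max_id += CONJ_ID_BLOCK_SIZE
                self.id_map[key] = self.max_id
        return self.id_map[key]

    def delete_sg(self, sg_id):
        """Drop every key where sg_id is the local or the remote SG, recycle
        the ids and return the freed (remote_sg_id, conj_id) pairs."""
        freed = set()
        for key in list(self.id_map):
            if sg_id in key[:2]:
                conj_id = self.id_map.pop(key)
                self.id_free.append(conj_id)
                freed.add((key[1], conj_id))
        return freed


def new_conj_ids():
    """conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = {conj_id, ...}"""
    return collections.defaultdict(
        lambda: collections.defaultdict(lambda: collections.defaultdict(set)))


def add_rule(conj_id_map, conj_ids, vlan_tag, sg_id, remote_sg_id, direction, ethertype):
    conj_id = conj_id_map.get_conj_id(sg_id, remote_sg_id, direction, ethertype)
    conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id].add(conj_id)
    return conj_id


def sg_removed(conj_id_map, conj_ids, sg_id):
    """Cleanup as the report proposes: free the ids in id_map, then walk the
    whole nested dict, deleting every entry keyed by remote_sg_id == sg_id,
    subtracting the freed ids from other sets and pruning emptied levels."""
    freed_ids = {conj_id for _remote, conj_id in conj_id_map.delete_sg(sg_id)}
    for vlan_tag in list(conj_ids):
        for key in list(conj_ids[vlan_tag]):
            by_remote = conj_ids[vlan_tag][key]
            by_remote.pop(sg_id, None)
            for remote_sg_id in list(by_remote):
                by_remote[remote_sg_id] -= freed_ids
                if not by_remote[remote_sg_id]:
                    del by_remote[remote_sg_id]
            if not by_remote:
                del conj_ids[vlan_tag][key]
        if not conj_ids[vlan_tag]:
            del conj_ids[vlan_tag]
    return freed_ids


def stale_entries(conj_id_map, conj_ids):
    """Check: (vlan_tag, key, remote_sg_id, conj_id) tuples whose conj_id is
    no longer allocated in id_map. Non-empty means state was left behind."""
    live = set(conj_id_map.id_map.values())
    return {(vlan, key, remote, cid)
            for vlan, by_key in conj_ids.items()
            for key, by_remote in by_key.items()
            for remote, cids in by_remote.items()
            for cid in cids if cid not in live}


def scenario_left_behind():
    """Constructed: sg-a accepts traffic from sg-b and sg-c. sg-b is removed
    from id_map only (conj_ids untouched), then a new (sg-a, sg-d) pair is
    handed the recycled id while the stale sg-b entry still references it."""
    m, c = ConjIdMap(), new_conj_ids()
    id_b = add_rule(m, c, 1, "sg-a", "sg-b", "ingress", "IPv4")
    add_rule(m, c, 1, "sg-a", "sg-c", "ingress", "IPv4")
    m.delete_sg("sg-b")
    leaked = stale_entries(m, c)
    id_d = add_rule(m, c, 1, "sg-a", "sg-d", "ingress", "IPv4")
    return id_b, id_d, leaked, c[1][("ingress", "IPv4")]["sg-b"]


def scenario_fixed():
    """Same state plus sg-b as the local SG on another VLAN; the full walk
    removes it on both sides and leaves nothing stale."""
    m, c = ConjIdMap(), new_conj_ids()
    add_rule(m, c, 1, "sg-a", "sg-b", "ingress", "IPv4")
    add_rule(m, c, 1, "sg-a", "sg-c", "ingress", "IPv4")
    add_rule(m, c, 2, "sg-b", "sg-a", "egress", "IPv6")
    sg_removed(m, c, "sg-b")
    return stale_entries(m, c), dict(c[1][("ingress", "IPv4")]), 2 in c
```

Calling scenario_left_behind() returns the same id for sg-b and sg-d with the stale sg-b entry still holding it, so any flow still keyed on that conjunction would now match the sg-d rules; scenario_fixed() returns an empty stale set, only the sg-c entry on VLAN 1, and no VLAN 2 entry at all.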
Follow ups
All with subject "[Bug 1881157] Re: [OVS][FW] Remote SG IDs left behind when a SG is removed":
- From: Corey Bryant, 2021-02-03
- From: Launchpad Bug Tracker, 2021-02-02
- From: Corey Bryant, 2021-01-06
- From: Mathew Hodson, 2020-12-23
- From: Corey Bryant, 2020-12-01
- From: Chris MacNaughton, 2020-11-30
- From: Edward Hope-Morley, 2020-10-24
- From: Edward Hope-Morley, 2020-09-22
- From: Edward Hope-Morley, 2020-09-21
- From: Edward Hope-Morley, 2020-09-17