yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #89460
[Bug 1983600] [NEW] Neutron should clean up ACLs in OVN NB DB when a remote security group is deleted
Public bug reported:
Neutron does not clean up ACLs in OVN NB DB when a remote security group
is deleted in Neutron. This causes some warning in OVN logs. This issue
does not impact functionality but it would be great if we could clean
this up and make those logs go away. I think this BZ can be marked as
low priority and low hanging fruit.
Reproducing steps:
1. A security group rule which has a rule that uses a remote security
group
openstack security group rule list 44038bce-38fd-4219-ae22-bafaad9bbde9
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| 1155ffc7-9a99-41c7-bd65-fac33b719973 | icmp | None | | 4b0f872b-22ae-4ac2-b54e-ea1678a88dd5 |
| 8e4cdd63-c3e8-411f-8d72-c5cced5d4fc8 | None | None | | None |
| b72b29df-d5f1-4815-92ae-71b1cdc35f97 | None | None | | None |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
Here is a view in ovn nb db
docker exec -it ovn-dbs-bundle-docker-1 ovn-nbctl acl-list pg_44038bce_38fd_4219_ae22_bafaad9bbde9
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4) allow-related
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip6) allow-related
to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
2. now remove the remote security group and check the rules in the first
security group
openstack security group delete 4b0f872b-22ae-4ac2-b54e-ea1678a88dd5
openstack security group rule list 44038bce-38fd-4219-ae22-bafaad9bbde9
+--------------------------------------+-------------+----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+-----------------------+
| 8e4cdd63-c3e8-411f-8d72-c5cced5d4fc8 | None | None | | None |
| b72b29df-d5f1-4815-92ae-71b1cdc35f97 | None | None | | None |
+--------------------------------------+-------------+----------+------------+-----------------------+
So from neutron the security group rule is removed
3. check the acl in ovn again and see they are still there
docker exec -it ovn-dbs-bundle-docker-1 ovn-nbctl acl-list pg_44038bce_38fd_4219_ae22_bafaad9bbde9
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4) allow-related
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip6) allow-related
to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
this causes warnings to be generated in ovn
2020-11-17T14:04:59Z|00708|lflow|WARN|Dropped 1 log messages in last 917 seconds (most recently, 917 seconds ago) due to excessive rate
2020-11-17T14:04:59Z|00709|lflow|WARN|error parsing match "((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4)": Syntax error at `$pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4' expecting address set name.
What that is happening:
Only security groups that are not in use by other ports can be deleted. If a security group referenced as remote by other group is removed, the security group rule is deleted in DB because of the references in DB tables. It means there is no code triggered in the Neutron code. The corresponding port group is deleted in OVN but OVN doesn't have any on delete cascade functionality like SQL has. It means ACL remains in the OVN DB using port group that no longer exists. It has no impact on the traffic because the deleted security group was not in use.
** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
Neutron does not clean up ACLs in OVN NB DB when a remote security group
is deleted in Neutron. This causes some warning in OVN logs. This issue
does not impact functionality but it would be great if we could clean
- this up and make those logs go away.
+ this up and make those logs go away. I think this BZ can be marked as
+ low priority and low hanging fruit.
Reproducing steps:
1. A security group rule which has a rule that uses a remote security
group
openstack security group rule list 44038bce-38fd-4219-ae22-bafaad9bbde9
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| 1155ffc7-9a99-41c7-bd65-fac33b719973 | icmp | None | | 4b0f872b-22ae-4ac2-b54e-ea1678a88dd5 |
| 8e4cdd63-c3e8-411f-8d72-c5cced5d4fc8 | None | None | | None |
| b72b29df-d5f1-4815-92ae-71b1cdc35f97 | None | None | | None |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
Here is a view in ovn nb db
docker exec -it ovn-dbs-bundle-docker-1 ovn-nbctl acl-list pg_44038bce_38fd_4219_ae22_bafaad9bbde9
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4) allow-related
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip6) allow-related
- to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
+ to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
2. now remove the remote security group and check the rules in the first
security group
openstack security group delete 4b0f872b-22ae-4ac2-b54e-ea1678a88dd5
openstack security group rule list 44038bce-38fd-4219-ae22-bafaad9bbde9
+--------------------------------------+-------------+----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+-----------------------+
| 8e4cdd63-c3e8-411f-8d72-c5cced5d4fc8 | None | None | | None |
| b72b29df-d5f1-4815-92ae-71b1cdc35f97 | None | None | | None |
+--------------------------------------+-------------+----------+------------+-----------------------+
So from neutron the security group rule is removed
3. check the acl in ovn again and see they are still there
docker exec -it ovn-dbs-bundle-docker-1 ovn-nbctl acl-list pg_44038bce_38fd_4219_ae22_bafaad9bbde9
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4) allow-related
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip6) allow-related
- to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
+ to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
this causes warnings to be generated in ovn
2020-11-17T14:04:59Z|00708|lflow|WARN|Dropped 1 log messages in last 917 seconds (most recently, 917 seconds ago) due to excessive rate
2020-11-17T14:04:59Z|00709|lflow|WARN|error parsing match "((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4)": Syntax error at `$pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4' expecting address set name.
-
What that is happening:
Only security groups that are not in use by other ports can be deleted. If a security group referenced as remote by other group is removed, the security group rule is deleted in DB because of the references in DB tables. It means there is no code triggered in the Neutron code. The corresponding port group is deleted in OVN but OVN doesn't have any on delete cascade functionality like SQL has. It means ACL remains in the OVN DB using port group that no longer exists. It has no impact on the traffic because the deleted security group was not in use.
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1983600
Title:
Neutron should clean up ACLs in OVN NB DB when a remote security
group is deleted
Status in neutron:
New
Bug description:
Neutron does not clean up ACLs in OVN NB DB when a remote security
group is deleted in Neutron. This causes some warning in OVN logs.
This issue does not impact functionality but it would be great if we
could clean this up and make those logs go away. I think this BZ can
be marked as low priority and low hanging fruit.
Reproducing steps:
1. A security group rule which has a rule that uses a remote security
group
openstack security group rule list 44038bce-38fd-4219-ae22-bafaad9bbde9
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| 1155ffc7-9a99-41c7-bd65-fac33b719973 | icmp | None | | 4b0f872b-22ae-4ac2-b54e-ea1678a88dd5 |
| 8e4cdd63-c3e8-411f-8d72-c5cced5d4fc8 | None | None | | None |
| b72b29df-d5f1-4815-92ae-71b1cdc35f97 | None | None | | None |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
Here is a view in ovn nb db
docker exec -it ovn-dbs-bundle-docker-1 ovn-nbctl acl-list pg_44038bce_38fd_4219_ae22_bafaad9bbde9
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4) allow-related
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip6) allow-related
to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
2. now remove the remote security group and check the rules in the
first security group
openstack security group delete 4b0f872b-22ae-4ac2-b54e-ea1678a88dd5
openstack security group rule list 44038bce-38fd-4219-ae22-bafaad9bbde9
+--------------------------------------+-------------+----------+------------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+-----------------------+
| 8e4cdd63-c3e8-411f-8d72-c5cced5d4fc8 | None | None | | None |
| b72b29df-d5f1-4815-92ae-71b1cdc35f97 | None | None | | None |
+--------------------------------------+-------------+----------+------------+-----------------------+
So from neutron the security group rule is removed
3. check the acl in ovn again and see they are still there
docker exec -it ovn-dbs-bundle-docker-1 ovn-nbctl acl-list pg_44038bce_38fd_4219_ae22_bafaad9bbde9
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4) allow-related
from-lport 1002 (inport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip6) allow-related
to-lport 1002 (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4) allow-related
this causes warnings to be generated in ovn
2020-11-17T14:04:59Z|00708|lflow|WARN|Dropped 1 log messages in last 917 seconds (most recently, 917 seconds ago) due to excessive rate
2020-11-17T14:04:59Z|00709|lflow|WARN|error parsing match "((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @pg_44038bce_38fd_4219_ae22_bafaad9bbde9 && ip4 && ip4.src == $pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4 && icmp4)": Syntax error at `$pg_4b0f872b_22ae_4ac2_b54e_ea1678a88dd5_ip4' expecting address set name.
What that is happening:
Only security groups that are not in use by other ports can be deleted. If a security group referenced as remote by other group is removed, the security group rule is deleted in DB because of the references in DB tables. It means there is no code triggered in the Neutron code. The corresponding port group is deleted in OVN but OVN doesn't have any on delete cascade functionality like SQL has. It means ACL remains in the OVN DB using port group that no longer exists. It has no impact on the traffic because the deleted security group was not in use.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1983600/+subscriptions
Follow ups
