yahoo-eng-team team mailing list archive

[Bug 2110087] [NEW] OVN log plugin merges log records from different log objects across projects

 

Public bug reported:

The ovn-controller log plugin in Neutron appears to incorrectly
associate log entries when security groups are used across different
projects. When VMs in different projects (and domains) each have their
own security groups and log objects, the log output from ovn-controller
shows traffic to both VMs under the same log object, instead of
segregating them by their correct log objects.

### How to Reproduce

1. Create two projects in different domains, e.g.:

   * `project-a` in `domain-a`
   * `project-b` in `domain-b`

2. In each project:

   * Create a security group (e.g., `sg-a` in `project-a`, `sg-b` in `project-b`)
   * Launch a VM (e.g., `vm-a` and `vm-b`)
   * Assign the respective security group to the VM

3. In each project:

   * Create a Neutron log object that tracks traffic for the corresponding security group (i.e., one for `sg-a`, one for `sg-b`)

4. Generate some network traffic involving both VMs (e.g., incoming pings or TCP traffic to the VMs)

---

### Observed Behavior

* The `ovn-controller` logs show destination IPs for both `vm-a` and `vm-b`
* However, all log entries are being attributed to only one of the Neutron log objects, despite being from different security groups and different projects/domains

---

### Expected Behavior

* Each log object should capture only the traffic related to the security group and project it is associated with
* Traffic logs should not be cross-associated or merged across different log objects, projects, or domains

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2110087

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2110087/+subscriptions
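
An added example, not part of the original bug report or of Neutron's code: a small check an operator could run over ovn-controller ACL log lines to confirm the symptom described above, namely entries for another project's VM appearing under one log object while the other log object stays empty. The log line layout, the `neutron-LOG-A-ID` / `neutron-LOG-B-ID` names, and all IP addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed ovn-controller ACL log layout:
#   ...|acl_log(...)|INFO|name="<log name>", ..., direction=<dir>: ...,nw_dst=<ip>,...
ACL_LINE = re.compile(
    r'acl_log.*?name="(?P<name>[^"]+)".*?direction=(?P<dir>[\w-]+).*?nw_dst=(?P<dst>[0-9.]+)'
)

def audit(lines, expected):
    """Check ingress ACL log lines against the IPs each log object should cover.

    expected: {log name: set of fixed IPs of the VMs in the tracked security group}
    Returns (misattributed, silent):
      misattributed: {log name: sorted destination IPs outside its expected set}
      silent: sorted log names that produced no entries at all
    """
    misattributed, seen = defaultdict(set), set()
    for line in lines:
        m = ACL_LINE.search(line)
        if not m or m["dir"] != "to-lport":  # only traffic delivered to a VM port
            continue
        seen.add(m["name"])
        if m["dst"] not in expected.get(m["name"], set()):
            misattributed[m["name"]].add(m["dst"])
    return ({n: sorted(ips) for n, ips in misattributed.items()},
            sorted(set(expected) - seen))

# Constructed sample data (placeholders, not taken from the bug report).
TEMPLATE = ('2025-01-01T00:00:0{n}.000Z|0000{n}|acl_log(ovn_pinctrl0)|INFO|'
            'name="{name}", verdict=allow, severity=info, direction=to-lport: '
            'icmp,nw_src=192.0.2.10,nw_dst={dst},icmp_type=8')

def sample_line(n, name, dst):
    return TEMPLATE.format(n=n, name=name, dst=dst)

EXPECTED = {"neutron-LOG-A-ID": {"10.0.1.5"},   # vm-a, sg-a, project-a
            "neutron-LOG-B-ID": {"10.0.2.7"}}   # vm-b, sg-b, project-b

# Symptom from the report: traffic to both VMs logged under one log object.
MERGED = [sample_line(1, "neutron-LOG-A-ID", "10.0.1.5"),
          sample_line(2, "neutron-LOG-A-ID", "10.0.2.7")]

if __name__ == "__main__":
    print(audit(MERGED, EXPECTED))
```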