Bug 1346819

Summary: Security Groups broken in OSP-d installed environment
Product: Red Hat OpenStack
Reporter: Alexander Stafeyev <astafeye>
Component: openstack-neutron
Assignee: Brent Eagles <beagles>
Status: CLOSED ERRATA
QA Contact: Alexander Stafeyev <astafeye>
Severity: urgent
Priority: urgent
Version: 9.0 (Mitaka)
CC: amuller, beagles, chrisw, dbecker, jason.dobies, jcoufal, jlibosva, mburns, morazi, nyechiel, oblaut, rhel-osp-director-maint, slong, srevivo, tvignaud
Target Milestone: ga
Keywords: AutomationBlocker, Security, Triaged
Target Release: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-neutron-8.1.0-7.el7ost
Last Closed: 2016-08-11 12:25:58 UTC
Type: Bug
Bug Blocks: 1347362

Description Alexander Stafeyev 2016-06-15 11:57:16 UTC
Description of problem:
Security group rules are not enforced.
The problem seems the same as in https://bugzilla.redhat.com/show_bug.cgi?id=1291621


Version-Release number of selected component (if applicable):
9.0-RHEL-7-director/2016-06-08.1

How reproducible:
100%


Steps to Reproduce:
1. Install OSPD OSP9
2. Boot a VM
3. ssh to the VM (for exact reproduction assign a FIP to the VM and ssh to the FIP)
4. Check /etc/sysctl.conf on the compute node

Actual results:
Security rules are not enforced


Expected results:
ssh should not be allowed

Additional info:
On compute nodes, the /etc/sysctl.conf values are not set:
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

Comment 2 Mike Burns 2016-06-15 12:31:55 UTC
Bug 1291621 was fixed in openstack-neutron, moving this bug there.

Comment 3 Assaf Muller 2016-06-15 13:32:42 UTC
In OSP 9, the neutron-server uses an option called firewall_driver to tell OVS agents which driver to use. The server uses that value to tag a port with the vif driver to use: either direct plug or hybrid plug. Hybrid plug means that Nova will plug the VM's tap device into a linux bridge, which is then connected to the OVS bridge (br-int). Hybrid plugging is required when using Neutron's iptables-based firewall driver (the default) in order for security groups to work.

We've determined that the issue is that the firewall_driver option is not being configured on controller nodes, resulting in the neutron-server always returning 'direct plug', meaning that the per-VIF linux bridge is not being created, and security groups don't work.

The solution is to make sure the firewall_driver option is defined on controller nodes.
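
The two prerequisites this report turns on, the controller's firewall_driver setting (comment 3) and the bridge-nf-call sysctls on the compute node (description), can be checked offline from config text. This is an added example, not code from the bug or from Neutron; the [securitygroup] section name and the OVSHybridIptablesFirewallDriver class path are assumed, and the config samples are constructed.

```python
import configparser
import re

# Constructed sample inputs, not captured from the reporter's environment.
CONTROLLER_CONF_BROKEN = """
[DEFAULT]
core_plugin = ml2
[securitygroup]
"""
CONTROLLER_CONF_FIXED = """
[DEFAULT]
core_plugin = ml2
[securitygroup]
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""
SYSCTL_BROKEN = "net.ipv4.ip_forward = 1\n"
SYSCTL_FIXED = """net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
"""

# The three keys the bug description says are missing on compute nodes.
REQUIRED_SYSCTLS = ("net.bridge.bridge-nf-call-arptables",
                    "net.bridge.bridge-nf-call-ip6tables",
                    "net.bridge.bridge-nf-call-iptables")

def firewall_driver(conf_text):
    """Return [securitygroup] firewall_driver from neutron.conf text, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.get("securitygroup", "firewall_driver", fallback="").strip() or None

def plug_mode(conf_text):
    """Mirror the server-side decision from comment 3: no firewall_driver on the
    controller means ports are tagged for direct plug (no per-VIF linux bridge,
    so iptables rules never see the traffic); any configured driver means hybrid."""
    return "hybrid" if firewall_driver(conf_text) else "direct"

def missing_sysctls(sysctl_text):
    """Return the required bridge-nf-call keys that are not set to 1 in sysctl.conf text."""
    found = {}
    for line in sysctl_text.splitlines():
        m = re.match(r"\s*([\w.\-]+)\s*=\s*(\S+)", line)  # comments and blanks do not match
        if m:
            found[m.group(1)] = m.group(2)
    return [k for k in REQUIRED_SYSCTLS if found.get(k) != "1"]

def security_groups_enforced(controller_conf, compute_sysctl):
    """True only when the controller tags hybrid plug and the compute node filters bridged traffic."""
    return plug_mode(controller_conf) == "hybrid" and not missing_sysctls(compute_sysctl)
```

Feed it the real /etc/neutron/neutron.conf from a controller and /etc/sysctl.conf from a compute node to see which of the two prerequisites a deployment is missing.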

Comment 4 Ofer Blaut 2016-06-15 13:57:18 UTC
Hi Assaf,

Will it be supported in an upgrade from ospd8 to 9?

Comment 5 Assaf Muller 2016-06-15 14:28:00 UTC
(In reply to Ofer Blaut from comment #4)
> Hi Assaf, 
> 
> Will it be supported in upgrade from ospd8 to 9 ?

Yes, that should not be a problem. The firewall_driver config option should be defined in both versions.

Comment 6 Brent Eagles 2016-06-17 16:43:21 UTC
Armando backported Kevin's fix for this to mitaka stable https://review.openstack.org/#/c/313173/. It's currently in the 8.1.1 tag. Would we rather release our fix through an updated neutron RPM or by heat template configuration?

Comment 7 Assaf Muller 2016-06-17 17:19:15 UTC
(In reply to Brent Eagles from comment #6)
> Armando backported Kevin's fix for this to mitaka stable
> https://review.openstack.org/#/c/313173/. It's currently in the 8.1.1 tag.
> Would we rather release our fix through an updated neutron RPM or by heat
> template configuration?

That patch should cover it, in which case that would be easier than a TripleO change, and would also take care of anyone installing via any other method.

@Jakub, are we missing anything here or would that patch suffice?

Comment 8 Jakub Libosvar 2016-06-20 09:22:47 UTC
(In reply to Assaf Muller from comment #7)
> (In reply to Brent Eagles from comment #6)
> > Armando backported Kevin's fix for this to mitaka stable
> > https://review.openstack.org/#/c/313173/. It's currently in the 8.1.1 tag.
> > Would we rather release our fix through an updated neutron RPM or by heat
> > template configuration?
> 
> That patch should cover it, in which case that would be easier than a
> TripleO change, and would also take care of anyone installing via any other
> method.
> 
> @Jakub, are we missing anything here or would that patch suffice?

The patch suffices, we saw compute nodes have firewall driver set.

PS: So after all, I see it was my goof :)

Comment 12 Assaf Muller 2016-06-28 00:20:34 UTC
*** Bug 1346804 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2016-08-11 12:25:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1597.html