| Summary: | An existing port's port security cannot be disabled after activation of the port-security feature in OSP 7 | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Andreas Karis <akaris> |
| Component: | openstack-neutron | Assignee: | Ihar Hrachyshka <ihrachys> |
| Status: | CLOSED ERRATA | QA Contact: | Eran Kuris <ekuris> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 (Kilo) | CC: | amuller, chrisw, ihrachys, mlopes, nyechiel, oblaut, srevivo, tfreger |
| Target Milestone: | --- | Keywords: | Triaged, ZStream |
| Target Release: | 7.0 (Kilo) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-neutron-2015.1.4-14.el7ost | Doc Type: | Bug Fix |
| Doc Text: | Prior to this update, ports created without the `port_security` ML2 extension driver enabled did not have `port_security` database records created. However, if the extension driver was enabled, the server code assumed that all ports had corresponding port security records. Consequently, after the driver was enabled, neutron failed to disable port security for existing ports due to missing records in the database. With this update, `neutron-server` gracefully handles missing port security records, and creates them if needed. As a result, neutron now allows you to disable port security for ports that were created before the `port_security` ML2 extension driver was enabled. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-06-14 15:46:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
~~~
$ cat /etc/yum.repos.d/latest-installed
7 -p 2017-06-01.1
$ rpm -qa |grep openstack-neutron-2015
openstack-neutron-2015.1.4-14.el7ost.noarch
~~~

fix verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1454
In OSP 7, after activation of the port-security feature on the controllers, an existing port's port security cannot be disabled. The reason is that the MySQL `ovs_neutron` table `portsecuritybindings` is not populated with new entries on an update operation, only on a port create. A manual insertion in this table fixes this issue easily.

How to reproduce:

Set on all controllers:
~~~
[root@overcloud-controller-0 ~]# grep port_sec /etc/neutron/plugins/ml2/ml2_conf.ini
extension_drivers = port_security
~~~

Restart neutron server:
~~~
pcs resource restart neutron-server-clone
~~~
(in fact, restarting all resources with `pcs resource restart rabbitmq-clone` was tried as well)

Update an existing port:
~~~
[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --port_security_enabled=false
Updated port: bcaedbdc-0b2d-48f8-8f5b-3c93b234b030
~~~

Verify this port:
~~~
[stack@undercloud-7 ~]$ neutron port-show bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 | grep secu
| port_security_enabled | True                                 |
| security_groups       | 456ab73e-118b-46bc-9450-faca924159f5 |
~~~

Verify in the database that the binding for this port was not created:
~~~
MariaDB [ovs_neutron]> select * from portsecuritybindings \G
*************************** 1. row ***************************
              port_id: 1a2f1165-4dc5-44b1-a3fb-27304004d979
port_security_enabled: 0
1 row in set (0.01 sec)
~~~

Create a new port:
~~~
[stack@undercloud-7 ~]$ neutron port-create --tenant-id 699394ca24544abd85d03d1e35d745fa --fixed-ip subnet_id=d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19,ip_address=192.168.0.20 c8cee2bb-9b53-47fd-a526-4f24b252e980
Created a new port:
+-----------------------+-------------------------------------------------------------------------------------+
| Field                 | Value                                                                               |
+-----------------------+-------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                |
| allowed_address_pairs |                                                                                     |
| binding:host_id       |                                                                                     |
| binding:profile       | {}                                                                                  |
| binding:vif_details   | {}                                                                                  |
| binding:vif_type      | unbound                                                                             |
| binding:vnic_type     | normal                                                                              |
| device_id             |                                                                                     |
| device_owner          |                                                                                     |
| fixed_ips             | {"subnet_id": "d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19", "ip_address": "192.168.0.20"} |
| id                    | 475df4c5-1aaf-4b6e-87ef-231669a7eb55                                                |
| mac_address           | fa:16:3e:a6:1c:d0                                                                   |
| name                  |                                                                                     |
| network_id            | c8cee2bb-9b53-47fd-a526-4f24b252e980                                                |
| security_groups       | 456ab73e-118b-46bc-9450-faca924159f5                                                |
| status                | DOWN                                                                                |
| tenant_id             | 699394ca24544abd85d03d1e35d745fa                                                    |
+-----------------------+-------------------------------------------------------------------------------------+
~~~

Verify that the binding was not created in the database:
~~~
MariaDB [ovs_neutron]> select * from portsecuritybindings \G
*************************** 1. row ***************************
              port_id: 1a2f1165-4dc5-44b1-a3fb-27304004d979
port_security_enabled: 0
1 row in set (0.00 sec)
~~~

Create a new port with port-security explicitly enabled/disabled:
~~~
[stack@undercloud-7 ~]$ neutron port-create --tenant-id 699394ca24544abd85d03d1e35d745fa --fixed-ip subnet_id=d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19,ip_address=192.168.0.21 --port-security-enabled=false c8cee2bb-9b53-47fd-a526-4f24b252e980
Created a new port:
+-----------------------+-------------------------------------------------------------------------------------+
| Field                 | Value                                                                               |
+-----------------------+-------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                |
| allowed_address_pairs |                                                                                     |
| binding:host_id       |                                                                                     |
| binding:profile       | {}                                                                                  |
| binding:vif_details   | {}                                                                                  |
| binding:vif_type      | unbound                                                                             |
| binding:vnic_type     | normal                                                                              |
| device_id             |                                                                                     |
| device_owner          |                                                                                     |
| fixed_ips             | {"subnet_id": "d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19", "ip_address": "192.168.0.21"} |
| id                    | a3f1394d-61d4-4a1a-9b5e-1b75e2b4d7e3                                                |
| mac_address           | fa:16:3e:a5:2f:d7                                                                   |
| name                  |                                                                                     |
| network_id            | c8cee2bb-9b53-47fd-a526-4f24b252e980                                                |
| port_security_enabled | False                                                                               |
| security_groups       |                                                                                     |
| status                | DOWN                                                                                |
| tenant_id             | 699394ca24544abd85d03d1e35d745fa                                                    |
+-----------------------+-------------------------------------------------------------------------------------+
[stack@undercloud-7 ~]$ neutron port-create --tenant-id 699394ca24544abd85d03d1e35d745fa --fixed-ip subnet_id=d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19,ip_address=192.168.0.22 --port-security-enabled=true c8cee2bb-9b53-47fd-a526-4f24b252e980
Created a new port:
+-----------------------+-------------------------------------------------------------------------------------+
| Field                 | Value                                                                               |
+-----------------------+-------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                |
| allowed_address_pairs |                                                                                     |
| binding:host_id       |                                                                                     |
| binding:profile       | {}                                                                                  |
| binding:vif_details   | {}                                                                                  |
| binding:vif_type      | unbound                                                                             |
| binding:vnic_type     | normal                                                                              |
| device_id             |                                                                                     |
| device_owner          |                                                                                     |
| fixed_ips             | {"subnet_id": "d1107cc5-3195-4d1d-87d0-bdd1c8cc7e19", "ip_address": "192.168.0.22"} |
| id                    | 66f5304d-b516-4f20-a5bb-e94c3f9248b4                                                |
| mac_address           | fa:16:3e:a6:d3:2a                                                                   |
| name                  |                                                                                     |
| network_id            | c8cee2bb-9b53-47fd-a526-4f24b252e980                                                |
| port_security_enabled | True                                                                                |
| security_groups       | 456ab73e-118b-46bc-9450-faca924159f5                                                |
| status                | DOWN                                                                                |
| tenant_id             | 699394ca24544abd85d03d1e35d745fa                                                    |
+-----------------------+-------------------------------------------------------------------------------------+
~~~

Verify in the database:
~~~
MariaDB [ovs_neutron]> select * from portsecuritybindings \G
*************************** 1. row ***************************
              port_id: 1a2f1165-4dc5-44b1-a3fb-27304004d979
port_security_enabled: 0
*************************** 2. row ***************************
              port_id: 66f5304d-b516-4f20-a5bb-e94c3f9248b4
port_security_enabled: 1
*************************** 3. row ***************************
              port_id: a3f1394d-61d4-4a1a-9b5e-1b75e2b4d7e3
port_security_enabled: 0
3 rows in set (0.00 sec)
~~~

Create a binding for the first port manually in the database:
~~~
MariaDB [ovs_neutron]> insert into portsecuritybindings values ('bcaedbdc-0b2d-48f8-8f5b-3c93b234b030',0);
Query OK, 1 row affected (0.15 sec)
~~~

Update the port:
~~~
[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --port_security_enabled=false
Port has security group associated. Cannot disable port security or ip address until security group is removed
[stack@undercloud-7 ~]$ neutron port-update bcaedbdc-0b2d-48f8-8f5b-3c93b234b030 --no-security-groups --port_security_enabled=false
Updated port: bcaedbdc-0b2d-48f8-8f5b-3c93b234b030
~~~

Verify on the compute node that the change took effect:
~~~
[root@overcloud-compute-0 ~]# iptables-save | grep bcaedbdc-0b
-A neutron-openvswi-FORWARD -m physdev --physdev-out tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
-A neutron-openvswi-INPUT -m physdev --physdev-in tapbcaedbdc-0b --physdev-is-bridged -m comment --comment "Accept all packets when port security is disabled." -j ACCEPT
[root@overcloud-compute-0 ~]#
~~~
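The gap the reproduction above walks through and the fix the Doc Text summarises, modelled as an added example that is not neutron's own code: an in-memory SQLite schema (a constructed minimal stand-in for the `ovs_neutron` tables, not neutron's real DDL) holds one port created before the `port_security` driver was enabled and one created after it. The block shows the audit query an operator can run to list ports that have no `portsecuritybindings` row, the pre-fix behaviour in which an update of such a port is acknowledged but changes nothing, and the fixed behaviour in which the missing row is created before the update is applied. The helper names, the security-group refusal message (copied from the report) and the assumption that a missing record means port security is enabled are all this example's own; the port and security-group ids are the ones from the report.

```python
import sqlite3

# Ids taken from the bug report; everything else here is constructed.
OLD_PORT = "bcaedbdc-0b2d-48f8-8f5b-3c93b234b030"  # created before the driver was enabled
NEW_PORT = "a3f1394d-61d4-4a1a-9b5e-1b75e2b4d7e3"  # created with the driver active
SG_ID = "456ab73e-118b-46bc-9450-faca924159f5"


class SecurityGroupAttached(Exception):
    """Raised for the refusal the report shows once a binding row exists."""


def build_db():
    """Constructed model: two ports, only the newer one has a binding row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ports (id TEXT PRIMARY KEY);
        CREATE TABLE portsecuritybindings (
            port_id TEXT PRIMARY KEY REFERENCES ports(id),
            port_security_enabled INTEGER NOT NULL);
        CREATE TABLE securitygroupportbindings (
            port_id TEXT REFERENCES ports(id),
            security_group_id TEXT);
    """)
    conn.executemany("INSERT INTO ports VALUES (?)", [(OLD_PORT,), (NEW_PORT,)])
    conn.execute("INSERT INTO portsecuritybindings VALUES (?, 0)", (NEW_PORT,))
    # The pre-driver port still carries a security group, as in the report.
    conn.execute("INSERT INTO securitygroupportbindings VALUES (?, ?)", (OLD_PORT, SG_ID))
    return conn


def ports_without_binding(conn):
    """Audit query: ports with no portsecuritybindings row, i.e. the ones the bug hits."""
    rows = conn.execute("""
        SELECT p.id FROM ports p
        LEFT JOIN portsecuritybindings b ON b.port_id = p.id
        WHERE b.port_id IS NULL
        ORDER BY p.id""").fetchall()
    return [r[0] for r in rows]


def port_security_enabled(conn, port_id):
    """Stored flag for the port, or None when no binding row exists."""
    row = conn.execute(
        "SELECT port_security_enabled FROM portsecuritybindings WHERE port_id = ?",
        (port_id,)).fetchone()
    return None if row is None else bool(row[0])


def remove_security_groups(conn, port_id):
    """Model of `neutron port-update <id> --no-security-groups`."""
    conn.execute("DELETE FROM securitygroupportbindings WHERE port_id = ?", (port_id,))


def _check_sg(conn, port_id, enabled):
    # Disabling port security is refused while a security group is still bound.
    if not enabled and conn.execute(
            "SELECT 1 FROM securitygroupportbindings WHERE port_id = ?",
            (port_id,)).fetchone():
        raise SecurityGroupAttached(
            "Port has security group associated. Cannot disable port security "
            "or ip address until security group is removed")


def update_port_security_old(conn, port_id, enabled):
    """Pre-fix behaviour: the server assumes a binding row exists. With no row the
    UPDATE matches nothing, so the request is acknowledged but the flag never
    changes (in the report, port-show still printed True). Returns whether a row
    was actually changed."""
    if port_security_enabled(conn, port_id) is None:
        return False
    _check_sg(conn, port_id, enabled)
    conn.execute(
        "UPDATE portsecuritybindings SET port_security_enabled = ? WHERE port_id = ?",
        (int(enabled), port_id))
    return True


def update_port_security_fixed(conn, port_id, enabled):
    """Fixed behaviour: create the missing row first (defaulting to enabled, this
    model's assumption), then apply the update. Returns the stored flag afterwards."""
    _check_sg(conn, port_id, enabled)
    conn.execute("INSERT OR IGNORE INTO portsecuritybindings VALUES (?, 1)", (port_id,))
    conn.execute(
        "UPDATE portsecuritybindings SET port_security_enabled = ? WHERE port_id = ?",
        (int(enabled), port_id))
    return port_security_enabled(conn, port_id)


if __name__ == "__main__":
    db = build_db()
    print("ports missing a binding:", ports_without_binding(db))
    print("old code changed a row:", update_port_security_old(db, OLD_PORT, False))
    remove_security_groups(db, OLD_PORT)
    print("fixed code stored:", update_port_security_fixed(db, OLD_PORT, False))
```

The `LEFT JOIN ... IS NULL` query is the useful part for an operator on an unpatched OSP 7 controller: it lists exactly the ports whose `port-update --port_security_enabled=false` will be silently ignored, which is the set the report's manual `insert into portsecuritybindings` works around. The fixed path keeps the security-group check in front of the row creation, so the ordering of refusals matches what the report shows after the manual insert.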