Bug 1575843

Summary: [OVN] When removing all security groups, all traffic is allowed instead of blocked
Product: Red Hat OpenStack Reporter: Eran Kuris <ekuris>
Component: python-networking-ovnAssignee: Numan Siddique <nusiddiq>
Status: CLOSED ERRATA QA Contact: Daniel Alvarez Sanchez <dalvarez>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 13.0 (Queens)CC: amuller, apevec, bcafarel, dalvarez, jamsmith, jschluet, lhh, lmartins, majopela, nusiddiq, nyechiel, oblaut, tfreger
Target Milestone: rcKeywords: AutomationBlocker, Regression, Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-networking-ovn-4.0.1-0.20180420150810.c7c16d4.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-27 13:55:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eran Kuris 2018-05-08 05:36:58 UTC 
Description of problem:
tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group test failed in CI run

error:

2018-05-06 10:36:00,738 1358 INFO     [tempest.lib.common.rest_client] Request (TestSecurityGroupsBasicOps:_run_cleanups): 202 DELETE http://10.0.0.102:8774/v2.1/os-keypairs/tempest-TestSecurityGroupsBasicOps-1802014022 0.042s
2018-05-06 10:36:00,738 1358 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'status': '202', u'content-length': '0', 'content-location': 'http://10.0.0.102:8774/v2.1/os-keypairs/tempest-TestSecurityGroupsBasicOps-1802014022', u'x-compute-request-id': 'req-93dbfb2b-a79a-4be9-91ff-8022c715970b', u'vary': 'OpenStack-API-Version,X-OpenStack-Nova-API-Version', u'server': 'Apache', u'openstack-api-version': 'compute 2.1', u'connection': 'close', u'x-openstack-nova-api-version': '2.1', u'date': 'Sun, 06 May 2018 14:36:00 GMT', u'content-type': 'application/json', u'x-openstack-request-id': 'req-93dbfb2b-a79a-4be9-91ff-8022c715970b'}
        Body:
}}}

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tempest/common/utils/__init__.py", line 107, in wrapper
    return func(*func_args, **func_kwargs)
  File "/usr/lib/python2.7/site-packages/tempest/common/utils/__init__.py", line 88, in wrapper
    return f(*func_args, **func_kwargs)
  File "/usr/lib/python2.7/site-packages/tempest/scenario/test_security_groups_basic_ops.py", line 621, in test_port_security_disable_security_group
    should_succeed=False)
  File "/usr/lib/python2.7/site-packages/tempest/scenario/manager.py", line 913, in check_remote_connectivity
    self.fail(msg)
  File "/usr/lib/python2.7/site-packages/unittest2/case.py", line 666, in fail
    raise self.failureException(msg)
AssertionError: 10.100.0.8 is reachable from 10.0.0.220

Version-Release number of selected component (if applicable):
OSP-13  -p 2018-05-04.1
openvswitch-ovn-common-2.9.90-1.el7.x86_64
openvswitch-ovn-host-2.9.90-1.el7.x86_64
python-networking-ovn-4.0.1-0.20180420150809.c7c16d4.el7ost.noarch
openvswitch-ovn-central-2.9.90-1.el7.x86_64
puppet-ovn-12.4.0-0.20180329043503.36ff219.el7ost.noarch
python-networking-ovn-metadata-agent-4.0.1-0.20180420150809.c7c16d4.el7ost.noarch
How reproducible:
100%

Steps to Reproduce:
1.run ci job
2.
3.

Actual results:
test failed 

Expected results:
test should pass

Additional info:
Comment 2 Numan Siddique 2018-05-10 16:51:25 UTC 
It's a bug and we need to fix it in networking-ovn.

When a port has port security enabled and non security groups we shouldn't allow any traffic to it.  If port security is disabled, we should allow it. This is what the test expects.
Comment 20 Daniel Alvarez Sanchez 2018-06-01 11:26:54 UTC 
This test [0] will still fail in CI sometimes due to [1].
Tried myself with just 1 compute and the issue is gone, traffic is now blocked on ports with no SGs and port security enabled.


[1] tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1566148
Comment 23 errata-xmlrpc 2018-06-27 13:55:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086