Bug 1744235

Summary: Security group rules for remote prefix/group do not enable traffic
Product: [oVirt] ovirt-provider-ovn
Reporter: msheena
Component: provider
Assignee: Miguel Duarte Barroso <mduarted>
Status: CLOSED CURRENTRELEASE
QA Contact: msheena
Severity: medium
Priority: medium
Version: 1.2.25
CC: bugs, danken, dholler, lsvaty, mburman, mduarted, pelauter, royoung
Target Milestone: ovirt-4.3.7
Keywords: Automation, Rebase, Regression, ZStream
Target Release: 1.2.27
Flags: sbonazzo: ovirt-4.3?, pelauter: planning_ack+, dholler: devel_ack+, mburman: testing_ack+
Hardware: x86_64
OS: Linux
Fixed In Version: ovirt-provider-ovn-1.2.27
Last Closed: 2019-11-21 12:44:36 UTC
Type: Bug
oVirt Team: Network

Description msheena 2019-08-21 15:22:55 UTC
======================
Description of problem
======================

===========
Scenario #1
===========
Given I have 2 OVN ports 'p_1', 'p_2' each attached to oVirt VMs and
    p_1 is member of a security group that is not the default group and
    there is a security group rule in that group allowing ingress traffic from
    the subnet prefix p_2 belongs to,
When I ping from p_2 to p_1 (meaning from the associated oVirt VMs),
Then the ping fails - although it is expected to succeed.

===========
Scenario #2
===========
Given I have 2 OVN ports 'p_1', 'p_2' each attached to oVirt VMs and
    p_1 is member of a security group 's_1' that is not the default group and
    p_2 is a member of a security group 's_2' that is not the default group
    and there is a security group rule in s_1 allowing ingress traffic from
    all members of s_2,
When I ping from p_2 to p_1 (meaning from the associated oVirt VMs),
Then the ping fails - although it is expected to succeed.

============================================================
Version-Release number of selected component (if applicable)
============================================================
ovirt-provider-ovn-1.2.25-1.el7ev.noarch

================
How reproducible
================
100%

Comment 2 msheena 2019-09-02 09:21:12 UTC
Failed QE on
============
ovirt-provider-ovn-1.2.26-1.el7ev.noarch
ovirt-engine-4.3.6.4-0.1.el7.noarch

Reason for failure
==================
Security group rules for 'remote_group_id' cannot be provisioned, since it seems the provider does not recognize existing security group IDs.
example:

POST https://<FQDN>:9696/v2.0/security-group-rules
{
    "security_group_rule": {
        "remote_group_id": "087b9a9c-4e1e-4dc2-9b60-06e2e9785c88",  // existing security group UUID
        "direction": "ingress",
        "protocol": "icmp",
        "ethertype": "IPv4",
        "security_group_id": "f1e3d72e-ef21-4e48-903d-3a10fc5a30b3"
    }
}

Replied by:
{
  "error": {
    "message": "Security Group 087b9a9c-4e1e-4dc2-9b60-06e2e9785c88 does not exist",
    "code": 404,
    "title": "Not Found"
  }
}

Further notes
=============
The scenario for security group rules for remote_ip_prefix passed QE.
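
Added example, not part of the original report and not the provider's code: a minimal model of the ingress behaviour that Scenario #1 and Scenario #2 expect, together with the existence check on referenced groups that the 404 reply above concerns. The class and function names, the addresses and the use of 's_1'/'s_2' as group IDs are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    ip: str
    groups: frozenset          # IDs of the security groups the port is in

@dataclass
class Rule:
    security_group_id: str     # group the rule belongs to
    protocol: Optional[str] = None            # None matches any protocol
    remote_ip_prefix: Optional[str] = None
    remote_group_id: Optional[str] = None
    direction: str = "ingress"

def validate_rule(rule, known_groups):
    # Every group a rule references must already exist before it is stored.
    for gid in (rule.security_group_id, rule.remote_group_id):
        if gid is not None and gid not in known_groups:
            raise LookupError(f"Security Group {gid} does not exist")

def ingress_allowed(src, dst, protocol, rules):
    for r in rules:
        if (r.direction != "ingress" or r.security_group_id not in dst.groups
                or r.protocol not in (None, protocol)):
            continue                           # rule does not apply to dst
        if r.remote_group_id is not None:      # Scenario #2: match by group
            if r.remote_group_id in src.groups:
                return True
        elif r.remote_ip_prefix is not None:   # Scenario #1: match by prefix
            net = ipaddress.ip_network(r.remote_ip_prefix)
            if ipaddress.ip_address(src.ip) in net:
                return True
        else:
            return True                        # no remote filter: any source
    return False                               # no rule matched: drop

# Constructed sample data mirroring the two scenarios.
GROUPS = {"s_1", "s_2"}
P1 = Port("10.0.0.11", frozenset({"s_1"}))
P2 = Port("10.0.0.12", frozenset({"s_2"}))
P3 = Port("192.168.5.7", frozenset())          # outsider, should be dropped
BY_PREFIX = Rule("s_1", "icmp", remote_ip_prefix="10.0.0.0/24")
BY_GROUP = Rule("s_1", "icmp", remote_group_id="s_2")

if __name__ == "__main__":
    print([ingress_allowed(s, P1, "icmp", [r])
           for r in (BY_PREFIX, BY_GROUP) for s in (P2, P3)])
```

The negative case (P3) is worth keeping in any regression test for this bug, so that a fix which lets the ping through is also shown not to admit sources outside the prefix or group.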

Comment 6 Michael Burman 2019-10-22 12:08:54 UTC
New provider wasn't shipped with 4.3.7, moving back to MODIFIED

Comment 7 msheena 2019-10-27 12:21:08 UTC
Verified on
===========
ovirt-engine-4.3.7.0-0.1.el7.noarch
ovirt-provider-ovn-1.2.27-1.el7ev.noarch

Comment 8 Sandro Bonazzola 2019-11-21 12:44:36 UTC
This bugzilla is included in oVirt 4.3.7 release, published on November 21st 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.7 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.