Bug 2021261

Summary: Floating IPs do not respect security groups while attached to Baremetal vlan tenant network
Product: Red Hat OpenStack
Reporter: Chris Janiszewski <cjanisze>
Component: openstack-neutron
Assignee: OSP Team <rhos-maint>
Status: CLOSED WONTFIX
QA Contact: Eran Kuris <ekuris>
Severity: medium
Priority: unspecified
Version: 16.1 (Train)
CC: bcafarel, ccamposr, chrisw, dsneddon, jjoyce, jschluet, scohen, skaplons, slinaber, tvignaud
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-07-24 10:31:01 UTC
Type: Bug
Regression: ---

Description Chris Janiszewski 2021-11-08 17:04:03 UTC
Description of problem:
We are unable to control a security access to Baremetal Instances with attached Floating IP. The Floating IP itself for north/south traffic is where we need to control the access.

(poc-az1) [stack@director ~]$ nova list
+--------------------------------------+------------------+--------+------------+-------------+------------------------------------------+
| ID                                   | Name             | Status | Task State | Power State | Networks                                 |
+--------------------------------------+------------------+--------+------------+-------------+------------------------------------------+
| fdb53a0f-f561-4702-beff-50100f29172d | baremetal-test-1 | ACTIVE | -          | Running     | oc_provisioning=11.21.26.28, 11.21.24.48 |
| 59e76d74-2673-4da9-ac9e-d260ddc1585f | baremetal-test-2 | ACTIVE | -          | Running     | oc_provisioning=11.21.26.107             |
| d004dd91-069e-4c52-a7e5-fba014f19016 | baremetal-test-3 | ACTIVE | -          | Running     | oc_provisioning=11.21.26.167             |
+--------------------------------------+------------------+--------+------------+-------------+------------------------------------------+

#ping floating ip:
(poc-az1) [stack@director ~]$ ping -c 1 11.21.24.48
PING 11.21.24.48 (11.21.24.48) 56(84) bytes of data.
64 bytes from 11.21.24.48: icmp_seq=1 ttl=63 time=0.897 ms

--- 11.21.24.48 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.897/0.897/0.897/0.000 ms

(poc-az1) [stack@director ~]$ openstack port list | grep 11.21.24.48
| 8eb03065-5b30-4ea8-b92d-e53dcdd37a9c | | fa:16:3e:56:bf:98 | ip_address='11.21.24.48', subnet_id='04180469-84be-40cc-8840-e3ce600d6446' | N/A |

#port security enabled and assigned:

(poc-az1) [stack@director ~]$ openstack port show --fit-width 8eb03065-5b30-4ea8-b92d-e53dcdd37a9c
+-------------------------+----------------------------------------------------------------------------+
| Field                   | Value                                                                      |
+-------------------------+----------------------------------------------------------------------------+
| admin_state_up          | UP                                                                         |
| allowed_address_pairs   |                                                                            |
| binding_host_id         |                                                                            |
| binding_profile         |                                                                            |
| binding_vif_details     |                                                                            |
| binding_vif_type        | unbound                                                                    |
| binding_vnic_type       | normal                                                                     |
| created_at              | 2021-11-08T14:55:38Z                                                       |
| data_plane_status       | None                                                                       |
| description             |                                                                            |
| device_id               | 9817c05f-199d-4ece-88d3-49a51313b5fe                                       |
| device_owner            | network:floatingip                                                         |
| dns_assignment          | None                                                                       |
| dns_domain              | None                                                                       |
| dns_name                | None                                                                       |
| extra_dhcp_opts         |                                                                            |
| fixed_ips               | ip_address='11.21.24.48', subnet_id='04180469-84be-40cc-8840-e3ce600d6446' |
| id                      | 8eb03065-5b30-4ea8-b92d-e53dcdd37a9c                                       |
| location                | cloud='', project.domain_id=, project.domain_name='Default',               |
|                         | project.id='3ee2ae6c63b743708aec498565aeaa77', project.name='admin',       |
|                         | region_name='regionOne', zone=                                             |
| mac_address             | fa:16:3e:56:bf:98                                                          |
| name                    |                                                                            |
| network_id              | a8281e22-2a8c-4537-9da3-b14745437042                                       |
| port_security_enabled   | True                                                                       |
| project_id              | 3ee2ae6c63b743708aec498565aeaa77                                           |
| propagate_uplink_status | None                                                                       |
| qos_policy_id           | None                                                                       |
| resource_request        | None                                                                       |
| revision_number         | 4                                                                          |
| security_group_ids      | 66739708-fe26-49d8-902b-88fbe3d463f5                                       |
| status                  | N/A                                                                        |
| tags                    |                                                                            |
| trunk_details           | None                                                                       |
| updated_at              | 2021-11-08T16:48:42Z                                                       |
+-------------------------+----------------------------------------------------------------------------+

(poc-az1) [stack@director ~]$ openstack security group show --fit-width 66739708-fe26-49d8-902b-88fbe3d463f5
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                  |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2021-11-08T14:30:57Z                                                                                                                   |
| description     | baremetal-sg                                                                                                                           |
| id              | 66739708-fe26-49d8-902b-88fbe3d463f5                                                                                                   |
| location        | cloud='', project.domain_id=, project.domain_name='Default', project.id='3ee2ae6c63b743708aec498565aeaa77', project.name='admin',       |
|                 | region_name='regionOne', zone=                                                                                                         |
| name            | baremetal-sg                                                                                                                           |
| project_id      | 3ee2ae6c63b743708aec498565aeaa77                                                                                                       |
| revision_number | 1                                                                                                                                      |
| rules           | created_at='2021-11-08T14:30:57Z', direction='egress', ethertype='IPv6', id='43d074d5-c4a1-4bc1-9e1e-735461cbd205', updated_at='2021-11-08T14:30:57Z' |
|                 | created_at='2021-11-08T14:30:57Z', direction='egress', ethertype='IPv4', id='78ccdb06-46f7-49f1-9df0-24ad505f6b59', updated_at='2021-11-08T14:30:57Z' |
| tags            | []                                                                                                                                     |
| updated_at      | 2021-11-08T14:30:57Z                                                                                                                   |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------+



Version-Release number of selected component (if applicable):
cat /etc/rhosp-release
Red Hat OpenStack Platform release 16.1.6 GA (Train)
OVS + iptables_hybrid firewall driver


How reproducible:
Every time


Steps to Reproduce:
1. Deploy Ironic node in overcloud with vlan tenant network
2. Attach floating IP
3. Set security group on the floating IP

Actual results:
The security restrictions on the FIP are ineffective


Expected results:
Security groups filter out undesired network traffic for the FIP


Additional info:
Will try to attach templates and sosreports below

Comment 4 Chris Janiszewski 2021-11-08 22:52:40 UTC
(poc-az1) [stack@director ~]$ openstack security group rule list --fit-width 66739708-fe26-49d8-902b-88fbe3d463f5
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+
| 43d074d5-c4a1-4bc1-9e1e-735461cbd205 | None        | IPv6      | ::/0      |            | None                  |
| 78ccdb06-46f7-49f1-9df0-24ad505f6b59 | None        | IPv4      | 0.0.0.0/0 |            | None                  |
+--------------------------------------+-------------+-----------+-----------+------------+-----------------------+

Comment 5 Chris Janiszewski 2021-11-08 22:57:05 UTC
(poc-az1) [stack@director ~]$ openstack security group rule show --fit-width 78ccdb06-46f7-49f1-9df0-24ad505f6b59
+-------------------+----------------------------------------------------------------------------------------------------------------------------------+
| Field             | Value                                                                                                                            |
+-------------------+----------------------------------------------------------------------------------------------------------------------------------+
| created_at        | 2021-11-08T14:30:57Z                                                                                                             |
| description       | None                                                                                                                             |
| direction         | egress                                                                                                                           |
| ether_type        | IPv4                                                                                                                             |
| id                | 78ccdb06-46f7-49f1-9df0-24ad505f6b59                                                                                             |
| location          | cloud='', project.domain_id=, project.domain_name='Default', project.id='3ee2ae6c63b743708aec498565aeaa77', project.name='admin', |
|                   | region_name='regionOne', zone=                                                                                                   |
| name              | None                                                                                                                             |
| port_range_max    | None                                                                                                                             |
| port_range_min    | None                                                                                                                             |
| project_id        | 3ee2ae6c63b743708aec498565aeaa77                                                                                                 |
| protocol          | None                                                                                                                             |
| remote_group_id   | None                                                                                                                             |
| remote_ip_prefix  | 0.0.0.0/0                                                                                                                        |
| revision_number   | 0                                                                                                                                |
| security_group_id | 66739708-fe26-49d8-902b-88fbe3d463f5                                                                                             |
| tags              | []                                                                                                                               |
| updated_at        | 2021-11-08T14:30:57Z                                                                                                             |
+-------------------+----------------------------------------------------------------------------------------------------------------------------------+

Comment 6 Dan Sneddon 2021-11-15 10:10:45 UTC
Security groups are applied on the compute nodes for VMs, but not on network controllers handling the floating IPs. This means that security groups do not work for bare metal nodes with ML2/OVS. You can apply iptables rules on the BM node. You might be able to apply SGs on a load balancer with Octavia, but I have not tested this myself.
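The explanation in comment 6 (ML2/OVS filters on compute nodes, so a floating IP in front of an Ironic node and a security group attached to the unbound floating-IP port get no enforcement) and its suggested workaround (host iptables on the bare-metal node) lend themselves to a small audit-and-render tool. The following is an added example, not code from this bug report or from OpenStack: it flags floating IPs and ports whose security groups will not be enforced, and renders a security group's rules as an iptables-restore ruleset for the bare-metal host. Field names follow the `openstack ... show` output in the report; the floating-IP keys and the `PLACEHOLDER-*` port ids are assumptions, and all records are constructed.

```python
"""Audit unenforced security groups on floating IPs / bare-metal ports and
render a security group as a host iptables ruleset.

Added example (not from the bug report). It models comment 6: with ML2/OVS
the firewall driver runs only on compute nodes, so a floating IP whose
fixed-IP port is bound with vnic_type 'baremetal' gets no filtering, and a
security group set on the (never bound) floating-IP port is never programmed.
IDs and rule values that appear in the report are reused; the rest are
constructed placeholders.
"""

SG_ID = "66739708-fe26-49d8-902b-88fbe3d463f5"  # baremetal-sg from the report

# Constructed port inventory, keyed by port id, shaped like `openstack port show`.
PORTS = {
    # The floating-IP port from the report: carries the SG, never bound.
    "8eb03065-5b30-4ea8-b92d-e53dcdd37a9c": {
        "device_owner": "network:floatingip", "binding_vnic_type": "normal",
        "binding_vif_type": "unbound", "port_security_enabled": True,
        "security_group_ids": [SG_ID]},
    # Placeholder: fixed-IP port of the Ironic node baremetal-test-1.
    "PLACEHOLDER-PORT-BAREMETAL": {
        "device_owner": "compute:nova", "binding_vnic_type": "baremetal",
        "binding_vif_type": "other", "port_security_enabled": True,
        "security_group_ids": [SG_ID]},
    # Placeholder: an ordinary VM port programmed by the OVS agent.
    "PLACEHOLDER-PORT-VM": {
        "device_owner": "compute:nova", "binding_vnic_type": "normal",
        "binding_vif_type": "ovs", "port_security_enabled": True,
        "security_group_ids": [SG_ID]},
}

# Constructed floating IPs; address 11.21.24.48 is from the report, keys assumed.
FLOATING_IPS = [
    {"floating_ip_address": "11.21.24.48", "port_id": "PLACEHOLDER-PORT-BAREMETAL"},
    {"floating_ip_address": "11.21.24.49", "port_id": "PLACEHOLDER-PORT-VM"},
    {"floating_ip_address": "11.21.24.50", "port_id": None},  # unassociated
]

# Rules of baremetal-sg as shown in comments 4 and 5 (egress only, any protocol).
SG_RULES = [
    {"direction": "egress", "ethertype": "IPv6", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": "::/0", "remote_group_id": None},
    {"direction": "egress", "ethertype": "IPv4", "protocol": None, "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
]


def unenforced_floating_ips(floating_ips, ports, unfiltered_vnic_types=("baremetal",)):
    """Return [(floating_ip, port_id, reason)] for FIPs whose SG is not applied."""
    findings = []
    for fip in floating_ips:
        port_id = fip.get("port_id")
        if port_id is None:
            continue  # nothing is reachable behind an unassociated FIP
        port = ports[port_id]
        if not port["port_security_enabled"]:
            findings.append((fip["floating_ip_address"], port_id, "port_security_enabled=False"))
        elif port["binding_vnic_type"] in unfiltered_vnic_types:
            findings.append((fip["floating_ip_address"], port_id,
                             f"vnic_type={port['binding_vnic_type']}: no compute-node firewall driver"))
    return findings


def floatingip_ports_with_sgs(ports):
    """Port ids of network:floatingip ports that carry SGs (never programmed: unbound)."""
    return sorted(pid for pid, p in ports.items()
                  if p["device_owner"] == "network:floatingip" and p["security_group_ids"])


def sg_rules_to_iptables(rules):
    """Render SG rules as iptables-restore text per address family.

    Default policy DROP mirrors a security group; ingress -> INPUT, egress ->
    OUTPUT, with conntrack allowing return traffic. Rules keyed on
    remote_group_id need a membership lookup and are emitted as comments.
    """
    out = {}
    for family in ("IPv4", "IPv6"):
        lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]",
                 "-A INPUT -i lo -j ACCEPT", "-A OUTPUT -o lo -j ACCEPT",
                 "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
                 "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for r in rules:
            if r["ethertype"] != family:
                continue
            if r.get("remote_group_id"):
                lines.append(f"# unsupported: remote_group_id={r['remote_group_id']} ({r['direction']})")
                continue
            chain, flag = ("INPUT", "-s") if r["direction"] == "ingress" else ("OUTPUT", "-d")
            parts = ["-A", chain]
            if r.get("remote_ip_prefix"):
                parts += [flag, r["remote_ip_prefix"]]
            proto = r.get("protocol")
            if proto:
                parts += ["-p", proto]
                lo, hi = r.get("port_range_min"), r.get("port_range_max")
                if proto in ("tcp", "udp") and lo is not None:
                    parts += ["--dport", str(lo) if hi in (None, lo) else f"{lo}:{hi}"]
            lines.append(" ".join(parts + ["-j", "ACCEPT"]))
        lines.append("COMMIT")
        out[family] = "\n".join(lines) + "\n"
    return out


if __name__ == "__main__":
    for fip, port_id, reason in unenforced_floating_ips(FLOATING_IPS, PORTS):
        print(f"{fip} -> port {port_id}: security group NOT enforced ({reason})")
    for pid in floatingip_ports_with_sgs(PORTS):
        print(f"port {pid}: SG on a network:floatingip port is never programmed")
    print(sg_rules_to_iptables(SG_RULES)["IPv4"])
```

The rendered ruleset is what you would feed to `iptables-restore` (and the `IPv6` text to `ip6tables-restore`) on the Ironic node itself, which is where comment 6 says filtering has to happen in this deployment; the audit side is the check to run against a real inventory before relying on a security group that looks correctly attached, as the one in this report does.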