Bug 1346819 - Security Groups broken in OSP-d installed environment
Summary: Security Groups broken in OSP-d installed environment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ga
: 9.0 (Mitaka)
Assignee: Brent Eagles
QA Contact: Alexander Stafeyev
URL:
Whiteboard:
: 1346804 (view as bug list)
Depends On:
Blocks: 1347362
TreeView+ depends on / blocked
 
Reported: 2016-06-15 11:57 UTC by Alexander Stafeyev
Modified: 2016-08-11 12:25 UTC (History)
15 users (show)

Fixed In Version: openstack-neutron-8.1.0-7.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-11 12:25:58 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:1597 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 9 Release Candidate Advisory 2016-08-11 16:06:52 UTC

Description Alexander Stafeyev 2016-06-15 11:57:16 UTC
Description of problem:
Security groups rules are not enforced. 
The problem seems same as in https://bugzilla.redhat.com/show_bug.cgi?id=1291621 


Version-Release number of selected component (if applicable):
9.0-RHEL-7-director/2016-06-08.1

How reproducible:
100%


Steps to Reproduce:
1.install OSPD OSP9
2. boot VM 
3.ssh to VM (for exact reproduction assign FIP to the VM and ssh to FIP) 
4. check /etc/sysctl.conf on compute node 

Actual results:
Security rules are not enforced 


Expected results:
ssh should not be allowed 

Additional info:
In compute nodes, the /etc/sysctl.conf values are not set: 
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

Comment 2 Mike Burns 2016-06-15 12:31:55 UTC
Bug 1291621 was fixed in openstack-neutron, moving this bug there.

Comment 3 Assaf Muller 2016-06-15 13:32:42 UTC
In OSP 9, the neutron-server uses an option called firewall_driver to tell OVS agents which driver to use. The server uses that value to tag a port with the vif driver to use: Either direct plug, or hybrid plug. Hybrid plug means that Nova will plug the VM's tap device to a linux bridge, which is then connected to the OVS bridge (br-int). Hybrid plugging is required when using Neutron and iptables based firewall driver (The default) in order for security groups to work.

We've determined that the issue is that the firewall_driver option is not being configured on controller nodes, resulting in the neutron-server always returning 'direct plug', meaning that the per-VIF linux bridge is not being created, and security groups don't work.

The solution is to make sure the firewall_driver option is defined on controller nodes.

Comment 4 Ofer Blaut 2016-06-15 13:57:18 UTC
Hi Assaf, 

Will it be supported in upgrade from ospd8 to 9 ?

Comment 5 Assaf Muller 2016-06-15 14:28:00 UTC
(In reply to Ofer Blaut from comment #4)
> Hi Assaf, 
> 
> Will it be supported in upgrade from ospd8 to 9 ?

Yes, that should not be a problem. The firewall_driver config option should be defined in both versions.

Comment 6 Brent Eagles 2016-06-17 16:43:21 UTC
Armando backported Kevin's fix for this to mitaka stable https://review.openstack.org/#/c/313173/. It's currently in the 8.1.1 tag. Would we rather release our fix through an updated neutron RPM or by heat template configuration?

Comment 7 Assaf Muller 2016-06-17 17:19:15 UTC
(In reply to Brent Eagles from comment #6)
> Armando backported Kevin's fix for this to mitaka stable
> https://review.openstack.org/#/c/313173/. It's currently in the 8.1.1 tag.
> Would we rather release our fix through an updated neutron RPM or by heat
> template configuration?

That patch should cover it, in which case that would be easier than a TripleO change, and would also take care of anyone installing via any other method.

@Jakub, are we missing anything here or would that patch suffice?

Comment 8 Jakub Libosvar 2016-06-20 09:22:47 UTC
(In reply to Assaf Muller from comment #7)
> (In reply to Brent Eagles from comment #6)
> > Armando backported Kevin's fix for this to mitaka stable
> > https://review.openstack.org/#/c/313173/. It's currently in the 8.1.1 tag.
> > Would we rather release our fix through an updated neutron RPM or by heat
> > template configuration?
> 
> That patch should cover it, in which case that would be easier than a
> TripleO change, and would also take care of anyone installing via any other
> method.
> 
> @Jakub, are we missing anything here or would that patch suffice?

The patch suffices, we saw compute nodes have firewall driver set.

PS: So after all, I see it was my goof :)

Comment 12 Assaf Muller 2016-06-28 00:20:34 UTC
*** Bug 1346804 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2016-08-11 12:25:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1597.html


Note You need to log in before you can comment on or make changes to this bug.