Bug 1575843 - [OVN] When removing all security groups, all traffic is allowed instead of blocked
Summary: [OVN] When removing all security groups, all traffic is allowed instead of bl...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: 13.0 (Queens)
Assignee: Numan Siddique
QA Contact: Daniel Alvarez Sanchez
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-08 05:36 UTC by Eran Kuris
Modified: 2019-09-09 13:51 UTC (History)
13 users (show)

Fixed In Version: python-networking-ovn-4.0.1-0.20180420150810.c7c16d4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-27 13:55:29 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 567928 None None None 2018-05-11 18:38:14 UTC
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 13:56:49 UTC

Description Eran Kuris 2018-05-08 05:36:58 UTC
Description of problem:
tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group test failed in CI run

error:

2018-05-06 10:36:00,738 1358 INFO     [tempest.lib.common.rest_client] Request (TestSecurityGroupsBasicOps:_run_cleanups): 202 DELETE http://10.0.0.102:8774/v2.1/os-keypairs/tempest-TestSecurityGroupsBasicOps-1802014022 0.042s
2018-05-06 10:36:00,738 1358 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'status': '202', u'content-length': '0', 'content-location': 'http://10.0.0.102:8774/v2.1/os-keypairs/tempest-TestSecurityGroupsBasicOps-1802014022', u'x-compute-request-id': 'req-93dbfb2b-a79a-4be9-91ff-8022c715970b', u'vary': 'OpenStack-API-Version,X-OpenStack-Nova-API-Version', u'server': 'Apache', u'openstack-api-version': 'compute 2.1', u'connection': 'close', u'x-openstack-nova-api-version': '2.1', u'date': 'Sun, 06 May 2018 14:36:00 GMT', u'content-type': 'application/json', u'x-openstack-request-id': 'req-93dbfb2b-a79a-4be9-91ff-8022c715970b'}
        Body:
}}}

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tempest/common/utils/__init__.py", line 107, in wrapper
    return func(*func_args, **func_kwargs)
  File "/usr/lib/python2.7/site-packages/tempest/common/utils/__init__.py", line 88, in wrapper
    return f(*func_args, **func_kwargs)
  File "/usr/lib/python2.7/site-packages/tempest/scenario/test_security_groups_basic_ops.py", line 621, in test_port_security_disable_security_group
    should_succeed=False)
  File "/usr/lib/python2.7/site-packages/tempest/scenario/manager.py", line 913, in check_remote_connectivity
    self.fail(msg)
  File "/usr/lib/python2.7/site-packages/unittest2/case.py", line 666, in fail
    raise self.failureException(msg)
AssertionError: 10.100.0.8 is reachable from 10.0.0.220

Version-Release number of selected component (if applicable):
OSP-13  -p 2018-05-04.1
openvswitch-ovn-common-2.9.90-1.el7.x86_64
openvswitch-ovn-host-2.9.90-1.el7.x86_64
python-networking-ovn-4.0.1-0.20180420150809.c7c16d4.el7ost.noarch
openvswitch-ovn-central-2.9.90-1.el7.x86_64
puppet-ovn-12.4.0-0.20180329043503.36ff219.el7ost.noarch
python-networking-ovn-metadata-agent-4.0.1-0.20180420150809.c7c16d4.el7ost.noarch
How reproducible:
100%

Steps to Reproduce:
1.run ci job
2.
3.

Actual results:
test failed 

Expected results:
test should pass

Additional info:

Comment 2 Numan Siddique 2018-05-10 16:51:25 UTC
It's a bug and we need to fix it in networking-ovn.

When a port has port security enabled and non security groups we shouldn't allow any traffic to it.  If port security is disabled, we should allow it. This is what the test expects.

Comment 20 Daniel Alvarez Sanchez 2018-06-01 11:26:54 UTC
This test [0] will still fail in CI sometimes due to [1].
Tried myself with just 1 compute and the issue is gone, traffic is now blocked on ports with no SGs and port security enabled.


[1] tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1566148

Comment 23 errata-xmlrpc 2018-06-27 13:55:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086


Note You need to log in before you can comment on or make changes to this bug.