Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1575843 - [OVN] When removing all security groups, all traffic is allowed instead of blocked
[OVN] When removing all security groups, all traffic is allowed instead of bl...
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn (Show other bugs)
13.0 (Queens)
Unspecified Unspecified
urgent Severity urgent
: rc
: 13.0 (Queens)
Assigned To: Numan Siddique
Daniel Alvarez Sanchez
: AutomationBlocker, Regression, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2018-05-08 01:36 EDT by Eran Kuris
Modified: 2018-06-27 09:56 EDT (History)
14 users (show)

See Also:
Fixed In Version: python-networking-ovn-4.0.1-0.20180420150810.c7c16d4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-27 09:55:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 567928 None None None 2018-05-11 14:38 EDT
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 09:56 EDT

  None (edit)
Description Eran Kuris 2018-05-08 01:36:58 EDT 
Description of problem:
tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group test failed in CI run

error:

2018-05-06 10:36:00,738 1358 INFO     [tempest.lib.common.rest_client] Request (TestSecurityGroupsBasicOps:_run_cleanups): 202 DELETE http://10.0.0.102:8774/v2.1/os-keypairs/tempest-TestSecurityGroupsBasicOps-1802014022 0.042s
2018-05-06 10:36:00,738 1358 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'status': '202', u'content-length': '0', 'content-location': 'http://10.0.0.102:8774/v2.1/os-keypairs/tempest-TestSecurityGroupsBasicOps-1802014022', u'x-compute-request-id': 'req-93dbfb2b-a79a-4be9-91ff-8022c715970b', u'vary': 'OpenStack-API-Version,X-OpenStack-Nova-API-Version', u'server': 'Apache', u'openstack-api-version': 'compute 2.1', u'connection': 'close', u'x-openstack-nova-api-version': '2.1', u'date': 'Sun, 06 May 2018 14:36:00 GMT', u'content-type': 'application/json', u'x-openstack-request-id': 'req-93dbfb2b-a79a-4be9-91ff-8022c715970b'}
        Body:
}}}

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tempest/common/utils/__init__.py", line 107, in wrapper
    return func(*func_args, **func_kwargs)
  File "/usr/lib/python2.7/site-packages/tempest/common/utils/__init__.py", line 88, in wrapper
    return f(*func_args, **func_kwargs)
  File "/usr/lib/python2.7/site-packages/tempest/scenario/test_security_groups_basic_ops.py", line 621, in test_port_security_disable_security_group
    should_succeed=False)
  File "/usr/lib/python2.7/site-packages/tempest/scenario/manager.py", line 913, in check_remote_connectivity
    self.fail(msg)
  File "/usr/lib/python2.7/site-packages/unittest2/case.py", line 666, in fail
    raise self.failureException(msg)
AssertionError: 10.100.0.8 is reachable from 10.0.0.220

Version-Release number of selected component (if applicable):
OSP-13  -p 2018-05-04.1
openvswitch-ovn-common-2.9.90-1.el7.x86_64
openvswitch-ovn-host-2.9.90-1.el7.x86_64
python-networking-ovn-4.0.1-0.20180420150809.c7c16d4.el7ost.noarch
openvswitch-ovn-central-2.9.90-1.el7.x86_64
puppet-ovn-12.4.0-0.20180329043503.36ff219.el7ost.noarch
python-networking-ovn-metadata-agent-4.0.1-0.20180420150809.c7c16d4.el7ost.noarch
How reproducible:
100%

Steps to Reproduce:
1.run ci job
2.
3.

Actual results:
test failed 

Expected results:
test should pass

Additional info:
Comment 2 Numan Siddique 2018-05-10 12:51:25 EDT 
It's a bug and we need to fix it in networking-ovn.

When a port has port security enabled and non security groups we shouldn't allow any traffic to it.  If port security is disabled, we should allow it. This is what the test expects.
Comment 20 Daniel Alvarez Sanchez 2018-06-01 07:26:54 EDT 
This test [0] will still fail in CI sometimes due to [1].
Tried myself with just 1 compute and the issue is gone, traffic is now blocked on ports with no SGs and port security enabled.


[1] tempest.scenario.test_security_groups_basic_ops.TestSecurityGroupsBasicOps.test_port_security_disable_security_group
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1566148
Comment 23 errata-xmlrpc 2018-06-27 09:55:29 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.