Bug 1660885 - Octavia lb SG rules are modified when namespace isolation is not used
Summary: Octavia lb SG rules are modified when namespace isolation is not used
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-kuryr-kubernetes
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z1
: 14.0 (Rocky)
Assignee: Luis Tomas Bolivar
QA Contact: Itzik Brown
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-19 14:11 UTC by Luis Tomas Bolivar
Modified: 2019-03-18 13:04 UTC (History)
1 user (show)

Fixed In Version: openstack-kuryr-kubernetes-0.5.3-0.20190121111334
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-18 13:04:08 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Launchpad 1809119 None None None 2018-12-19 14:11:06 UTC
OpenStack gerrit 626174 None None None 2018-12-19 14:11:51 UTC
OpenStack gerrit 626363 None None None 2018-12-20 06:57:15 UTC
Red Hat Product Errata RHBA-2019:0591 None None None 2019-03-18 13:04:16 UTC

Description Luis Tomas Bolivar 2018-12-19 14:11:06 UTC
When using the kuryr namespace isolation there is a need for modifying the rules created by Octavia at the LoadBalancer SG. However, in the case namespace isolation is not enabled there is no need to try to change them. And by default, a normal tenant is not able to modify them (for the amphora driver), leading to the next error:

2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 [-] Failed when creating security group rule to enable routes for listener test/demo:TCP:80.: NotFound: Security group 8a6d6559-ada4-4df0-abb0-b6780161378b does not exist
Neutron server returns request_ids: ['req-09e62506-87f8-4f8d-9328-c9ef8d39a773']
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 Traceback (most recent call last):
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/lbaasv2.py", line 228, in _extend_lb_security_group_rules
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 'description': listener.name,
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 989, in create_security_group_rule
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 return self.post(self.security_group_rules_path, body=body)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 359, in post
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 headers=headers, params=params)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 294, in do_request
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 self._handle_fault_response(status_code, replybody, resp)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 269, in _handle_fault_response
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 exception_handler_v20(status_code, error_body)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 93, in exception_handler_v20
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 request_ids=request_ids)
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 NotFound: Security group 8a6d6559-ada4-4df0-abb0-b6780161378b does not exist
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2 Neutron server returns request_ids: ['req-09e62506-87f8-4f8d-9328-c9ef8d39a773']
2018-12-19 11:32:52.765 1 ERROR kuryr_kubernetes.controller.drivers.lbaasv2

Comment 6 Itzik Brown 2019-03-04 11:45:32 UTC
Will verify when we have the proper image (https://bugzilla.redhat.com/show_bug.cgi?id=1673799)

Comment 9 Itzik Brown 2019-03-07 00:43:35 UTC
Checked with:
openstack-kuryr-kubernetes-controller-0.5.3-0.20190121111334.a895113.el7ost.noarch

Comment 11 errata-xmlrpc 2019-03-18 13:04:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0591


Note You need to log in before you can comment on or make changes to this bug.