Bug 1695452 - Unable to install new flows on compute nodes when having broken security group rules
Keywords:
Status: CLOSED EOL
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Bernard Cafarelli
QA Contact: Roee Agiman
URL:
Whiteboard:
Depends On: 1695450 1695451
Blocks:
Reported: 2019-04-03 06:53 UTC by Slawek Kaplonski
Modified: 2019-04-03 12:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1695451
Environment:
Last Closed: 2019-04-03 12:16:49 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Launchpad 1813007 0 None None None 2019-04-03 06:53:36 UTC
OpenStack gerrit 648102 0 None None None 2019-04-03 12:16:49 UTC

Description Slawek Kaplonski 2019-04-03 06:53:36 UTC
+++ This bug was initially created as a clone of Bug #1695451 +++

+++ This bug was initially created as a clone of Bug #1695450 +++

It appears that we have found that neutron-openvswitch-agent appears to have a bug where two security group rules that have two different port ranges that overlap tied to the same parent security group will cause neutron to not be able to configure networks on the compute nodes where those security groups are present.
Those are the broken security rules: https://pastebin.canonical.com/p/wSy8RSXt85/
Here is the log when we discovered the issue: https://pastebin.canonical.com/p/wvFKjNWydr/

It affects only openvswitch firewall driver.

Backports proposed U/S: https://review.openstack.org/#/q/I17ab643abbd2ec21eda4ae1dfb9abf2d4b0657f2
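
An added example, not part of the bug report or of the Neutron code: a Python check that lists pairs of rules in the same security group whose different port ranges overlap, which is the condition the description names, so affected groups can be found before the agent hits them. The dictionaries use Neutron's security group rule field names; the sample rules and IDs are constructed, and grouping by direction, ethertype and protocol is an assumption.

```python
from collections import defaultdict
from itertools import combinations

# Protocols whose port_range_min/max are L4 ports (for ICMP they hold type/code).
PORT_PROTOCOLS = {"tcp", "udp", "sctp", "6", "17", "132"}


def _rule(rule_id, sg_id, protocol, low, high):
    """Build a constructed sample rule with Neutron's field names."""
    return {"id": rule_id, "security_group_id": sg_id, "direction": "ingress",
            "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": low, "port_range_max": high}


# Constructed sample data; IDs and ports are made up for illustration.
SAMPLE_RULES = [
    _rule("rule-a", "sg-1", "tcp", 1000, 2000),
    _rule("rule-b", "sg-1", "tcp", 1500, 2500),   # overlaps rule-a
    _rule("rule-c", "sg-1", "tcp", 3000, 3000),   # disjoint
    _rule("rule-d", "sg-1", "udp", 1500, 1600),   # other protocol
    _rule("rule-e", "sg-2", "tcp", 1500, 2500),   # other security group
    _rule("rule-f", "sg-2", "icmp", 8, None),     # not a port range
]


def port_span(rule):
    """Return (low, high); an unset bound is treated as the full port range."""
    low, high = rule.get("port_range_min"), rule.get("port_range_max")
    return (1 if low is None else low, 65535 if high is None else high)


def overlapping_rule_pairs(rules):
    """Return (sg_id, rule_id_a, rule_id_b) for each pair of rules in one
    security group whose port ranges differ but overlap."""
    buckets = defaultdict(list)
    for rule in rules:
        proto = str(rule.get("protocol") or "").lower()
        if proto in PORT_PROTOCOLS:
            key = (rule["security_group_id"], rule["direction"],
                   rule["ethertype"], proto)
            buckets[key].append(rule)
    found = []
    for key, group in buckets.items():
        for a, b in combinations(group, 2):
            (a_lo, a_hi), (b_lo, b_hi) = port_span(a), port_span(b)
            if (a_lo, a_hi) != (b_lo, b_hi) and a_lo <= b_hi and b_lo <= a_hi:
                found.append((key[0], a["id"], b["id"]))
    return found
```
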

