Bug 1744235 - Security group rules for remote prefix/group do not enable traffic
Summary: Security group rules for remote prefix/group do not enable traffic
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-provider-ovn
Classification: oVirt
Component: provider
Version: 1.2.25
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ovirt-4.3.7
Target Release: 1.2.27
Assignee: Miguel Duarte Barroso
QA Contact: msheena
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-21 15:22 UTC by msheena
Modified: 2019-11-21 12:44 UTC (History)
8 users

Fixed In Version: ovirt-provider-ovn-1.2.27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-21 12:44:36 UTC
oVirt Team: Network
sbonazzo: ovirt-4.3?
pelauter: planning_ack+
dholler: devel_ack+
mburman: testing_ack+




Links
System       | ID     | Private | Priority | Status    | Summary                                                      | Last Updated
oVirt gerrit | 102728 | 0       | None     | MERGED    | security groups: fix ACL creation at ovn controller          | 2020-02-13 13:39:19 UTC
oVirt gerrit | 103031 | 0       | None     | ABANDONED | security groups: map the remote group id to the new naming scheme | 2020-02-13 13:39:19 UTC
oVirt gerrit | 103368 | 0       | None     | MERGED    | security groups: align mapping of sec. group/rule IDs        | 2020-02-13 13:39:19 UTC
oVirt gerrit | 103369 | 0       | None     | MERGED    | security groups: map the remote group ID when needed         | 2020-02-13 13:39:19 UTC

Description msheena 2019-08-21 15:22:55 UTC
======================
Description of problem
======================

===========
Scenario #1
===========
Given I have 2 OVN ports 'p_1', 'p_2' each attached to oVirt VMs and
    p_1 is member of a security group that is not the default group and
    there is a security group rule in that group allowing ingress traffic from
    the subnet prefix p_2 belongs to,
When I ping from p_2 to p_1 (meaning from the associated oVirt VMs),
Then the ping fails - although it is expected to succeed.

===========
Scenario #2
===========
Given I have 2 OVN ports 'p_1', 'p_2' each attached to oVirt VMs and
    p_1 is member of a security group 's_1' that is not the default group and
    p_2 is a member of a security group 's_2' that is not the default group
    and there is a security group rule in s_1 allowing ingress traffic from
    all members of s_2,
When I ping from p_2 to p_1 (meaning from the associated oVirt VMs),
Then the ping fails - although it is expected to succeed.

============================================================
Version-Release number of selected component (if applicable)
============================================================
ovirt-provider-ovn-1.2.25-1.el7ev.noarch

================
How reproducible
================
100%

Comment 2 msheena 2019-09-02 09:21:12 UTC
Failed QE on
============
ovirt-provider-ovn-1.2.26-1.el7ev.noarch
ovirt-engine-4.3.6.4-0.1.el7.noarch

Reason for failure
==================
Security group rules for 'remote_group_id' cannot be provisioned, since it seems the provider does not recognize existing security group IDs.
Example:

POST https://<FQDN>:9696/v2.0/security-group-rules
{
    "security_group_rule": {
        "remote_group_id": "087b9a9c-4e1e-4dc2-9b60-06e2e9785c88",
        "direction": "ingress",
        "protocol": "icmp",
        "ethertype": "IPv4",
        "security_group_id": "f1e3d72e-ef21-4e48-903d-3a10fc5a30b3"
    }
}
(087b9a9c-4e1e-4dc2-9b60-06e2e9785c88 is an existing security group UUID.)

Replied by:
{
  "error": {
    "message": "Security Group 087b9a9c-4e1e-4dc2-9b60-06e2e9785c88 does not exist",
    "code": 404,
    "title": "Not Found"
  }
}

Further notes
=============
The scenario for security group rules for remote_ip_prefix passed QE.
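The two scenarios in the report and the 404 in this comment all come down to one translation step: a Neutron-style security group rule has to become an OVN ACL whose match refers either to the literal prefix (remote_ip_prefix) or to the address set of the remote group (remote_group_id), and the remote group has to be resolvable at provisioning time. The following is an added example written for this page, not ovirt-provider-ovn's own code. The naming scheme (port group "pg_<id>", address set "<port group>_ipv4"/"_ipv6"), the priority 1002 and the allow-related action follow the networking-ovn convention and are assumptions; the two security group UUIDs are the ones from the request above and are used only as sample input.

```python
"""Illustrative translation of Neutron-style security-group rules into OVN
ACL match expressions (added example, not ovirt-provider-ovn code)."""
import ipaddress
import re

# Sample IDs taken from the request in comment 2 (used here only as input).
SG1 = "f1e3d72e-ef21-4e48-903d-3a10fc5a30b3"   # group holding the rule
SG2 = "087b9a9c-4e1e-4dc2-9b60-06e2e9785c88"   # remote group

# OVN port-group / address-set names must match this pattern, so the dashes
# of a Neutron UUID have to be rewritten before the ID can be used as a name.
# Naming scheme below ("pg_<id>", "<pg>_ipv4") is an assumption of this example.
OVN_NAME_RE = re.compile(r"^[a-zA-Z_.][a-zA-Z_.0-9]*$")


class UnknownSecurityGroup(LookupError):
    """A rule references a security group that has not been provisioned."""


def port_group_name(sg_id):
    name = "pg_" + sg_id.replace("-", "_")
    if not OVN_NAME_RE.match(name):
        raise ValueError(f"cannot derive an OVN name from {sg_id!r}")
    return name


def address_set_name(sg_id, ethertype):
    # Address set that OVN keeps in sync with the member ports' addresses.
    return f"{port_group_name(sg_id)}_{ethertype.lower()}"


def _l4_match(rule, ethertype):
    proto = rule.get("protocol")
    if proto is None:
        return []
    if proto == "icmp":
        return ["icmp4" if ethertype == "IPv4" else "icmp6"]
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    parts = [proto]
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is not None:
        hi = lo if hi is None else hi
        parts.append(f"{proto}.dst == {lo}" if lo == hi else f"{lo} <= {proto}.dst <= {hi}")
    return parts


def rule_to_acl(rule, known_group_ids):
    """Return the OVN ACL (direction, priority, action, match) for one rule."""
    sg_id = rule["security_group_id"]
    if sg_id not in known_group_ids:
        raise UnknownSecurityGroup(f"Security Group {sg_id} does not exist")
    ethertype = rule.get("ethertype", "IPv4")
    ip = "ip4" if ethertype == "IPv4" else "ip6"
    if rule["direction"] == "ingress":
        acl_dir, port_field, remote_field = "to-lport", "outport", f"{ip}.src"
    elif rule["direction"] == "egress":
        acl_dir, port_field, remote_field = "from-lport", "inport", f"{ip}.dst"
    else:
        raise ValueError(f"bad direction {rule['direction']!r}")
    parts = [f"{port_field} == @{port_group_name(sg_id)}", ip]
    prefix, remote_group = rule.get("remote_ip_prefix"), rule.get("remote_group_id")
    if prefix and remote_group:
        raise ValueError("remote_ip_prefix and remote_group_id are mutually exclusive")
    if prefix:
        # Scenario #1: match the literal subnet prefix.
        net = ipaddress.ip_network(prefix, strict=False)
        if (net.version == 4) != (ethertype == "IPv4"):
            raise ValueError(f"{prefix} does not match ethertype {ethertype}")
        parts.append(f"{remote_field} == {net}")
    elif remote_group:
        # Scenario #2: the remote group must resolve to an existing group,
        # otherwise the rule cannot be provisioned (the 404 seen above).
        if remote_group not in known_group_ids:
            raise UnknownSecurityGroup(f"Security Group {remote_group} does not exist")
        parts.append(f"{remote_field} == ${address_set_name(remote_group, ethertype)}")
    parts.extend(_l4_match(rule, ethertype))
    return {"direction": acl_dir, "priority": 1002, "action": "allow-related",
            "match": " && ".join(parts)}


def provisioning_error(rule, known_group_ids):
    """Message a provider would reply with, or None if the rule is accepted."""
    try:
        rule_to_acl(rule, known_group_ids)
    except UnknownSecurityGroup as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    icmp_from_sg2 = {"security_group_id": SG1, "remote_group_id": SG2,
                     "direction": "ingress", "protocol": "icmp", "ethertype": "IPv4"}
    print(rule_to_acl(icmp_from_sg2, {SG1, SG2})["match"])
    print(provisioning_error(icmp_from_sg2, {SG1}))  # remote group unknown
```

A practitioner can use the same shape to check a provider: create s_1 and s_2 through the v2.0 API, submit the rule with remote_group_id, and confirm that the reply is 201 rather than the 404 above and that an ACL whose match references the remote group's address set appears in the OVN northbound database.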

Comment 6 Michael Burman 2019-10-22 12:08:54 UTC
New provider wasn't shipped with 4.3.7, moving back to MODIFIED

Comment 7 msheena 2019-10-27 12:21:08 UTC
Verified on
===========
ovirt-engine-4.3.7.0-0.1.el7.noarch
ovirt-provider-ovn-1.2.27-1.el7ev.noarch

Comment 8 Sandro Bonazzola 2019-11-21 12:44:36 UTC
This bugzilla is included in oVirt 4.3.7 release, published on November 21st 2019.

Since the problem described in this bug report should be
resolved in oVirt 4.3.7 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

