Bug 1744235
| Summary: | Security group rules for remote prefix/group do not enable traffic | ||
|---|---|---|---|
| Product: | [oVirt] ovirt-provider-ovn | Reporter: | msheena |
| Component: | provider | Assignee: | Miguel Duarte Barroso <mduarted> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | msheena |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 1.2.25 | CC: | bugs, danken, dholler, lsvaty, mburman, mduarted, pelauter, royoung |
| Target Milestone: | ovirt-4.3.7 | Keywords: | Automation, Rebase, Regression, ZStream |
| Target Release: | 1.2.27 | Flags: | sbonazzo: ovirt-4.3? pelauter: planning_ack+ dholler: devel_ack+ mburman: testing_ack+ |
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ovirt-provider-ovn-1.2.27 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-21 12:44:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Network | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Failed QE on
============
ovirt-provider-ovn-1.2.26-1.el7ev.noarch
ovirt-engine-4.3.6.4-0.1.el7.noarch
Reason for failure
==================
Security group rules for 'remote_group_id' cannot be provisioned, since it seems the provider does not recognize existing security group IDs.
example:
POST https://<FQDN>:9696/v2.0/security-group-rules
{
    "security_group_rule": {
        "remote_group_id": "087b9a9c-4e1e-4dc2-9b60-06e2e9785c88", // existing security group UUID
        "direction": "ingress",
        "protocol": "icmp",
        "ethertype": "IPv4",
        "security_group_id": "f1e3d72e-ef21-4e48-903d-3a10fc5a30b3"
    }
}
Replied by:
{
    "error": {
        "message": "Security Group 087b9a9c-4e1e-4dc2-9b60-06e2e9785c88 does not exist",
        "code": 404,
        "title": "Not Found"
    }
}
Further notes
=============
The scenario for security group rules for remote_ip_prefix passed QE.

New provider wasn't shipped with 4.3.7, moving back to MODIFIED

Verified on
===========
ovirt-engine-4.3.7.0-0.1.el7.noarch
ovirt-provider-ovn-1.2.27-1.el7ev.noarch

This bugzilla is included in oVirt 4.3.7 release, published on November 21st 2019.

Since the problem described in this bug report should be resolved in oVirt 4.3.7 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

======================
Description of problem
======================

===========
Scenario #1
===========
Given I have 2 OVN ports 'p_1', 'p_2' each attached to oVirt VMs
and p_1 is a member of a security group that is not the default group
and there is a security group rule in that group allowing ingress traffic from the subnet prefix p_2 belongs to,
When I ping from p_2 to p_1 (meaning from the associated oVirt VMs),
Then the ping fails - although it is expected to succeed.

===========
Scenario #2
===========
Given I have 2 OVN ports 'p_1', 'p_2' each attached to oVirt VMs
and p_1 is a member of a security group 's_1' that is not the default group
and p_2 is a member of a security group 's_2' that is not the default group
and there is a security group rule in s_1 allowing ingress traffic from all members of s_2,
When I ping from p_2 to p_1 (meaning from the associated oVirt VMs),
Then the ping fails - although it is expected to succeed.

============================================================
Version-Release number of selected component (if applicable)
============================================================
ovirt-provider-ovn-1.2.25-1.el7ev.noarch

================
How reproducible
================
100%
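
The expected outcome of the two scenarios above, modelled as an added example (not code from ovirt-provider-ovn or from this report): a default-deny evaluator for ingress security group rules that honours `remote_ip_prefix` and `remote_group_id`. The port IPs, the 10.0.0.0/24 subnet, the short group names and the helper names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data modelling the two scenarios in the description.
# Port names follow the report; IPs, subnet and group ids are assumptions.
PORTS = {
    "p_1": {"ip": "10.0.0.11", "groups": {"s_1"}},
    "p_2": {"ip": "10.0.0.12", "groups": {"s_2"}},
}

def rule_matches(rule, src_port, protocol, ethertype="IPv4"):
    """True if one ingress rule admits traffic sent by src_port."""
    if rule["direction"] != "ingress" or rule["ethertype"] != ethertype:
        return False
    # A rule without a protocol applies to every protocol.
    if rule.get("protocol") not in (None, protocol):
        return False
    prefix = rule.get("remote_ip_prefix")
    group = rule.get("remote_group_id")
    if prefix is not None:  # scenario 1: source address inside the prefix
        return ipaddress.ip_address(src_port["ip"]) in ipaddress.ip_network(prefix)
    if group is not None:   # scenario 2: source port is a member of the group
        return group in src_port["groups"]
    return True             # no remote restriction: any source

def ingress_allowed(dst, src, protocol, rules, ports=PORTS):
    """Default deny: allowed only if a rule of one of dst's groups matches."""
    dst_port, src_port = ports[dst], ports[src]
    return any(
        rule["security_group_id"] in dst_port["groups"]
        and rule_matches(rule, src_port, protocol)
        for rule in rules
    )

def icmp_rule(group, **remote):
    """Build an ingress ICMP/IPv4 rule shaped like the request body above."""
    return {"security_group_id": group, "direction": "ingress",
            "protocol": "icmp", "ethertype": "IPv4", **remote}

SCENARIO_1 = [icmp_rule("s_1", remote_ip_prefix="10.0.0.0/24")]
SCENARIO_2 = [icmp_rule("s_1", remote_group_id="s_2")]

if __name__ == "__main__":
    for name, rules in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        print(name, "p_2 -> p_1 icmp allowed:",
              ingress_allowed("p_1", "p_2", "icmp", rules))
```

Both scenarios evaluate to allowed in this model, which is the result the report expects from the ping; the rule grants nothing in the reverse direction or for other protocols.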