Neutron remote security group does not work in UCA Rocky and Stein - fixed upstream
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Cloud Archive | Fix Released | Critical | Unassigned |
Rocky | Fix Released | Critical | Unassigned |
Stein | Fix Released | Critical | Unassigned |
Train | Fix Released | Critical | Unassigned |
Ussuri | Fix Released | Critical | Unassigned |
neutron (Ubuntu) | Fix Released | Critical | James Page |
Eoan | Fix Released | Critical | Unassigned |
Focal | Fix Released | Critical | Unassigned |
Groovy | Fix Released | Critical | James Page |
Bug Description
[Impact]
OpenStack deployments using the OVS firewall driver are broken when remote security groups are used due to a regression caused by bug 1854131.
[Test Case]
Deploy OpenStack (using charms)
Follow reproduction steps as detailed in bug 1862703
```shell
# create bastion-sec-grp to allow ssh from anywhere
openstack security group create bastion-sec-grp
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-ip 0.0.0.0/0 --ingress --dst-port=22 bastion-sec-grp
# create application-sec-grp
openstack security group create application-sec-grp
# Allow ssh to egress from the bastion group to the application group
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-group application-sec-grp --egress --dst-port=22 bastion-sec-grp
# Allow ssh to ingress to the application group from the bastion group
openstack security group rule create --ethertype=IPv4 --protocol tcp --remote-group bastion-sec-grp --ingress --dst-port=22 application-sec-grp
# create servers and associate with security groups
openstack server create --wait --image rhel7 --flavor small --security-group bastion-sec-grp bastion-server
openstack server create --wait --image rhel7 --flavor small --security-group application-sec-grp application-server
```
After boot, bastion-server and application-server land on different HVs and we can ssh to bastion-server but cannot ssh to application-server from there. Neutron debug log from application-
2020-02-05 22:57:05,825 DEBUG [neutron.
[Regression Potential]
Low - the fix is upstream across multiple releases and resolves a previous regression in functionality.
[Original Bug Report]
Remote security groups are broken in the UCA Rocky and Stein versions of Neutron.
The broken patch was introduced in LP #1854131 and fixed in LP #1862703.
The relevant fix has landed in Neutron 13.0.7 for Rocky¹.
The relevant fix landed in Neutron 14.1.0-37 for Stein²; alternatively, the specific fix is available here:
https:/
The Queens version of Neutron currently in UCA (12.1.0) doesn't appear to have the bad patch from #1854131 in it.
We ran into this while upgrading a customer cloud and it caused several hours of VM connectivity downtime while we diagnosed it. Please upgrade Neutron in the Ubuntu Cloud Archive to have this fix available for at least Rocky and Stein.
I realise Rocky is no longer supported, but given that the supported upgrade path from Queens is via Rocky, I think it needs to be fixed there too.
¹ https:/
² https:/
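The [Test Case] above relies on a property of remote-group rules that the reproduction does not spell out: a rule created with `--remote-ip` matches a fixed CIDR, whereas a rule created with `--remote-group` matches whatever fixed IPs the referenced group's ports currently have, so the firewall driver on every hypervisor has to resolve that membership before the rule can admit a single packet. The model below is an added example, not Neutron's own code or the OVS firewall driver: it resolves the three rules from the test case to concrete CIDRs and evaluates the connections the test case checks. The server addresses, the third `other-sec-grp` server and the dataclass field names are constructed for the example; the "unresolved" scenario simply shows what an agent that knows no remote-group membership would enforce, and is not a claim about the root cause of the regression.

```python
"""Added example (not Neutron's code): a small model of what a remote-group
security rule has to resolve to before it can admit a packet, evaluated
against the reproduction in the [Test Case] above.

A --remote-ip rule matches a fixed CIDR. A --remote-group rule matches the
current fixed IPs of every port in the referenced group, so the firewall
driver on each hypervisor has to know that membership; if it does not, the
rule expands to nothing and the traffic is dropped, which is what the test
case observes (ssh from bastion-server to application-server fails).
Addresses and the third server are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    direction: str                    # "ingress" or "egress"
    ethertype: str = "IPv4"
    protocol: Optional[str] = None    # None = any protocol
    port_min: Optional[int] = None    # None = any destination port
    port_max: Optional[int] = None
    remote_ip: Optional[str] = None   # CIDR, used when remote_group is None
    remote_group: Optional[str] = None


@dataclass(frozen=True)
class Port:
    name: str
    ip: str                           # constructed fixed IPv4 address
    groups: frozenset                 # security group names on the port


# Neutron creates every new security group with two allow-all egress rules.
DEFAULT_EGRESS = (Rule("egress", "IPv4"), Rule("egress", "IPv6"))
SSH = dict(protocol="tcp", port_min=22, port_max=22)


def security_groups() -> Dict[str, List[Rule]]:
    """The rules created by the test case, plus the per-group defaults."""
    return {
        "bastion-sec-grp": [
            *DEFAULT_EGRESS,
            Rule("ingress", remote_ip="0.0.0.0/0", **SSH),
            Rule("egress", remote_group="application-sec-grp", **SSH),
        ],
        "application-sec-grp": [
            *DEFAULT_EGRESS,
            Rule("ingress", remote_group="bastion-sec-grp", **SSH),
        ],
        "other-sec-grp": list(DEFAULT_EGRESS),   # constructed: defaults only
    }


def membership(ports: List[Port]) -> Dict[str, Set[str]]:
    """Group name -> fixed IPs of its current member ports."""
    m: Dict[str, Set[str]] = {}
    for p in ports:
        for g in p.groups:
            m.setdefault(g, set()).add(p.ip)
    return m


def remote_cidrs(rule: Rule, members: Dict[str, Set[str]]) -> List[str]:
    """Concrete CIDRs a rule matches. A remote-group rule becomes one /32 per
    member; unknown or empty membership yields [] and the rule matches nothing."""
    if rule.remote_group is None:
        return [rule.remote_ip or "0.0.0.0/0"]
    return sorted(f"{ip}/32" for ip in members.get(rule.remote_group, set()))


def permits(port: Port, groups: Dict[str, List[Rule]], members: Dict[str, Set[str]],
            direction: str, protocol: str, dport: int, remote_ip: str) -> bool:
    """Security groups are allow-lists: any matching rule admits the flow."""
    for g in port.groups:
        for r in groups[g]:
            if r.direction != direction or r.ethertype != "IPv4":
                continue
            if r.protocol not in (None, protocol):
                continue
            if r.port_min is not None and not r.port_min <= dport <= r.port_max:
                continue
            if any(ip_address(remote_ip) in ip_network(c) for c in remote_cidrs(r, members)):
                return True
    return False


def tcp_allowed(ports: List[Port], groups: Dict[str, List[Rule]], members: Dict[str, Set[str]],
                src: str, dst: str, dport: int) -> bool:
    """A connection needs egress on the source port AND ingress on the destination."""
    by_name = {p.name: p for p in ports}
    s, d = by_name[src], by_name[dst]
    return (permits(s, groups, members, "egress", "tcp", dport, d.ip)
            and permits(d, groups, members, "ingress", "tcp", dport, s.ip))


def run_test_case() -> Dict[str, object]:
    groups = security_groups()
    ports = [
        Port("bastion-server", "10.0.0.10", frozenset({"bastion-sec-grp"})),
        Port("application-server", "10.0.0.20", frozenset({"application-sec-grp"})),
        Port("other-server", "10.0.0.30", frozenset({"other-sec-grp"})),
    ]
    resolved = membership(ports)            # what a correctly working agent knows
    unresolved: Dict[str, Set[str]] = {}    # an agent that learned no remote members
    app_ingress = groups["application-sec-grp"][2]
    return {
        "ssh_to_bastion_from_internet": permits(ports[0], groups, resolved, "ingress", "tcp", 22, "203.0.113.7"),
        "ssh_bastion_to_app": tcp_allowed(ports, groups, resolved, "bastion-server", "application-server", 22),
        "ssh_other_to_app": tcp_allowed(ports, groups, resolved, "other-server", "application-server", 22),
        "http_bastion_to_app": tcp_allowed(ports, groups, resolved, "bastion-server", "application-server", 80),
        "ssh_bastion_to_app_unresolved": tcp_allowed(ports, groups, unresolved, "bastion-server", "application-server", 22),
        "app_ingress_rule_expands_to": remote_cidrs(app_ingress, resolved),
    }


if __name__ == "__main__":
    for name, value in run_test_case().items():
        print(f"{name}: {value}")
```

Two points the model makes visible: the bastion's explicit `--egress --remote-group application-sec-grp` rule is redundant, because the default egress rules on a new group already allow everything out, so the rule that actually decides the test case is the application group's ingress rule; and that rule only admits the bastion once its membership has been resolved to `10.0.0.10/32`, which on a multi-hypervisor deployment means every agent hosting an application-sec-grp port has to learn about a port on a different hypervisor.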
summary: |
- UCA rocky neutron-openvswitch-agent has a bug which causes VM connectivity problems during Rocky upgrade (to get to Stein)
+ Neutron remote security group does not work in UCA Rocky and Stein - fixed upstream |
description: | updated |
description: | updated |
Changed in neutron (Ubuntu): | |
assignee: | nobody → James Page (james-page) |
importance: | Undecided → Critical |
no longer affects: | cloud-archive/queens |
Changed in neutron (Ubuntu Groovy): | |
status: | New → Fix Released |
Changed in neutron (Ubuntu Focal): | |
status: | New → Fix Released |
Changed in neutron (Ubuntu Eoan): | |
status: | New → Triaged |
importance: | Undecided → Critical |
Changed in neutron (Ubuntu Focal): | |
importance: | Undecided → Critical |
description: | updated |
Subscribed ~field-high due to network outages on upgrade.