OSPRH-10154 (Red Hat OpenStack Services on OpenShift)

[Neutron] security group logging for accepted traffic logs dropped traffic


    • Type: Bug
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: rhos-18.0.1, rhos-18.0.2
    • Component/s: openstack-neutron
    • Docs Impact: No Docs Impact
    • Release Note Type: Known Issue
    • Severity: Important
    • Release Note Text:

      .Security group logging erroneously logs some traffic

      The security group logging feature logs some dropped traffic even when you only configure it to log accepted traffic, and logs some accepted traffic even when you only configure it to log dropped traffic.

      The security group logging feature has a regression only on RHOSO as far as I know, noticed in recent weeks with the 18.0.1 compose.

      Test 'test_only_accepted_traffic_logged' failure reproduced on autohold with the downstream neutron component job [1].

      The test generates traffic that should be logged (icmp) and traffic that shouldn't be logged (ssh), yet the results contain both types of entries logged.

      This is the test code point of failure (line 574) [2], and the python traceback [3].

      I did set a breakpoint before the failure and verified using the openstack command that the only existing OSP log object is for the 'ACCEPT' type of traffic [4].
      I also verified the journal file directly ('/var/log/messages') on another test run, checked recent entries containing the 'acl_log' pattern, and the test entries for ssh/icmp were within a reasonable time frame of the same minute.

      Notice: the test failure was found only after applying test fix [5] to adjust for z1 feature/bug OSPRH-9248 [6], which logs neutron services into the journal on edpm nodes; this is the reason it took longer to notice this regression (it was hiding behind a failure that was due to a feature change).

      [1]

      https://gitlab.cee.redhat.com/ci-framework/ci-framework-jobs/-/blob/main/zuul.d/network-component-jobs-rhoso-18-rhel9.yaml#L36 

      https://sf.hosted.upshift.rdu2.redhat.com/logs/38/38/5f0de3b4a23af755325deef9303c1b6e46746305/check-gitlab-cee/component-network-edpm-rhel9-rhoso18.0-crc-mblue/bdb7961/controller/ci-framework-data/tests/test_operator/tempest-tests-single-thread-testing-workflow-step-0/stestr_results.html 

      [2]

      https://review.opendev.org/c/x/whitebox-neutron-tempest-plugin/+/927919/4/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py#L574 

      [3]

      whitebox_neutron_tempest_plugin.tests.scenario.test_security_group_logging.StatelessSecGroupLoggingTest.test_only_accepted_traffic_logged[id-2efc5a0c-859c-4a35-b658-52d323c46fef]
      ------------------------------------------------------------------------------
      Captured traceback:
      ~~~~~~~~~~~~~~~~~~~
          Traceback (most recent call last):
            File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py", line 926, in test_only_accepted_traffic_logged
              self._test_only_accepted_traffic_logged()
            File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/common/utils.py", line 264, in inner
              return f(*args, **kwargs)
            File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py", line 574, in _test_only_accepted_traffic_logged
              self.check_log_ssh(
            File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py", line 304, in check_log_ssh
              self._check_log(should_log, pattern, fail_msg, hypervisor_ssh)
            File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py", line 271, in _check_log
              self.assertNotRegex(
            File "/usr/lib64/python3.9/unittest/case.py", line 1327, in assertNotRegex
              raise self.failureException(msg)
          AssertionError: Regex matched: 'acl_log(ovn_pinctrl0)|INFO|name="neutron-14e202aa-f86c-47d7-b8cd-6c8d19740b3e", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:5f:7e:ab,nw_src=192.168.122.10,nw_dst=10.100.0.3,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,tp_src=54866,tp_dst=22' matches 'acl_log.*verdict=drop.*tcp.*tp_dst=22' in '
          Sep 12 10:15:30 np0002020644 ovn_controller[66666]: 2024-09-12T14:15:30Z|00108|acl_log(ovn_pinctrl0)|INFO|name="neutron-14e202aa-f86c-47d7-b8cd-6c8d19740b3e", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:5f:7e:ab,nw_src=192.168.122.10,nw_dst=10.100.0.3,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,tp_src=54866,tp_dst=22,tcp_flags=syn
          Sep 12 10:15:34 np0002020644 ovn_controller[66666]: 2024-09-12T14:15:34Z|00109|acl_log(ovn_pinctrl0)|INFO|name="neutron-14e202aa-f86c-47d7-b8cd-6c8d19740b3e", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:5f:7e:ab,nw_src=192.168.122.10,nw_dst=10.100.0.3,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,tp_src=54866,tp_dst=22,tcp_flags=syn
          Sep 12 10:17:44 np0002020644 ovn_controller[66666]: 2024-09-12T14:17:44Z|00112|acl_log(ovn_pinctrl0)|INFO|name="neutron-95447f60-f1a3-4435-8a18-81d3fe2fa007", verdict=allow, severity=info, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:db:08:b2,nw_src=192.168.122.10,nw_dst=10.100.0.6,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,icmp_type=8,icmp_code=0
          Sep 12 10:17:44 np0002020644 ovn_controller[66666]: 2024-09-12T14:17:44Z|00113|acl_log(ovn_pinctrl0)|INFO|name="neutron-95447f60-f1a3-4435-8a18-81d3fe2fa007", verdict=allow, severity=info, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:db:08:b2,dl_dst=fa:16:3e:da:73:74,nw_src=10.100.0.6,nw_dst=192.168.122.10,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0
          Sep 12 10:17:44 np0002020644 ovn_controller[66666]: 2024-09-12T14:17:44Z|00114|acl_log(ovn_pinctrl0)|INFO|name="neutron-95447f60-f1a3-4435-8a18-81d3fe2fa007", verdict=allow, severity=info, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:db:08:b2,nw_src=192.168.122.10,nw_dst=10.100.0.6,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,icmp_type=8,icmp_code=0
          Sep 12 10:17:44 np0002020644 ovn_controller[66666]: 2024-09-12T14:17:44Z|00115|acl_log(ovn_pinctrl0)|INFO|name="neutron-95447f60-f1a3-4435-8a18-81d3fe2fa007", verdict=allow, severity=info, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:db:08:b2,dl_dst=fa:16:3e:da:73:74,nw_src=10.100.0.6,nw_dst=192.168.122.10,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0' : ssh traffic should not be logged in tested log entries.

      [4]

      sh-5.1$ openstack network log list
      +--------------------------------------+---------+----------------------------------------------------------+----------------+---------------------------------------------------------------+
      | ID                                   | Enabled | Name                                                     | Type           | Summary                                                       |
      +--------------------------------------+---------+----------------------------------------------------------+----------------+---------------------------------------------------------------+
      | 352b26ae-5c5a-4ae0-ab85-be25e1fff16b | True    | tempest-StatelessSecGroupLoggingTest-test-log-1022024100 | security_group | Event: ACCEPT,                                                |
      |                                      |         |                                                          |                | Logged: (security_group) 9ae285ca-94f7-402f-ad1e-f8621e3624c7 |
      +--------------------------------------+---------+----------------------------------------------------------+----------------+---------------------------------------------------------------+

      [5]

      927919: Fix SGL tests log file for podified | https://review.opendev.org/c/x/whitebox-neutron-tempest-plugin/+/927919 

      [6] 

      https://issues.redhat.com/browse/OSPRH-9248 
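The failing test matches the raw journal with the regex 'acl_log.*verdict=drop.*tcp.*tp_dst=22'. A more general way to validate that security group logging honours its configuration is to parse each ovn-controller acl_log record and compare its verdict against the Event of the Neutron log object (ACCEPT, DROP or ALL) that is supposed to be active. The following is an added example, not code from the whitebox-neutron-tempest-plugin or from this issue; the acl_log line layout is taken from the traceback in [3], the sample journal lines are constructed (hostnames, PIDs, MACs, IPs and ACL names are made up), and the Event-to-verdict mapping is an assumption based on the 'Event: ACCEPT' column in [4].

```python
import re
from dataclasses import dataclass, field

# Matches the acl_log record that ovn-controller writes to the journal on an
# EDPM node (layout taken from the traceback in [3]); the syslog prefix and the
# OVN timestamp/sequence number before "acl_log(" are ignored.
ACL_LOG_RE = re.compile(
    r'acl_log\([^)]*\)\|INFO\|name="(?P<name>[^"]+)", verdict=(?P<verdict>\w+), '
    r'severity=(?P<severity>\w+), direction=(?P<direction>[\w-]+): '
    r'(?P<proto>\w+),(?P<fields>.*)$'
)

# Assumed mapping from a Neutron log object's "Event" to the OVN verdicts it
# should produce; anything outside this set is a logging-policy violation.
EVENT_TO_VERDICTS = {
    "ACCEPT": {"allow"},
    "DROP": {"drop"},
    "ALL": {"allow", "drop"},
}


@dataclass
class AclLogEntry:
    name: str        # OVN ACL name, e.g. neutron-<uuid>
    verdict: str     # "allow" or "drop"
    direction: str   # "to-lport" or "from-lport"
    proto: str       # "tcp", "udp", "icmp", ...
    fields: dict = field(default_factory=dict)  # remaining key=value flow fields


def parse_acl_log(line):
    """Parse one journal line; return an AclLogEntry, or None if it is not an acl_log record."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for kv in m.group("fields").split(","):
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value
    return AclLogEntry(m.group("name"), m.group("verdict"),
                       m.group("direction"), m.group("proto"), fields)


def unexpected_entries(lines, event):
    """Return acl_log entries whose verdict the configured log Event should never produce.

    With Event: ACCEPT, any verdict=drop record is evidence of the behaviour
    described in this issue.
    """
    expected = EVENT_TO_VERDICTS[event.upper()]
    return [e for e in map(parse_acl_log, lines)
            if e is not None and e.verdict not in expected]


def ssh_drop_entries(lines):
    """Narrow the check to what the failing test asserts on: dropped TCP to port 22."""
    return [e for e in map(parse_acl_log, lines)
            if e is not None and e.verdict == "drop"
            and e.proto == "tcp" and e.fields.get("tp_dst") == "22"]


# Constructed sample journal excerpt modelled on [3]: two dropped SSH SYNs and
# one ICMP echo request/reply pair, plus one unrelated ovn-controller line.
SAMPLE_JOURNAL = [
    'Sep 12 10:15:30 compute-0 ovn_controller[1234]: 2024-09-12T14:15:30Z|00108|acl_log(ovn_pinctrl0)|INFO|'
    'name="neutron-00000000-0000-4000-8000-000000000001", verdict=drop, severity=info, direction=to-lport: '
    'tcp,vlan_tci=0x0000,dl_src=fa:16:3e:00:00:01,dl_dst=fa:16:3e:00:00:02,nw_src=192.0.2.10,nw_dst=198.51.100.3,'
    'nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,tp_src=54866,tp_dst=22,tcp_flags=syn',
    'Sep 12 10:15:34 compute-0 ovn_controller[1234]: 2024-09-12T14:15:34Z|00109|acl_log(ovn_pinctrl0)|INFO|'
    'name="neutron-00000000-0000-4000-8000-000000000001", verdict=drop, severity=info, direction=to-lport: '
    'tcp,vlan_tci=0x0000,dl_src=fa:16:3e:00:00:01,dl_dst=fa:16:3e:00:00:02,nw_src=192.0.2.10,nw_dst=198.51.100.3,'
    'nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,tp_src=54866,tp_dst=22,tcp_flags=syn',
    'Sep 12 10:17:44 compute-0 ovn_controller[1234]: 2024-09-12T14:17:44Z|00112|acl_log(ovn_pinctrl0)|INFO|'
    'name="neutron-00000000-0000-4000-8000-000000000002", verdict=allow, severity=info, direction=to-lport: '
    'icmp,vlan_tci=0x0000,dl_src=fa:16:3e:00:00:01,dl_dst=fa:16:3e:00:00:03,nw_src=192.0.2.10,nw_dst=198.51.100.6,'
    'nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,icmp_type=8,icmp_code=0',
    'Sep 12 10:17:44 compute-0 ovn_controller[1234]: 2024-09-12T14:17:44Z|00113|acl_log(ovn_pinctrl0)|INFO|'
    'name="neutron-00000000-0000-4000-8000-000000000002", verdict=allow, severity=info, direction=from-lport: '
    'icmp,vlan_tci=0x0000,dl_src=fa:16:3e:00:00:03,dl_dst=fa:16:3e:00:00:01,nw_src=198.51.100.6,nw_dst=192.0.2.10,'
    'nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0',
    # A non-acl_log journal line, which the parser must skip.
    'Sep 12 10:17:45 compute-0 ovn_controller[1234]: 2024-09-12T14:17:45Z|00114|binding|INFO|Claiming lport',
]


if __name__ == "__main__":
    # With only an ACCEPT log object configured, the two drop records are reported.
    for entry in unexpected_entries(SAMPLE_JOURNAL, "ACCEPT"):
        print(f"unexpected {entry.verdict} for {entry.name}: {entry.proto} "
              f"{entry.fields.get('nw_src')} -> {entry.fields.get('nw_dst')}:{entry.fields.get('tp_dst')}")
```

Parsing the record instead of grepping it lets the same check run for DROP-only and ALL configurations, and keeps the flow fields (nw_src, nw_dst, tp_dst) available for correlating a stray entry with the traffic the test generated.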

            Assignee: Elvira Garcia (egarciar@redhat.com)
            Reporter: Maor Blaustein
            Squad: rhos-dfg-networking-squad-neutron