-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
rhos-18.0.1, rhos-18.0.2
-
None
-
False
-
-
False
-
?
-
No Docs Impact
-
?
-
?
-
Yes
-
-
Known Issue
-
Done
-
Automated
-
-
-
Rejected
-
Important
The security group logging feature has a regression only on RHOSO afaik, noticed in recent week with 18.0.1 compose.
Test 'test_only_accepted_traffic_logged' failure reproduced on autohold with downstream neutron component job [1].
The test generates traffic that should be logged (icmp) and that shouldn't be logged (ssh), yet results contain both type of entries logged.
This is the test code point of failure (line 574) [2], and python traceback [3].
I did set a breakpoint before failure and verified using openstack command that the only existing OSP log object is for 'ACCEPT' type of traffic [4].
Also verified journal file directly '/var/log/messages' on another test run, checked recent 'acl_log' pattern containing entries, the test entries for ssh/icmp were within reasonable time frame of same minute.
Notice: test failure was found only after applying test fix [5] to adjust for z1 feature/bug OSPRH-9248 [6] to log neutron services into journal on edpm nodes, this is the reason it took longer to notice this regression (since it was hiding behind a failure which was due to a feature change).
[1]
[2]
[3]
whitebox_neutron_tempest_plugin.tests.scenario.test_security_group_logging.StatelessSecGroupLoggingTest.test_only_accepted_traffic_logged[id-2efc5a0c-859c-4a35-b658-52d323c46fef] ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Captured traceback: ~~~~~~~~~~~~~~~~~~~ Traceback (most recent call last): File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py", line 926, in test_only_accep ted_traffic_logged self._test_only_accepted_traffic_logged() File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/common/utils.py", line 264, in inner return f(*args, **kwargs) File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py", line 574, in _test_only_acce pted_traffic_logged self.check_log_ssh( File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py", line 304, in check_log_ssh self._check_log(should_log, pattern, fail_msg, hypervisor_ssh) File "/var/lib/tempest/external-plugins/.venv/lib64/python3.9/site-packages/whitebox_neutron_tempest_plugin/tests/scenario/test_security_group_logging.py", line 271, in _check_log self.assertNotRegex( File "/usr/lib64/python3.9/unittest/case.py", line 1327, in assertNotRegex raise self.failureException(msg) AssertionError: Regex matched: 'acl_log(ovn_pinctrl0)|INFO|name="neutron-14e202aa-f86c-47d7-b8cd-6c8d19740b3e", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:5f:7e:ab,nw_src=192.168.122.10,nw_dst=10.100.0.3,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,tp_src=54866,tp_dst=22' matches 'acl_log.*verdict=drop.*tcp.*tp_dst=22' in 'Sep 12 10:15:30 np0002020644 ovn_controller[66666]: 2024-09-12T14:15:30Z|00108|acl_log(ovn_pinctrl0)|INFO|name="neutron-14e202aa-f86c-47d7-b8cd-6c8d19740b3e", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:5f:7e:ab,nw_src=192.168.122.10,nw_dst=10.100.0.3,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,tp_src=54866,tp_dst=22,tcp_flags=syn\nSep 12 10:15:34 np0002020644 ovn_controller[66666]: 2024-09-12T14:15:34Z|00109|acl_log(ovn_pinctrl0)|INFO|name="neutron-14e202aa-f86c-47d7-b8cd-6c8d19740b3e", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:5f:7e:ab,nw_src=192.168.122.10,nw_dst=10.100.0.3,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,tp_src=54866,tp_dst=22,tcp_flags=syn\nSep 12 10:17:44 np0002020644 ovn_controller[66666]: 2024-09-12T14:17:44Z|00112|acl_log(ovn_pinctrl0)|INFO|name="neutron-95447f60-f1a3-4435-8a18-81d3fe2fa007", verdict=allow, severity=info, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:db:08:b2,nw_src=192.168.122.10,nw_dst=10.100.0.6,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,icmp_type=8,icmp_code=0\nSep 12 10:17:44 np0002020644 ovn_controller[66666]: 2024-09-12T14:17:44Z|00113|acl_log(ovn_pinctrl0)|INFO|name="neutron-95447f60-f1a3-4435-8a18-81d3fe2fa007", verdict=allow, severity=info, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:db:08:b2,dl_dst=fa:16:3e:da:73:74,nw_src=10.100.0.6,nw_dst=192.168.122.10,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0\nSep 12 10:17:44 np0002020644 ovn_controller[66666]: 2024-09-12T14:17:44Z|00114|acl_log(ovn_pinctrl0)|INFO|name="neutron-95447f60-f1a3-4435-8a18-81d3fe2fa007", verdict=allow, severity=info, direction=to-lport: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:da:73:74,dl_dst=fa:16:3e:db:08:b2,nw_src=192.168.122.10,nw_dst=10.100.0.6,nw_tos=0,nw_ecn=0,nw_ttl=61,nw_frag=no,icmp_type=8,icmp_code=0\nSep 12 10:17:44 np0002020644 ovn_controller[66666]: 2024-09-12T14:17:44Z|00115|acl_log(ovn_pinctrl0)|INFO|name="neutron-95447f60-f1a3-4435-8a18-81d3fe2fa007", verdict=allow, severity=info, direction=from-lport: icmp,vlan_tci=0x0000,dl_src=fa:16:3e:db:08:b2,dl_dst=fa:16:3e:da:73:74,nw_src=10.100.0.6,nw_dst=192.168.122.10,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0' : ssh traffic should not be logged in tested log entries.
[4]
sh-5.1$ openstack network log list +--------------------------------------+---------+----------------------------------------------------------+----------------+---------------------------------------------------------------+ | ID | Enabled | Name | Type | Summary | +--------------------------------------+---------+----------------------------------------------------------+----------------+---------------------------------------------------------------+ | 352b26ae-5c5a-4ae0-ab85-be25e1fff16b | True | tempest-StatelessSecGroupLoggingTest-test-log-1022024100 | security_group | Event: ACCEPT, | | | | | | Logged: (security_group) 9ae285ca-94f7-402f-ad1e-f8621e3624c7 | +--------------------------------------+---------+----------------------------------------------------------+----------------+---------------------------------------------------------------+
[5]
927919: Fix SGL tests log file for podified | https://review.opendev.org/c/x/whitebox-neutron-tempest-plugin/+/927919
[6]