  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-18774

[18.0][OVN] Security group logging info is not updated when rules are modified from a different project


    • Neutron Sprint 19
    • 1
    • Moderate

      Description of problem:

      Security group logging info is not updated when rules are modified from a different project

      Version-Release number of selected component (if applicable):

      How reproducible:
      Execute:
      [stack@undercloud-0 tempest_17.1]$ tempest run -r "StatefulSecGroupLoggingTest.test_only_accepted_traffic_logged"
      public endpoint for orchestration service in regionOne region not found
      public endpoint for orchestration service in regionOne region not found
      > /home/stack/plugins/tempest_neutron_plugin/neutron_plugin/tests/scenario/test_security_group_logging.py(535)_test_only_accepted_traffic_logged()
      -> self.start_track_log(vm_a['hv_ssh_client'])
      (Pdb)

      ....

      > /home/stack/plugins/tempest_neutron_plugin/neutron_plugin/tests/scenario/test_security_group_logging.py(535)_test_only_accepted_traffic_logged()
      -> self.start_track_log(vm_a['hv_ssh_client'])
      (Pdb)

      And then do:

      417 openstack security group rule list tempest-type-security-group-1906751901
      418 openstack security group rule delete 02f449d6-081e-4930-a087-d08c22b9e9df
      419 openstack security group rule create --proto icmp tempest-type-security-group-1906751901

      and the rule is created without logging enabled

      [root@controller-1 tripleo-admin]# ovn-nbctl find acl | grep "pg_ea8aafc4_14f2_4042_820d_8e618e2ff092" -A 6 -B 6
      _uuid : d5a98aa3-36eb-4299-a935-6efc509a3538
      action : allow-related
      direction : from-lport
      external_ids : {"neutron:security_group_rule_id"="45673bbc-b30d-4c66-b1ab-afa4507e263c"}
      label : 277170777
      log : true
      match : "inport == @pg_ea8aafc4_14f2_4042_820d_8e618e2ff092 && ip4"
      meter : acl_log_meter
      name : neutron-0285642f-55fc-45f3-9d16-63ed6f2099ca
      options : {log-related="true"}
      priority : 1002
      severity : info
      tier : 0

      _uuid : afa2ebc3-fd73-4296-a24a-2cf523159fa7
      action : allow-related
      direction : from-lport
      external_ids : {"neutron:security_group_rule_id"="662d2e06-9587-4e43-a999-f32e931de0cd"}
      label : 3909475224
      log : true
      match : "inport == @pg_ea8aafc4_14f2_4042_820d_8e618e2ff092 && ip6"
      meter : acl_log_meter
      name : neutron-0285642f-55fc-45f3-9d16-63ed6f2099ca
      options : {log-related="true"}
      priority : 1002
      severity : info
      tier : 0

      _uuid : 6657ec5a-8366-473b-9881-5d4c8d9e0418
      action : allow-related
      direction : to-lport
      external_ids : {"neutron:security_group_rule_id"="0e055b66-3571-42c0-97b3-abe79663b79b"}
      label : 0
      log : false
      match : "outport == @pg_ea8aafc4_14f2_4042_820d_8e618e2ff092 && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
      meter : []
      name : []
      options : {}
      priority : 1002
      severity : []
      tier : 0

      ....

      The problem is that log objects for other projects aren't logged.
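A check for the symptom shown above, as an added example (not part of the original report and not Neutron or OVN code): it parses `ovn-nbctl find acl` output and flags ACLs with `log : false` inside a port group where other ACLs have logging enabled. The function names and the trimmed sample are constructed here; treating a mixed port group as a logging gap is an assumption based on the listing in this report.

```python
import re
from collections import defaultdict

# Constructed sample in `ovn-nbctl find acl` record format, trimmed to the
# columns this check needs; the values follow the listing in this report.
SAMPLE = '''\
_uuid               : d5a98aa3-36eb-4299-a935-6efc509a3538
external_ids        : {"neutron:security_group_rule_id"="45673bbc-b30d-4c66-b1ab-afa4507e263c"}
log                 : true
match               : "inport == @pg_ea8aafc4_14f2_4042_820d_8e618e2ff092 && ip4"

_uuid               : 6657ec5a-8366-473b-9881-5d4c8d9e0418
external_ids        : {"neutron:security_group_rule_id"="0e055b66-3571-42c0-97b3-abe79663b79b"}
log                 : false
match               : "outport == @pg_ea8aafc4_14f2_4042_820d_8e618e2ff092 && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
'''

FIELD_RE = re.compile(r"^[ \t]*(\w+)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)
PG_RE = re.compile(r"@(pg_[0-9a-f_]+)")  # port group referenced in `match`
RULE_RE = re.compile(r'"neutron:security_group_rule_id"="([0-9a-f-]+)"')


def parse_acls(text):
    """Split blank-line separated records into {column: value} dicts."""
    acls = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(m.groups() for m in FIELD_RE.finditer(block))
        if rec:
            acls.append(rec)
    return acls


def unlogged_in_logged_groups(acls):
    """Return (port_group, rule_id) for each ACL with log != true that sits
    in a port group where at least one other ACL has log == true."""
    by_pg = defaultdict(list)
    for acl in acls:
        for pg in set(PG_RE.findall(acl.get("match", ""))):
            by_pg[pg].append(acl)
    gaps = []
    for pg, members in sorted(by_pg.items()):
        if any(a.get("log") == "true" for a in members):
            for a in members:
                if a.get("log") != "true":
                    m = RULE_RE.search(a.get("external_ids", ""))
                    # Fall back to the ACL row UUID if no Neutron rule id is set.
                    gaps.append((pg, m.group(1) if m else a.get("_uuid")))
    return gaps
```

Feeding it the full output of `ovn-nbctl find acl` on a controller lists every security group rule whose ACL would produce no log entries even though its security group has logging enabled.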

              egarciar@redhat.com Elvira Garcia
              jira-bugzilla-migration RH Bugzilla Integration
              Maor Blaustein Maor Blaustein
              rhos-dfg-networking-squad-neutron