[NEUTRON-116] Null values received on neutron security-group-rule-delete and security-group-delete Created: 09/Mar/16  Updated: 19/Oct/17  Resolved: 03/Aug/16

Status: Resolved
Project: neutron
Component/s: neutron-spi
Affects Version/s: Multiple
Fix Version/s: None

Type: Bug
Reporter: Tomas Cechvala Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Attachments: Text File command sequence.txt     Text File error_in_log.txt     Text File mikita-beryllium_karaflog.log     Text File mikita-master_karaflog.log     Text File mikita-master_karaflog_patch33957.log     File testing_sg.pcap    
External issue ID: 5478
Priority: Highest

 Description   

The problem occur when working with liberty devstack.

How to reproduce:

1)
create a security-group
remove one of it's default rule

neutron security-group-create sg1
neutron security-group-rule-delete <uuid> # one of the dafault rules

When deleting neutron security group rules, NeutronSecurityRule object is null in neutronSecurityRuleDeleted method.

2)
create a security-group
remove the security-group (securityRules list will contain null values)

neutron security-group-create sg1
neutron security-group-delete sg1

This also happens when deleting security groups. Security rules in NeutronSecurityGroup object are also null in neutronSecurityGroupDeleted method.



 Comments   
Comment by Tomas Cechvala [ 09/Mar/16 ]

on #2
securityRules in NeutronSecurityGroup is a list with null values in it.

Comment by Isaku Yamahata [ 10/Mar/16 ]

This seems like related to https://bugs.opendaylight.org/show_bug.cgi?id=4550

So can you please try
https://git.opendaylight.org/gerrit/#/c/33957

For Boron, the direction is to delete securitygroup::securitygrouprules because
it's backpointer instead of maintaining data integrity.
https://git.opendaylight.org/gerrit/#/c/35837/
The patch isn't ready for merge yet, though.

Comment by Isaku Yamahata [ 12/Mar/16 ]

The patch was merged into master branch.
The expected result is

  • on I*Aware interface, security-group:security-rules should be populated.
  • on MD-SAL model, security-group:security-rules is always [] (empty list).

If your code is using MD-SAL, you need to listen to data change notification of security rules in addition to security-group rules. and check security-rule:security-group-id.

In boron cycle, security-group:security-rules will be deleted.
https://git.opendaylight.org/gerrit/#/c/35837/

Comment by Tomas Cechvala [ 15/Mar/16 ]

Attachment command sequence.txt has been added with description: Devstack commands

Comment by Tomas Cechvala [ 15/Mar/16 ]

Attachment mikita-beryllium_karaflog.log has been added with description: karaf.log

Comment by Tomas Cechvala [ 15/Mar/16 ]

Attachment mikita-master_karaflog.log has been added with description: karaf.log

Comment by Tomas Cechvala [ 15/Mar/16 ]

Attachment mikita-master_karaflog_patch33957.log has been added with description: karaf log

Comment by Tomas Cechvala [ 15/Mar/16 ]

I'm not quite sure if I follow, let me attach karaf.log for more info.
Neutron mapper was set on trace.
log:set TRACE org.opendaylight.groupbasedpolicy.neutron.mapper

When removing a security-group, it’s rules are missing in NeutronSecurityGroup object. Please notice canDeleteNeutronSecurityGroup message
in master:
securityRules=[]
in beryllium:
securityRules=[null, null]

When removing just a rule, it comes to us as null. Please notice canDeleteNeutronSecurityRule. It behaves the same in master and beryllium.

Unfortunately patch https://git.opendaylight.org/gerrit/#/c/33957 didn't change this behavior.

Comment by Isaku Yamahata [ 15/Mar/16 ]

what version of networking-odlare you using?

Does it include the merged patch into master?
https://review.openstack.org/#/c/281621/

Can you please provide the packet capture between networking-odl and ODL?

Comment by Isaku Yamahata [ 15/Mar/16 ]

With Beryllium, did you apply the patch to beryllium branch?
the log doesn't seem so.

Can you please check it?

Comment by Isaku Yamahata [ 15/Mar/16 ]

For beryllium, the proposed patch is found at
https://git.opendaylight.org/gerrit/#/c/34586

Comment by Dileep Ranganathan [ 19/Mar/16 ]

Patch for handling the default rules associated with a security group
https://git.opendaylight.org/gerrit/#/c/36466/

Comment by Tomas Cechvala [ 21/Mar/16 ]

The problem still persits,

I checked out neutron beryllium patch https://git.opendaylight.org/gerrit/#/c/34586

Networking-odl master patch was included as well
https://review.openstack.org/#/c/281621/

I'm not sure if packet capture can get us closer, but i'm going to attach it.
Is there a package for which setting log to TRACE would help? Were you gents able to replicate this with GBP?

The following features should be installed
odl-groupbasedpolicy-neutronmapper
odl-restconf
and log set to trace
log:set TRACE org.opendaylight.groupbasedpolicy.neutron.mapper

Comment by Tomas Cechvala [ 21/Mar/16 ]

What i've tried

neutron net-create net1 (just to test logging)
neutron security-group-create sg1
neutron security-group-delete sg1 (no rules in NeutronSecurityGroup object and no other notification about removing the rules)
neutron security-group-create sg2
neutron security-group-rule-list (to find one of defaults for sg2)
neutron security-group-rule-delete <rule_uuid> (NeutronSecurityRule object is null)

logs looks the same as before.

Comment by Tomas Cechvala [ 21/Mar/16 ]

192.168.50.1 - ODL, 192.168.50.20 - Devstack Control Node

Comment by Tomas Cechvala [ 21/Mar/16 ]

Attachment testing_sg.pcap has been added with description: Wireshark capture on devstack-control

Comment by Isaku Yamahata [ 21/Mar/16 ]

Thanks, the remaining issues is null as NeutornSecurityRule.
There are

  • one patches for boron,
  • two patches for stable/beryllium(will be SR2)
  • one patch for networking-odl mitaka.

details:

It will be addressed by the following patch.
https://git.opendaylight.org/gerrit/#/c/36467/
This is for master branch.(and also picked for beryllium SR2)
There is an issue for networking-odl that it doesn't send request to create/delete default rules on group creation/deletion.
It is being addressed now.
https://review.openstack.org/#/c/294451/
The fix will goes in networking-odl Mitaka

As stable/beryllium which support liberty, the work around patch will be needed.
The patch is at
https://git.opendaylight.org/gerrit/#/c/36466/

Comment by Tomas Cechvala [ 23/Mar/16 ]

I've tested mitaka-boron with

neutron patch (already in master):
https://git.opendaylight.org/gerrit/#/c/36467/

networking-odl patch:
https://review.openstack.org/#/c/294451/

I don't recommend to merge networking-odl patch. An exception occurred in ODL everytime security-group was created (neutron security-group-create sg-name). Please, see error message.

I tried to test again but without networking-odl patch.
The only difference is that no notification came to ODL when default security-group-rule was removed.

Comment by Tomas Cechvala [ 23/Mar/16 ]

Attachment error_in_log.txt has been added with description: error after neutron security-group-create sg123

Comment by Tomas Cechvala [ 30/Mar/16 ]

I've just tested again with
https://review.openstack.org/#/c/294451/
https://review.openstack.org/#/c/294423/
and everything seem to be working, thanks.

Comment by Isaku Yamahata [ 30/Mar/16 ]

@Tomas, thank you for test.
Once those patches are merged, let's close it.

Comment by Isaku Yamahata [ 03/Aug/16 ]

As it's tested and there is no further comments. let's close this.
If there is anything, feel free to re-open this.

Generated at Wed Feb 07 20:25:36 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.