[NEUTRON-78] SecurityGroupCRUD is not updated when a security rule is created/deleted Created: 29/Oct/15  Updated: 03/May/18  Resolved: 24/Mar/17

Status: Resolved
Project: neutron
Component/s: transcriber
Affects Version/s: master
Fix Version/s: None

Type: Bug
Reporter: Aswin Suryanarayanan Assignee: Isaku Yamahata
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 4550
Priority: High

 Description   

When a security rule is created after creating a security group, the security rule list in the security group object is not updated in the data store.

Steps to reproduce:
1. Create a security group
neutron security-group-create SG1 --description "SG1"
2. Add a rule to the security group
neutron security-group-rule-create --direction ingress --protocol udp --port-range-min 3333 --port-range-max 3333 --remote-ip-prefix 0.0.0.0/24 SG1

If the data store is checked, the newly added rule is missing in the Security Group Model.

Neutron DB
--------------

Security Group Table

id                                    name  security_group_rules
------------------------------------  ----  -----------------------------------------------------
44f759e7-79ae-46d6-ad59-a3c1446c82f1  SG1   egress, IPv4
                                            egress, IPv6
                                            ingress, IPv4, 3333/udp, remote_ip_prefix: 0.0.0.0/24

Security Rule Table

id                                    security_group  direction  ethertype  protocol/port  remote
------------------------------------  --------------  ---------  ---------  -------------  -----------------
2bf8a6cc-b40a-48d2-95f4-bd4a0953bb73  SG1             egress     IPv6       any            any
b2e168eb-c35a-419e-baf0-40eeb89e6b90  SG1             ingress    IPv4       3333/udp       0.0.0.0/24 (CIDR)
e491346d-a7dd-4c2a-8938-64163a00029e  SG1             egress     IPv4       any            any

In Data Store
---------------

Security Group Model

{
  "security-groups": {
    "security-group": [
      { "uuid": "44f759e7-79ae-46d6-ad59-a3c1446c82f1", "security-rules": [ "2bf8a6cc-b40a-48d2-95f4-bd4a0953bb73", "e491346d-a7dd-4c2a-8938-64163a00029e" ], "tenant-id": "27da8dfc-d61b-46ac-a5be-4533a4b7782c", "name": "SG1", "description": "SG1" }
    ]
  }
}

Security Rule Model
--------------------
{
  "security-rules": {
    "security-rule": [
      { "id": "2bf8a6cc-b40a-48d2-95f4-bd4a0953bb73", "security-group-id": "44f759e7-79ae-46d6-ad59-a3c1446c82f1", "tenant-id": "27da8dfc-d61b-46ac-a5be-4533a4b7782c", "ethertype": "neutron-constants:ethertype-v6", "direction": "neutron-constants:direction-egress" },
      { "id": "b2e168eb-c35a-419e-baf0-40eeb89e6b90", "security-group-id": "44f759e7-79ae-46d6-ad59-a3c1446c82f1", "remote-ip-prefix": "0.0.0.0/24", "ethertype": "neutron-constants:ethertype-v4", "port-range-max": 3333, "tenant-id": "27da8dfc-d61b-46ac-a5be-4533a4b7782c", "direction": "neutron-constants:direction-ingress", "port-range-min": 3333, "protocol": "neutron-constants:protocol-udp" },
      { "id": "e491346d-a7dd-4c2a-8938-64163a00029e", "security-group-id": "44f759e7-79ae-46d6-ad59-a3c1446c82f1", "tenant-id": "27da8dfc-d61b-46ac-a5be-4533a4b7782c", "ethertype": "neutron-constants:ethertype-v4", "direction": "neutron-constants:direction-egress" }
    ]
  }
}



 Comments   
Comment by Ravindra Kenchappa [ 28/Jan/16 ]

There is a workaround:

From Horizon, after adding a rule to the security group, the security group needs to be modified (modify the SG description). After this the ODL data store gets updated.

Without modifying the SG, if we associate it with a VM then the rules will not be available in the SG object and hence no flows get added.

Comment by Sam Hague [ 28/Jan/16 ]

Isaku, is there any idea why the mdsal does not update for this case?

Comment by Isaku Yamahata [ 31/Jan/16 ]

Sam, let me look into this.

Comment by Isaku Yamahata [ 01/Feb/16 ]

This is the result of the effort of transparent Neutron Northbound.
The change set of 906836c289a7e4c3d33669d90515d77e75cfb6da in ODL neutron caused it.

Basically the list of security group rules in the security group isn't updated.
Instead, the security group id in the security group rule should be checked.
In the long term, security group rules in security group would be deleted.
(And other similar relationships would be deleted.)

So what can ODL Neutron northbound do for Beryllium release?
At least I'm willing to provide a patch for ovsdb/netvirt.

Comment by Aswin Suryanarayanan [ 01/Feb/16 ]

If the plan is to permanently remove the attribute from SecurityGroup, I think we may change the logic in net-virt to use the security group id in the security rule.

Comment by Isaku Yamahata [ 03/Feb/16 ]

https://git.opendaylight.org/gerrit/#/c/33957/
https://git.opendaylight.org/gerrit/#/c/34003/

Do the above patches help?
Can you please give them a try?

Comment by Isaku Yamahata [ 13/Feb/16 ]

The patch for ovsdb/netvirt https://git.opendaylight.org/gerrit/#/c/34003/ was merged for Beryllium.

The patch for neutron targets Beryllium-SR1.

The patch for master (Boron) of neutron
https://git.opendaylight.org/gerrit/#/c/33957

The patch for Beryllium-SR1 of neutron
https://git.opendaylight.org/gerrit/#/c/34586
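
Added example (not part of the original issue and not OpenDaylight code): a consistency check that derives each group's rules from the security-group-id carried by every rule, as the comments above propose, and reports where the group's embedded security-rules list disagrees. The sample data is constructed from the JSON in the description, trimmed to the fields used; the function names are hypothetical, and the "stale" case covers the deletion side named in the title, which the description's data does not show.

```python
import json
from collections import defaultdict

# Constructed sample: the two datastore models from the issue description,
# trimmed to the fields this check reads.
SG1 = "44f759e7-79ae-46d6-ad59-a3c1446c82f1"
GROUPS = {"security-groups": {"security-group": [
    {"uuid": SG1, "name": "SG1", "security-rules": [
        "2bf8a6cc-b40a-48d2-95f4-bd4a0953bb73",
        "e491346d-a7dd-4c2a-8938-64163a00029e"]}]}}
RULES = {"security-rules": {"security-rule": [
    {"id": "2bf8a6cc-b40a-48d2-95f4-bd4a0953bb73", "security-group-id": SG1},
    {"id": "b2e168eb-c35a-419e-baf0-40eeb89e6b90", "security-group-id": SG1},
    {"id": "e491346d-a7dd-4c2a-8938-64163a00029e", "security-group-id": SG1}]}}


def rules_by_group(rules_doc):
    """Index rule ids by the security-group-id each rule carries."""
    index = defaultdict(set)
    for rule in rules_doc["security-rules"]["security-rule"]:
        index[rule["security-group-id"]].add(rule["id"])
    return index


def find_drift(groups_doc, rules_doc):
    """Return {group uuid: {"missing": [...], "stale": [...]}} for every
    group whose embedded rule list disagrees with the rule model.

    missing: rule exists for the group but is not in the group's list
             (rule created after the group was written).
    stale:   rule id is in the group's list but no such rule exists
             (rule deleted after the group was written).
    """
    index = rules_by_group(rules_doc)
    drift = {}
    for group in groups_doc["security-groups"]["security-group"]:
        listed = set(group.get("security-rules", []))
        actual = index.get(group["uuid"], set())
        if listed != actual:
            drift[group["uuid"]] = {"missing": sorted(actual - listed),
                                    "stale": sorted(listed - actual)}
    return drift


if __name__ == "__main__":
    print(json.dumps(find_drift(GROUPS, RULES), indent=2))
```

A consumer that reads only the group's list would skip every rule reported under "missing" and keep enforcing every rule reported under "stale".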
