Hello James, or anyone else affected,

Accepted neutron into stein-proposed. The package will build now and be
available in the Ubuntu Cloud Archive in a few hours, and then in the
-proposed repository.

Please help us by testing this new package. To enable the -proposed
repository:

  sudo add-apt-repository cloud-archive:stein-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-stein-needed to verification-stein-done. If it does
not fix the bug for you, please add a comment stating that, and change
the tag to verification-stein-failed. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: cloud-archive/stein
       Status: Confirmed => Fix Committed

** Tags added: verification-stein-needed

** Description changed:

  [Impact]
  OpenStack deployments using the OVS firewall driver are broken when remote 
security groups are used due to a regression caused by bug 1854131.
  
  [Test Case]
  Deploy OpenStack (using charms)
  Follow reproduction steps as detailed in bug 1862703
+ # create bastion-sec-grp to allow ssh from anywhere
+ openstack security group create bastion-sec-grp
+ openstack security group rule create --ethertype=IPv4 --protocol tcp 
--remote-ip 0.0.0.0/0 --ingress --dst-port=22 bastion-sec-grp
+ 
+ # create application-sec-grp
+ openstack security group create application-sec-grp
+ 
+ # Allow ssh to egress from the bastion group to the application group
+ openstack security group rule create --ethertype=IPv4 --protocol tcp 
--remote-group application-sec-grp --egress --dst-port=22 bastion-sec-grp
+ 
+ # Allow ssh to ingress to the application group from the bastion group
+ openstack security group rule create --ethertype=IPv4 --protocol tcp 
--remote-group bastion-sec-grp --ingress --dst-port=22 application-sec-grp
+ 
+ # create servers and associate with security groups
+ openstack server create --wait --image rhel7 --flavor small --security-group 
bastion-sec-grp bastion-server
+ openstack server create --wait --image rhel7 --flavor small --security-group 
application-sec-grp application-server
+ 
+ After boot, bastion-server and application-server are landed on
+ different HVs and we can ssh to bastion-server but cannot ssh to
+ application-server from there. Neutron debug log from application-
+ server's HV shows:
+ 
+ 2020-02-05 22:57:05,825 DEBUG
+ [neutron.agent.linux.openvswitch_firewall.firewall]
+ /opt/openstack/venv/neutron/lib/python2.7/site-
+ 
packages/neutron/agent/linux/openvswitch_firewall/firewall.py:_build_addr_conj_id_map:297
+ No member for SG <BASTION_SEC_GRP_ID>
  
  [Regression Potential]
  Low - the fix is upstream across multiple releases and resolves a previous 
regression in functionality.
  
  [Original Bug Report]
  Remote security groups are broken in the UCA Rocky and Stein versions of 
Neutron.
  
  The broken patch was introduced in LP #1854131 and fixed in LP #1862703.
  
  The relevant fixed has landed in Neutron 13.0.7 for Rocky¹.
  
  The relevant fixed landed in Neutron 14.1.0-37 for Stein², alternatively
  the specific fix is available here:
  
  
https://github.com/openstack/neutron/commit/4193c6ca0e0165a2bcc7a11eee775df15019e755
  
  The Queens version of Neutron currently in UCA (12.1.0) doesn't appear
  to have the bad patch from #1854131 in it.
  
  We ran into this while upgrading a customer cloud and it caused several
  hours of VM connectivity downtime while we diagnosed it.  Please upgrade
  Neutron in the Ubuntu Cloud Archive to have this fix available for at
  least Rocky and Stein.
  
  I realise Rocky is no longer supported, but given that the supported
  upgrade path from Queens is via Rocky, I think it needs fixed there too.
  
  ¹ https://docs.openstack.org/releasenotes/neutron/rocky.html
  ² https://docs.openstack.org/releasenotes/neutron/stein.html
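
Review bot: the added [Test Case] steps end at the failure symptom (ssh from bastion-server to application-server fails, with "No member for SG <BASTION_SEC_GRP_ID>" in the debug log) and never state the expected result on the fixed package. Suggest adding a closing line with the pass criterion, for example that ssh from bastion-server to application-server succeeds once the -proposed neutron is installed, so that verification-stein-done is set against a stated outcome. The placement of the two servers on different HVs appears only as an observation after boot; stating it as a precondition of the reproduction would help testers.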

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1877797

Title:
  Neutron remote security group does not work in UCA Rocky and Stein -
  fixed upstream

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1877797/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
