Public bug reported:

The ovn-controller log plugin in Neutron appears to incorrectly associate log entries when security groups are used across different projects. When VMs in different projects (and domains) each have their own security groups and log objects, the log output from ovn-controller shows traffic to both VMs under the same log object, instead of segregating them by their correct log objects.

### How to Reproduce

1. Create two projects in different domains, e.g.:
   * `project-a` in `domain-a`
   * `project-b` in `domain-b`
2. In each project:
   * Create a security group (e.g., `sg-a` in `project-a`, `sg-b` in `project-b`)
   * Launch a VM (e.g., `vm-a` and `vm-b`)
   * Assign the respective security group to the VM
3. In each project:
   * Create a Neutron log object that tracks traffic for the corresponding security group (i.e., one for `sg-a`, one for `sg-b`)
4. Generate some network traffic involving both VMs (e.g., incoming pings or TCP traffic to the VMs)

---

### Observed Behavior

* The `ovn-controller` logs show destination IPs for both `vm-a` and `vm-b`
* However, all log entries are being attributed to only one of the Neutron log objects, despite being from different security groups and different projects/domains

---

### Expected Behavior

* Each log object should capture only the traffic related to the security group and project it is associated with
* Traffic logs should not be cross-associated or merged across different log objects, projects, or domains

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2110087

Title:
  OVN log plugin merges log records from different log objects across projects

Status in neutron:
  New
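One way to confirm the observed behavior from captured ovn-controller output, as an added example that is not part of the bug report or of Neutron's code: it flags ACL log entries whose VM-side IP belongs to a different log object, and lists log objects that never appear. The `name="neutron-..."` line layout, the log names and the IP addresses are assumptions and constructed sample data.

```python
import re

NAME = re.compile(r'name="([^"]+)"')
DIRECTION = re.compile(r'direction=(to-lport|from-lport)')
ADDR = re.compile(r'\b(nw_src|nw_dst)=([0-9.]+)')

def vm_side_ip(line):
    """IP of the logged port: nw_src for from-lport (egress), otherwise nw_dst."""
    addrs = dict(ADDR.findall(line))
    d = DIRECTION.search(line)
    return addrs.get("nw_src" if d and d.group(1) == "from-lport" else "nw_dst")

def audit(lines, expected):
    """expected maps ACL log name -> set of port IPs in that log object's
    security group. Returns (misattributed, silent): entries logged under a
    name that does not own the VM-side IP, and expected names never seen."""
    owner = {ip: name for name, ips in expected.items() for ip in ips}
    seen, bad = set(), []
    for line in lines:
        m = NAME.search(line)
        ip = vm_side_ip(line)
        if "acl_log" not in line or not m or ip is None:
            continue
        name = m.group(1)
        seen.add(name)
        if name in expected and ip not in expected[name]:
            bad.append((name, ip, owner.get(ip)))
    return bad, sorted(set(expected) - seen)

# Constructed sample: hypothetical log names and addresses for vm-a and vm-b.
LOG_A, LOG_B = "neutron-log-a", "neutron-log-b"
EXPECTED = {LOG_A: {"10.0.1.10"}, LOG_B: {"10.0.2.20"}}
PREFIX = "2025-05-07T10:00:0%d.000Z|0001%d|acl_log(ovn_pinctrl0)|INFO|"
FLOW = ('name="%s", verdict=allow, severity=info, direction=to-lport: '
        "icmp,vlan_tci=0x0000,nw_src=192.0.2.7,nw_dst=%s,icmp_type=8")
SAMPLE = [
    PREFIX % (1, 1) + FLOW % (LOG_A, "10.0.1.10"),  # vm-a under its own log object
    PREFIX % (2, 2) + FLOW % (LOG_A, "10.0.2.20"),  # vm-b under log-a: the reported symptom
]

if __name__ == "__main__":
    misattributed, silent = audit(SAMPLE, EXPECTED)
    print("misattributed:", misattributed)
    print("log objects with no entries:", silent)
```
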