[Bug 1839477] Re: Firewall group stuck in PENDING_UPDATE
Triveni Gurram
1839477 at bugs.launchpad.net
Tue Apr 21 13:30:13 UTC 2020
** Changed in: neutron-fwaas (Ubuntu)
Assignee: (unassigned) => Triveni Gurram (triveni12)
https://bugs.launchpad.net/bugs/1839477
Title:
Firewall group stuck in PENDING_UPDATE
Status in neutron-fwaas package in Ubuntu:
Confirmed
Bug description:
neutron-common 2:14.0.2-0ubuntu1~cloud0
neutron-fwaas-common 1:14.0.0-0ubuntu1~cloud0
neutron-plugin-ml2 2:14.0.2-0ubuntu1~cloud0
neutron-server 2:14.0.2-0ubuntu1~cloud0
python3-neutron 2:14.0.2-0ubuntu1~cloud0
python3-neutron-dynamic-routing 2:14.0.0-0ubuntu1~cloud0
python3-neutron-fwaas 1:14.0.0-0ubuntu1~cloud0
python3-neutron-lbaas 2:14.0.0-0ubuntu1~cloud0
python3-neutron-lib 1.25.0-0ubuntu1~cloud0
When adding or removing a port to a firewall group it remains stuck in pending_update state and any update operation fails with:
ERROR neutron_lib.callbacks.manager [req-3acdfb35-f2d6-428d-a367-0a84d6df126a d090c19794dd4f27b08deab6713bd4ac b7b614bf32a64c7d8dfc0994f9c1dc7d - a1effaa626284677ade0fbe3e85c59bd a1effaa626284677ade0fbe3e85c59bd] Error during notification for neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2.handle_update_port--9223372036854603287 port, after_update: neutron_lib.exceptions.firewall_v2.FirewallGroupInPendingState: Operation cannot be performed since associated firewall group 41f281cb-5ffd-4c0b-998f-86804825c2f6 is in PENDING_UPDATE.
Steps to reproduce:
openstack firewall group set --ingress-firewall-policy 036a0d73-f34e-43f7-87a5-c264b918af41 --egress-firewall-policy eb09e58c-683d-4a9d-8aca-c765b94f8d69 2f3f2dc5-2903-4151-af30-219065ee664e
openstack firewall group show 2f3f2dc5-2903-4151-af30-219065ee664e
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| Description | |
| Egress Policy ID | eb09e58c-683d-4a9d-8aca-c765b94f8d69 |
| ID | 2f3f2dc5-2903-4151-af30-219065ee664e |
| Ingress Policy ID | 036a0d73-f34e-43f7-87a5-c264b918af41 |
| Name | test-fw1 |
| Ports | [] |
| Project | 8ca4fc0104ba4b72aeaf3e2a70f43519 |
| Shared | False |
| State | UP |
| Status | INACTIVE |
| project_id | 8ca4fc0104ba4b72aeaf3e2a70f43519 |
+-------------------+--------------------------------------+
openstack port show 524f3c08-ce81-4d18-b5c8-508b7762ca1d
+-----------------------+-------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-------------------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | vcd41021 |
| binding_profile | |
| binding_vif_details | bridge_name='br-int', datapath_type='system', ovs_hybrid_plug='False', port_filter='True' |
| binding_vif_type | ovs |
| binding_vnic_type | normal |
| created_at | 2019-08-08T12:49:49Z |
| data_plane_status | None |
| description | |
| device_id | 1a2d060c-5860-4cc8-b294-c30cdc4a9489 |
| device_owner | compute:AZ3 |
| dns_assignment | fqdn='test2.openstack.voith.eu1.lan.', hostname='test2', ip_address='192.168.1.21' |
| dns_domain | |
| dns_name | test2 |
| extra_dhcp_opts | |
| fixed_ips | ip_address='192.168.1.21', subnet_id='b783270c-6e5b-462d-a501-078b1a152bc6' |
| id | 524f3c08-ce81-4d18-b5c8-508b7762ca1d |
| mac_address | fa:16:3e:66:98:49 |
| name | |
| network_id | cd2a6db6-a1b7-492c-9f30-fc8d3cec9c90 |
| port_security_enabled | True |
| project_id | 8ca4fc0104ba4b72aeaf3e2a70f43519 |
| qos_policy_id | None |
| revision_number | 4 |
| security_group_ids | 695e60b0-5877-481d-aa35-5ca06b9ce528 |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| updated_at | 2019-08-08T12:49:56Z |
+-----------------------+-------------------------------------------------------------------------------------------+
openstack firewall group set --port 524f3c08-ce81-4d18-b5c8-508b7762ca1d 2f3f2dc5-2903-4151-af30-219065ee664e
openstack firewall group show 2f3f2dc5-2903-4151-af30-219065ee664e
+-------------------+------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------+
| Description | |
| Egress Policy ID | eb09e58c-683d-4a9d-8aca-c765b94f8d69 |
| ID | 2f3f2dc5-2903-4151-af30-219065ee664e |
| Ingress Policy ID | 036a0d73-f34e-43f7-87a5-c264b918af41 |
| Name | test-fw1 |
| Ports | ['524f3c08-ce81-4d18-b5c8-508b7762ca1d'] |
| Project | 8ca4fc0104ba4b72aeaf3e2a70f43519 |
| Shared | False |
| State | UP |
| Status | PENDING_UPDATE |
| project_id | 8ca4fc0104ba4b72aeaf3e2a70f43519 |
+-------------------+------------------------------------------+
From a functional perspective the firewall rules are not working
either and we can see traffic allowed on 192.168.1.21:22 i.e.
We can't update the firewall either:
openstack firewall group set --port bbce83fa-d03f-433c-9dfe-2b72e4d1151c 2f3f2dc5-2903-4151-af30-219065ee664e
Failed to set firewall group '2f3f2dc5-2903-4151-af30-219065ee664e': Operation cannot be performed since associated firewall group 2f3f2dc5-2903-4151-af30-219065ee664e is in PENDING_UPDATE.
Neutron server returns request_ids: ['req-8cfe982a-8b15-47da-b290-079c4cad9c30']
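A monitoring check for the failure mode reported above, added here as an example (not part of the bug report or of neutron-fwaas): it takes successive polls of firewall group records and flags groups that stay in a PENDING_* status past a threshold, together with the ports attached to them. The record keys are assumed to match the `openstack firewall group show` fields in the report; the function name, threshold and poll times are constructed.

```python
from datetime import datetime, timedelta

PENDING = {"PENDING_CREATE", "PENDING_UPDATE", "PENDING_DELETE"}

def stuck_groups(snapshots, max_pending=timedelta(minutes=5)):
    """Return groups that have stayed in a PENDING_* status for >= max_pending.

    snapshots: chronological list of (poll_time, [group records]); record keys
    ("ID", "Status", "Ports") are assumed to match the CLI fields in the report.
    """
    pending_since = {}  # group ID -> poll time at which the pending run began
    stuck = {}
    for when, groups in snapshots:
        stuck = {}  # only the verdict for the latest poll is returned
        current = {g["ID"]: g for g in groups}
        # Forget groups that were deleted or that left the pending state.
        for gid in list(pending_since):
            if gid not in current or current[gid]["Status"] not in PENDING:
                del pending_since[gid]
        for gid, g in current.items():
            if g["Status"] not in PENDING:
                continue
            since = pending_since.setdefault(gid, when)
            if when - since >= max_pending:
                # Per the report, rules were not applied to these ports.
                stuck[gid] = {"status": g["Status"],
                              "pending_for": when - since,
                              "ports": list(g.get("Ports") or [])}
    return stuck

# Constructed polls reusing the group and port IDs from the report.
GROUP = "2f3f2dc5-2903-4151-af30-219065ee664e"
PORT = "524f3c08-ce81-4d18-b5c8-508b7762ca1d"
T0 = datetime(2019, 8, 8, 13, 0, 0)

def rec(status, ports):
    return {"ID": GROUP, "Name": "test-fw1", "Status": status, "Ports": ports}

SAMPLE = [
    (T0, [rec("INACTIVE", [])]),
    (T0 + timedelta(minutes=1), [rec("PENDING_UPDATE", [PORT])]),
    (T0 + timedelta(minutes=4), [rec("PENDING_UPDATE", [PORT])]),
    (T0 + timedelta(minutes=9), [rec("PENDING_UPDATE", [PORT])]),
]

if __name__ == "__main__":
    for gid, info in stuck_groups(SAMPLE).items():
        print(f"{gid} {info['status']} for {info['pending_for']}; "
              f"attached ports: {', '.join(info['ports']) or 'none'}")
```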