[Bug 1881157] Re: [OVS][FW] Remote SG IDs left behind when a SG is removed

Launchpad Bug Tracker 1881157 at bugs.launchpad.net
Tue Sep 22 11:18:13 UTC 2020 

** Merge proposal linked:
   https://code.launchpad.net/~chris.macnaughton/ubuntu/+source/neutron/+git/neutron/+merge/391122

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1881157

Title:
  [OVS][FW] Remote SG IDs left behind when a SG is removed

Status in Ubuntu Cloud Archive:
  Fix Committed
Status in Ubuntu Cloud Archive queens series:
  New
Status in Ubuntu Cloud Archive stein series:
  New
Status in Ubuntu Cloud Archive train series:
  New
Status in Ubuntu Cloud Archive ussuri series:
  Fix Released
Status in Ubuntu Cloud Archive victoria series:
  Fix Committed
Status in neutron:
  New
Status in neutron package in Ubuntu:
  Fix Committed
Status in neutron source package in Bionic:
  New
Status in neutron source package in Focal:
  Fix Released
Status in neutron source package in Groovy:
  Fix Committed

Bug description:
  When any port in the OVS agent is using a SG, is marked to be deleted.
  This deletion process is done in [1].

  The SG deletion process consists on removing any reference of this SG
  from the firewall and the SG port map. The firewall removes this SG in
  [2].

  The information of a SG is stored in:
  - ConjIPFlowManager.conj_id_map = ConjIdMap(). This class stores the conjunction IDS (conj_ids) in a dictionary using the following keys:
    ConjIdMap.id_map[(sg_id, remote_sg_id, direction, ethertype, conj_ids)] = conj_id_XXX

  - ConjIPFlowManager.conj_ids is a nested dictionary, built in the following way:
    self.conj_ids[vlan_tag][(direction, ethertype)][remote_sg_id] = set([conj_id_1, conj_id_2, ...])

  When a SG is removed, this reference should be deleted both from
  "conj_id_map" and "conj_ids". From "conj_id_map" is correctly removed
  in [3]. But from "conj_ids" is not being deleted properly. Instead of
  the current logic, what we should do is to walk through the nested
  dictionary and remove any entry with "remote_sg_id" == "sg_id" (<-- SG
  ID to be removed).

  The current implementation leaves some "remote_sg_id" in the nested dictionary "conj_ids". That could cause:
  - A memory leak in the OVS agent, storing in memory those unneeded remote SG.
  - A increase in the complexity of the OVS rules, adding those unused SG (actually the conj_ids related to those SG)
  - A security breach between SGs if the conj_ids left in an unused SG is deleted and reused again (the FW stores the unused conj_ids to be recycled in later rules).

  
  [1]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L731
  [2]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L399
  [3]https://github.com/openstack/neutron/blob/118930f03d31f157f8c7a9e6c57122ecea8982b9/neutron/agent/linux/openvswitch_firewall/firewall.py#L296

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1881157/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list