OS::Neutron::Port doesn't work because default value of security_groups property is always set.

Bug #1271112 reported by Ryo Miki
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Heat
Fix Released
Medium
Thomas Herve

Bug Description

[[ Issue ]]

OS::Neutron::Port resource has security_groups property that default value is [].
When firewall_driver option in Neutron is
'neutron.agent.firewall.NoopFirewallDriver', we cannot create any
OS::Neutron::Port via Heat (cause 400 error).

[[ Reproduce ]]

1. Set NoopFirewallDriver in firewall_driver at Neutron (e.g. using ovsdriver)

vim /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini

> [securitygroup]
> firewall_driver = neutron.agent.firewall.NoopFirewallDriver

2. Restart Neutron server to update config

3. Create a port with Heat

devstack@heat-test-env:~/template$ cat port.template
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Parameters": {
    "network_id" : {
      "Type" : "String"
    }
  },
  "Resources" : {
    "Port1": {
      "Type": "OS::Neutron::Port",
      "Properties": {
        "network_id": {"Ref": "network_id"}
      }
    }
  }
}

devstack@heat-test-env:~/nohin/heat_templates$ neutron net-list
+--------------------------------------+---------+-------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+---------+-------------------------------------------------------+
| 4f71a420-9461-49db-a165-6d7dd52d93ee | private | b8f6c423-8eaa-4499-951d-6921e64f805f 10.0.0.0/24 |
| c7cb47d6-4687-4f81-b4c2-8efea4965607 | public | 40a5451a-ada0-44ac-852d-0b72847c41f8 192.168.1.192/26 |
+--------------------------------------+---------+-------------------------------------------------------+
devstack@heat-test-env:~/template$ heat stack-create stack1 -f port.template -P "network_id=4f71a420-9461-49db-a165-6d7dd52d93ee"
+--------------------------------------+------------+--------------------+----------------------+
| id | stack_name | stack_status | creation_time |
+--------------------------------------+------------+--------------------+----------------------+
| 59defb70-7390-49e9-b796-42bdb62b653b | stack1 | CREATE_IN_PROGRESS | 2014-01-21T07:01:45Z |
+--------------------------------------+------------+--------------------+----------------------+
devstack@heat-test-env:~/template$ heat stack-list
+--------------------------------------+------------+---------------+----------------------+
| id | stack_name | stack_status | creation_time |
+--------------------------------------+------------+---------------+----------------------+
| 59defb70-7390-49e9-b796-42bdb62b653b | stack1 | CREATE_FAILED | 2014-01-21T07:01:45Z |
+--------------------------------------+------------+---------------+----------------------+
devstack@heat-test-env:~/nohin/heat_templates$ heat stack-show stack1
+----------------------+-------------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------------------+-------------------------------------------------------------------------------------------------------------------------------+
| capabilities | [] |
| creation_time | 2014-01-21T07:01:45Z |
| description | No description |
| disable_rollback | True |
| id | 59defb70-7390-49e9-b796-42bdb62b653b |
| links | http://192.168.10.99:8004/v1/5734982aa2604a5babe5c355cb7b0512/stacks/stack1/59defb70-7390-49e9-b796-42bdb62b653b |
| notification_topics | [] |
| parameters | { |
| | "network_id": "4f71a420-9461-49db-a165-6d7dd52d93ee", |
| | "AWS::StackId": "arn:openstack:heat::5734982aa2604a5babe5c355cb7b0512:stacks/stack1/59defb70-7390-49e9-b796-42bdb62b653b", |
| | "AWS::Region": "ap-southeast-1", |
| | "AWS::StackName": "stack1" |
| | } |
| stack_name | stack1 |
| stack_status | CREATE_FAILED |
| stack_status_reason | Resource create failed: NeutronClientException: |
| | Unrecognized attribute(s) 'security_groups' |
| template_description | No description |
| timeout_mins | 60 |
| updated_time | 2014-01-21T07:01:45Z |
+----------------------+-------------------------------------------------------------------------------------------------------------------------------+

[[ IMO ]]

I think the problem is that the resource always sends
security_groups option as []. If it didn't specified at the template, this
option should be omitted and not send to neutronclient.

Thomas Herve (therve)
Changed in heat:
assignee: nobody → Thomas Herve (therve)
milestone: none → icehouse-3
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/68073

Changed in heat:
status: New → In Progress
Thomas Herve (therve)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/68073
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=7362805a2834905d00bb0eeb16ece9d4d889516b
Submitter: Jenkins
Branch: master

commit 7362805a2834905d00bb0eeb16ece9d4d889516b
Author: Thomas Herve <email address hidden>
Date: Tue Jan 21 11:47:09 2014 +0100

    Don't pass empty security groups in port creation

    Skip the security_groups argument when the list is empty, as it can
    break some neutron extensions not supporting security groups.

    Change-Id: I970af48953d91182401f67f2483add51485a6f48
    Closes-Bug: #1271112

Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: icehouse-3 → 2014.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.