Nova client produces a wrong exception when user tries to boot an instance without specific network UUID

Bug #1364344 reported by Nir Magnezi
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | melanie witt |

Bug Description

Description of problem:
=======================
python-novaclient produces a wrong exception when a user tries to boot an instance without a specific network UUID.
The issue will only reproduce when an external network is shared with the tenant, but not created from within it (I created it in admin tenant).

Version-Release:
================
python-novaclient-2.17.0-2

How reproducible:
=================
Always

Steps to Reproduce:
===================
1. Have 2 tenants (admin + additional tenant would do).
2. In tenant A (admin), Create a network and mark it as both shared and external.
3. In tenant B, Create a network which is not shared or external.
4. Boot an instance within tenant B (I tested this via CLI), do not use the --nic option.

Actual results:
===============
DEBUG (shell:783) It is not allowed to create an interface on external network 49d0cb8a-2631-4308-89c4-cac502ef0bad (HTTP 403) (Request-ID: req-caacfa72-82f8-492a-8ce2-9476be8f3e0c)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 780, in main
    OpenStackComputeShell().main(map(strutils.safe_decode, sys.argv[1:]))
  File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 716, in main
    args.func(self.cs, args)
  File "/usr/lib/python2.7/site-packages/novaclient/v1_1/shell.py", line 433, in do_boot
    server = cs.servers.create(*boot_args, **boot_kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/v1_1/servers.py", line 871, in create
    **boot_kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/v1_1/servers.py", line 534, in _boot
    return_raw=return_raw, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 152, in _create
    _resp, body = self.api.client.post(url, body=body)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 312, in post
    return self._cs_request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 286, in _cs_request
    **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 268, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 262, in request
    raise exceptions.from_response(resp, body, url, method)
Forbidden: It is not allowed to create an interface on external network 49d0cb8a-2631-4308-89c4-cac502ef0bad (HTTP 403) (Request-ID: req-afce2569-6902-4b25-a9b8-9ebf1a6ce1b9)
ERROR: It is not allowed to create an interface on external network 49d0cb8a-2631-4308-89c4-cac502ef0bad (HTTP 403) (Request-ID: req-afce2569-6902-4b25-a9b8-9ebf1a6ce1b9)

Expected results:
=================
This is what happens if:
1. The shared network is no longer marked as external.
2. The tenant itself has two networks.

(+ no network UUID is specified in the 'nova boot' command)

DEBUG (shell:783) Multiple possible networks found, use a Network ID to be more specific. (HTTP 400) (Request-ID: req-a4e90abd-2ad7-4342-aa3c-1a9aa9f5e2a0)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 780, in main
    OpenStackComputeShell().main(map(strutils.safe_decode, sys.argv[1:]))
  File "/usr/lib/python2.7/site-packages/novaclient/shell.py", line 716, in main
    args.func(self.cs, args)
  File "/usr/lib/python2.7/site-packages/novaclient/v1_1/shell.py", line 433, in do_boot
    server = cs.servers.create(*boot_args, **boot_kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/v1_1/servers.py", line 871, in create
    **boot_kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/v1_1/servers.py", line 534, in _boot
    return_raw=return_raw, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/base.py", line 152, in _create
    _resp, body = self.api.client.post(url, body=body)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 312, in post
    return self._cs_request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 286, in _cs_request
    **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 268, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/novaclient/client.py", line 262, in request
    raise exceptions.from_response(resp, body, url, method)
BadRequest: Multiple possible networks found, use a Network ID to be more specific. (HTTP 400) (Request-ID: req-a4e90abd-2ad7-4342-aa3c-1a9aa9f5e2a0)
ERROR: Multiple possible networks found, use a Network ID to be more specific. (HTTP 400) (Request-ID: req-a4e90abd-2ad7-4342-aa3c-1a9aa9f5e2a0)

Tags: neutron
Changed in python-novaclient:
assignee: nobody → Kanchan Gupta (kanchan-gupta1)
Changed in python-novaclient:
assignee: Kanchan Gupta (kanchan-gupta1) → nobody
Changed in python-novaclient:
assignee: nobody → Kanchan Gupta (kanchan-gupta1)
Kanchan Gupta (kanchan-gupta1) wrote :

I tried to replicate this bug on the following version:
Name: python-novaclient
Version: 2.18.2.dev42.g9758ffc

When I try to boot an instance within tenant B without the --nic option, it throws the expected error:
ERROR (BadRequest): Multiple possible networks found, use a Network ID to be more specific. (HTTP 400) (Request-ID: req-dfc746f5-50c1-4b63-9137-66ec6e52cf91)

So, as per the expected result mentioned in the bug description, it seems that it has been fixed.

melanie witt (melwitt) wrote :

This is a bug in nova neutronv2 api.

no longer affects: python-novaclient
Changed in nova:
assignee: nobody → melanie witt (melwitt)
importance: Undecided → Medium
status: New → Confirmed
tags: added: neutron
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/121330

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/121330
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3e11db0e3b832703feafe8317c0c12fb0a149e53
Submitter: Jenkins
Branch: master

commit 3e11db0e3b832703feafe8317c0c12fb0a149e53
Author: melanie witt <email address hidden>
Date: Sat Sep 13 08:04:12 2014 +0000

    check network ambiguity before external network auth

    This change refactors the logic in the neutronv2 api to check for
    network ambiguity before checking permission to attach external
    network. In the scenario when there is a network available in the
    client's tenant and an external shared network available in a
    different tenant, the client was receiving a Forbidden error
    because the external network was in the list of available networks
    even though the client did have access to the other network in the
    list.

    With this change, the client receives a NetworkAmbiguous error instead in
    the same scenario, as they could succeed in booting an instance while
    specifying --nic with the net-id of the network they can access.

    Closes-Bug: #1364344

    Change-Id: Ia94c25ff0ffd6a368da272fc6d883986156a0362

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → juno-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-rc1 → 2014.2
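
The check ordering described in the commit message above, as an added example that is not nova's code and not part of the original report. It is a simplified model: the function names, the `ExternalNetworkForbidden` exception name, the network dictionaries and the `may_attach_external` flag are all assumptions made for illustration. It shows that moving the ambiguity check first changes which error the tenant sees, while the external-network authorization is still enforced on whatever network would actually be attached.

```python
# Simplified model of the two check orderings; all names are hypothetical.
class NetworkAmbiguous(Exception):
    """Stands in for the HTTP 400 'Multiple possible networks found' error."""

class ExternalNetworkForbidden(Exception):
    """Stands in for the HTTP 403 external-network error."""

def _candidates(available, requested_ids):
    # With no explicit request, every network visible to the tenant is a candidate.
    if requested_ids:
        return [n for n in available if n["id"] in requested_ids]
    return list(available)

def _check_external(nets, may_attach_external):
    for net in nets:
        if net["external"] and not may_attach_external:
            raise ExternalNetworkForbidden(net["id"])

def select_before_fix(available, requested_ids=(), may_attach_external=False):
    nets = _candidates(available, requested_ids)
    _check_external(nets, may_attach_external)  # authorization runs first
    if not requested_ids and len(nets) > 1:
        raise NetworkAmbiguous()
    return [n["id"] for n in nets]

def select_after_fix(available, requested_ids=(), may_attach_external=False):
    nets = _candidates(available, requested_ids)
    if not requested_ids and len(nets) > 1:     # ambiguity runs first
        raise NetworkAmbiguous()
    _check_external(nets, may_attach_external)  # still enforced afterwards
    return [n["id"] for n in nets]

def outcome(select, *args, **kwargs):
    """Return the selected network IDs, or the name of the error raised."""
    try:
        return select(*args, **kwargs)
    except (NetworkAmbiguous, ExternalNetworkForbidden) as exc:
        return type(exc).__name__

# Constructed sample: tenant B sees its own network plus the admin tenant's
# shared external network, as in the steps to reproduce.
AVAILABLE = [
    {"id": "tenant-b-net", "external": False},
    {"id": "shared-ext-net", "external": True},
]
```
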