security-group-rule quota limit is set per security group not per tenant

Bug #1365463 reported by Kumar Harsh
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R1.1 | Fix Released | Undecided | Sachin Bansal |
Trunk | Fix Released | Undecided | Sachin Bansal |

Bug Description

Build R1.10 31 ubuntu havana

The security-group-rule quota limit is set per security group, not per tenant. Also, on reaching the quota limit, an internal server error is seen.

root@nodeg38:~# neutron quota-show
+---------------------+-------+
| Field | Value |
+---------------------+-------+
| floatingip | 2 |
| nat_instance | -1 |
| network | 3 |
| port | 5 |
| route_table | 10 |
| router | 10 |
| security_group | 5 |
| security_group_rule | 10 |
| subnet | 3 |
+---------------------+-------+

root@nodeg38:~# neutron security-group-list
+--------------------------------------+-------------+----------------------+
| id | name | description |
+--------------------------------------+-------------+----------------------+
| ee5bed64-4357-4a57-9691-3afcaf59c428 | default | |
| 920dc8a8-5388-49a4-bf88-a47851be628a | sg1 | sg1 |
| 1ef1fd2e-6fce-4fea-919d-ab680b7ae348 | test_secgrp | test security group |
+--------------------------------------+-------------+----------------------+

test_secgrp has 9 rules added; on adding the 10th rule, a neutron exception is seen.

root@nodeg38:~# neutron security-group-show 1ef1fd2e-6fce-4fea-919d-ab680b7ae348
+----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| description | test security group |
| id | 1ef1fd2e-6fce-4fea-919d-ab680b7ae348 |
| name | test_secgrp |
| security_group_rules | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "any", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 0, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "268566a0-d0a3-4da3-83d0-bd6261a9a72c"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "icmp", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 0, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "5925c1cd-81f1-4a6e-98d2-edb940e290e8"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "udp", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 1, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "c0e47792-2a43-4abc-b9d6-daa8a20c9e32"} |
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "icmp", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 0, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "5e653a1e-1890-462b-9fca-cd5fdcb72851"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "ethertype": "IPv4", "port_range_max": 443, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 443, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "f44c74dc-c63b-4c4c-b8b6-7511c6052586"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "ethertype": "IPv4", "port_range_max": 3306, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 3306, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "feb572ff-29e0-41f3-8449-fdbc21f431a8"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "ethertype": "IPv4", "port_range_max": 25, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 25, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "048ccbcb-a584-4bf5-b353-5a6879565907"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "ethertype": "IPv4", "port_range_max": 995, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 995, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "d321c25d-ace3-4726-a432-850a30b64fac"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "ethertype": "IPv4", "port_range_max": 465, "security_group_id": "1ef1fd2e-6fce-4fea-919d-ab680b7ae348", "port_range_min": 465, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "5992b8d9-ea29-436a-8b3b-e7393012ec0a"} |
| tenant_id | 9fa7f46ace7c4f5ca745ea237562ad68 |
+----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
root@nodeg38:~#

sg1 has 4 rules.
root@nodeg38:~# neutron security-group-show 920dc8a8-5388-49a4-bf88-a47851be628a
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| description | sg1 |
| id | 920dc8a8-5388-49a4-bf88-a47851be628a |
| name | sg1 |
| security_group_rules | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "any", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "920dc8a8-5388-49a4-bf88-a47851be628a", "port_range_min": 0, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "c7af2c16-d814-4b36-8928-ac4f84aa7805"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "icmp", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "920dc8a8-5388-49a4-bf88-a47851be628a", "port_range_min": 0, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "bf5b6175-f095-4a64-841d-399ff2b7af82"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "920dc8a8-5388-49a4-bf88-a47851be628a", "port_range_min": 1, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "bc101330-a2ee-4ddc-98dd-7ac235d58ba0"} |
| | {"remote_group_id": null, "direction": "ingress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "tcp", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "920dc8a8-5388-49a4-bf88-a47851be628a", "port_range_min": 1, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "f3431429-f014-431b-b2c4-fbb039f10024"} |
| tenant_id | 9fa7f46ace7c4f5ca745ea237562ad68 |
+----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
root@nodeg38:~#

default already has 2 rules:
root@nodeg38:~# neutron security-group-show ee5bed64-4357-4a57-9691-3afcaf59c428
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| description | |
| id | ee5bed64-4357-4a57-9691-3afcaf59c428 |
| name | default |
| security_group_rules | {"remote_group_id": "ee5bed64-4357-4a57-9691-3afcaf59c428", "direction": "ingress", "remote_ip_prefix": null, "protocol": "any", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "ee5bed64-4357-4a57-9691-3afcaf59c428", "port_range_min": 0, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "428a79f8-26ff-4401-b016-914bdc9f2138"} |
| | {"remote_group_id": null, "direction": "egress", "remote_ip_prefix": "0.0.0.0/0", "protocol": "any", "ethertype": "IPv4", "port_range_max": 65535, "security_group_id": "ee5bed64-4357-4a57-9691-3afcaf59c428", "port_range_min": 0, "tenant_id": "9fa7f46ace7c4f5ca745ea237562ad68", "id": "7e8bf392-021a-4c74-bb44-d36a3d845270"} |
| tenant_id | 9fa7f46ace7c4f5ca745ea237562ad68 |
+----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

information type: Proprietary → Public
Sachin Bansal (sbansal) wrote :
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/3341
Committed: http://github.org/Juniper/contrail-controller/commit/d30e52e88ec8e7ff2095f155e55550d688cb360b
Submitter: Zuul
Branch: R1.10

commit d30e52e88ec8e7ff2095f155e55550d688cb360b
Author: Sachin Bansal <email address hidden>
Date: Mon Sep 22 10:38:02 2014 -0700

Check against security group rules in all groups while checking for quota

Change-Id: If654d928dfecdbc4ab3464777cb9e4cba17b7333
Closes-Bug: 1365463
(cherry picked from commit 0b0f714273e9134b98aabc499a55b639a67023d9)

Kumar Harsh (hkumar) wrote :

Build 52 Ubuntu havana

Still, on reaching the quota limit, an internal server error is seen.

2014-10-15 22:03:39,724 - ERROR - Quantum Exception while creating SG Rule {'direction': 'ingress', 'protocol': 'tcp', 'security_group_id': u'43719e29-815f-4e2f-ad4d-a09461a6798d'}
Traceback (most recent call last):
  File "/root/home/hkumar/contrail-test/fixtures/quantum_test.py", line 218, in create_security_group_rule
    {'security_group_rule': sg_rule_dict})
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 108, in with_params
    ret = self.function(instance, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 628, in create_security_group_rule
    return self.post(self.security_group_rules_path, body=body)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1334, in post
    headers=headers, params=params)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1257, in do_request
    self._handle_fault_response(status_code, replybody)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 1227, in _handle_fault_response
    exception_handler_v20(status_code, des_error_body)
  File "/usr/lib/python2.7/dist-packages/neutronclient/v2_0/client.py", line 81, in exception_handler_v20
    message=error_dict)
NeutronClientException: Request Failed: internal server error while processing your request.

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/3804
Committed: http://github.org/Juniper/contrail-controller/commit/1f955045878315fd4c2d1400d1a7b8d109a0547b
Submitter: Zuul
Branch: R1.10

commit 1f955045878315fd4c2d1400d1a7b8d109a0547b
Author: Sachin Bansal <email address hidden>
Date: Wed Oct 15 16:00:18 2014 -0700

Catch PermissionDenied exception on security_group_update so that we can return proper error when sg rule quota is exceeded.

Change-Id: I1ebfe45a50521653ec92f115e12b692cc554dec4
Closes-Bug: 1365463

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/3805
Committed: http://github.org/Juniper/contrail-controller/commit/ee83a141f20c95680d8e0d42dd35e4c76874736a
Submitter: Zuul
Branch: master

commit ee83a141f20c95680d8e0d42dd35e4c76874736a
Author: Sachin Bansal <email address hidden>
Date: Wed Oct 15 16:00:18 2014 -0700

Catch PermissionDenied exception on security_group_update so that we can return proper error when sg rule quota is exceeded.

Change-Id: I1ebfe45a50521653ec92f115e12b692cc554dec4
Closes-Bug: 1365463
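
The two points this report turns on, counting rules per group versus per tenant and answering an exceeded quota with a client error instead of an internal server error, sketched as an added example that is not contrail-controller code. All class and function names are hypothetical, the sample data is constructed to mirror the rule counts in the report, and the 409 status is this example's choice.

```python
# Added illustration; every name here is hypothetical, not contrail-controller code.
from collections import namedtuple

SecurityGroup = namedtuple("SecurityGroup", "name tenant_id rules")


class OverQuota(Exception):
    """Quota exceeded; the API layer should report it as a client error."""


def rules_in_group(groups, tenant_id, target):
    # Per-group accounting: the behaviour the report describes.
    return len(target.rules)


def rules_in_tenant(groups, tenant_id, target):
    # Per-tenant accounting: sum the rules of every group the tenant owns.
    return sum(len(g.rules) for g in groups if g.tenant_id == tenant_id)


def add_rule(groups, group_name, rule, quota, count_fn):
    """Append rule to the named group if count_fn says the quota allows it."""
    target = next(g for g in groups if g.name == group_name)
    used = count_fn(groups, target.tenant_id, target)
    if quota >= 0 and used >= quota:  # a negative quota means unlimited
        raise OverQuota("security_group_rule quota (%d) reached for tenant %s"
                        % (quota, target.tenant_id))
    target.rules.append(rule)


def try_add(groups, group_name, rule, quota, count_fn):
    """Return a (status, message) pair instead of leaking the exception as a 500."""
    try:
        add_rule(groups, group_name, rule, quota, count_fn)
        return 201, "created"
    except OverQuota as exc:
        return 409, str(exc)


def sample_groups():
    # Constructed sample: 2 + 4 + 9 rules in one tenant, as in the report.
    tenant = "9fa7f46ace7c4f5ca745ea237562ad68"
    return [SecurityGroup("default", tenant, ["rule"] * 2),
            SecurityGroup("sg1", tenant, ["rule"] * 4),
            SecurityGroup("test_secgrp", tenant, ["rule"] * 9)]
```

With a quota of 10, `rules_in_group` still accepts a new rule in sg1 although the tenant already holds 15 rules, while `rules_in_tenant` rejects it.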
