security groups are not attached to an instance if port-id is specified during boot

Bug #1373774 reported by Oleg Bondarev
This bug affects 4 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: Oleg Bondarev

Bug Description

Creation of a server with the command
'nova boot --image <image> --flavor m1.medium --nic port-id=<port-id> --security-groups <sec_grp> <name>'
fails to attach the security group to the port/instance. The response payload has the security group added, but only the default security group is attached to the instance.
A separate action has to be performed on the instance to add sec_grp, and it is successful. Supplying the same with '--nic net-id=<net-id>' works as expected.

Tags: network
Sean Dague (sdague) wrote :

Oleg, do you know if this is falling down in novaclient or on the nova side? I see you have assigned it to yourself, so I'm assuming you are going to dive deeper into this one.

Changed in nova:
status: New → Incomplete
importance: Undecided → High
Oleg Bondarev (obondarev) wrote :

Sean, this is a nova-side issue. I have a fix, will add a unit test and submit the fix later today.

Simon Pasquier (simon-pasquier) wrote :

This "behavior" has existed for a long time. It was already spotted in the Heat project (see http://git.openstack.org/cgit/openstack/heat/commit/?id=5c5e36de3737a85bec5023c94265e6bbaf6ad78e). At that time, it was decided to take a defensive approach in Heat and leave Nova intact.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/124059

Changed in nova:
status: Incomplete → In Progress
Phil Day (philip-day) wrote :

I think the expectation is that if a user is already interacting with Neutron to create ports then they should do the security group assignment in Neutron as well.

The trouble I see with supporting this way of assigning security groups is what should the correct behavior be if the user passes more than one port into the Nova boot command? In the case where Nova is creating the ports it kind of feels (just) OK to assign the security groups to all the ports. In the case where the ports have already been created then it doesn't feel right to me that Nova modifies them.

Oleg Bondarev (obondarev) wrote :
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/124059
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/124059
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=d8cafb9a6efb95b78609aca8fcb3532c33a1788f
Submitter: Jenkins
Branch: master

commit d8cafb9a6efb95b78609aca8fcb3532c33a1788f
Author: Oleg Bondarev <email address hidden>
Date: Thu Sep 25 13:32:53 2014 +0400

    Raise if sec-groups and port id are provided on boot

    Currently in case port_id is provided on instance boot
    security groups parameter is ignored. Need to clearly state
    that specifying both parameters is not allowed and that Neutron
    should be used for configuring security groups on port

    Closes-bug: #1373774

    Change-Id: I701faba1b37a7106cf86f7abf8e55f7289e1ff3b

Changed in nova:
status: In Progress → Fix Committed
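
An added example, not nova's code and not the merged patch: a standalone Python sketch of the check the commit message describes, plus an audit for pre-created ports left without the requested groups, as in the bug description. The function names, dict shapes and sample data are assumptions, and group names stand in for Neutron's group ids.

```python
class SecurityGroupsWithPortError(ValueError):
    """Hypothetical error for the rejected parameter combination."""


def check_boot_request(nics, security_groups):
    """Raise if security groups are requested alongside a pre-created port.

    nics: list of dicts keyed like the CLI's --nic option ('port-id' or 'net-id').
    """
    port_ids = [n["port-id"] for n in nics if "port-id" in n]
    if port_ids and security_groups:
        raise SecurityGroupsWithPortError(
            "security groups %s would be ignored for port(s) %s; "
            "set them on the port in Neutron instead"
            % (sorted(security_groups), port_ids))


def audit_ports(boot_requests, port_groups):
    """Find pre-created ports that lack groups the boot request asked for.

    port_groups maps port id -> set of group names actually on the port.
    Returns a list of (instance name, port id, sorted missing groups).
    """
    findings = []
    for req in boot_requests:
        wanted = set(req["security_groups"])
        for nic in req["nics"]:
            port_id = nic.get("port-id")
            if port_id is None:
                continue  # net-id case: reported as working as expected
            missing = wanted - port_groups.get(port_id, set())
            if missing:
                findings.append((req["name"], port_id, sorted(missing)))
    return findings


# Constructed sample data (names and ids are made up for illustration).
SAMPLE_REQUESTS = [
    {"name": "web-1", "nics": [{"port-id": "port-a"}], "security_groups": ["web"]},
    {"name": "web-2", "nics": [{"net-id": "net-1"}], "security_groups": ["web"]},
    {"name": "db-1", "nics": [{"port-id": "port-b"}, {"port-id": "port-c"}],
     "security_groups": ["db"]},
]
SAMPLE_PORT_GROUPS = {
    "port-a": {"default"},        # the symptom from the bug description
    "port-b": {"default", "db"},  # group was added separately in Neutron
    "port-c": {"default"},
}
```

The db-1 entry covers the multi-port case raised in the discussion: each pre-created port is checked on its own, so one instance can yield a finding for one port and not another.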
Thierry Carrez (ttx)
Changed in nova:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Matt Riedemann (mriedem) wrote :

Note that this was reverted:

https://review.openstack.org/#/c/151184/

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/154068

Thierry Carrez (ttx)
Changed in nova:
milestone: kilo-2 → 2015.1.0
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Michael Still (<email address hidden>) on branch: master
Review: https://review.openstack.org/154068
Reason: This patch has been stalled for quite a while, so I am going to abandon it to keep the code review queue sane. Please restore the change when it is ready for review.
