OpenStack Compute (nova)

server list with IP filter doesn't work as expected

Bug #2006770 reported by kay on 2023-02-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Opinion	Low	Unassigned

Bug Description

If a project has two servers with 10.10.10.10 and 10.10.10.109 IPs, the "curl -s 'https://nova:443/v2.1/servers?ip=10.10.10.10'" request returns two servers in a response.

This happens because neutron API has an "ip-substring-filtering" extension turned on:

$ curl -s "https://neutron/v2.0/extensions" -H "X-Auth-Token: ${OS_AUTH_TOKEN}" | jq -r '.extensions[]|select(.alias=="ip-substring-filtering")'
{
  "name": "IP address substring filtering",
  "alias": "ip-substring-filtering",
  "description": "Provides IP address substring filtering when listing ports",
  "updated": "2017-11-28T09:00:00-00:00",
  "links": []
}

And there is no possibility to filter IPs with an exact match like it's done with a "https://neutron/v2.0/ports?fixed_ips=ip_address%3D10.10.10.10" call.

----------------------------------------------------------------

Another problem is that ip/ip6 fields are marked as regexp in both SCHEMA and CLI:

https://github.com/openstack/nova/blob/49aa40394a4857a06191b05ea3b15913f328a8d0/nova/api/openstack/compute/schemas/servers.py#L638-L639 (values which are not regexp compatible are rejected on the early stage)

$ openstack server list --help | grep -- --ip
                             [--ip <ip-address-regex>]
                             [--ip6 <ip-address-regex>] [--name <name-regex>]
  --ip <ip-address-regex>
  --ip6 <ip-address-regex>

But they are not considered as regexp afterwards. Moreover the https://github.com/openstack/nova/blob/a2964417822bd1a4a83fa5c27282d2be1e18868a/nova/compute/api.py#L3028-L3039 mapping doesn't work, because "fixed_ip" is never allowed in "search_opts" map.

Changing "fixed_ip" key to an "ip" key (BTW, there is no "fixed_ip6" mapping, it also should be considered once someone decide to fix this issue) breaks substring filtering, because the filter finally becomes "'ip': '^10\\.10\\.10\\.10$'".

Therefore if there is no "substring filtering" neutron extension, the regexp filter mappings must consider this (or even be removed).

And the final call: there should be a way for a user to define whether user wants to use substr, exact match or regexp.

See also: https://stackoverflow.com/questions/64549906/how-openstack-client-get-server-list-with-accurate-ip-address

Tags:

Revision history for this message

Sylvain Bauza (sylvain-bauza) wrote on 2023-02-20:

Honestly, I don't know what to say here. When the query parameter was added, it was just for a convenient purpose for operators to prevent them to query Neutron first to get the list of ports but this was actually some kind of orchestration we try to avoid.

Keeping in mind that an instance can be booted with a port that doesn't have L3 connectivity, I'm not super happy with fixing all of this while it's better to say 'please rather directly call Neutron to get the list of ports that match your IP and then ask Nova to give you the list of instances that have those ports bound to them'.

I'd rather deprecate this IP address query param and provide a good api-ref documentation explaining what's the recommended way.
As a sidenote, since IP substring filtering is a Neutron extension which is not provided for all clouds, we can't and shouldn't rely on it for getting answers.

Putting the report to Opinion but we'll debate it in the next weeks.

Changed in nova:
status:	New → Opinion
importance:	Undecided → Low

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.