Couldn't run instance with existing port when default security group is absent

Bug #1384347 reported by Feodor Tersin
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

If the default security group in a tenant is deleted (admin has appropriate permissions), then launching an instance with a Neutron port fails at the allocate network resources stage:

ERROR nova.compute.manager [-] Instance failed network setup after 1 attempt(s)
TRACE nova.compute.manager Traceback (most recent call last):
TRACE nova.compute.manager File "/opt/stack/nova/nova/compute/manager.py", line 1528, in _allocate_network_async
TRACE nova.compute.manager dhcp_options=dhcp_options)
TRACE nova.compute.manager File "/opt/stack/nova/nova/network/neutronv2/api.py", line 294, in allocate_for_instance
TRACE nova.compute.manager security_group_id=security_group)
TRACE nova.compute.manager SecurityGroupNotFound: Security group default not found.

Steps to reproduce:
0. Delete the default security group with admin account.
1. Create custom security group
2. Create a network and a subnet
3. Create a port in the subnet with the custom security group
4. Launch an instance with the port (and don't specify any security group)

Launch command is accepted successfully, but 'nova show' command returns the instance in error state.

Changed in nova:
status: New → Confirmed
ugvddm (271025598-9)
Changed in nova:
assignee: nobody → ugvddm (271025598-9)
ugvddm (271025598-9) wrote :

Hi Feodor,

I can't reproduce your issue in my devstack, what's your OpenStack version?

Feodor Tersin (ftersin) wrote :

Hi

I got it in Icehouse. Now I've not reproduced it in my local devstack (between juno-3 and juno-rc1).

Though some features in source code still lead to the error (_create_instance in compute/api.py still adds 'default' group if no group is passed, and allocate_for_instance in network/neutronv2/api.py still raises the exception if any of the passed groups doesn't exist), the steps mentioned above don't lead to the error. An instance is launched successfully.

The reason is that a new default group is created at once when the existing one is deleted.
Try to list security groups after deleting default group. You'll find a new one.

Thus this bug isn't actual for modern OS versions.
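
A pre-launch check for the condition discussed in this report, added here as an example (it is not code from the report or from nova). It applies the rule described in the comment above (no group passed means 'default' is used) to a security group listing and reports names that do not exist in the project. The sample listing is constructed, and its column names assume the shape of `openstack security group list -f json`.

```python
import json
from collections import defaultdict

# Constructed sample; column names are an assumption about the CLI's JSON output.
SAMPLE_LISTING = json.dumps([
    {"ID": "sg-0001", "Name": "default", "Project": "proj-a"},
    {"ID": "sg-0002", "Name": "web", "Project": "proj-a"},
    {"ID": "sg-0003", "Name": "custom", "Project": "proj-b"},
])


def groups_by_project(listing_json):
    """Map project id -> set of security group names found in the listing."""
    by_project = defaultdict(set)
    for row in json.loads(listing_json):
        by_project[row["Project"]].add(row["Name"])
    return by_project


def effective_groups(requested):
    """Per the comment above: with no group passed, 'default' is added."""
    return list(requested) if requested else ["default"]


def missing_groups(listing_json, project, requested=()):
    """Names the launch would reference that do not exist in the project.

    A non-empty result predicts the SecurityGroupNotFound failure from the
    report, even when the instance is booted on a pre-created port.
    """
    existing = groups_by_project(listing_json).get(project, set())
    return [g for g in effective_groups(requested) if g not in existing]


def projects_without_default(listing_json):
    """Projects in the listing that have groups but no 'default' group."""
    return sorted(p for p, names in groups_by_project(listing_json).items()
                  if "default" not in names)


if __name__ == "__main__":
    print(missing_groups(SAMPLE_LISTING, "proj-b"))
    print(missing_groups(SAMPLE_LISTING, "proj-b", ["custom"]))
    print(projects_without_default(SAMPLE_LISTING))
```
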

ugvddm (271025598-9) wrote :

Yes it is. I have found, as you said, that we can't delete the default group, thus we should change it to "invalid".

Changed in nova:
status: Confirmed → Invalid
ugvddm (271025598-9)
Changed in nova:
assignee: ugvddm (271025598-9) → nobody