The SecurityGroups property of an Instance resource doesn't get applied

Bug #1164913 reported by Simon Pasquier
This bug affects 1 person
Affects: OpenStack Heat
Status: Fix Released
Importance: Medium
Assigned to: Jeff Peeler

Bug Description

How to reproduce

Create a stack using that template
{
  "AWSTemplateFormatVersion" : "2010-09-09",

  "Description" : "Template for testing creation of VPC resources",

  "Parameters" : {

    "KeyName" : {
      "Description" : "Name of and existing EC2 KeyPair to enable SSH access to the instance",
      "Type" : "String"
    },

    "InstanceType" : {
      "Description" : "EC2 instance type",
      "Type" : "String",
      "Default" : "t1.micro",
      "AllowedValues" : [ "t1.micro", "m1.small", "m1.large", "m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "c1.medium", "c1.xlarge", "cc1.4xlarge" ],
      "ConstraintDescription" : "must be a valid EC2 instance type."
    },

    "LinuxDistribution": {
      "Description" : "Distribution of choice",
      "Type": "String",
      "Default": "cirros-0.3.1-x86_64-uec"
    }

  },

  "Resources" : {

    "myVpc" : {
      "Type" : "AWS::EC2::VPC",
      "Properties" : {
        "CidrBlock" : "20.0.0.0/16"
      }
    },

    "mySubnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "myVpc" },
        "CidrBlock" : "20.0.0.0/24"
      }
    },

    "InstanceSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "Enable ICMP + SSH access via port 22",
        "SecurityGroupIngress" : [
          {"IpProtocol" : "icmp", "FromPort" : "-1", "ToPort" : "-1", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"}
        ]
      }
    },

    "myNetworkInterface": {
      "Type" : "AWS::EC2::NetworkInterface",
      "Properties" : {
        "SubnetId" : { "Ref" : "mySubnet" },
        "Description" : "myInstance interface"
      }
    },

    "myInstance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "ImageId" : { "Ref" : "LinuxDistribution" },
        "KeyName" : { "Ref" : "KeyName" },
        "SecurityGroups" : [ {"Ref" : "InstanceSecurityGroup"} ],
        "NetworkInterfaces" : [{ "NetworkInterfaceId": { "Ref" : "myNetworkInterface" }, "DeviceIndex" : "0" }],
        "InstanceType" : { "Ref": "InstanceType" }
      }
    }
  },

  "Outputs" : {
    "InstanceId" : {
      "Value" : { "Ref" : "myInstance" },
      "Description" : "Instance Id of newly created instance"
    }
  }
}

$ heat event-list myStack10
+-----------------------+-----+------------------------+-----------------+----------------------+
| logical_resource_id | id | resource_status_reason | resource_status | event_time |
+-----------------------+-----+------------------------+-----------------+----------------------+
| myVpc | 264 | state changed | IN_PROGRESS | 2013-04-05T09:38:42Z |
| mySubnet | 266 | state changed | IN_PROGRESS | 2013-04-05T09:38:43Z |
| myVpc | 265 | state changed | CREATE_COMPLETE | 2013-04-05T09:38:43Z |
| myNetworkInterface | 268 | state changed | IN_PROGRESS | 2013-04-05T09:38:44Z |
| myNetworkInterface | 269 | state changed | CREATE_COMPLETE | 2013-04-05T09:38:44Z |
| mySubnet | 267 | state changed | CREATE_COMPLETE | 2013-04-05T09:38:44Z |
| InstanceSecurityGroup | 270 | state changed | IN_PROGRESS | 2013-04-05T09:38:45Z |
| InstanceSecurityGroup | 271 | state changed | CREATE_COMPLETE | 2013-04-05T09:38:46Z |
| myInstance | 272 | state changed | IN_PROGRESS | 2013-04-05T09:38:46Z |
| myInstance | 273 | state changed | CREATE_COMPLETE | 2013-04-05T09:39:16Z |
+-----------------------+-----+------------------------+-----------------+----------------------+

All resources are created without error but when looking at the nova instance, the security group is not applied:
$ nova show myStack10.myInstance
+-------------------------------------+----------------------------------------------------------------+
| Property | Value |
+-------------------------------------+----------------------------------------------------------------+
| status | ACTIVE |
| updated | 2013-04-05T09:39:16Z |
| OS-EXT-STS:task_state | None |
| OS-EXT-SRV-ATTR:host | controller |
| key_name | itadmin |
| image | cirros-0.3.1-x86_64-uec (44de0c5f-9f98-45b8-bedf-4b4080f943db) |
| hostId | b7590f36f34a1a351389925f76d6707b68f00277c8e818400232c877 |
| OS-EXT-STS:vm_state | active |
| OS-EXT-SRV-ATTR:instance_name | instance-0000000c |
| OS-EXT-SRV-ATTR:hypervisor_hostname | controller |
| flavor | m1.tiny (1) |
| id | c2e2143d-d6cc-4bfe-bd94-00ba273f9590 |
| security_groups | [{u'name': u'default'}] |
| user_id | 497c0bf2aa4640708da7fd7d357ac4c3 |
| name | myStack10.myInstance |
| created | 2013-04-05T09:38:47Z |
| tenant_id | c6d33695fa364bfa978f13d44f416145 |
| OS-DCF:diskConfig | MANUAL |
| metadata | {} |
| myStack10.myVpc network | 20.0.0.2 |
| accessIPv4 | |
| accessIPv6 | |
| progress | 0 |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-AZ:availability_zone | nova |
| config_drive | |
+-------------------------------------+----------------------------------------------------------------+

Not sure if it is a Heat bug or a Nova bug because the logs show that the security_groups parameter is correctly passed to the Nova API.

Environment: devstack with Quantum.

Simon Pasquier (simon-pasquier) wrote :

It doesn't fail when the NetworkInterfaces property isn't defined.

Changed in heat:
assignee: nobody → Jeff Peeler (jpeeler-z)
Steven Hardy (shardy)
Changed in heat:
milestone: none → havana-1
status: New → Triaged
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/27574

Changed in heat:
status: Triaged → In Progress
Jeff Peeler (jpeeler-z) wrote :

In addition to the above proposed fix, the NetworkInterface needs to utilize the GroupSet property to set the security group. For reference:

    "myNetworkInterface": {
      "Type" : "AWS::EC2::NetworkInterface",
      "Properties" : {
        "GroupSet" : [ {"Ref" : "InstanceSecurityGroup"} ],
        "SubnetId" : { "Ref" : "mySubnet" },
        "Description" : "myInstance interface"
      }
    },
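
Added example, not part of the original thread or of Heat's code: a pre-deployment check for the template pattern discussed in this report, where an instance lists SecurityGroups but attaches a NetworkInterface that has no matching GroupSet, so the stack reports CREATE_COMPLETE while the server carries only the default group. The function names and the trimmed sample template are assumptions made for illustration.

```python
# Added example: pre-deployment check for the template pattern in this bug report.
def _label(value):
    """Render {"Ref": "name"} as "name"; leave literal values unchanged."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value

def find_unapplied_security_groups(template):
    """Return (instance, interface, missing_groups) for every instance whose
    SecurityGroups are absent from the GroupSet of an interface it attaches."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        wanted = [_label(g) for g in props.get("SecurityGroups") or []]
        for nic in props.get("NetworkInterfaces") or []:
            nic_name = _label(nic.get("NetworkInterfaceId"))
            nic_res = resources.get(nic_name) if isinstance(nic_name, str) else None
            if not nic_res or nic_res.get("Type") != "AWS::EC2::NetworkInterface":
                continue  # interface defined outside this template: not checkable here
            nic_props = nic_res.get("Properties", {})
            have = [_label(g) for g in nic_props.get("GroupSet") or []]
            missing = [g for g in wanted if g not in have]
            if missing:
                findings.append((name, nic_name, missing))
    return findings

def sample_template(group_set=None, with_interface=True):
    """Constructed sample: the relevant resources from the report's template."""
    nic_props = {"SubnetId": {"Ref": "mySubnet"}}
    if group_set is not None:
        nic_props["GroupSet"] = group_set
    inst_props = {"SecurityGroups": [{"Ref": "InstanceSecurityGroup"}]}
    if with_interface:
        inst_props["NetworkInterfaces"] = [
            {"NetworkInterfaceId": {"Ref": "myNetworkInterface"}, "DeviceIndex": "0"}]
    return {"Resources": {
        "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}},
        "myNetworkInterface": {"Type": "AWS::EC2::NetworkInterface",
                               "Properties": nic_props},
        "myInstance": {"Type": "AWS::EC2::Instance", "Properties": inst_props},
    }}

if __name__ == "__main__":
    fixed = sample_template([{"Ref": "InstanceSecurityGroup"}])
    for label, tpl in [("as reported", sample_template()), ("with GroupSet", fixed)]:
        print(label, find_unapplied_security_groups(tpl))
```

A finding means the template's intended ingress rules would not be the ones in force on the interface; confirming the `security_groups` row of `nova show` after deployment covers interfaces defined outside the template.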

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/27574
Committed: http://github.com/openstack/heat/commit/bafd8b80f25ca25a1919226f1daba4e21857e851
Submitter: Jenkins
Branch: master

commit bafd8b80f25ca25a1919226f1daba4e21857e851
Author: Jeff Peeler <email address hidden>
Date: Fri Apr 26 12:04:20 2013 -0400

    Fix GroupSet assignment to use resource id instead of name

    This allows the security groups to be passed to Quantum in the
    expected format.

    Change-Id: I7925bfdb71a076b4a2ecdeee396abf42d111ef8c
    Fixes: bug #1164913

Changed in heat:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/29229

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/29230

OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/29230
Committed: http://github.com/openstack/heat/commit/2ef60a648468978f40563c81bebcdb9990219ca2
Submitter: Jenkins
Branch: master

commit 2ef60a648468978f40563c81bebcdb9990219ca2
Author: Zane Bitter <email address hidden>
Date: Wed May 15 15:59:38 2013 +0200

    Clean up VPC unit tests

     - Ensure that stacks are cleaned up on failure.
     - Add a test for the case where something other than a valid reference
       is passed as the GroupSet.
     - Add a test for the case where no GroupSet is passed.

    Ref bug #1164913

    Change-Id: I7637ed7969f23662643756da4a49627a2b40de20

Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: havana-1 → 2013.2