openstack port set e8dbb90b-4e1d-4f65-a752-804c503ae7f2 --allowed-address ip-address=x.x.x.x does not work.

Bug #1697000 reported by Slobodan Blatnjak
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R3.2 | Fix Committed | Undecided | Keyur R. Golani |
R4.0 | Fix Committed | Undecided | Keyur R. Golani |
Trunk | Fix Committed | Undecided | Keyur R. Golani |

Bug Description

Using the openstack client you cannot set an allowed address pair when a port has been created without an allowed address pair.
e.g.:
 # openstack port create --network xxx-xxx-xxx bla
 # openstack port set xxx-xxxx-xxx-xxxx-xxxxx --allowed-address ip-address=1.1.1.2
'NoneType' object is not iterable

This is because the neutron/contrail plugin (3.2.1) will not return a value for allowed_address_pairs in the JSON reply.
Example response body from contrail neutron:
RESP BODY: {"port": {"status": "ACTIVE", "name": "XXXXXX", "admin_state_up": true, "network_id": "XXXXXX", "tenant_id": "XXXXXX", "binding:vnic_type": "normal", "device_owner": "compute:None", "mac_address": "00:00:00:00", "port_security_enabled": true, "fixed_ips": [{"subnet_id": "XXXXXXXXX", "ip_address": "XXXXXX"}], "id": "XXXXXXX", "security_groups": ["XXXXXXXX"], "device_id": "XXXX"}}

While regular neutron will include an empty list for allowed_address_pairs by default.
Example response body from regular, non-contrail, neutron:
RESP BODY: {"port": {"status": "ACTIVE", "binding:host_id": "", "allowed_address_pairs": [], "extra_dhcp_opts": [], "device_owner": "", "binding:profile": {}, "fixed_ips": [{"subnet_id": "ZZZZZZ", "ip_address": "ZZZZZZ"}], "id": "ZZZZZZ", "security_groups": ["ZZZZZZZ"], "device_id": "", "name": "ZZZZZZZ", "admin_state_up": true, "network_id": "ZZZZZZ", "tenant_id": "ZZZZZZ", "binding:vif_details": {}, "binding:vnic_type": "normal", "binding:vif_type": "unbound", "mac_address": "00:00:00:00"}}

As you can see "allowed_address_pairs": [] is in the "regular" neutron reply by default while it is not for contrail-neutron implementation.
My guess is that other fields missing default values will have the same issue (like extra_dhcp_opts)

Note that the command will work with the old "neutron cli" but that is deprecated.

information type: Public → Public Security
Jeba Paulaiyan (jebap)
tags: added: config
Slobodan Blatnjak (sblatnjak) wrote :

"openstack port create" was introduced in Newton.

Could it be fixed here in https://github.com/Juniper/contrail-neutron-plugin/blob/master/neutron_plugin_contrail/plugins/opencontrail/vnc_client/vmi_res_handler.py?

    def _get_allowed_adress_pairs(vmi_obj):
        allowed_address_pairs = (
            vmi_obj.get_virtual_machine_interface_allowed_address_pairs())
        if (allowed_address_pairs and
                allowed_address_pairs.allowed_address_pair):
            address_pairs = []
            for aap in allowed_address_pairs.allowed_address_pair:
                pair = {}
                pair['mac_address'] = aap.mac
                if aap.ip.get_ip_prefix_len() == 32:
                    pair['ip_address'] = '%s' % (aap.ip.get_ip_prefix())
                else:
                    pair['ip_address'] = '%s/%s' % (aap.ip.get_ip_prefix(),
                                                    aap.ip.get_ip_prefix_len())
                address_pairs.append(pair)
            return address_pairs

by moving address_pairs = [] before the if clause "if (allowed_address_pairs and allowed_address_pairs.allowed_address_pair):" and "return address_pairs" out of the if clause.

This could make it return allowed_address_pairs [] in the vmi response even if it's not set.
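
The change proposed in the comment above, next to the behaviour of the quoted snippet, as an added example that is not the plugin's own code. The stub classes, the function names and client_add_pair are constructed for illustration; they model only the accessors the quoted snippet calls and a client that iterates whatever the API returned.

```python
# Added example: the classes below are constructed stand-ins for the Contrail
# VNC objects, exposing only the accessors used by the quoted snippet.
class Ip:
    def __init__(self, prefix, length):
        self._prefix, self._length = prefix, length
    def get_ip_prefix(self):
        return self._prefix
    def get_ip_prefix_len(self):
        return self._length

class Aap:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip

class AapList:
    def __init__(self, pairs):
        self.allowed_address_pair = pairs

class Vmi:
    def __init__(self, aaps=None):
        self._aaps = aaps
    def get_virtual_machine_interface_allowed_address_pairs(self):
        return self._aaps

def format_pair(aap):
    ip, plen = aap.ip.get_ip_prefix(), aap.ip.get_ip_prefix_len()
    return {'mac_address': aap.mac,
            'ip_address': ip if plen == 32 else '%s/%s' % (ip, plen)}

def get_pairs_before(vmi_obj):
    """Quoted behaviour: falls through and returns None when nothing is set."""
    aaps = vmi_obj.get_virtual_machine_interface_allowed_address_pairs()
    if aaps and aaps.allowed_address_pair:
        return [format_pair(a) for a in aaps.allowed_address_pair]

def get_pairs_after(vmi_obj):
    """Proposed change: the list is created first and always returned."""
    aaps = vmi_obj.get_virtual_machine_interface_allowed_address_pairs()
    address_pairs = []
    if aaps and aaps.allowed_address_pair:
        address_pairs = [format_pair(a) for a in aaps.allowed_address_pair]
    return address_pairs

def client_add_pair(existing, new_pair):
    """Hypothetical client-side merge that iterates the value it was given."""
    return [p for p in existing] + [new_pair]
```

With the "before" function the merge raises the TypeError from the report; with the "after" function the same merge yields a one-element list.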

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/33460
Submitter: Keyur R. Golani (<email address hidden>)

Keyur R. Golani (keyurrgolani) wrote :

Yes. I am fixing that same value at another place so that it is fixed from the base only.

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/33492
Submitter: Keyur R. Golani (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/33493
Submitter: Keyur R. Golani (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33492
Committed: http://github.com/Juniper/contrail-controller/commit/e54bdc594eb100ec4139f58091eb34430b037408
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit e54bdc594eb100ec4139f58091eb34430b037408
Author: Keyur Golani <email address hidden>
Date: Thu Jul 6 13:37:08 2017 -0700

Fixed issue with allowed IPs

Change-Id: I2a80977c3f36bea52fdbcd8c6f0a9fd3aa2121af
Closes-Bug: #1697000

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33493
Committed: http://github.com/Juniper/contrail-controller/commit/3822548b64c0906586a962275705d7cdafa4f6b4
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 3822548b64c0906586a962275705d7cdafa4f6b4
Author: Keyur Golani <email address hidden>
Date: Thu Jul 6 13:37:08 2017 -0700

Fixed NoneType issue with Allowed IPs

While creating a new port, the allowed_address_pairs parameter of
the port structure was only set if the allowed_address_pairs is
mentioned in the input parameters. Due to this, at the time of
updating port with allowed_address_pairs the code tried to
iterate NoneType object and generated an error.

Made sure that at the time of creating port, allowed_address_pairs
is an empty list if not mentioned in input parameters instead
of None.

Wrote testcase to instantiate a port object and assert that the value
of allowed_address_pairs is not None.

Closes-Bug: #1697000
Change-Id: I2a80977c3f36bea52fdbcd8c6f0a9fd3aa2121af

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33460
Committed: http://github.com/Juniper/contrail-controller/commit/55345b8f7cbc2e36141874dbbecbb978cb24197e
Submitter: Zuul (<email address hidden>)
Branch: master

commit 55345b8f7cbc2e36141874dbbecbb978cb24197e
Author: Keyur Golani <email address hidden>
Date: Thu Jul 6 13:37:08 2017 -0700

Fixed NoneType issue with Allowed IPs

While creating a new port, the allowed_address_pairs parameter of
the port structure was only set if the allowed_address_pairs is
mentioned in the input parameters. Due to this, at the time of
updating port with allowed_address_pairs the code tried to
iterate NoneType object and generated an error.

Made sure that at the time of creating port, allowed_address_pairs
is an empty list if not mentioned in input parameters instead
of None.

Wrote testcase to instantiate a port object and assert that the value
of allowed_address_pairs is not None.

Closes-Bug: #1697000
Change-Id: I2a80977c3f36bea52fdbcd8c6f0a9fd3aa2121af

Jim Reilly (jpreilly)
tags: added: att-aic-contrail
This report contains Public Security information  
Everyone can see this security related information.
