2016-06-09 14:05:18 |
Adam Tengler |
description |
When we tried to create a new port through the neutron client with the --no-security-groups flag, we got an Internal Server Error in response to our request. The following error showed up in /var/log/contrail/contrail-api.log:
global RefsExistError = <class 'cfgm_common.exceptions.RefsExistError'>
content = u"['default-domain', 'default-project', '__no_ru... with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a"
<class 'cfgm_common.exceptions.RefsExistError'>: ['default-domain', 'default-project', '__no_rule__'] already exists with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a
__class__ = <class 'cfgm_common.exceptions.RefsExistError'>
__delattr__ = <method-wrapper '__delattr__' of RefsExistError object>
__dict__ = {}
__doc__ = None
__format__ = <built-in method __format__ of RefsExistError object>
__getattribute__ = <method-wrapper '__getattribute__' of RefsExistError object>
__getitem__ = <method-wrapper '__getitem__' of RefsExistError object>
__getslice__ = <method-wrapper '__getslice__' of RefsExistError object>
__hash__ = <method-wrapper '__hash__' of RefsExistError object>
__init__ = <method-wrapper '__init__' of RefsExistError object>
__module__ = 'cfgm_common.exceptions'
__new__ = <built-in method __new__ of type object>
__reduce__ = <built-in method __reduce__ of RefsExistError object>
__reduce_ex__ = <built-in method __reduce_ex__ of RefsExistError object>
__repr__ = <method-wrapper '__repr__' of RefsExistError object>
__setattr__ = <method-wrapper '__setattr__' of RefsExistError object>
__setstate__ = <built-in method __setstate__ of RefsExistError object>
__sizeof__ = <built-in method __sizeof__ of RefsExistError object>
__str__ = <method-wrapper '__str__' of RefsExistError object>
__subclasshook__ = <built-in method __subclasshook__ of type object>
__unicode__ = <built-in method __unicode__ of RefsExistError object>
__weakref__ = None
args = (u"['default-domain', 'default-project', '__no_ru... with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a",)
message = u"['default-domain', 'default-project', '__no_ru... with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a"
The above is a description of an error in a Python program. Here is
the original traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/__init__.py", line 964, in handler_trap_exception
    response = handler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_interface.py", line 469, in plugin_http_post_port
    return self.plugin_create_port(context, port)
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_interface.py", line 395, in plugin_create_port
    net_info = cfgdb.port_create(context, port['resource'])
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 2220, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 3572, in port_create
    port_obj = self._port_neutron_to_vnc(port_q, net_obj, CREATE)
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 1786, in _port_neutron_to_vnc
    sg_obj = self._get_no_rule_security_group()
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 1734, in _get_no_rule_security_group
    sg_obj = self._create_no_rule_sg()
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 1726, in _create_no_rule_sg
    sg_uuid = self._vnc_lib.security_group_create(sg_obj)
  File "/usr/lib/python2.7/dist-packages/vnc_api/gen/vnc_api_client_gen.py", line 4036, in security_group_create
    data = json_body)
  File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 497, in _request_server
    retry_count=retry_count)
  File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 542, in _request
    raise RefsExistError(content)
RefsExistError: ['default-domain', 'default-project', '__no_rule__'] already exists with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a
After some investigation we found out that there is a __no_rule__ security group already present in the default OpenContrail tenant, but only user admin with role admin can use it. Also, every time we manually deleted the __no_rule__ security group, port create with the --no-security-groups flag succeeded once, no matter which user called this command, but failed again when called a second time. After this group is created, only user admin can work with it. It seems that no matter which user creates the __no_rule__ security group, it has permissions set to user admin, group admin.
Steps to reproduce this bug:
1. Source RC file for any user other than user admin
2. neutron port-create --no-security-groups NET_ID
3. neutron port-create --no-security-groups NET_ID
It may succeed the first time, when the __no_rule__ security group is newly created, but it will always fail the next time.
Host OS: Ubuntu 14.04
OpenStack distribution: Kilo
OpenContrail version: 2.21
neutron plugin: v2 |
|
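Added example, not part of the original report and not vnc_api or vnc_openstack code: a constructed in-memory model of the read-then-create pattern visible in the traceback, next to a variant that resolves the internal group with a service identity. The ConfigStore class, SERVICE_USER, both helper functions, and the assumption that a permission-denied read looks the same as "not found" are hypothetical.

```python
class NoIdError(Exception):
    pass

class RefsExistError(Exception):
    pass

NO_RULE = ("default-domain", "default-project", "__no_rule__")
SERVICE_USER = "admin"  # assumption: identity the plugin itself could use

class ConfigStore:
    """Toy config API; objects end up owned by admin, as the report observes."""
    def __init__(self):
        self.owner = {}  # fq_name -> owning user

    def read(self, user, fq_name):
        # Assumption: a missing object and a denied read raise the same error.
        if self.owner.get(fq_name) != user:
            raise NoIdError(fq_name)
        return fq_name

    def create(self, user, fq_name):
        if fq_name in self.owner:
            raise RefsExistError("%s already exists" % list(fq_name))
        self.owner[fq_name] = SERVICE_USER  # whoever the caller is
        return fq_name

def get_no_rule_sg_as_caller(store, user):
    """Pattern from the traceback: any read failure falls through to create."""
    try:
        return store.read(user, NO_RULE)
    except NoIdError:
        return store.create(user, NO_RULE)

def get_no_rule_sg_as_service(store):
    """Look up the internal group as the service and tolerate a create race."""
    try:
        return store.read(SERVICE_USER, NO_RULE)
    except NoIdError:
        try:
            return store.create(SERVICE_USER, NO_RULE)
        except RefsExistError:
            return store.read(SERVICE_USER, NO_RULE)  # created concurrently

def reproduce(user="demo"):
    """Two port-create attempts by the same user against a fresh store."""
    store, results = ConfigStore(), []
    for _ in range(2):
        try:
            get_no_rule_sg_as_caller(store, user)
            results.append("ok")
        except RefsExistError:
            results.append("RefsExistError")
    return results
```

In this model the caller's identity would still authorize the port itself; only the lookup of the shared internal group moves to the service identity.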