Murano does not work in environments with security groups disabled in Neutron

Bug #1593253 reported by Alexander Tivelkov
This bug affects 1 person

Affects | Status | Importance | Assigned to | Milestone
Murano | Fix Released | High | Alexander Tivelkov |
Mitaka | Fix Committed | High | Unassigned |
Newton | Fix Released | High | Alexander Tivelkov |

Bug Description

In an environment with the Neutron Security Groups feature disabled (Neutron not having a "security-group" extension), Murano is unable to deploy any application which needs to create security rules: the attempt to generate a Heat stack fails with the error:
[heatclient.exc.HTTPBadRequest]: ERROR: HEAT-E99001 Service neutron is not available for resource type OS::Neutron::SecurityGroup, reason: Service endpoint not in service catalog.

Changed in murano:
status: New → Confirmed
Changed in murano:
importance: Undecided → High
Changed in murano:
milestone: none → newton-2
Changed in murano:
assignee: nobody → Alexander Tivelkov (ativelkov)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (master)

Fix proposed to branch: master
Review: https://review.openstack.org/331105

Changed in murano:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (master)

Reviewed: https://review.openstack.org/331105
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=f25776a5c3b5d6622deb000fa5a350610958b8df
Submitter: Jenkins
Branch: master

commit f25776a5c3b5d6622deb000fa5a350610958b8df
Author: Alexander Tivelkov <email address hidden>
Date: Fri Jun 17 14:51:35 2016 +0300

    Fixed inability to deploy if security groups are disabled

    Existing implementation of Neutron-based networking assumed that the
    neutron's security groups are used to manage VM accessibility.
    However there may exist environments with disabled security-group
    extension in Neutron and thus relying on something else to restrict
    the traffic. Murano could not operate in such environments since it
    always was attempting to create resources of type
    OS::Neutron::SecurityGroup and attach VMs' ports to this resource.

    This is addressed by introducing a new subclass of
    SecurityGroupManager - DummySecurityGroupManager, which actually does
    nothing but silently ignores the calls to create security rules. This
    new security manager is instantiated instead of
    NeutronSecurityGroupManager for Neutron-based networks in cases if the
    'security-group' extension is not present in Neutron's configuration.
    If it is instantiated a warning message is reported to the end-user to
    notify them that security requirements of the application were
    ignored.

    Change-Id: Ia3bc6c17f9ca0a4b8bf8c272481760a8c81b27b7
    Closes-bug: #1593253
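
An added illustration of the selection logic the commit message above describes, written in Python; it is not Murano's code. The three class names come from the commit message, while `make_manager`, `has_security_groups`, `add_group_ingress`, the rule fields and the sample extension listings are assumptions constructed for this example.

```python
import logging

LOG = logging.getLogger("sg_demo")

class SecurityGroupManager:
    """Interface: applications hand over the ingress rules they need."""
    def add_group_ingress(self, rules):  # hypothetical method name
        raise NotImplementedError

class NeutronSecurityGroupManager(SecurityGroupManager):
    """Stand-in: collects rules that would become OS::Neutron::SecurityGroup."""
    def __init__(self):
        self.rules = []
    def add_group_ingress(self, rules):
        self.rules.extend(rules)

class DummySecurityGroupManager(SecurityGroupManager):
    """Creates nothing, but records and reports every rule it skipped."""
    def __init__(self):
        self.ignored, self.warnings = [], []
    def add_group_ingress(self, rules):
        self.ignored.extend(rules)
        msg = ("Neutron has no 'security-group' extension; %d requested "
               "rule(s) were not applied" % len(rules))
        self.warnings.append(msg)   # shown to the end user
        LOG.warning(msg)            # and kept in the operator's log

def has_security_groups(listing):
    """True if the extension listing contains the 'security-group' alias."""
    return any(e.get("alias") == "security-group"
               for e in listing.get("extensions", []))

def make_manager(listing):  # hypothetical factory
    if has_security_groups(listing):
        return NeutronSecurityGroupManager()
    return DummySecurityGroupManager()

# Constructed sample data, shaped like a Neutron extensions listing.
WITH_SG = {"extensions": [{"alias": "router"}, {"alias": "security-group"}]}
WITHOUT_SG = {"extensions": [{"alias": "router"}, {"alias": "provider"}]}
SSH_RULE = {"protocol": "tcp", "port": 22}  # constructed rule format

if __name__ == "__main__":
    for listing in (WITH_SG, WITHOUT_SG):
        mgr = make_manager(listing)
        mgr.add_group_ingress([SSH_RULE])
        print(type(mgr).__name__, getattr(mgr, "ignored", []))
```

Keeping the skipped rules in `ignored` gives the operator a list of the restrictions that whatever replaces security groups in that environment has to enforce.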

Changed in murano:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/334832

OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (stable/mitaka)

Reviewed: https://review.openstack.org/334832
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=b12f7c9973b6154d4f4ed13c27dd6019581c6ee6
Submitter: Jenkins
Branch: stable/mitaka

commit b12f7c9973b6154d4f4ed13c27dd6019581c6ee6
Author: Alexander Tivelkov <email address hidden>
Date: Fri Jun 17 14:51:35 2016 +0300

    Fixed inability to deploy if security groups are disabled

    Existing implementation of Neutron-based networking assumed that the
    neutron's security groups are used to manage VM accessibility.
    However there may exist environments with disabled security-group
    extension in Neutron and thus relying on something else to restrict
    the traffic. Murano could not operate in such environments since it
    always was attempting to create resources of type
    OS::Neutron::SecurityGroup and attach VMs' ports to this resource.

    This is addressed by introducing a new subclass of
    SecurityGroupManager - DummySecurityGroupManager, which actually does
    nothing but silently ignores the calls to create security rules. This
    new security manager is instantiated instead of
    NeutronSecurityGroupManager for Neutron-based networks in cases if the
    'security-group' extension is not present in Neutron's configuration.
    If it is instantiated a warning message is reported to the end-user to
    notify them that security requirements of the application were
    ignored.

    Change-Id: Ia3bc6c17f9ca0a4b8bf8c272481760a8c81b27b7
    Closes-bug: #1593253

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/murano 3.0.0.0b2

This issue was fixed in the openstack/murano 3.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/murano 2.0.2

This issue was fixed in the openstack/murano 2.0.2 release.
