Succeed to create new security group, even if security group rule quota is exceeded
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Rodolfo Alonso |
Bug Description
Description of problem:
Even if the quota for SG rules is exhausted, new security groups (with two default rules by default) can be created successfully.
How to reproduce:
```bash
# Project name and the new SG name were truncated in the original report;
# <project-name> and <name> below are placeholders.
OS_PROJECT_NAME=<project-name>
# Count the SG rules that already exist across all SGs of the project.
CREATED=`openstack security group list --project $OS_PROJECT_NAME -f json \
  | jq -r '.[] | .ID' | xargs -I {} openstack security group rule list {} -f value | wc -l`
let "CREATED +=1"
# Pick the first SG of the project as the target for the filler rules.
SG=`openstack security group list --project $OS_PROJECT_NAME -f json \
  | jq -r '.[0] | .ID'`
# Quota for SG rules (the "secgroup-rules" key was cut off in the original report).
QUOTA=`openstack quota show $OS_PROJECT_NAME -f json | jq -r '."secgroup-rules"'`
# Fill the SG rule quota with one TCP ingress rule per iteration.
for ((i=CREATED; i<=QUOTA; i++)); do
  PORT=`printf "%04d" $i`
  openstack security group rule create --ingress --protocol tcp \
    --dst-port 5$PORT:5$PORT $SG
done
# With the rule quota exhausted, creating a new SG still succeeds and adds two default rules.
openstack security group create --project $OS_PROJECT_NAME sec_<name>
```
Actual results:
The number of SG rules after the last command exceeds the maximum quota assigned for SG rules by 2.
Related bugs: https:/
Changed in neutron:
- assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
- description: updated

Changed in neutron:
- importance: Undecided → Medium
- tags: added: sg-fw
Hello:
First of all, this is happening when the SG "is_default" flag is True. Then, when a SG group is created, two new rules (ingress and egress) are created.
The problem I found was the way the quota is enforced (actually when the quota is checked). When an API call arrives, "api.v2.resource.Resource.resource" is called. In this case, the action used is "create" and it will call "api.v2.base.Controller.create" and then "api.v2.base.Controller._create". This method will check the quota for the resource being created [1].
The problem here is that when a SG rule is created, the resource checked is "security_group_rule" and the related quota is enforced. But when a new SG group is created, the resource checked is "security_group", not "security_group_rule".
We can:
- In the resource check (same as the current code), add some kind of logic to handle resources and sub resources. But in this case we don't know if the SG is going to need those two new SG rules.
- Add a quota reservation check in the plugin, when the DB registers are created. This will delay the command failure and will generate a DB rollback to delete the SG register, but will know exactly if the SG rules are needed or not.
Regards.
[1] https://github.com/openstack/neutron/blob/ac63c570a1c630ac4405e4caf3d516d069165d69/neutron/api/v2/base.py#L481-L487
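The following is an added toy model of the problem and of the second option proposed above (a rule-quota check at the point where the implied default rules are written, with a rollback on failure). It is not neutron code: the `Project`, `check_quota` and `create_security_group` names, the in-memory lists standing in for DB records, and the quota values are all constructed for this illustration.

```python
from dataclasses import dataclass, field


class QuotaExceeded(Exception):
    """Raised when a create would push a resource count past its quota."""


@dataclass
class Project:
    # resource name -> limit; a negative limit means unlimited (constructed model)
    quotas: dict
    security_groups: list = field(default_factory=list)  # stands in for SG DB records
    rules: list = field(default_factory=list)            # stands in for SG rule DB records


def count_resource(project, resource):
    if resource == "security_group":
        return len(project.security_groups)
    if resource == "security_group_rule":
        return len(project.rules)
    raise KeyError(resource)


def check_quota(project, resource, delta):
    """Check a single resource name, the way the API layer does for the
    resource named in the request."""
    limit = project.quotas.get(resource, -1)
    current = count_resource(project, resource)
    if limit >= 0 and current + delta > limit:
        raise QuotaExceeded(f"{resource}: {current} + {delta} > {limit}")


def create_rule(project, sg_name, direction, **attrs):
    """Explicit rule creation: the request names 'security_group_rule',
    so its quota is enforced."""
    check_quota(project, "security_group_rule", 1)
    rule = {"sg": sg_name, "direction": direction, **attrs}
    project.rules.append(rule)
    return rule


def create_security_group(project, name, is_default=True, enforce_rule_quota=False):
    """Create a SG. The request names 'security_group', so only that quota
    is checked up front. A default SG also writes two implied rules:
    with enforce_rule_quota=False they bypass the rule quota (the bug);
    with True each implied rule is checked where it is written and the
    whole create is rolled back if the check fails."""
    check_quota(project, "security_group", 1)
    snapshot = (list(project.security_groups), list(project.rules))
    try:
        sg = {"name": name, "is_default": is_default}
        project.security_groups.append(sg)
        if is_default:
            for direction in ("ingress", "egress"):
                if enforce_rule_quota:
                    check_quota(project, "security_group_rule", 1)
                project.rules.append({"sg": name, "direction": direction, "ethertype": "IPv4"})
        return sg
    except QuotaExceeded:
        # Simulated DB rollback: discard the SG record and any implied rules.
        project.security_groups, project.rules = snapshot
        raise


def reproduce(enforce_rule_quota):
    """Fill the rule quota, then create one more default SG.
    Returns (sg_count, rule_count, rejected)."""
    project = Project(quotas={"security_group": 10, "security_group_rule": 4})
    create_security_group(project, "default")  # 2 implied rules
    create_rule(project, "default", "ingress", protocol="tcp", port=5001)
    create_rule(project, "default", "ingress", protocol="tcp", port=5002)
    assert count_resource(project, "security_group_rule") == 4  # quota exhausted
    rejected = False
    try:
        create_security_group(project, "sec_new", enforce_rule_quota=enforce_rule_quota)
    except QuotaExceeded:
        rejected = True
    return (count_resource(project, "security_group"),
            count_resource(project, "security_group_rule"),
            rejected)


if __name__ == "__main__":
    print("API-layer check only (bug):", reproduce(False))
    print("rule check at write time with rollback:", reproduce(True))
```

With only the API-layer check the second SG is created and the project ends up two rules over quota; with the check at write time the create fails and the rollback leaves both the SG count and the rule count where they were.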