Deployment has security group with empty tenant id

Bug #1867101 reported by LIU Yulong
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

ENV: devstack, master

$ openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 2661ae74-f946-4ef9-b676-fe9be4274c1b | default | Default security group | | [] |
| 535018b5-7038-46f2-8f0e-2a6e193788aa | default | Default security group | ae05deb7a16c485986c3666b65f71c71 | [] |
| c5d1b354-9896-4e2c-aeab-67c8cd20a489 | default | Default security group | 972c01461f1b4441b8d8648691bb89ff | [] |
+--------------------------------------+---------+------------------------+----------------------------------+------+

The empty project id (tenant id) causes some mechanism_drivers, like ODL, to fail to init and to log errors.

Lajos Katona (lajos-katona) wrote :

The strange thing is that the "location" field in the security-group details contains the tenant_id/project_id:
$ openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| 08335af7-aaee-443b-aa2a-8697c13d672c | default | Default security group | 952ef8f7f01e47f184f44229baedbc8c | [] |
| 1877373e-75ed-40a6-8127-3e125866f972 | default | Default security group | aaefbfb3fd5a4fa88fda11f170027d2d | [] |
| 375dab72-112d-40cc-84e2-85a503e1990c | default | Default security group | | [] |
+--------------------------------------+---------+------------------------+----------------------------------+------+
$ openstack security group show 375dab72-112d-40cc-84e2-85a503e1990c
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
....
| location | cloud='', project.domain_id='default', project.domain_name=, project.id='aaefbfb3fd5a4fa88fda11f170027d2d', project.name='demo', region_name='RegionOne', zone= |
| name | default |
| project_id | |
| revision_number | 1 |
....
+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

After deleting all the sec-groups and listing them all, the problem disappears, and all sec-groups have tenant_id/project_id.

Bernard Cafarelli (bcafarel) wrote :

Marking confirmed as both Yulong and Lajos see it. I suppose this is only seen in devstack+networking-odl devstacks? I just restacked and my (single) security group is OK.

Changed in neutron:
status: New → Triaged
Lajos Katona (lajos-katona) wrote :

I saw it in an "odl-less" devstack, so this is something general, not related to odl or other SDN backend.

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello:

This happens when, in a fresh deployment, a router is created (for example, this is what happens during the devstack post installation phase, when the network config is initialized).

By default, there are no default security groups per project. But when a network or a port is created, the handler "_ensure_default_security_group_handler" will enforce the creation of this default SG [1].

When the GW port is assigned to a router, this port has no project_id [2]. When this port is created, the project_id (tenant_id) is "" (empty string). This empty string is then used to create the default SG in [1].

"location" is a parameter retrieved by the OSC and informs about the caller's project [3], not the object [3].

Regards.

[1] https://github.com/openstack/neutron/blob/master/neutron/db/securitygroups_db.py#L846
[2] https://github.com/openstack/neutron/blob/master/neutron/db/l3_db.py#L294
[3] http://paste.openstack.org/show/791874/

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Sorry, I didn't make a conclusion.

I think this behavior is the expected one. When created, we'll have a default SG for project "". This SG will be used for, for example, those router ports created without "project_id".

Regards.
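
An added example, not part of the bug thread or of Neutron's own code: a Python audit that flags security groups with no owning project and lists the ownerless ports (such as router gateway ports) that the comments above give as their cause. The JSON shapes (the "Project" key of `openstack security group list -f json`, the API-style port records) and the placeholder port IDs are assumptions constructed for illustration; the group IDs come from the listing in the bug description.

```python
import json

# Constructed sample shaped like `openstack security group list -f json`;
# IDs and project values are copied from the bug description's listing.
SAMPLE_GROUPS = json.loads("""[
 {"ID": "2661ae74-f946-4ef9-b676-fe9be4274c1b", "Name": "default", "Project": ""},
 {"ID": "535018b5-7038-46f2-8f0e-2a6e193788aa", "Name": "default",
  "Project": "ae05deb7a16c485986c3666b65f71c71"},
 {"ID": "c5d1b354-9896-4e2c-aeab-67c8cd20a489", "Name": "default",
  "Project": "972c01461f1b4441b8d8648691bb89ff"}
]""")

# Constructed ports in Neutron API shape; the port IDs are placeholders.
SAMPLE_PORTS = [
    {"id": "port-gw-placeholder", "project_id": "",
     "device_owner": "network:router_gateway"},
    {"id": "port-vm-placeholder",
     "project_id": "ae05deb7a16c485986c3666b65f71c71",
     "device_owner": "compute:nova"},
]


def owner_of(record):
    """Owning project of a CLI- or API-shaped record, '' when unset."""
    for key in ("Project", "project_id", "tenant_id"):
        value = record.get(key)
        if value:
            return str(value).strip()
    return ""


def audit(groups, ports):
    """Find security groups without an owner and the ports that explain them."""
    orphan_groups = [g.get("ID") or g.get("id") for g in groups if not owner_of(g)]
    ownerless_ports = [(p["id"], p.get("device_owner", ""))
                       for p in ports if not owner_of(p)]
    return {
        "orphan_groups": orphan_groups,
        "ownerless_ports": ownerless_ports,
        # An ownerless group with no ownerless port behind it does not match
        # the router-gateway explanation in the thread and needs a closer look.
        "unexplained": bool(orphan_groups) and not ownerless_ports,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_GROUPS, SAMPLE_PORTS), indent=2))
```
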

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello:

Is this bug still valid?

Regards!

Brian Haley (brian-haley) wrote :

This doesn't happen any more, might have been fixed with bug 1987410, will close. Please re-open if necessary.

Changed in neutron:
status: Triaged → Fix Released