Nova-Quantum SecurityGroup API should enforce unique group names

Bug #1161472 reported by Phil Day
This bug affects 5 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Aaron Rosen

Bug Description

The API calls create instance boot and add Instance to Security Group accept a security group name rather than an ID.

In Nova Security Group Names are constrained to be unique.

In Quantum Security Group Names are not constrained to be unique - so if two groups are created with the same name it becomes impossible to add instances to them via the Nova API.

To maintain backwards compatibility with Nova Security Groups, and to avoid issues during Instance Creation or when adding Instances to a Security Group, the NovaQuantumSecurityGroupAPI should enforce uniqueness of Group Names. This will provide consistency for users of the Nova API (it will still be possible to break this model by creating SecGroups with non-unique names in Quantum).

The longer term solution would be for the Nova API to work with SecurityGroup IDs (which are always unique) rather than Names.

Forcing Quantum (which is already using uuids for Security groups) to also impose unique names to satisfy Nova does not feel like a good fix.

Revision history for this message
Russell Bryant (russellb) wrote :

This seems like something we need to fix in the v3 API, which should be focused on using Quantum for networking.

Changed in nova:
status: New → Confirmed
importance: Undecided → Medium
Aaron Rosen (arosen) wrote :

seems to be a duplicate of https://bugs.launchpad.net/nova/+bug/1161473

I don't think this is true:

arosen@arosen-laptop:~/devstack$ quantum security-group-list
+--------------------------------------+---------+-------------+
| id                                   | name    | description |
+--------------------------------------+---------+-------------+
| 1594d578-63da-46da-b361-5f64aa14e585 | default | default     |
| 2d553576-6759-4962-b060-d6b35d6052c3 | foobar  |             |
| af8e86a4-30cd-4bc7-a4ca-aa0871c11021 | foobar  |             |
+--------------------------------------+---------+-------------+

arosen@arosen-laptop:~/devstack$ nova boot --nic net-id=e3183a93-7622-484e-8cb2-bdedf8c5fa46 --flavor 1 --image cirros-0.3.1-x86_64-uec --security_groups af8e86a4-30cd-4bc7-a4ca-aa0871c11021 myvm
+-----------------------------+------------------------------------------------------+
| Property                    | Value                                                |
+-----------------------------+------------------------------------------------------+
| status                      | BUILD                                                |
| updated                     | 2013-06-01T03:13:30Z                                 |
| OS-EXT-STS:task_state       | scheduling                                           |
| key_name                    | None                                                 |
| image                       | cirros-0.3.1-x86_64-uec                              |
| hostId                      |                                                      |
| OS-EXT-STS:vm_state         | building                                             |
| flavor                      | m1.tiny                                              |
| id                          | 67b01ba9-074f-408d-b0b7-d0220517e095                 |
| security_groups             | [{u'name': u'af8e86a4-30cd-4bc7-a4ca-aa0871c11021'}] |
| user_id                     | dc12c3721b1a42bab4f73cb38725f26d                     |
| name                        | myvm                                                 |
| adminPass                   | kEBwjHA6a9y3                                         |
| tenant_id                   | 547fbcde144f494c8f5a57f259e147dd                     |
| created                     | 2013-06-01T03:13:29Z                                 |
| OS-DCF:diskConfig           | MANUAL                                               |
| metadata                    | {}                                                   |
| accessIPv4                  |                                                      |
| accessIPv6                  |                                                      |
| progress                    | 0                                                    |
| OS-EXT-STS:power_state      | 0                                                    |
| OS-EXT-AZ:availability_zone | nova                                                 |
| config_drive                |                                                      |
+-----------------------------+------------------------------------------------------+

Changed in nova:
status: Confirmed → Incomplete
Aaron Rosen (arosen)
tags: added: network
Aaron Rosen (arosen)
Changed in nova:
status: Incomplete → Invalid
Phil Day (philip-day) wrote :

The example you used was passing in a security group ID (which will always be unique), but the create call allows either a name or an ID to be passed in. In the case of a name being used the bug is still valid.

Changed in nova:
status: Invalid → Confirmed
Aaron Rosen (arosen)
Changed in nova:
assignee: nobody → Aaron Rosen (arosen)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/34825

Changed in nova:
status: Confirmed → In Progress
Aaron Rosen (arosen)
Changed in nova:
milestone: none → havana-rc1
Changed in nova:
milestone: havana-rc1 → none
tags: added: havana-rc-potential
Thierry Carrez (ttx)
tags: added: havana-backport-potential
removed: havana-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/34825
Committed: http://github.com/openstack/nova/commit/76abe2a749a63c4234f63665ef9a7bf6dba0b5f9
Submitter: Jenkins
Branch: master

commit 76abe2a749a63c4234f63665ef9a7bf6dba0b5f9
Author: Aaron Rosen <email address hidden>
Date: Thu Sep 12 16:37:39 2013 -0700

    Raise better exception if duplicate security groups

    Previously a 500 error was raised if one was trying to launch an instance
    with a security group that shared the same name as another security group.
    With this patch a more clear error message is raised.

    Closes-bug: #1161472

    Change-Id: I285bedbb2e0b3f4cd24cfa3a9b17131ad0200afa
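The failure mode described in the bug report (a name-based lookup that becomes ambiguous once Quantum holds two groups with the same name) and the behaviour the fix commit above aims for (a clear error instead of a 500), as an added Python example. This is not code from nova or Quantum: the group list is constructed to mirror the `quantum security-group-list` output in the thread, the exception names, the `is_uuid_like` name-versus-ID rule, the `create_security_group` uniqueness check proposed by the reporter, and the HTTP status mapping are all assumptions for illustration.

```python
import uuid

# Constructed sample, mirroring the `quantum security-group-list` output in
# the bug comment: the name "foobar" is bound to two different group IDs.
SAMPLE_GROUPS = [
    {"id": "1594d578-63da-46da-b361-5f64aa14e585", "name": "default"},
    {"id": "2d553576-6759-4962-b060-d6b35d6052c3", "name": "foobar"},
    {"id": "af8e86a4-30cd-4bc7-a4ca-aa0871c11021", "name": "foobar"},
]


class SecurityGroupNotFound(Exception):
    """No group matched the name or ID the caller supplied."""


class SecurityGroupAmbiguous(Exception):
    """A name matched more than one group; the caller must pass an ID."""


class SecurityGroupExists(Exception):
    """A group with this name already exists (name uniqueness enforced)."""


def is_uuid_like(value):
    """True if `value` parses as a UUID; such references are treated as IDs."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def classify_reference(ref, groups):
    """Return ("id" | "name", [matching group IDs]) for a name-or-ID reference.

    A UUID-shaped reference is matched against IDs only, so a group whose
    *name* happens to look like a UUID cannot shadow a real ID.
    """
    if is_uuid_like(ref):
        return "id", [g["id"] for g in groups if g["id"] == ref]
    return "name", [g["id"] for g in groups if g["name"] == ref]


def resolve_security_group(ref, groups):
    """Map a name-or-ID reference to exactly one group ID, or fail clearly."""
    kind, ids = classify_reference(ref, groups)
    if not ids:
        raise SecurityGroupNotFound("security group %s %r not found" % (kind, ref))
    if len(ids) > 1:
        # The case the bug report describes: with duplicate names the API
        # cannot tell which group the caller meant. Listing the candidate IDs
        # tells the user how to disambiguate instead of surfacing a bare 500.
        raise SecurityGroupAmbiguous(
            "security group name %r matches %d groups (%s); pass an ID instead"
            % (ref, len(ids), ", ".join(ids)))
    return ids[0]


def resolve_security_groups(refs, groups):
    """Resolve every reference a boot or add-to-group request supplies."""
    return [resolve_security_group(r, groups) for r in refs]


def create_security_group(name, groups):
    """Create a group, enforcing the reporter's proposed name uniqueness.

    The check and the append operate on the same in-memory list; a real
    backend would need this to be atomic to avoid a race between two
    concurrent creates with the same name.
    """
    if any(g["name"] == name for g in groups):
        raise SecurityGroupExists("security group name %r already exists" % name)
    group = {"id": str(uuid.uuid4()), "name": name}
    groups.append(group)
    return group["id"]


def http_status_for(exc):
    """Status code a REST layer would map each failure to (assumed mapping)."""
    if isinstance(exc, SecurityGroupNotFound):
        return 404
    if isinstance(exc, SecurityGroupAmbiguous):
        return 400
    if isinstance(exc, SecurityGroupExists):
        return 409
    return 500


if __name__ == "__main__":
    groups = list(SAMPLE_GROUPS)
    print(resolve_security_groups(["default", groups[2]["id"]], groups))
    for ref in ("foobar", "nosuch"):
        try:
            resolve_security_group(ref, groups)
        except (SecurityGroupNotFound, SecurityGroupAmbiguous) as exc:
            print(http_status_for(exc), exc)
    try:
        create_security_group("foobar", groups)
    except SecurityGroupExists as exc:
        print(http_status_for(exc), exc)
```

Passing the ID (as in the `nova boot --security_groups af8e86a4-...` run in the thread) resolves even when the name is duplicated, which is why that example did not reproduce the bug; passing the name "foobar" is what the resolver must reject with an explanation rather than an unexpected exception.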

Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: none → icehouse-2
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: icehouse-2 → 2014.1