OpenStack Compute (nova)

should not add default security group to quantum unless api-request had it

Bug #1175464 reported by Aaron Rosen
142
This bug affects 25 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
High
Sahid Orentino
Liberty
Fix Released
Medium
Unassigned
Mitaka
Fix Released
High
Unassigned

Bug Description

when booting an instance nova-api automatically adds a default security group if one is not specified, though we shouldn't be doing this and instead quantum should handle be handing this. This actually causes an issue for plugins that implement the port_security_api and have port_security_enabled=False on a network.

https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/contrib/security_groups.py#L498
https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/contrib/security_groups.py#L511

Aaron Rosen (arosen)
Changed in nova:
assignee: nobody → Aaron Rosen (arosen)
Russell Bryant (russellb)
tags: added: network
Revision history for this message
Joshua Hesketh (joshua.hesketh) wrote :

Setting to in progress since assigned.

Changed in nova:
status: New → In Progress
Aaron Rosen (arosen)
Changed in nova:
status: In Progress → Triaged
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/59578

Aaron Rosen (arosen)
Changed in nova:
importance: Undecided → Medium
Revision history for this message
Bhuvan Arumugam (bhuvan) wrote :

Aaron, the below error occur when creating a server using nova or neutron+nova when port_security_enabled=False for the network.
SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.

The error don't occur with the patch https://review.openstack.org/59578. With this patch we could create a server using nova or neutron+nova with port_security_enabled=False.

* neutorn+nova: the port is created directly using neutron and port id is passed to nova to create the server.

Hopefully the patch is merged soon.

Revision history for this message
Bhuvan Arumugam (bhuvan) wrote :

Aaron, any luck with revising the patch to validate using api?
https://review.openstack.org/59578

Aaron Rosen (arosen)
tags: added: icehouse-rc-potential
Thierry Carrez (ttx)
tags: added: icehouse-backport-potential
removed: icehouse-rc-potential
Revision history for this message
Bhuvan Arumugam (bhuvan) wrote :

Aaron, FYI. With patch set 12 in https://review.openstack.org/#/c/59578/, the following unit tests fail. This is in our environment.

Traceback (most recent call last):
 File "nova/tests/network/test_neutronv2.py", line 1331, in test_validate_networks_port_no_subnet_id_psec_enabled_false
   api.validate_networks(self.context, requested_networks, 1)
 File "nova/network/neutronv2/api.py", line 664, in validate_networks
   neutron=neutron)
 File "nova/network/neutronv2/api.py", line 120, in _get_available_networks
   nets = neutron.list_networks(**search_opts).get('networks', [])
 File "<http://ci.isg.apple.com/jenkins/job/csi-nova-merge/ws/.tox/py26/lib/python2.6/site-packages/mox.py",> line 1002, in __call__
   expected_method = self._VerifyMethodCall()
 File "<http://ci.isg.apple.com/jenkins/job/csi-nova-merge/ws/.tox/py26/lib/python2.6/site-packages/mox.py",> line 1049, in _VerifyMethodCall
   expected = self._PopNextMethod()
 File "<http://ci.isg.apple.com/jenkins/job/csi-nova-merge/ws/.tox/py26/lib/python2.6/site-packages/mox.py",> line 1035, in _PopNextMethod
   raise UnexpectedMethodCallError(self, None)
UnexpectedMethodCallError: Unexpected method call Client.list_networks(id=['my_netid1']) -> None

Stephen Gordon (sgordon)
tags: added: nfv
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/99181

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Aaron Rosen (<email address hidden>) on branch: master
Review: https://review.openstack.org/99181

Brent Eagles (beagles)
tags: added: neutron
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Aaron Rosen (<email address hidden>) on branch: master
Review: https://review.openstack.org/59578

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Sean Dague (<email address hidden>) on branch: master
Review: https://review.openstack.org/59578
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
Matt Riedemann (mriedem) wrote :

Note a similar issue here: https://review.openstack.org/#/c/151184/

Oleg made a change which broke nova boot with neutron if you specified a port_id because the default security group was always added by the nova API. Not adding the default security group is the correct change, but the fix from arosen has been abandoned and not worked on.

Changed in nova:
assignee: Aaron Rosen (arosen) → nobody
Sean Dague (sdague)
Changed in nova:
status: Triaged → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/173204

Changed in nova:
assignee: nobody → Feodor Tersin (ftersin)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/200046

Maru Newby (maru)
tags: added: kilo-backport-potential
removed: icehouse-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/278369

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/284095

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Matt Riedemann (<email address hidden>) on branch: master
Review: https://review.openstack.org/173204
Reason: We're going with this fix:

https://review.openstack.org/#/c/284095/

Matt Riedemann (mriedem)
Changed in nova:
assignee: Feodor Tersin (ftersin) → sahid (sahid-ferdjaoui)
importance: Medium → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Matt Riedemann (<email address hidden>) on branch: master
Review: https://review.openstack.org/278369
Reason: This is a duplicate of https://review.openstack.org/#/c/173204/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/mitaka)

Related fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/306470

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.openstack.org/284095
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ee7a01982611cdf8012a308fa49722146c51497f
Submitter: Jenkins
Branch: master

commit ee7a01982611cdf8012a308fa49722146c51497f
Author: Sahid Orentino Ferdjaoui <email address hidden>
Date: Wed Feb 24 06:55:30 2016 -0500

    network: make nova to handle port_security_enabled=False

    In somes cases we need to have network without any security rules
    applied, unfortunatly nova does not provide way to remove l3
    assignements and always at least expose the default security group.
    This commit updates code to clear security groups applied to the
    network when option port_security_enabled=False is activated on the
    network.

    Change-Id: I630008a9733624a9d9b59b7aa3b8b2a3f8985d61
    Closes-Bug: #1460630
    Related-Bug: #1175464

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Michael Still (<email address hidden>) on branch: master
Review: https://review.openstack.org/200046
Reason: This patch has been idle for a long time, so I am abandoning it to keep the review clean sane. If you're interested in still working on this patch, then please unabandon it and upload a new patchset.

Revision history for this message
Gabriel Assis Bezerra (gabriel-bezerra) wrote :

For those interested in having the backport of this bugfix for Kilo, find it at https://github.com/gabriel-bezerra/nova/tree/kilo-bug/1175464

https://github.com/gabriel-bezerra/nova/commit/d4cf5f180728abce809326f10278dacef5b3b6c1

Best regards,
Gabriel.

Revision history for this message
Gabriel Assis Bezerra (gabriel-bezerra) wrote :

This is patch is related: https://review.openstack.org/310920

I added that to the kilo back port as well: https://github.com/gabriel-bezerra/nova/tree/kilo-bug/1175464

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/mitaka)

Reviewed: https://review.openstack.org/306470
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=84d5697c9e614c2bf299e213f5398e4ecf160400
Submitter: Jenkins
Branch: stable/mitaka

commit 84d5697c9e614c2bf299e213f5398e4ecf160400
Author: Sahid Orentino Ferdjaoui <email address hidden>
Date: Wed Feb 24 06:55:30 2016 -0500

    network: make nova to handle port_security_enabled=False

    In somes cases we need to have network without any security rules
    applied, unfortunatly nova does not provide way to remove l3
    assignements and always at least expose the default security group.
    This commit updates code to clear security groups applied to the
    network when option port_security_enabled=False is activated on the
    network.

    Change-Id: I630008a9733624a9d9b59b7aa3b8b2a3f8985d61
    Closes-Bug: #1460630
    Related-Bug: #1175464

tags: added: in-stable-mitaka
Revision history for this message
Siva Kollipara (skollipa) wrote :

On a related note, I am trying the following combinations: (where the port is allocated from that network and SG is short for '--security-group SG' )

(a) network.portsecurity=T, nova-boot-port.portsecurity=T/SG, nova-attach-port.portsecurity=F: ok

(b) network.portsecurity=T, nova-boot-port.portsecurity=F, nova-attach-port.portsecurity=T/SG: ok

(c) network.portsecurity=F, nova-boot-port.portsecurity=F (requires 306470, 310920), nova-attach-port.portsecurity=T/SG: ok

(d) network.portsecurity=F, nova-boot-port.portsecurity=T/SG: *fails* with SecurityGroupCannotBeApplied exception.

(e) network.portsecurity=F, nova-boot-net.id=network.portsecurity=F: ok

(f) network.portsecurity=F, nova-boot-net.id=network.portsecurity=F/SG: as expected fails with SecurityGroupCannotBeApplied

(g) network.portsecurity=T, nova-boot-port.portsecurity=F/SG: ok, SG was ignored for the port

This is from the function _create_ports_for_instance() at network/neutronv2/api.py:680-700:
                if port_security_enabled:
                    <snip>
                else:
                    if security_group_ids:
                        raise exception.SecurityGroupCannotBeApplied()

I am wondering if the interface-attach of a port in (c) worked fine, then why should not the bootup using (d)?

the nova-boot in (c) is similar as (e) and behaving as such.
the nova-boot in (d) is *not* similar as (f) but behaving as such.

I suppose the check should be done only if the port is not provided in the API.
                if port_security_enabled:
                    <snip>
                else:
- if security_group_ids:
+ if security_group_ids and not request.port_id:
                        raise exception.SecurityGroupCannotBeApplied()

This change specifically allows (d) to succeed without impacting (f) or anything else.

Comments? Acceptable?

Revision history for this message
Siva Kollipara (skollipa) wrote :

adding the prior diff as an attachment

Revision history for this message
Sean Dague (sdague) wrote :

Fixed in https://review.openstack.org/#/c/306470/

Changed in nova:
status: In Progress → Fix Released
Revision history for this message
Matt Riedemann (mriedem) wrote :

This was fixed in https://review.openstack.org/#/q/I630008a9733624a9d9b59b7aa3b8b2a3f8985d61,n,z

Revision history for this message
Matt Riedemann (mriedem) wrote :

If there are new issues let's open a new bug for this.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.