attach quantum security group to an existing vm failed

Bug #1189059 reported by daniels
This bug affects 2 people

Affects                   Status        Importance  Assigned to   Milestone
OpenStack Compute (nova)  Fix Released  Medium      Aaron Rosen
  Grizzly                 Fix Released  Medium      Aaron Rosen

Bug Description

I set the following in nova.conf:

security_group_api=quantum
firewall_driver=nova.virt.firewall.NoopFirewallDriver

It works, but when I try to attach a security group to an existing VM, the API throws an error:

"Network requires port_security_enabled and subnet associated in order to apply security groups."

We are not using NVP in our environment yet.

My VM is booted with a subnet_id specified.

How to reproduce this bug:

1. Enable the quantum security group API by adding the following two lines to nova.conf:

security_group_api=quantum
firewall_driver=nova.virt.firewall.NoopFirewallDriver

2. Boot a VM.

3. Attach a security group to the VM:

nova add-secgroup 24891d97-8d0e-4e99-9537-c8f8291913d0 d11

24891d97-8d0e-4e99-9537-c8f8291913d0 is my VM id.
d11 is my security group name.

Error message returned:

ERROR: Network requires port_security_enabled and subnet associated in order to apply security groups. (HTTP 400) (Request-ID: req-94cb2d54-858b-4843-af53-b373c88bcdc0)

Tags: network
Revision history for this message
daniels (danxcai) wrote :

Aaron, I tried your patch below:

--- a/nova/network/security_group/quantum_driver.py
+++ b/nova/network/security_group/quantum_driver.py
@@ -340,8 +340,9 @@ class SecurityGroupAPI(security_group_base.SecurityGroupBase):
         has_ip = port.get('fixed_ips')
         if port_security_enabled and has_ip:
             return True
- else:
- return False
+ elif 'port_security_enabled' not in port and has_ip:
+ return True
+ return False

     @wrap_check_security_groups_policy
     def add_to_instance(self, context, instance, security_group_name):
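Review bot: the new elif only accepts a port when the key port_security_enabled is entirely absent from the port dict, so a plugin that returns the key with a None value still falls through to return False; the pdb output below (p port.get('port_security_enabled') printing None) cannot distinguish the two cases, whereas p 'port_security_enabled' in port would. Consider a comment on the elif stating the assumption it encodes (a missing key means the plugin does not run the port_security extension, so security groups apply) so a reader does not mistake it for a permissive default. Separately, as pasted the - and + lines have lost their indentation relative to the context lines, so this hunk will not apply cleanly.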

However, it still doesn't work.

Here is my debug info after applying your patch; it may help you to debug.

(Pdb) p port
{u'status': u'ACTIVE', u'name': u'', u'admin_state_up': True, u'network_id': u'5332f0f7-3156-4961-aa67-0b8507265fa5', u'tenant_id': u'b082fcb819db4104bb6d3dc18bcc4f17', u'device_owner': u'compute:None', u'mac_address': u'fa:16:3e:6d:e9:94', u'fixed_ips': [{u'subnet_id': u'83afd693-7e36-41e9-b896-9d8b0d89d255', u'ip_address': u'192.168.6.100'}], u'id': u'9f20fb74-9adb-4563-9c08-5bf8aa3932ec', u'security_groups': [u'0acc8258-bd9f-4f87-b051-a94dbc1504eb'], u'device_id': u'24891d97-8d0e-4e99-9537-c8f8291913d0'}
(Pdb) n
> /usr/lib/python2.7/dist-packages/nova/network/security_group/quantum_driver.py(322)_has_security_group_requirements()
-> has_ip = port.get('fixed_ips')
(Pdb) l
317
318 def _has_security_group_requirements(self, port):
319 import pdb
320 pdb.set_trace()
321 port_security_enabled = port.get('port_security_enabled')
322 -> has_ip = port.get('fixed_ips')
323 if port_security_enabled and has_ip:
324 return True
325 elif 'port_security_enabled' not in port and has_ip:
326 return True
327 return False
(Pdb) p port_security_enabled
None
(Pdb) p port.get('port_security_enabled')
None

Revision history for this message
daniels (danxcai) wrote :

And thanks for your workaround, I will test it.

quantum port-update dc9551ff-09cf-4a23-a478-5ec25c362770 --security_groups list=true 552a8cdc-4a3e-4d6f-86d7-a444e1e187e1 a7ff9ccd-dcc6-4d2a-8006-17d14f5a3a47

Aaron Rosen (arosen)
no longer affects: quantum
Changed in nova:
assignee: nobody → Aaron Rosen (arosen)
tags: added: grizzly-backport-potential network
Revision history for this message
daniels (danxcai) wrote :

Here is the test result.

The following command will replace the original security group:

quantum port-update 9f20fb74-9adb-4563-9c08-5bf8aa3932ec --security_groups list=true 5902febc-e793-4b09-8073-567226d83d79

If you need the same function as nova add-secgroup,
the original security group id should be specified explicitly:

quantum port-update 9f20fb74-9adb-4563-9c08-5bf8aa3932ec --security_groups list=true 6e2031f0-7dad-4fa4-b58c-e5d9bffba237 0acc8258-bd9f-4f87-b051-a94dbc1504eb
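The replace-versus-add distinction from the test result above, as an added example that is not part of the bug thread: a preflight that builds the full list `quantum port-update --security_groups list=true` needs for an additive update, and reports which groups a bare replace would silently drop. The port id and group ids are the ones posted in the thread, used here as sample data; the function names are my own.

```python
# Added example (not nova or quantum code): `port-update --security_groups
# list=true ...` replaces the port's whole list, so reproducing
# `nova add-secgroup` means resending the existing ids plus the new one.

# Sample port built from the ids the reporter posted.
EXISTING_PORT = {
    'id': '9f20fb74-9adb-4563-9c08-5bf8aa3932ec',
    'security_groups': ['0acc8258-bd9f-4f87-b051-a94dbc1504eb'],
}


def secgroups_for_add(port, new_sg_id):
    """Full list to send so the update is additive: existing groups
    first, the new one appended, no duplicates."""
    groups = list(port.get('security_groups', []))
    if new_sg_id not in groups:
        groups.append(new_sg_id)
    return groups


def groups_dropped_by_update(port, requested):
    """Groups currently on the port that a replace-style update with
    `requested` would remove. Run this before issuing the update."""
    return [g for g in port.get('security_groups', []) if g not in requested]


def port_update_argv(port, groups):
    """argv for the CLI form used in the thread."""
    return (['quantum', 'port-update', port['id'],
             '--security_groups', 'list=true'] + list(groups))


if __name__ == '__main__':
    new_sg = '6e2031f0-7dad-4fa4-b58c-e5d9bffba237'
    replace_only = ['5902febc-e793-4b09-8073-567226d83d79']
    print('replace would drop:', groups_dropped_by_update(EXISTING_PORT, replace_only))
    print(' '.join(port_update_argv(EXISTING_PORT,
                                    secgroups_for_add(EXISTING_PORT, new_sg))))
```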

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/32288

Changed in nova:
status: New → In Progress
Revision history for this message
Aaron Rosen (arosen) wrote :

That patch should fix the issue. In your pdb output:

(Pdb) p port
{u'status': u'ACTIVE', u'name': u'', u'admin_state_up': True, u'network_id': u'5332f0f7-3156-4961-aa67-0b8507265fa5', u'tenant_id': u'b082fcb819db4104bb6d3dc18bcc4f17', u'device_owner': u'compute:None', u'mac_address': u'fa:16:3e:6d:e9:94', u'fixed_ips': [{u'subnet_id': u'83afd693-7e36-41e9-b896-9d8b0d89d255', u'ip_address': u'192.168.6.100'}], u'id': u'9f20fb74-9adb-4563-9c08-5bf8aa3932ec', u'security_groups': [u'0acc8258-bd9f-4f87-b051-a94dbc1504eb'], u'device_id': u'24891d97-8d0e-4e99-9537-c8f8291913d0'}

So it should return True via this:
325 elif 'port_security_enabled' not in port and has_ip:
326 return True
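The cases Aaron's check has to tell apart, as an added example that is not nova's code: the pre-patch and patched forms of `_has_security_group_requirements` run against the port dict from the pdb output above (trimmed to the relevant keys and used as sample data) and against constructed variants where a plugin that does run the port_security extension reports the key explicitly.

```python
# Added example (not nova's code): pre-fix and patched forms of the
# eligibility check, exercised against the reporter's port plus
# constructed variants. The fix keys on the *absence* of
# port_security_enabled, not on its value being falsy.

# Trimmed from the pdb dump in the thread; the plugin in use does not
# run the port_security extension, so the key is simply missing.
PORT_WITHOUT_EXTENSION = {
    u'status': u'ACTIVE',
    u'network_id': u'5332f0f7-3156-4961-aa67-0b8507265fa5',
    u'fixed_ips': [{u'subnet_id': u'83afd693-7e36-41e9-b896-9d8b0d89d255',
                    u'ip_address': u'192.168.6.100'}],
    u'id': u'9f20fb74-9adb-4563-9c08-5bf8aa3932ec',
    u'security_groups': [u'0acc8258-bd9f-4f87-b051-a94dbc1504eb'],
}


def has_requirements_before_fix(port):
    """Pre-patch logic: eligible only when the plugin reports
    port_security_enabled truthy AND the port has a fixed IP."""
    port_security_enabled = port.get('port_security_enabled')
    has_ip = port.get('fixed_ips')
    if port_security_enabled and has_ip:
        return True
    return False


def has_requirements_after_fix(port):
    """Patched logic: a missing key means no port_security extension,
    so a port with a fixed IP is eligible. An explicit False (extension
    present, feature off) is still rejected, and so is an explicit None,
    because the test is on key presence, not on the value."""
    port_security_enabled = port.get('port_security_enabled')
    has_ip = port.get('fixed_ips')
    if port_security_enabled and has_ip:
        return True
    elif 'port_security_enabled' not in port and has_ip:
        return True
    return False


def with_extension(port, value):
    """Constructed variant: the same port as returned by a plugin that
    runs the port_security extension and reports `value` for it."""
    p = dict(port)
    p['port_security_enabled'] = value
    return p
```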

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/32288
Committed: http://github.com/openstack/nova/commit/eddab7ba0e45c47fa8503b29484ce296f46c0d27
Submitter: Jenkins
Branch: master

commit eddab7ba0e45c47fa8503b29484ce296f46c0d27
Author: Aaron Rosen <email address hidden>
Date: Sat Jun 8 19:58:58 2013 -0700

    Fix assumed port has port_security_enabled

    Previously if adding a security group to an instance it would fail
    if the port did not contain port_security_enabled=True. This patch
    also changes the unit tests so that networks by default are not
    associated with port_security_enabled=True because this is only true
    if a plugin is running the port_security extension.

    Fixes bug 1189059

    Change-Id: Ieebb7aafba01c18164b86a01a3c289a6957321e4

Changed in nova:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/32679

Revision history for this message
Jordan Pittier (jordan-pittier) wrote :

As a side effect this patch makes the Tempest test tempest.api.compute.security_groups.test_security_groups:SecurityGroupsTestJSON.test_server_security_groups work in a *Quantum* environment. Without the patch the test was failing with this message:

tempest.common.rest_client: INFO: Request: POST http://10.1.59.157:8774/v2/e7c02428179546dfb289975b0736a3b5/servers/91664b60-c95d-4d29-a828-e318fae6ef5a/action
tempest.common.rest_client: DEBUG: Request Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<Token omitted>'}
tempest.common.rest_client: DEBUG: Request Body: {"addSecurityGroup": {"name": "sg167766569"}}
tempest.common.rest_client: INFO: Response Status: 400
tempest.common.rest_client: DEBUG: Response Headers: {'date': 'Wed, 12 Jun 2013 10:10:13 GMT', 'content-length': '139', 'content-type': 'application/json; charset=UTF-8', 'x-compute-request-id': 'req-057d0509-7429-4a77-b0b6-f321638bb312'}
tempest.common.rest_client: DEBUG: Response Body: {"badRequest": {"message": "Network requires port_security_enabled and subnet associated in order to apply security groups.", "code": 400}}

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/grizzly)

Reviewed: https://review.openstack.org/32679
Committed: http://github.com/openstack/nova/commit/61fc52948f26656c4bec4a09ee3daa16153f991b
Submitter: Jenkins
Branch: stable/grizzly

commit 61fc52948f26656c4bec4a09ee3daa16153f991b
Author: Aaron Rosen <email address hidden>
Date: Sat Jun 8 19:58:58 2013 -0700

    Fix assumed port has port_security_enabled

    Previously if adding a security group to an instance it would fail
    if the port did not contain port_security_enabled=True. This patch
    also changes the unit tests so that networks by default are not
    associated with port_security_enabled=True because this is only true
    if a plugin is running the port_security extension.

    Fixes bug 1189059

    Change-Id: Ieebb7aafba01c18164b86a01a3c289a6957321e4
    (cherry picked from commit eddab7ba0e45c47fa8503b29484ce296f46c0d27)

tags: added: in-stable-grizzly
Thierry Carrez (ttx)
Changed in nova:
milestone: none → havana-2
status: Fix Committed → Fix Released
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential in-stable-grizzly
Changed in nova:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in nova:
milestone: havana-2 → 2013.2