When creating Neutron Security Group Rules with a Protocol other than TCP/UDP/ICMP, breaks nova secgroup-* calls

Bug #1294346 reported by Kevin Jackson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | High | Aaron Rosen |
Havana | Fix Released | Undecided | Unassigned |

Bug Description

With the following set in /etc/nova/nova.conf:

security_group_api=neutron

You can view security groups and rules that have been created in Neutron with nova secgroup-* commands.

If you create a Neutron Security Group rule with a different protocol though, nova secgroup-* calls fail with a 500 and a lot of stack trace in /var/log/nova/nova-api-os-compute.log:

<snip>
014-03-18 20:23:46.599 25278 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/compute/contrib/security_groups.py", line 215, in _format_security_group_rule
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack sg_rule['from_port'] = rule['from_port']
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack KeyError: 'from_port'
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack
2014-03-18 20:23:46.600 25278 INFO nova.api.openstack [req-507402d7-788e-413a-a005-b852e1b7efa2 3d0524290859416f886f49a2973ab616 1be2c0f9589d4822856a9ac2e16f0406] http://10.240.0.100:8774/v2/1be2c0f9589d4822856a9ac2e16f0406/os-security-groups returned with HTTP 500
2014-03-18 20:23:46.601 25278 INFO nova.osapi_compute.wsgi.server [req-507402d7-788e-413a-a005-b852e1b7efa2 3d0524290859416f886f49a2973ab616 1be2c0f9589d4822856a9ac2e16f0406] 10.240.0.100 "GET /v2/1be2c0f9589d4822856a9ac2e16f0406/os-security-groups HTTP/1.1" status: 500 len: 335 time: 0.0474379

To recreate:

# Test nova secgroup-list works

nova secgroup-list
+--------------------------------------+-------------+-------------+
| Id | Name | Description |
+--------------------------------------+-------------+-------------+
| ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 | default | default |
+--------------------------------------+-------------+-------------+

# Add rule with a different protocol

neutron security-group-rule-create --direction ingress --protocol 50 --remote-ip-prefix 0.0.0.0/0 ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | d98e83cf-2aab-4eec-89ed-f9aa4d00d57b |
| port_range_max | |
| port_range_min | |
| protocol | 50 |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 |
| tenant_id | 1be2c0f9589d4822856a9ac2e16f0406 |
+-------------------+--------------------------------------+

# Test
neutron security-group-list # works
nova secgroup-list # now errors

# Delete rule

neutron security-group-rule-delete d98e83cf-2aab-4eec-89ed-f9aa4d00d57b
Deleted security_group_rule: d98e83cf-2aab-4eec-89ed-f9aa4d00d57b

# Test nova again

nova secgroup-list
+--------------------------------------+-------------+-------------+
| Id | Name | Description |
+--------------------------------------+-------------+-------------+
| ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 | default | default |
+--------------------------------------+-------------+-------------+

Aaron Rosen (arosen)
tags: added: network
Changed in nova:
assignee: nobody → Aaron Rosen (arosen)
importance: Undecided → High
status: New → Confirmed
Aaron Rosen (arosen)
tags: added: havana-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/81432

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/81432
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3ad414597043979b8d73c17c05e666cff33a9b88
Submitter: Jenkins
Branch: master

commit 3ad414597043979b8d73c17c05e666cff33a9b88
Author: Aaron Rosen <email address hidden>
Date: Tue Mar 18 21:14:35 2014 -0700

    Fix KeyError if neutron security group is not TCP/UDP/ICMP and no ports

    Previously, if a neutron security group rule was created that was not
    TCP/UDP/ICMP and did not contain a port_range_min/max retrieving it from
    nova-api would result in a KeyError in nova-api. This patch resolves
    this issue.

    Change-Id: I6284a7a8690aec9509b63f7cbd18812e09ef3fdd
    Closes-bug: #1294346
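
The failure mode described in this report and commit message, as an added Python example (not nova's code and not the merged fix): a converter that omits from_port/to_port for a portless protocol-50 rule, a formatter that indexes those keys directly, and a converter that always emits them. The function names, the sample TCP rule and the -1 "no port" value are assumptions.

```python
# Added illustration; function names and the -1 sentinel are assumptions,
# not nova's actual code or the merged fix.
PORT_PROTOCOLS = {"tcp", "udp", "icmp"}

# Constructed Neutron rules: one TCP rule, plus the protocol-50 rule from the report.
NEUTRON_RULES = [
    {"id": "rule-tcp-22", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22},
    {"id": "d98e83cf-2aab-4eec-89ed-f9aa4d00d57b", "protocol": "50",
     "port_range_min": None, "port_range_max": None},
]

def convert_fragile(rule):
    """Sets port keys only when ports exist or the protocol is TCP/UDP/ICMP."""
    out = {"id": rule["id"], "protocol": rule.get("protocol")}
    if rule.get("port_range_min") is not None:
        out["from_port"] = rule["port_range_min"]
        out["to_port"] = rule["port_range_max"]
    elif str(out["protocol"]).lower() in PORT_PROTOCOLS:
        out["from_port"] = out["to_port"] = -1
    return out  # protocol 50 without ports: no from_port/to_port keys at all

def convert_hardened(rule):
    """Always emits both port keys, so the formatter's contract holds."""
    out = {"id": rule["id"], "protocol": rule.get("protocol")}
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    out["from_port"] = -1 if lo is None else lo
    out["to_port"] = -1 if hi is None else hi
    return out

def format_rule(rule):
    """Direct indexing, like the line in the traceback."""
    return {"id": rule["id"], "ip_protocol": rule["protocol"],
            "from_port": rule["from_port"], "to_port": rule["to_port"]}

def list_rules(convert, rules=NEUTRON_RULES):
    """Returns (status, body); an unhandled KeyError becomes a 500 for the whole list."""
    try:
        return 200, [format_rule(convert(r)) for r in rules]
    except KeyError as exc:
        return 500, "KeyError: %s" % exc

if __name__ == "__main__":
    print(list_rules(convert_fragile))
    print(list_rules(convert_hardened))
```

With the fragile converter, the single portless rule fails the whole listing, including the valid TCP rule, which matches the behaviour in the report where `nova secgroup-list` errors until the rule is deleted.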

Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: none → icehouse-rc1
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: icehouse-rc1 → 2014.1
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to nova (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/91228

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/havana)

Reviewed: https://review.openstack.org/91228
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a3a955507d9d4b3e2688847fe45f88a26be3e8cc
Submitter: Jenkins
Branch: stable/havana

commit a3a955507d9d4b3e2688847fe45f88a26be3e8cc
Author: Aaron Rosen <email address hidden>
Date: Tue Mar 18 21:14:35 2014 -0700

    Fix KeyError if neutron security group is not TCP/UDP/ICMP and no ports

    Previously, if a neutron security group rule was created that was not
    TCP/UDP/ICMP and did not contain a port_range_min/max retrieving it from
    nova-api would result in a KeyError in nova-api. This patch resolves
    this issue.

    Change-Id: I6284a7a8690aec9509b63f7cbd18812e09ef3fdd
    Closes-bug: #1294346
    (cherry picked from commit 3ad414597043979b8d73c17c05e666cff33a9b88)

tags: added: in-stable-havana