default security groups listing doesn't work when neutron is managing security groups

Bug #1326958 reported by Matt Fischer
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Aaron Rosen

Bug Description

Neutron does not seem to implement the default security groups calls, so when neutron is managing security groups, nova tries to pass the call off to it (I think) and fails. I think this bug is really against neutron and nova, but I'm not sure where to start. I'm not sure if anyone else is trying to use this call or not and maybe it should just be dropped. The API doesn't support it and the docs on it are wrong.

http://docs.openstack.org/api/openstack-compute/2/content/ext-os-security-group-default-rules.html (note that the example URLs in that doc are missing the word "default")

curl -i 'http://1.2.3.4:8774/v2/f5ad8f41cd8540ca83b6998b83bf9bba/os-security-group-default-rules' -X GET -H "X-Auth-Project-Id: admin" -H "Accept: application/json" -H "X-Auth-Token: 487b898af056401b806786623e3c2656"

2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack Traceback (most recent call last):
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/__init__.py", line 125, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return req.get_response(self.application)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1320, in send
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack application, catch_exc_info=False)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1284, in call_application
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack app_iter = application(self.environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 582, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return self.app(env, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/routes/middleware.py", line 131, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack response = self.app(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 130, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack resp = self.call_func(req, *args, **self.kwargs)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 195, in call_func
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return self.func(req, *args, **kwargs)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 917, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack content_type, body, accept)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 983, in _process_stack
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack action_result = self.dispatch(meth, request, action_args)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 1070, in dispatch
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return method(req=request, **action_args)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/compute/contrib/security_group_default_rules.py", line 181, in index
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack for rule in self.security_group_api.get_all_default_rules(context):
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack AttributeError: 'NativeNeutronSecurityGroupAPI' object has no attribute 'get_all_default_rules'

Matt Fischer (mfisch)
description: updated
Morgan Fainberg (mdrnstm) wrote :

The default security group rules was a way to automatically populate the "default" security group that was created automatically when a project was created (usually on the first request for a security group for that project).

This is useful for deployments where all projects should start with a specific set of security group rules.

Should Neutron continue this pattern forward? I'm not sure.

The way I see it there are 2 ways to approach this:

1. Neutron does not implement the default security group logic, Nova stops supporting this feature and doesn't pass the requests on for Neutron
2. Neutron implements the same concept as a 'Default' security group that is pre-populated with some rules

This appears to be a bug against Neutron if anything.

Matt Fischer (mfisch) wrote :

This is a useful feature for us as an operator, so I'd like to see option 2. I've added Neutron as an affected project. Depending on how the discussion goes we can remove Nova as affected.

Aaron Rosen (arosen)
no longer affects: neutron
Changed in nova:
status: New → Confirmed
Aaron Rosen (arosen)
tags: added: network
Aaron Rosen (arosen) wrote :

Is there no nova CLI support for this command?

Matt Fischer (mfisch) wrote :

No, there is not. I'm working on adding it to the API and will file the lack of CLI support as a later bug.

Matt Fischer (mfisch) wrote :
Aaron Rosen (arosen) wrote :

Thanks, do you also have a nova.conf that enabled this? I tried adding:
enabled_apis = ec2,osapi_compute,metadata,os-security-group-default-rules

but now I'm getting an error about /etc/nova/api-paste.ini

Aaron Rosen (arosen)
Changed in nova:
assignee: nobody → Aaron Rosen (arosen)
importance: Undecided → Medium
Aaron Rosen (arosen)
tags: added: icehouse-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/99450

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/99450
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=def40cfd88dd1f64559b0328a886c507cd310027
Submitter: Jenkins
Branch: master

commit def40cfd88dd1f64559b0328a886c507cd310027
Author: Aaron Rosen <email address hidden>
Date: Wed Jun 11 11:46:47 2014 -0700

    Raise NotImplemented default-security-group-rule api with neutron

    Neutron currently does not implement the nova extension
    default-security-group-rule which allows an admin to set which rules are in
    the default security group when a tenant is onboarded. Implementing this
    type of functionality should be done in neutron directly as proxying the
    api calls to do this from nova is not possible as neutron creates the
    default security group itself. Previously, if one tried to use this api
    with neutron a 500 error was raised, now a 501 error is raised.

    Change-Id: I6d1bb1c9c2d79278a85b96aea800b4b1f3489225
    Closes-bug: 1326958

Changed in nova:
status: In Progress → Fix Committed
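
Added example (not nova's code, and not part of any comment in this thread): a minimal Python sketch of the behaviour change the commit message describes, where a backend that lacks `get_all_default_rules` surfaces as a 500 while an explicit NotImplementedError maps to a 501. All class and function names other than `get_all_default_rules` are hypothetical, and the sample rule is constructed.

```python
# Added illustration; names are hypothetical and this is not nova's source.


class SecurityGroupBackend:
    """Interface a backend must satisfy for the default-rules extension."""

    def get_all_default_rules(self, context):
        # Explicit refusal instead of a missing attribute.
        raise NotImplementedError("default rules not supported by this backend")


class NovaNetworkBackend(SecurityGroupBackend):
    """Backend that stores default rules itself (constructed sample data)."""

    def __init__(self):
        self._rules = [{"ip_protocol": "tcp", "from_port": 22,
                        "to_port": 22, "cidr": "10.0.0.0/8"}]

    def get_all_default_rules(self, context):
        return list(self._rules)


class NeutronBackendBefore:
    """Pre-fix shape: the method is simply absent, as in the traceback."""


class NeutronBackendAfter(SecurityGroupBackend):
    """Post-fix shape: inherits the explicit NotImplementedError."""


def index(backend, context=None):
    """Toy controller: returns (http_status, body) for a GET on the extension."""
    try:
        rules = backend.get_all_default_rules(context)
    except NotImplementedError as exc:
        # Deliberate refusal: the caller learns the feature is unavailable,
        # so nobody assumes a default-rule baseline is being applied.
        return 501, {"error": str(exc)}
    except Exception as exc:  # stands in for the WSGI layer's catch-all
        # Unhandled fault: looks the same as any other server failure.
        return 500, {"error": type(exc).__name__}
    return 200, {"security_group_default_rules": rules}


if __name__ == "__main__":
    for backend in (NovaNetworkBackend(), NeutronBackendBefore(),
                    NeutronBackendAfter()):
        print(type(backend).__name__, index(backend))
```
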
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/109764

Brent Eagles (beagles)
tags: added: neutron
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/icehouse)

Change abandoned by Aaron Rosen (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/109764

Thierry Carrez (ttx)
Changed in nova:
milestone: none → juno-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-3 → 2014.2