OpenStack Compute (nova)

default security groups listing doesn't work when neutron is managing security groups

Bug #1326958 reported by Matt Fischer on 2014-06-05

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Medium	Aaron Rosen	OpenStack Compute (nova) 2014.2 "juno"

Bug Description

Neutron does not seem to implement the default security groups calls, so when neutron is managing security groups, nova tries to pass the call off to it (I think) and fails. I think this bug is really against neutron and nova, but I'm not sure where to start. I'm not sure if anyone else is trying to use this call or not and maybe it should just be dropped. The API doesn't support it and the docs on it are wrong.

http://docs.openstack.org/api/openstack-compute/2/content/ext-os-security-group-default-rules.html (note that the example URLs in that doc are missing the word "default")

curl -i 'http://1.2.3.4:8774/v2/f5ad8f41cd8540ca83b6998b83bf9bba/os-security-group-default-rules' -X GET -H "X-Auth-Project-Id: admin" -H "Accept: application/json" -H "X-Auth-Token: 487b898af056401b806786623e3c2656"

2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack Traceback (most recent call last):
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/__init__.py", line 125, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return req.get_response(self.application)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1320, in send
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack application, catch_exc_info=False)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1284, in call_application
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack app_iter = application(self.environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 582, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return self.app(env, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/routes/middleware.py", line 131, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack response = self.app(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return resp(environ, start_response)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 130, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack resp = self.call_func(req, *args, **self.kwargs)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 195, in call_func
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return self.func(req, *args, **kwargs)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 917, in __call__
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack content_type, body, accept)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 983, in _process_stack
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack action_result = self.dispatch(meth, request, action_args)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 1070, in dispatch
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack return method(req=request, **action_args)
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/compute/contrib/security_group_default_rules.py", line 181, in index
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack for rule in self.security_group_api.get_all_default_rules(context):
2014-06-05 20:31:24.643 9148 TRACE nova.api.openstack AttributeError: 'NativeNeutronSecurityGroupAPI' object has no attribute 'get_all_default_rules'

See original description

Tags:

Matt Fischer (mfisch) on 2014-06-05

description:

updated

Revision history for this message

Morgan Fainberg (mdrnstm) wrote on 2014-06-06:

The default security group rules was a way to automatically populate the "default" security group that was created automatically when a project was created (usually on the first request for a security group for that project).

This is useful for deployments where all projects should start with a specific set of security group rules.

Should Neutron continue this pattern forward? I'm not sure.

The way I see it there are 2 ways to approach this:

1. Neutron does not implement the default security gorup logic, Nova stops supporting this feature and doesn't pass the requests on for Neutron
2. Neutron implements the same concept as a 'Default' security group that is pre-populated with some rules

This appears to be a bug against Neutron if anything.

Revision history for this message

Matt Fischer (mfisch) wrote on 2014-06-06:

This is a useful feature for us as an operator, so I'd like to see option 2. I've added Neutron as an affected project. Depending on how the discussion goes we can remove Nova as affected.

Aaron Rosen (arosen) on 2014-06-06

no longer affects:	neutron
Changed in nova:
status:	New → Confirmed

Aaron Rosen (arosen) on 2014-06-06

tags:

added: network

Revision history for this message

Aaron Rosen (arosen) wrote on 2014-06-11:

is there no nova cli support for this command?

Revision history for this message

Matt Fischer (mfisch) wrote on 2014-06-11:

No, there is not. I'm working on adding it to the API and will file the lack of CLI support as a later bug.

Revision history for this message

Matt Fischer (mfisch) wrote on 2014-06-11:

arosen: https://bugs.launchpad.net/python-novaclient/+bug/1328992

Revision history for this message

Aaron Rosen (arosen) wrote on 2014-06-11:

Thanks, do you also have a nova.conf that enabled this? I tried added:
enabled_apis = ec2,osapi_compute,metadata,os-security-group-default-rules

but now i'm getting an error about /etc/nova/api-paste.ini

Aaron Rosen (arosen) on 2014-06-11

Changed in nova:
assignee:	nobody → Aaron Rosen (arosen)
importance:	Undecided → Medium

Aaron Rosen (arosen) on 2014-06-11

tags:

added: icehouse-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-11: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/99450

Changed in nova:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-24: Fix merged to nova (master)

Reviewed: https://review.openstack.org/99450
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=def40cfd88dd1f64559b0328a886c507cd310027
Submitter: Jenkins
Branch: master

commit def40cfd88dd1f64559b0328a886c507cd310027
Author: Aaron Rosen <email address hidden>
Date: Wed Jun 11 11:46:47 2014 -0700

Raise NotImplemented default-security-group-rule api with neutron

    Neutron currently does not implement the nova extension
    default-security-group-rule which allows an admin to set which rules are in
    the default security group when a tenant is onboarded. Implementing this
    type of functionality should be done in neutron directly as proxying the
    api calls to do this from nova is not possible as neutron creates the
    default security group itself. Previously, if one tried to use this api
    with neutron a 500 error was raised, now a 501 error is raised.

Change-Id: I6d1bb1c9c2d79278a85b96aea800b4b1f3489225
Closes-bug: 1326958

Changed in nova:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-25: Fix proposed to nova (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/109764

Brent Eagles (beagles) on 2014-08-11

tags:

added: neutron

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-22: Change abandoned on nova (stable/icehouse)

#10

Change abandoned by Aaron Rosen (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/109764

Thierry Carrez (ttx) on 2014-09-05

Changed in nova:
milestone:	none → juno-3
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in nova:
milestone:	juno-3 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.