neutron port security-group not properly updated on nova interface-attach

Bug #1406431 reported by Siva Kollipara
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

With the reference implementation, there exists a problem when using 'nova-interface-attach' using 'net-id' parameter. The neutron port created for this operation does not inherit the instance's security-groups, but instead uses just the 'default' security-group.

Steps to recreate:

[root@osnode2 ~(keystone_admin)]# neutron net-list
+--------------------------------------+---------+-----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+---------+-----------------------------------------------------+
| e98cdc79-f385-498e-be99-5bf879f26741 | datanw | 42d6b5a9-b415-41db-911e-89956df77852 192.168.0.0/24 |
| 2b9cc6e2-e50d-494b-87cd-0520013f9cdb | public2 | 6987510e-495b-4d45-bba2-327f362a04a4 10.10.0.0/21 |
+--------------------------------------+---------+-----------------------------------------------------+

[root@osnode2 ~(keystone_admin)]# neutron security-group-list
+--------------------------------------+-----------+-------------+
| id | name | description |
+--------------------------------------+-----------+-------------+
| 66a6bae9-2249-42f0-9c8e-fa058224adff | default | default |
| 85ee063b-f688-45ad-b35c-a2f102943d32 | custom_sg | custom_sg |
+--------------------------------------+-----------+-------------+

[root@osnode2 ~(keystone_admin)]# nova boot --flavor m1.tiny --image cirros --nic net-id=2b9cc6e2-e50d-494b-87cd-0520013f9cdb cirros_vm --security_groups custom_sg

[root@osnode2 ~(keystone_admin)]# nova show cirros_vm
+--------------------------------------+----------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | osnode2 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | osnode2 |
| OS-EXT-SRV-ATTR:instance_name | instance-000000c5 |
| OS-EXT-STS:power_state | 1 |
| OS-EXT-STS:task_state | - |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2014-12-25T01:57:02.000000 |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| config_drive | |
| created | 2014-12-25T01:56:51Z |
| flavor | m1.tiny (1) |
| hostId | 5b3db263e5f581e1e5141018ab5f81f1ab313bbd9514f9e64ee6d3d9 |
| id | d6221cd5-1e02-4759-9412-1f238b511667 |
| image | cirros (58dcb5ba-2882-4069-9f9a-be671f8f11c6) |
| key_name | - |
| metadata | {} |
| name | cirros_vm |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| public2 network | 10.10.5.136 |
| security_groups | custom_sg |
| status | ACTIVE |
| tenant_id | f32c4fd3c6524d1da40762071934b583 |
| updated | 2014-12-25T01:57:02Z |
| user_id | 4ded56cb1d504a828a3bef0c74ea6d1d |
+--------------------------------------+----------------------------------------------------------+

[root@osnode2 ~(keystone_admin)]# neutron port-list
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 39cd7f64-c7a7-45ad-9f98-c9da43672227 | | fa:16:3e:72:04:dc | {"subnet_id": "6987510e-495b-4d45-bba2-327f362a04a4", "ip_address": "10.10.5.136"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+

[root@osnode2 ~(keystone_admin)]# nova interface-attach --net-id e98cdc79-f385-498e-be99-5bf879f26741 cirros_vm

[root@osnode2 ~(keystone_admin)]# neutron port-list
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 39cd7f64-c7a7-45ad-9f98-c9da43672227 | | fa:16:3e:72:04:dc | {"subnet_id": "6987510e-495b-4d45-bba2-327f362a04a4", "ip_address": "10.10.5.136"} |
| b9971da7-313f-4b0a-ba14-1f481fbdf723 | | fa:16:3e:43:4b:28 | {"subnet_id": "42d6b5a9-b415-41db-911e-89956df77852", "ip_address": "192.168.0.5"} |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
[root@osnode2 ~(keystone_admin)]# neutron port-show b9971da7-313f-4b0a-ba14-1f481fbdf723
+-----------------------+------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | osnode2 |
| binding:profile | {} |
| binding:vif_details | {"port_filter": true, "ovs_hybrid_plug": true} |
| binding:vif_type | ovs |
| binding:vnic_type | normal |
| device_id | d6221cd5-1e02-4759-9412-1f238b511667 |
| device_owner | compute:None |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "42d6b5a9-b415-41db-911e-89956df77852", "ip_address": "192.168.0.5"} |
| id | b9971da7-313f-4b0a-ba14-1f481fbdf723 |
| mac_address | fa:16:3e:43:4b:28 |
| name | |
| network_id | e98cdc79-f385-498e-be99-5bf879f26741 |
| security_groups | 66a6bae9-2249-42f0-9c8e-fa058224adff |
| status | ACTIVE |
| tenant_id | f32c4fd3c6524d1da40762071934b583 |
+-----------------------+------------------------------------------------------------------------------------+

The newly created port uses the 'default' security-group instead of the instance's security-group 'custom_sg'.
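A check for the condition this report describes, as an added example that is not part of the report or of nova: it groups Neutron port records by instance and flags any port that carries no group other than 'default' while a sibling port on the same instance carries a custom group. The function name is hypothetical and the sample records are constructed from the IDs in the CLI output above; the first port's group and `device_owner` are assumptions, since the report does not show them.

```python
from collections import defaultdict

# Constructed sample in the shape of Neutron API records. IDs are the ones in
# the report's CLI output; the first port's group (custom_sg, from the boot
# command) and its device_owner are assumptions the report does not show.
SECURITY_GROUPS = [
    {"id": "66a6bae9-2249-42f0-9c8e-fa058224adff", "name": "default"},
    {"id": "85ee063b-f688-45ad-b35c-a2f102943d32", "name": "custom_sg"},
]
VM = "d6221cd5-1e02-4759-9412-1f238b511667"
PORTS = [
    {"id": "39cd7f64-c7a7-45ad-9f98-c9da43672227", "device_id": VM,
     "device_owner": "compute:None",
     "security_groups": ["85ee063b-f688-45ad-b35c-a2f102943d32"]},
    {"id": "b9971da7-313f-4b0a-ba14-1f481fbdf723", "device_id": VM,
     "device_owner": "compute:None",
     "security_groups": ["66a6bae9-2249-42f0-9c8e-fa058224adff"]},
    # Unbound port, as a pre-created port looks before it is attached.
    {"id": "6ad96b2b-eca8-4efa-bebb-97d123a7bf87", "device_id": "",
     "device_owner": "",
     "security_groups": ["85ee063b-f688-45ad-b35c-a2f102943d32"]},
]


def find_default_only_ports(ports, security_groups):
    """Flag instance ports that carry no group other than 'default' while a
    sibling port on the same instance carries one (hypothetical helper)."""
    names = {sg["id"]: sg["name"] for sg in security_groups}
    default_ids = {i for i, n in names.items() if n == "default"}
    by_instance = defaultdict(list)
    for port in ports:
        # Only ports bound to a compute instance are relevant here.
        if port["device_id"] and port["device_owner"].startswith("compute:"):
            by_instance[port["device_id"]].append(port)
    findings = []
    for device_id, group in sorted(by_instance.items()):
        custom = set()
        for port in group:
            custom |= set(port["security_groups"]) - default_ids
        for port in group:
            if custom and set(port["security_groups"]) <= default_ids:
                findings.append({"device_id": device_id, "port_id": port["id"],
                                 "missing": sorted(names.get(g, g) for g in custom)})
    return findings


if __name__ == "__main__":
    for finding in find_default_only_ports(PORTS, SECURITY_GROUPS):
        print(finding)
```

A port with an empty group list is flagged as well, since it also lacks the custom group its sibling carries.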

Siva Kollipara (skollipa) wrote :

Currently, the workaround is to perform a 'neutron-port-create' with the required security-groups and then associate the port with the instance via the 'nova-interface-attach' using the 'port-id' parameter.

[root@osnode2 nova(keystone_admin)]# neutron port-create --security-group custom_sg datanw
Created a new port:
+-----------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+-------------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | |
| binding:profile | {} |
| binding:vif_details | {} |
| binding:vif_type | unbound |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| fixed_ips | {"subnet_id": "42d6b5a9-b415-41db-911e-89956df77852", "ip_address": "192.168.0.17"} |
| id | 6ad96b2b-eca8-4efa-bebb-97d123a7bf87 |
| mac_address | fa:16:3e:da:cd:b6 |
| name | |
| network_id | e98cdc79-f385-498e-be99-5bf879f26741 |
| security_groups | 85ee063b-f688-45ad-b35c-a2f102943d32 |
| status | DOWN |
| tenant_id | f32c4fd3c6524d1da40762071934b583 |
+-----------------------+-------------------------------------------------------------------------------------+

[root@osnode2 nova(keystone_admin)]# nova interface-attach --port-id 6ad96b2b-eca8-4efa-bebb-97d123a7bf87 cirros_vm

[root@osnode2 nova(keystone_admin)]# neutron port-show 6ad96b2b-eca8-4efa-bebb-97d123a7bf87
+-----------------------+-------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------...


Changed in nova:
assignee: nobody → Siva Kollipara (skollipa)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/144398

Changed in nova:
status: New → In Progress
Changed in nova:
assignee: Siva Kollipara (skollipa) → Praveen Yalagandula (ypraveen-5)
Changed in nova:
importance: Undecided → Critical
importance: Critical → Low
Changed in nova:
assignee: Praveen Yalagandula (ypraveen-5) → nobody
status: In Progress → Confirmed
tags: added: network
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by John Garbutt (<email address hidden>) on branch: master
Review: https://review.openstack.org/144398
Reason: This patch seems to have stalled, let's abandon it.
Please restore the patch if that is no longer true.

Any questions, please catch me via email or on IRC johnthetubaguy

Alan Pevec (apevec)
tags: removed: icehouse-backport-potential juno-backport-potential
Markus Zoeller (markus_z) (mzoeller) wrote : Cleanup EOL bug report

This is an automated cleanup. This bug report has been closed because it
is older than 18 months and there is no open code change to fix this.
After this time it is unlikely that the circumstances which lead to
the observed issue can be reproduced.

If you can reproduce the bug, please:
* reopen the bug report (set to status "New")
* AND add the detailed steps to reproduce the issue (if applicable)
* AND leave a comment "CONFIRMED FOR: <RELEASE_NAME>"
  Only still supported release names are valid (LIBERTY, MITAKA, OCATA, NEWTON).
  Valid example: CONFIRMED FOR: LIBERTY

Changed in nova:
importance: Low → Undecided
status: Confirmed → Expired