Commit https://review.openstack.org/#/c/124059/ has introduced bug, where Nova can not boot VM.
Steps to reproduce:
1) Create port in Neutron
2) Boot Vm without security group, but with port:
nova --debug boot tt --image=25a15f92-6bbe-43d6-8da5-b015966a4bd1 --flavor=100 --nic port-id=01e02c22-6ea3-4fe6-8cfe-407a06b634a0
...
REQ: curl -i 'http://172.18.198.52:8774/v2/35b86f321c03497fbfa1c0fdf98a3426/servers' -X POST -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: python-novaclient" -H "X-Auth-Project-Id: demo" -H "X-Auth-Token: {SHA1}696ac31a35c12934a64485459b0a95a48a9ab4dd" -d '{"server": {"name": "tt", "imageRef": "25a15f92-6bbe-43d6-8da5-b015966a4bd1", "flavorRef": "100", "max_count": 1, "min_count": 1, "networks": [{"port": "01e02c22-6ea3-4fe6-8cfe-407a06b634a0"}]}}'
...
Trace as a result:
2015-01-29 12:14:03.338 ERROR nova.compute.manager [-] Instance failed network setup after 1 attempt(s)
2015-01-29 12:14:03.338 TRACE nova.compute.manager Traceback (most recent call last):
2015-01-29 12:14:03.338 TRACE nova.compute.manager File "/opt/stack/nova/nova/compute/manager.py", line 1677, in _allocate_network_async
2015-01-29 12:14:03.338 TRACE nova.compute.manager dhcp_options=dhcp_options)
2015-01-29 12:14:03.338 TRACE nova.compute.manager File "/opt/stack/nova/nova/network/neutronv2/api.py", line 457, in allocate_for_instance
2015-01-29 12:14:03.338 TRACE nova.compute.manager raise exception.SecurityGroupNotAllowedTogetherWithPort()
2015-01-29 12:14:03.338 TRACE nova.compute.manager SecurityGroupNotAllowedTogetherWithPort: It's not allowed to specify security groups if port_id is provided on instance boot. Neutron should be used to configure security groups on port.
2015-01-29 12:14:03.338 TRACE nova.compute.manager
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/eventlet/hubs/poll.py", line 115, in wait
listener.cb(fileno)
File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 214, in main
result = function(*args, **kwargs)
File "/opt/stack/nova/nova/compute/manager.py", line 1677, in _allocate_network_async
dhcp_options=dhcp_options)
File "/opt/stack/nova/nova/network/neutronv2/api.py", line 457, in allocate_for_instance
raise exception.SecurityGroupNotAllowedTogetherWithPort()
SecurityGroupNotAllowedTogetherWithPort: It's not allowed to specify security groups if port_id is provided on instance boot. Neutron should be used to configure security groups on port.
Removing descriptor: 19
2015-01-29 12:14:03.529 DEB
2015-01-29 12:14:03.710 INFO nova.virt.libvirt.driver [-] [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] Using config drive
2015-01-29 12:14:03.763 ERROR nova.compute.manager [-] [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] Instance failed to spawn
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] Traceback (most recent call last):
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/compute/manager.py", line 2303, in _build_resources
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] yield resources
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/compute/manager.py", line 2173, in _build_and_run_instance
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] flavor=flavor)
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 2309, in spawn
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] admin_pass=admin_password)
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 2783, in _create_image
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] content=files, extra_md=extra_md, network_info=network_info)
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/api/metadata/base.py", line 159, in __init__
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] ec2utils.get_ip_info_for_instance_from_nw_info(network_info)
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/api/ec2/ec2utils.py", line 152, in get_ip_info_for_instance_from_nw_info
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] fixed_ips = nw_info.fixed_ips()
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/network/model.py", line 450, in _sync_wrapper
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] self.wait()
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/network/model.py", line 482, in wait
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] self[:] = self._gt.wait()
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 175, in wait
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] return self._exit_event.wait()
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/usr/local/lib/python2.7/dist-packages/eventlet/event.py", line 125, in wait
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] current.throw(*self._exc)
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 214, in main
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] result = function(*args, **kwargs)
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/compute/manager.py", line 1677, in _allocate_network_async
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] dhcp_options=dhcp_options)
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] File "/opt/stack/nova/nova/network/neutronv2/api.py", line 457, in allocate_for_instance
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] raise exception.SecurityGroupNotAllowedTogetherWithPort()
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800] SecurityGroupNotAllowedTogetherWithPort: It's not allowed to specify security groups if port_id is provided on instance boot. Neutron should be used to configure security groups on port.
2015-01-29 12:14:03.763 TRACE nova.compute.manager [instance: c4892579-e32b-44ca-b8c7-72f3e04c6800]
Reason of bug - Nova raises error in case security group is provided. And it is always provided, because Nova pushes in "default" security group in case None is provided with request, see:
https://github.com/openstack/nova/blob/37af08116249dee64a7d688b06fff509422911ac/nova/api/openstack/compute/servers.py#L515
Quick review: in nova/compute/
This value seems to propagate unmolested to the code in question, suggesting that, when called from this path at least, security_groups will never be empty.