show server, security_groups does not say which interface

Bug #1476435 reported by alex kang
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)

Bug Description

OS is Kilo.

A VM assigned multiple interfaces.

After successfully booted. The server_show command result (attached) will show each interface's add, version and mac on the addresses attributes.

However, the security_groups show a list of security_groups being applied to the VM, not which interface.

It is possible to have different security_groups assigned to interface based on the network an interface attached to.

We need to enhance the security_groups, like the addresses field to indicating which interface, the security_groups belong to.

Here is a return from a server-show command:

In [60]: j1.nova('server-show', u'77d4e009-13ee-47d9-97f0-ded27915e4dc')
OS-Nova:2015-07-20,17:38:36 server_show args=[u'77d4e009-13ee-47d9-97f0-ded27915e4dc'] kwargs={}
{u'OS-DCF:diskConfig': u'MANUAL',
 u'OS-EXT-AZ:availability_zone': u'nova',
 u'OS-EXT-STS:power_state': 1,
 u'OS-EXT-STS:task_state': None,
 u'OS-EXT-STS:vm_state': u'active',
 u'OS-SRV-USG:launched_at': u'2015-07-20T17:26:48.000000',
 u'OS-SRV-USG:terminated_at': None,
 u'accessIPv4': u'',
 u'accessIPv6': u'',
 u'addresses': {u'j1-hill-network': [{u'OS-EXT-IPS-MAC:mac_addr': u'fa:16:3e:5d:9d:43',
    u'OS-EXT-IPS:type': u'fixed',
    u'addr': u'',
    u'version': 4}],
  u'j1-top-network': [{u'OS-EXT-IPS-MAC:mac_addr': u'fa:16:3e:df:40:df',
    u'OS-EXT-IPS:type': u'fixed',
    u'addr': u'',
    u'version': 4}]},
 u'config_drive': u'',
 u'created': u'2015-07-20T17:24:19Z',
 u'flavor': {u'id': u'2',
  u'links': [{u'href': u'',
    u'rel': u'bookmark'}]},
 u'hostId': u'9d8ad1717b82e57214f5e68857ca5a39c011c79efd1a2458cbe17320',
 u'id': u'77d4e009-13ee-47d9-97f0-ded27915e4dc',
 u'image': {u'id': u'71bc5bfa-438a-4481-9d00-090dab9be1c4',
  u'links': [{u'href': u'',
    u'rel': u'bookmark'}]},
 u'key_name': None,
 u'links': [{u'href': u'',
   u'rel': u'self'},
  {u'href': u'',
   u'rel': u'bookmark'}],
 u'metadata': {},
 u'name': u'j1-hill-top',
 u'os-extended-volumes:volumes_attached': [],
 u'progress': 0,
 u'security_groups': [{u'name': u'default'}, {u'name': u'default'}],
 u'status': u'ACTIVE',
 u'tenant_id': u'33e12c344b4b419c9db184d992c273b0',
 u'updated': u'2015-07-20T17:26:48Z',
 u'user_id': u'1bec88c0341745dca4402678e8bd3dbe'}

In [61]:

Changed in nova:
assignee: nobody → Amandeep (rattenpal-amandeep)
Revision history for this message
Markus Zoeller (markus_z) (mzoeller) wrote :

@Amandeep (rattenpal-amandeep):

Since you are set as assignee, I switch the status to "In Progress".

Changed in nova:
status: New → In Progress
Changed in nova:
status: In Progress → Confirmed
Revision history for this message
John Garbutt (johngarbutt) wrote :

So this is fun. Nova-network only applies security groups per VM, neutron does it per port.

I think the correct fix is to stop returning the security groups at all, it's basically a neutron proxy, which we are trying to deprecate.

In reality this will be easier once we have finally removed nova-network, as it's currently useful for nova-net people.

Either way, this needs a new microversion and as such needs a spec to approve that change. It's probably going to roll into a remove network proxy API spec.

tags: added: api neutron
Changed in nova:
importance: Undecided → Wishlist
Sean Dague (sdague)
Changed in nova:
assignee: Amandeep (rattenpal-amandeep) → nobody
Revision history for this message
Sean Dague (sdague) wrote :

Automatically discovered version kilo in description. If this is incorrect, please update the description to include 'nova version: ...'

tags: added: openstack-version.kilo
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers