Unable to launch an instance on a network where port-security-enabled=False

Bug #1554728 reported by Chirag Shahani
This bug affects 3 people
Affects: OpenStack Compute (nova)
Status: New
Importance: Undecided
Assigned to: Chirag Shahani

Bug Description

Create a network with port-security-enabled=False.
stack@whiskey:~$ neutron net-show n
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | nova |
| id | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4 |
| mtu | 1450 |
| name | n |
| port_security_enabled | False |
| provider:network_type | vxlan |
| provider:physical_network | |
| provider:segmentation_id | 1019 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | 57fb945b-92d2-4cf3-b7a0-dd43e96b88d5 |
| tenant_id | 96df521a0afe46128044cf6ee20e4843 |
+---------------------------+--------------------------------------+

Create a subnet under this network:

stack@whiskey:~$ neutron subnet-show s
+-------------------+------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------+
| allocation_pools | {"start": "2.2.2.2", "end": "2.2.2.254"} |
| cidr | 2.2.2.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 2.2.2.1 |
| host_routes | |
| id | 57fb945b-92d2-4cf3-b7a0-dd43e96b88d5 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | s |
| network_id | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4 |
| subnetpool_id | |
| tenant_id | 96df521a0afe46128044cf6ee20e4843 |
+-------------------+------------------------------------------+

Now, create a port under this subnet:

stack@whiskey:~$ neutron port-show p
+-----------------------+--------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | |
| binding:profile | {} |
| binding:vif_details | {} |
| binding:vif_type | unbound |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "57fb945b-92d2-4cf3-b7a0-dd43e96b88d5", "ip_address": "2.2.2.3"} |
| id | 33095bd6-3a5c-4ccd-9e4f-046fb7f9272e |
| mac_address | fa:16:3e:f0:46:ae |
| name | p |
| network_id | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4 |
| port_security_enabled | False |
| security_groups | |
| status | DOWN |
| tenant_id | 96df521a0afe46128044cf6ee20e4843 |
+-----------------------+--------------------------------------------------------------------------------+

As expected the port created has no security groups associated with it.

Now, doing a nova boot on this port results in the VM getting into ERROR state. Is that the expected behavior?

stack@whiskey:~$ nova boot vm --flavor 1 --image cirros-0.3.4-x86_64-uec --nic port-id=33095bd6-3a5c-4ccd-9e4f-046fb7f9272e
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | - |
| OS-EXT-SRV-ATTR:hostname | vm |
| OS-EXT-SRV-ATTR:hypervisor_hostname | - |
| OS-EXT-SRV-ATTR:instance_name | instance-00000005 |
| OS-EXT-SRV-ATTR:kernel_id | bf0aba00-f8b8-4e18-b1d9-26027a4d9243 |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | 425fc8cb-59cc-4f22-b004-e434fbd48283 |
| OS-EXT-SRV-ATTR:reservation_id | r-g4kmf8y4 |
| OS-EXT-SRV-ATTR:root_device_name | - |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | rWeLbfy4aFkH |
| config_drive | |
| created | 2016-03-08T20:39:19Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | 01ded4ae-b87c-458a-97b0-c628db3a2b2e |
| image | cirros-0.3.4-x86_64-uec (996b8839-9347-4711-93a1-d9a0a84b5e49) |
| key_name | - |
| locked | False |
| metadata | {} |
| name | vm |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | 96df521a0afe46128044cf6ee20e4843 |
| updated | 2016-03-08T20:39:19Z |
| user_id | acae4fa2499f4841807aa37ee79eef19 |
+--------------------------------------+----------------------------------------------------------------+
stack@whiskey:~$ nova list
+--------------------------------------+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------+--------+------------+-------------+----------+
| 01ded4ae-b87c-458a-97b0-c628db3a2b2e | vm | ERROR | - | NOSTATE | |
+--------------------------------------+------+--------+------------+-------------+----------+

Logs on n-cpu:

 _http_log_response /usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py:254
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [req-0ffe6000-fd2d-4eb0-99d6-cba841aa1542 admin demo] [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Instance failed to spawn
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Traceback (most recent call last):
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/compute/manager.py", line 2188, in _build_resources
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] yield resources
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/compute/manager.py", line 2034, in _build_and_run_instance
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] block_device_info=block_device_info)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 2726, in spawn
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] admin_pass=admin_password)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 3219, in _create_image
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] content=files, extra_md=extra_md, network_info=network_info)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/api/metadata/base.py", line 160, in __init__
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] self.network_metadata = netutils.get_network_metadata(network_info)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/virt/netutils.py", line 194, in get_network_metadata
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] if not network_info:
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/network/model.py", line 523, in __len__
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] return self._sync_wrapper(fn, *args, **kwargs)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/network/model.py", line 510, in _sync_wrapper
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] self.wait()
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/network/model.py", line 542, in wait
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] self[:] = self._gt.wait()
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 175, in wait
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] return self._exit_event.wait()
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/usr/local/lib/python2.7/dist-packages/eventlet/event.py", line 125, in wait
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] current.throw(*self._exc)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 214, in main
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] result = function(*args, **kwargs)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/utils.py", line 1160, in context_wrapper
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] return func(*args, **kwargs)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/compute/manager.py", line 1581, in _allocate_network_async
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] six.reraise(*exc_info)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/compute/manager.py", line 1564, in _allocate_network_async
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] bind_host_id=bind_host_id)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/network/neutronv2/api.py", line 633, in allocate_for_instance
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] raise exception.SecurityGroupCannotBeApplied()
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]
2016-03-08 12:39:21.097 18805 INFO nova.compute.manager [req-0ffe6000-fd2d-4eb0-99d6-cba841aa1542 admin demo] [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Terminating instance

I can however boot a vm on a port where port_security_enabled=False under a network where the port_security_enabled=true as expected.

I was not expecting that an instance cannot be launched under a network where the value of port_security_enabled is false. Is that the expected behavior? If yes what's the reason? We don't need security-groups when port-security-enabled=false, correct? Why should vm boot be blocked then on such a network?

Revision history for this message
Chirag Shahani (chirag-shahani) wrote :

If this is a bug, I could take this up to fix this. Please assign this to me if this is a valid bug.

Changed in neutron:
assignee: nobody → Chirag Shahani (chirag-shahani)
Revision history for this message
Sean M. Collins (scollins) wrote :

Looks like for some reason the nova CLI or API request adds the default security group to the instance, and therefore the port. Which is why that error occurred. There might be a way to specify that an instance to be launched should not be part of any security groups when spawned, but overall I think this is a bug, since we stated that port security is disabled on the network your port is associated with.

Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Seems like a nova issue. Moving to another project.

affects: neutron → nova
Revision history for this message
Sridhar Gaddam (sridhargaddam) wrote :

I have seen this issue earlier. IMO this needs to be fixed in Nova.
As a temporary work-around when I modified nova.conf, I was able to get past the error.

# /etc/nova/nova.conf
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver

Revision history for this message
Matt Riedemann (mriedem) wrote :

Yeah, this is a known latent issue; it's a duplicate of bug 1175464. There is that patch for it, but it got stuck on the fact that if we don't add the default security group it's a backward incompatible API change.
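To make the failure mode discussed in this thread concrete, here is an added example (not nova's code, and not posted by anyone in this thread) that models the check the traceback above points at: nova resolves a boot request that names no security group to the 'default' group, then refuses to proceed when the network cannot enforce it. The assumption that an empty request is filled with ['default'] is mine, based on the "security_groups | default" row in the nova boot output; the network values are copied from the bug description.

```python
"""Model of the nova-side check behind SecurityGroupCannotBeApplied.

Simplified reconstruction of the check in allocate_for_instance named in
the traceback, written for this bug report; it is not nova's own code.
"""


class SecurityGroupCannotBeApplied(Exception):
    """Mirrors the nova exception named in the traceback."""


# Neutron network 'n' from the bug description (values copied from the page).
NETWORK_N = {
    "id": "45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4",
    "port_security_enabled": False,
    "subnets": ["57fb945b-92d2-4cf3-b7a0-dd43e96b88d5"],
}


def resolve_security_groups(requested):
    """Assumption: nova fills in 'default' when the request names no group."""
    return list(requested) if requested else ["default"]


def check_security_groups(network, security_groups):
    """Raise when Neutron could not actually enforce the requested groups.

    Security groups are enforced per port, so they need port security on the
    network and a subnet to assign an address. Without both, the group would
    exist on paper but filter nothing, so nova fails closed (VM goes to ERROR)
    rather than booting an instance that looks filtered but is not.
    """
    if not security_groups:
        return True  # nothing to enforce, nothing to refuse
    if not network.get("port_security_enabled", True):
        raise SecurityGroupCannotBeApplied(
            "Network %s has port_security_enabled=False" % network["id"])
    if not network.get("subnets"):
        raise SecurityGroupCannotBeApplied(
            "Network %s has no subnet associated" % network["id"])
    return True


def boot_outcome(network, requested_security_groups=None):
    """'ACTIVE' if the check passes, 'ERROR' if nova would refuse the boot."""
    groups = resolve_security_groups(requested_security_groups)
    try:
        check_security_groups(network, groups)
    except SecurityGroupCannotBeApplied:
        return "ERROR"
    return "ACTIVE"


if __name__ == "__main__":
    print(boot_outcome(NETWORK_N))  # the reporter's case: ERROR
```

Passing an explicitly empty group list to check_security_groups shows the reporter's expectation holds at the check itself; it is the implicit 'default' group, as Sean and Matt describe, that trips it.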
