Handling Down Cells in nova - security_groups can be in the response for GET /servers/detail

Bug #1846559 reported by Matt Riedemann
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Takashi Natsume

Bug Description

- [x] This doc is inaccurate in this way:

This came up during a review to remove nova-net usage from functional tests and enhance the neutron fixture used in those tests:

https://review.opendev.org/#/c/685927/2/nova/tests/functional/test_servers.py@1264

In summary, GET /servers/detail responses for servers in a down cell may include a "security_groups" key because the API proxies that information from neutron only using the server id (the neutron security group driver finds the ports from that server id and the security groups from the ports). None of the security group information about a server, when using neutron, is cached with the server in the cell database unlike the port information (VIFs i.e. instance.info_cache.network_info).

As a result, the doc is wrong for the keys it says can be returned from a GET /servers/detail response in a down cell scenario since it doesn't include 'security_groups'. The linked patch above shows that with the changed sample:

https://review.opendev.org/#/c/685927/2/doc/api_samples/servers/v2.69/servers-details-resp.json

Also note that this is not the same for the GET /servers/{server_id} (show) case because that returns from the view builder here:

https://github.com/openstack/nova/blob/867401e575d2b27b9bc63ceda41cd85233545cd5/nova/api/openstack/compute/views/servers.py#L210

without including any security group information.

Note that fixing the API to be consistent between show and detail would require a microversion and is likely not worth a new microversion for that; a user can get security group information from the networking API directly with something like this:

  GET /v2.0/ports?device_id=<server_id>&fields=security_groups

And from the ports response the client can get the security groups by id.

This bug is just to update the down cell API guide docs.

-----------------------------------
Release: 19.1.0.dev1588 on 2019-09-24 00:12:44
SHA: 2b15e162546ff5aa6458b2d1b2422a775e92b785
Source: https://opendev.org/openstack/nova/src/api-guide/source/down_cells.rst
URL: https://docs.openstack.org/api-guide/compute/down_cells.html
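
The lookup described in the report (ports by server id, then security groups from the ports), as an added client-side example that is not part of the bug report or of nova's code. The function names, the sample UUIDs and the sample response body are constructed for illustration; the response shape assumed is a top-level "ports" list whose entries carry a "security_groups" list of ids.

```python
import json
import uuid
from urllib.parse import urlencode


def ports_query_path(server_id):
    """Build the networking API path from the report for one server id."""
    # Parse the id as a UUID first, so a crafted value cannot append
    # extra query parameters; raises ValueError if it is not a UUID.
    canonical = str(uuid.UUID(server_id))
    query = urlencode({"device_id": canonical, "fields": "security_groups"})
    return "/v2.0/ports?" + query


def security_group_ids(ports_body):
    """Return the sorted, de-duplicated security group ids over all ports."""
    doc = json.loads(ports_body)
    ids = set()
    for port in doc.get("ports", []):
        # A port may carry no groups (empty list, null, or key absent).
        ids.update(port.get("security_groups") or [])
    return sorted(ids)


# Constructed sample data: one server with three ports, two of which
# share a security group and one of which has none.
SERVER_ID = "aaaaaaaa-0000-4000-8000-000000000001"
SG_A = "11111111-0000-4000-8000-000000000001"
SG_B = "22222222-0000-4000-8000-000000000002"
SAMPLE_PORTS_BODY = json.dumps({
    "ports": [
        {"security_groups": [SG_B, SG_A]},
        {"security_groups": [SG_B]},
        {"security_groups": []},
    ]
})

if __name__ == "__main__":
    print(ports_query_path(SERVER_ID))
    print(security_group_ids(SAMPLE_PORTS_BODY))
```
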

Changed in nova:
assignee: nobody → Takashi NATSUME (natsume-takashi)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/686520

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/686520
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9a5da9252434b65df5757730e5bc24e3a8f0297a
Submitter: Zuul
Branch: master

commit 9a5da9252434b65df5757730e5bc24e3a8f0297a
Author: Takashi NATSUME <email address hidden>
Date: Fri Oct 4 12:44:30 2019 +0900

    api-guide: Fix available info in handling down cells

    Add the 'security_groups' parameter as available information
    in the "List Servers Detailed" API (GET /servers/detail)
    when there is a down cell.

    Change-Id: I9653a46478c80b343a5a5f8d6b1607688538b1d5
    CLoses-Bug: #1846559

Changed in nova:
status: In Progress → Fix Released