removeSecurityGroup action returns 500 when there are multiple security groups with the same name

Bug #1889655 reported by Pavlo Shchelokovskyy
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Undecided
Assigned to: Pavlo Shchelokovskyy

Bug Description

According to the OpenStack Compute API ref, a security group name can be supplied in the request to remove a security group from the server.

Nova correctly handles the case of adding a security group to a server when there are multiple security groups with the requested name, and returns HTTP 409 Conflict.

However, it fails in the same scenario when removing a security group from the server (for example, when a security group with a duplicate name was added after the server was created), returning HTTP 500.

Reproduction script for current DevStack/master:

#!/usr/bin/env bash
set -ex
# repro on DevStack
export OS_CLOUD=devstack
TOKEN=$(openstack token issue -f value -c id)
# openstackclient catalog list/show are not very bash-friendly, only with jq :-/
computeapi=$(openstack catalog show compute | grep public | awk '{print $4}')
# adjust image, flavor and network to your liking
serverid=$(openstack server create dummy --image cirros-0.5.1-x86_64-disk --flavor m1.nano --network private -f value -c id)
openstack security group create dummy
openstack server add security group dummy dummy
openstack security group create dummy
# smart clients (openstackclient, openstacksdk) use some sort of pre-validation
# or name-to-id resolving first, so using raw curl to demonstrate.
curl -g -i --cacert "/opt/stack/data/ca-bundle.pem" \
    -X POST $computeapi/servers/$serverid/action \
    -d '{"removeSecurityGroup":{"name":"dummy"}}' \
    -H "Content-Type: application/json" \
    -H "X-Auth-Token: $TOKEN"

The last command returns:
{"computeFault": {"code": 500, "message": "Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.\n<class 'neutronclient.common.exceptions.NeutronClientNoUniqueMatch'>"}}

The reason is that the logic handling such a conflict was added to the security group adding code but not to the removal code; see `nova/network/security_group_api.py`,
methods `add_to_instance`
https://opendev.org/openstack/nova/src/commit/2f3a380c3c081fb022c8a2dcfdcc365733161cac/nova/network/security_group_api.py#L611-L618
vs `remove_from_instance`
https://opendev.org/openstack/nova/src/commit/2f3a380c3c081fb022c8a2dcfdcc365733161cac/nova/network/security_group_api.py#L674-L679

The latter does not handle the NeutronClientNoUniqueMatch exception.
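The asymmetry described in the report, reduced to a self-contained sketch (an added example, not code from nova or from the reporter): one removal path leaves the ambiguous-name lookup error uncaught, the other translates it into a conflict. All class and function names, the group data and the status mapping are constructed stand-ins; that the handled form should answer 409 is an assumption drawn from the add behaviour described above.

```python
# Added illustration; every name here is a stand-in, not nova or neutronclient code.

class NoUniqueMatch(Exception):
    """Stand-in for neutronclient's NeutronClientNoUniqueMatch."""

class Conflict(Exception):
    """Stand-in for an error the API layer maps to HTTP 409."""

# Constructed sample data: two groups share the name "dummy".
GROUPS = [{"id": "sg-1", "name": "dummy"},
          {"id": "sg-2", "name": "dummy"},
          {"id": "sg-3", "name": "web"}]

def find_group_id(name):
    """Resolve a name to exactly one id; duplicates raise NoUniqueMatch."""
    ids = [g["id"] for g in GROUPS if g["name"] == name]
    if len(ids) > 1:
        raise NoUniqueMatch("multiple security groups named %r" % name)
    if not ids:
        raise LookupError(name)
    return ids[0]

def remove_unhandled(server_groups, name):
    """Removal as the report describes it: the ambiguity is not caught."""
    server_groups.remove(find_group_id(name))

def remove_handled(server_groups, name):
    """Removal mirroring the add path: ambiguity becomes a conflict."""
    try:
        group_id = find_group_id(name)
    except NoUniqueMatch as exc:
        raise Conflict(str(exc))
    server_groups.remove(group_id)

def api_status(handler, server_groups, name):
    """Toy API wrapper: known errors get a code, anything else is a 500."""
    try:
        handler(server_groups, name)
        return 202
    except Conflict:
        return 409
    except LookupError:
        return 404
    except Exception:
        return 500
```
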

Changed in nova:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 23.0.0.0rc1

This issue was fixed in the openstack/nova 23.0.0.0rc1 release candidate.

Pavlo Shchelokovskyy (pshchelo) wrote :

can be closed

Changed in nova:
status: In Progress → Fix Released