removeSecurityGroup action returns 500 when there are multiple security groups with the same name

Bug #1889655 reported by Pavlo Shchelokovskyy on 2020-07-30
This bug affects 1 person
Affects: OpenStack Compute (nova)
Importance: Undecided
Assigned to: Pavlo Shchelokovskyy

Bug Description

According to the OpenStack Compute API ref, a security group name can be supplied in the request to remove a security group from the server.

Nova correctly handles the case of adding a security group to a server when there are multiple security groups with the requested name, and returns HTTP 409 Conflict.

However, it fails in the same scenario when removing a security group from the server (for example, when a security group with a duplicate name was added after the server was created), returning HTTP 500.

Reproduce script for current DevStack/master:

#!/usr/bin/env bash
set -ex
# repro on DevStack
export OS_CLOUD=devstack
TOKEN=$(openstack token issue -f value -c id)
# openstackclient catalog list/show are not very bash-friendly, only with jq :-/
computeapi=$(openstack catalog show compute | grep public | awk '{print $4}')
# adjust image, flavor and network to your liking
serverid=$(openstack server create dummy --image cirros-0.5.1-x86_64-disk --flavor m1.nano --network private -f value -c id)
openstack security group create dummy
openstack server add security group dummy dummy
openstack security group create dummy
# smart clients (openstackclient, openstacksdk) use some sort of pre-validation
# or name-to-id resolving first, so using raw curl to demonstrate.
curl -g -i --cacert "/opt/stack/data/ca-bundle.pem" \
    -X POST $computeapi/servers/$serverid/action \
    -d '{"removeSecurityGroup":{"name":"dummy"}}' \
    -H "Content-Type: application/json" \
    -H "X-Auth-Token: $TOKEN"

The last command returns:
{"computeFault": {"code": 500, "message": "Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.\n<class 'neutronclient.common.exceptions.NeutronClientNoUniqueMatch'>"}}

The reason is that the logic handling such a conflict was added to the security group adding code, but not to the removal code; see `nova/network/security_group_api.py`,
methods `add_to_instance`
https://opendev.org/openstack/nova/src/commit/2f3a380c3c081fb022c8a2dcfdcc365733161cac/nova/network/security_group_api.py#L611-L618
vs `remove_from_instance`
https://opendev.org/openstack/nova/src/commit/2f3a380c3c081fb022c8a2dcfdcc365733161cac/nova/network/security_group_api.py#L674-L679

The latter does not handle the NeutronClientNoUniqueMatch exception.

Changed in nova:
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
status: New → In Progress
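
The gap described in this report, modelled as an added Python example (not nova or neutronclient code): the same ambiguous-name lookup surfaces as a 500 when the lookup exception escapes and as a 409 when the removal path translates it the way the add path does. The stand-in exception classes, `find_group_id`, `api_status`, the sample groups and the 202/404 codes in the wrapper are assumptions made for illustration.

```python
# Added illustration with stand-in classes; not nova or neutronclient code.

class NeutronClientNoUniqueMatch(Exception):
    """Stand-in for the neutronclient exception named in the report."""

class NoUniqueMatch(Exception):
    """Hypothetical service-level error that the API layer maps to 409."""

# Constructed sample data: two groups share the name "dummy".
SECURITY_GROUPS = [
    {"id": "sg-1", "name": "dummy"},
    {"id": "sg-2", "name": "dummy"},
    {"id": "sg-3", "name": "web"},
]

def find_group_id(name):
    """Resolve a group name to an ID, refusing ambiguous names."""
    ids = [g["id"] for g in SECURITY_GROUPS if g["name"] == name]
    if len(ids) > 1:
        raise NeutronClientNoUniqueMatch(f"multiple groups named {name!r}")
    if not ids:
        raise LookupError(name)
    return ids[0]

def remove_unhandled(name):
    """Removal path as the report describes it: the lookup error escapes."""
    return find_group_id(name)

def remove_handled(name):
    """Removal path mirroring the add path: translate the ambiguity."""
    try:
        return find_group_id(name)
    except NeutronClientNoUniqueMatch as e:
        raise NoUniqueMatch(str(e)) from e

def api_status(action, name):
    """Hypothetical API wrapper: known errors get 4xx, anything else is 500."""
    try:
        action(name)
        return 202  # assumed success code for the action
    except NoUniqueMatch:
        return 409
    except LookupError:
        return 404  # assumed mapping for an unknown name
    except Exception:
        return 500  # unexpected exception type reaches the generic handler
```
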