Return 409 at neutron-client conflict

Bug #2056195 reported by Gökhan Kocak
This bug affects 6 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Rajesh Tailor

Bug Description

Description
===========
When attaching a stateless and stateful security group to a VM, nova returns a 500 error but it's a user issue and a 409 conflict error should be returned.

Steps to reproduce
==================

1. create network
2. create VM "test-vm" attached to the network
3. may create a stateful security group, but default group should already do
4. openstack security group create --stateless stateless-group
5. openstack server add security group test-vm stateless-group

Expected result
===============
Nova forwards the 409 error from Neutron with the error description from Neutron.

Actual result
=============
Nova returns:
Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.
<class 'neutronclient.common.exceptions.Conflict'> (HTTP 500) (Request-ID: req-c6bbaf50-99b7-4108-98f0-808dfee84933)

Environment
===========

1. Exact version of OpenStack you are running. See the following
  list for all releases: http://docs.openstack.org/releases/

# nova-api --version
26.2.2 (Zed)

3. Which networking type did you use?
   (For example: nova-network, Neutron with OpenVSwitch, ...)

Neutron with OVN

Logs & Configs
==============
Stacktrace:

Traceback (most recent call last):,
  File "/usr/local/lib/python3.10/site-packages/nova/api/openstack/wsgi.py", line 658, in wrapped,
    return f(*args, **kwargs),
  File "/usr/local/lib/python3.10/site-packages/nova/api/openstack/compute/security_groups.py", line 437, in _addSecurityGroup,
    return security_group_api.add_to_instance(context, instance,,
  File "/usr/local/lib/python3.10/site-packages/nova/network/security_group_api.py", line 653, in add_to_instance,
    raise e,
  File "/usr/local/lib/python3.10/site-packages/nova/network/security_group_api.py", line 648, in add_to_instance,
    neutron.update_port(port['id'], {'port': updated_port}),
  File "/usr/local/lib/python3.10/site-packages/nova/network/neutron.py", line 196, in wrapper,
    ret = obj(*args, **kwargs),
  File "/usr/local/lib/python3.10/site-packages/neutronclient/v2_0/client.py", line 828, in update_port,
    return self._update_resource(self.port_path % (port), body=body,,
  File "/usr/local/lib/python3.10/site-packages/nova/network/neutron.py", line 196, in wrapper,
    ret = obj(*args, **kwargs),
  File "/usr/local/lib/python3.10/site-packages/neutronclient/v2_0/client.py", line 2548, in _update_resource,
    return self.put(path, **kwargs),
  File "/usr/local/lib/python3.10/site-packages/nova/network/neutron.py", line 196, in wrapper,
    ret = obj(*args, **kwargs),
  File "/usr/local/lib/python3.10/site-packages/neutronclient/v2_0/client.py", line 365, in put,
    return self.retry_request("PUT", action, body=body,,
  File "/usr/local/lib/python3.10/site-packages/nova/network/neutron.py", line 196, in wrapper,
    ret = obj(*args, **kwargs),
  File "/usr/local/lib/python3.10/site-packages/neutronclient/v2_0/client.py", line 333, in retry_request,
    return self.do_request(method, action, body=body,,
  File "/usr/local/lib/python3.10/site-packages/nova/network/neutron.py", line 196, in wrapper,
    ret = obj(*args, **kwargs),
  File "/usr/local/lib/python3.10/site-packages/neutronclient/v2_0/client.py", line 297, in do_request,
    self._handle_fault_response(status_code, replybody, resp),
  File "/usr/local/lib/python3.10/site-packages/nova/network/neutron.py", line 196, in wrapper,
    ret = obj(*args, **kwargs),
  File "/usr/local/lib/python3.10/site-packages/neutronclient/v2_0/client.py", line 272, in _handle_fault_response,
    exception_handler_v20(status_code, error_body),
  File "/usr/local/lib/python3.10/site-packages/neutronclient/v2_0/client.py", line 90, in exception_handler_v20,
    raise client_exc(message=error_message,, neutronclient.common.exceptions.Conflict:
 Error Cannot apply both stateful and stateless security groups on the same port at the same time while attempting the operation.,
 Neutron server returns request_ids: ['req-1007ffaa-3501-4566-9ad9-c540931138f0']

Sylvain Bauza (sylvain-bauza) wrote :

This appears to me to be a configuration issue, as said in the exception:
 Error Cannot apply both stateful and stateless security groups on the same port at the same time while attempting the operation.,
 Neutron server returns request_ids: ['req-1007ffaa-3501-4566-9ad9-c540931138f0']

I don't think this is a bug in Nova, so closing the bug accordingly, but feel free to reopen if you can prove the contrary.

Changed in nova:
status: New → Invalid
Gökhan Kocak (goekhanski) wrote:

The error message is caused by the users doing something wrongly. This is not a bug in Nova.

But I think the users should get the message that they are doing something wrongly, and therefore Nova should throw the users a 409 client error (conflict) instead of a 500 server error (internal server error). This I regard as a bug in Nova.

The way it is implemented currently, because the users get the 500 error, they think that something is wrong on the server side. The users need to know that they are doing something wrong.

Changed in nova:
status: Invalid → New
Sylvain Bauza (sylvain-bauza) wrote :

Okay, I see your point, triaging the bug then.

Changed in nova:
status: New → Confirmed
importance: Undecided → Low
tags: added: api low-hanging-fruit
tags: added: network
Rajesh Tailor (ratailor)
Changed in nova:
assignee: nobody → Rajesh Tailor (ratailor)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/nova/+/918048

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/918048
Committed: https://opendev.org/openstack/nova/commit/88b661b0780ee534630c2d345ffd4545158db806
Submitter: "Zuul (22348)"
Branch: master

commit 88b661b0780ee534630c2d345ffd4545158db806
Author: Rajesh Tailor <email address hidden>
Date: Sat Apr 20 15:37:50 2024 +0530

    Handle neutron-client conflict

    When user tries to add stateless and stateful security
    groups on same port, neutron raises SecurityGroupConflict (409),
    but nova does not handle it and raises InternalServerError (500).

    As it appears to be invalid operation from user, so user should get
    the message that they are doing wrong.

    This change catches SecurityGroupConflict from neutron
    client and raises newly added nova exception
    SecurityGroupConnectionStateConflict with 409 error code.

    Closes-Bug: #2056195
    Change-Id: Ifad28fdd536ff0a4b30e786b2fcbc5a55987a13a

Changed in nova:
status: In Progress → Fix Released
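
The failure mode discussed in this report, as an added example that is not Nova's or neutronclient's code: an upstream client conflict that reaches a catch-all handler surfaces as a 500, while translating it at the call site preserves the 409 and the upstream message. Every class, function and data name below is a hypothetical stand-in.

```python
# Added illustration with stand-in classes; not Nova or neutronclient code.
class UpstreamConflict(Exception):
    """Stand-in for the networking client's Conflict (HTTP 409)."""

class ApiError(Exception):
    """Stand-in for an API-layer exception that carries its HTTP status."""
    code = 500

class SecurityGroupStateConflict(ApiError):
    code = 409

# Constructed sample data mirroring the reproduction steps.
DEFAULT_GROUPS = [{"name": "default", "stateful": True}]
STATELESS = {"name": "stateless-group", "stateful": False}

def fake_update_port(groups, new_group):
    """Constructed backend: rejects mixing stateful and stateless groups."""
    if any(g["stateful"] != new_group["stateful"] for g in groups):
        raise UpstreamConflict(
            "Cannot apply both stateful and stateless security groups "
            "on the same port at the same time")
    return groups + [new_group]

def add_group_untranslated(groups, new_group):
    # Behaviour in the report: the upstream exception escapes unchanged.
    return fake_update_port(groups, new_group)

def add_group_translated(groups, new_group):
    # Behaviour after the fix: the conflict becomes a typed 409 error.
    try:
        return fake_update_port(groups, new_group)
    except UpstreamConflict as exc:
        raise SecurityGroupStateConflict(str(exc)) from exc

def api_call(handler, *args):
    """Outermost wrapper: typed errors keep their code, the rest become 500."""
    try:
        return 200, handler(*args)
    except ApiError as exc:
        return exc.code, str(exc)
    except Exception as exc:
        # Generic fallback: a server fault with no actionable detail.
        return 500, "Unexpected API Error. %s" % type(exc).__name__

if __name__ == "__main__":
    print(api_call(add_group_untranslated, DEFAULT_GROUPS, STATELESS))
    print(api_call(add_group_translated, DEFAULT_GROUPS, STATELESS))
```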
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/nova/+/927732
