Launching VMs in a security group with a source group set with euca2ools 1.3 causes VMs to fail to spawn

Bug #828841 reported by Kevin Bringard
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

When adding a source-group to a security group, attempting to launch a VM in that security group causes VMs to fail to spawn with the following output:

(nova.exception): TRACE: Traceback (most recent call last):
(nova.exception): TRACE: File "/usr/lib/pymodules/python2.7/nova/exception.py", line 98, in wrapped
(nova.exception): TRACE: return f(*args, **kw)
(nova.exception): TRACE: File "/usr/lib/pymodules/python2.7/nova/virt/libvirt/connection.py", line 586, in spawn
(nova.exception): TRACE: self.firewall_driver.prepare_instance_filter(instance, network_info)
(nova.exception): TRACE: File "/usr/lib/pymodules/python2.7/nova/virt/libvirt/firewall.py", line 546, in prepare_instance_filter
(nova.exception): TRACE: self.add_filters_for_instance(instance)
(nova.exception): TRACE: File "/usr/lib/pymodules/python2.7/nova/virt/libvirt/firewall.py", line 582, in add_filters_for_instance
(nova.exception): TRACE: ipv4_rules, ipv6_rules = self.instance_rules(instance, network_info)
(nova.exception): TRACE: File "/usr/lib/pymodules/python2.7/nova/virt/libvirt/firewall.py", line 707, in instance_rules
(nova.exception): TRACE: fw_rules += [' '.join(subrule)]
(nova.exception): TRACE: TypeError: sequence item 2: expected string, NoneType found
(nova.exception): TRACE:
2011-08-18 15:20:27,011 ERROR nova.compute.manager [-] Instance '46' failed to spawn. Is virtualization enabled in the BIOS? Details: sequence item 2: expected string, NoneType found
(nova.compute.manager): TRACE: Traceback (most recent call last):
(nova.compute.manager): TRACE: File "/usr/lib/pymodules/python2.7/nova/compute/manager.py", line 437, in _run_instance
(nova.compute.manager): TRACE: network_info, block_device_info)
(nova.compute.manager): TRACE: File "/usr/lib/pymodules/python2.7/nova/exception.py", line 129, in wrapped
(nova.compute.manager): TRACE: raise Error(str(e))
(nova.compute.manager): TRACE: Error: sequence item 2: expected string, NoneType found
(nova.compute.manager): TRACE:

Best as I can tell, this only happens with euca2ools 1.3. When using euca2ools 1.2, the rule gets created, but does not appear to be enforced.

To replicate, perform the following steps:

* Create a new security group:
euca-add-group -d "web group" web

* Allow the default group to the web group:
euca-authorize -o default web

* Verify that the web group has the default group authorized:
GROUP kevin-test default default
PERMISSION kevin-test default ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
PERMISSION kevin-test default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
GROUP kevin-test web Web group
PERMISSION kevin-test web ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION kevin-test web ALLOWS GRPNAME default

* Attempt to launch a VM in the web group:
euca-run-instances ami-00000001 -g web

Checking the nova-compute log on the compute node the VM was assigned to should show the above listed stack trace.
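
The failure mode in the trace above, as an added example that is not part of the original report and is not nova's code: a constructed rule builder that joins a rule's protocol unconditionally fails on a source-group rule, which carries no protocol, shown beside a builder that emits only the match options the rule defines. The rule dictionaries, field names and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules (not taken from a nova database).
CIDR_RULE = {'protocol': 'tcp', 'from_port': 80, 'to_port': 80,
             'cidr': '0.0.0.0/0', 'group_member_ips': None}
# A rule granting a whole source group carries no protocol or ports.
GROUP_RULE = {'protocol': None, 'from_port': None, 'to_port': None,
              'cidr': None, 'group_member_ips': ['10.0.0.3', '10.0.0.4']}


def naive_rules(rule):
    """Fragile builder: assumes every rule has a protocol."""
    args = ['-j ACCEPT', '-p', rule['protocol']]
    sources = [rule['cidr']] if rule['cidr'] else rule['group_member_ips']
    return [' '.join(args + ['-s %s' % src]) for src in sources]


def safe_rules(rule):
    """Builder that emits only the match options the rule defines."""
    args = ['-j ACCEPT']
    proto = rule['protocol']
    if proto is not None:
        if proto not in ('tcp', 'udp', 'icmp'):
            raise ValueError('unsupported protocol: %r' % (proto,))
        args += ['-p', proto]
        if proto in ('tcp', 'udp') and rule['from_port'] is not None:
            lo, hi = rule['from_port'], rule['to_port']
            args += ['--dport', str(lo) if lo == hi else '%d:%d' % (lo, hi)]
    if rule['cidr']:
        # Parsing rejects malformed sources before they reach a rule string.
        sources = [str(ipaddress.ip_network(rule['cidr']))]
    else:
        sources = [str(ipaddress.ip_address(ip))
                   for ip in rule['group_member_ips'] or []]
    return [' '.join(args + ['-s', src]) for src in sources]


def demo():
    """Return the naive builder's error and the safe builder's output."""
    try:
        naive_rules(GROUP_RULE)
        naive_error = None
    except TypeError as exc:
        naive_error = str(exc)
    return naive_error, safe_rules(CIDR_RULE), safe_rules(GROUP_RULE)


if __name__ == '__main__':
    print(demo())
```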

Thierry Carrez (ttx) wrote :

Re: When using euca2ools 1.2, the rule gets created, but does not appear to be enforced
See bug 826966, euca2ools 1.2 apparently doesn't support source groups.

Kevin Bringard (kbringard) wrote :

Thanks, Thierry, that definitely explains why the trace/crash only happens when creating the rule with euca2ools 1.3.

Thierry Carrez (ttx)
tags: added: security-group