Launching VMs in a security group with a source group set with euca2ools 1.3 causes VMs to fail to spawn
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | New | Undecided | Unassigned | |
Bug Description
When adding a source-group to a security group, attempting to launch a VM in that security group causes VMs to fail to spawn with the following output:
(nova.exception): TRACE: Traceback (most recent call last):
(nova.exception): TRACE: File "/usr/lib/
(nova.exception): TRACE: return f(*args, **kw)
(nova.exception): TRACE: File "/usr/lib/
(nova.exception): TRACE: self.firewall_
(nova.exception): TRACE: File "/usr/lib/
(nova.exception): TRACE: self.add_
(nova.exception): TRACE: File "/usr/lib/
(nova.exception): TRACE: ipv4_rules, ipv6_rules = self.instance_
(nova.exception): TRACE: File "/usr/lib/
(nova.exception): TRACE: fw_rules += [' '.join(subrule)]
(nova.exception): TRACE: TypeError: sequence item 2: expected string, NoneType found
(nova.exception): TRACE:
2011-08-18 15:20:27,011 ERROR nova.compute.
(nova.compute.
(nova.compute.
(nova.compute.
(nova.compute.
(nova.compute.
(nova.compute.
(nova.compute.
Best as I can tell, this only happens with euca2ools 1.3. When using euca2ools 1.2, the rule gets created, but does not appear to be enforced.
To replicate, perform the following steps:
* Create a new security group:
euca-add-group -d "web group" web
* Allow the default group to the web group:
euca-authorize -o default web
* Verify that the web group has the default group authorized:
GROUP kevin-test default default
PERMISSION kevin-test default ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
PERMISSION kevin-test default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
GROUP kevin-test web Web group
PERMISSION kevin-test web ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION kevin-test web ALLOWS GRPNAME default
* Attempt to launch a VM in the web group:
euca-run-instances ami-00000001 -g web
Checking the nova-compute log on the compute node the VM was assigned to should show the above listed stack trace.
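The failure at the bottom of the trace, `' '.join(subrule)` meeting a `None` element, reproduced as an added example that is not nova's code and not part of the original report. The rule dictionaries, addresses and function names are constructed assumptions modelled on the `web` group listing above, where the `GRPNAME default` permission carries no protocol, ports or CIDR.

```python
# Added illustration: rule layout and names are assumptions, not nova's code.
# Constructed sample modelled on the "web" group listing in the report: one
# CIDR rule, and one group-sourced rule with no protocol, ports or CIDR.
WEB_RULES = [
    {"protocol": "tcp", "from_port": 80, "to_port": 80,
     "cidr": "0.0.0.0/0", "source_group": None},
    {"protocol": None, "from_port": None, "to_port": None,
     "cidr": None, "source_group": "default"},
]
# Constructed addresses of the instances currently in each group.
GROUP_MEMBERS = {"default": ["10.0.0.3", "10.0.0.4"]}


def naive_rules(rules, members):
    """Assumes every rule has a protocol, so a group rule breaks str.join."""
    out = []
    for r in rules:
        args = ["-j ACCEPT", "-p", r["protocol"]]  # item 2 is None for group rules
        sources = [r["cidr"]] if r["cidr"] else members[r["source_group"]]
        for src in sources:
            subrule = args + ["-s", src]
            out.append(" ".join(subrule))  # TypeError when protocol is None
    return out


def safe_rules(rules, members):
    """Emit optional match fields only when set; never emit an unsourced ACCEPT."""
    out = []
    for r in rules:
        args = ["-j ACCEPT"]
        proto = r.get("protocol")
        if proto:
            args += ["-p", proto]
            if proto in ("tcp", "udp") and r.get("from_port") is not None:
                args += ["--dport", "%d:%d" % (r["from_port"], r["to_port"])]
        if r.get("cidr"):
            sources = [r["cidr"]]
        elif r.get("source_group"):
            # An empty or unknown group grants nothing rather than "any source".
            sources = members.get(r["source_group"], [])
        else:
            raise ValueError("rule has neither cidr nor source_group: %r" % (r,))
        for src in sources:
            out.append(" ".join(args + ["-s", src]))
    return out
```

The hardened builder treats a source group with no members as granting no access, so a missing field can never widen a rule to all sources.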
tags: added: security-group
Re: When using euca2ools 1.2, the rule gets created, but does not appear to be enforced
See bug 826966, euca2ools 1.2 apparently doesn't support source groups.