nova-compute crashes when applying a security group rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Soren Hansen |
Bug Description
After upgrading nova-compute from 2011.3~
Restarting nova-compute has the same effect each time of the daemon crashing.
Crash/error log:
2011-08-31 19:04:52,680 DEBUG nova.virt.
2011-08-31 19:04:52,680 INFO nova.virt.
2011-08-31 19:04:52,680 INFO nova.virt.
2011-08-31 19:04:52,680 DEBUG nova.virt.
2011-08-31 19:04:52,715 INFO nova.virt.
2011-08-31 19:04:52,770 INFO nova.virt.
2011-08-31 19:04:52,771 CRITICAL nova [-] sequence item 2: expected string, NoneType found
(nova): TRACE: Traceback (most recent call last):
(nova): TRACE: File "/usr/bin/
(nova): TRACE: service.wait()
(nova): TRACE: File "/usr/lib/
(nova): TRACE: _launcher.wait()
(nova): TRACE: File "/usr/lib/
(nova): TRACE: service.wait()
(nova): TRACE: File "/usr/lib/
(nova): TRACE: return self._exit_
(nova): TRACE: File "/usr/lib/
(nova): TRACE: return hubs.get_
(nova): TRACE: File "/usr/lib/
(nova): TRACE: return self.greenlet.
(nova): TRACE: File "/usr/lib/
(nova): TRACE: result = function(*args, **kwargs)
(nova): TRACE: File "/usr/lib/
(nova): TRACE: server.start()
(nova): TRACE: File "/usr/lib/
(nova): TRACE: self.manager.
(nova): TRACE: File "/usr/lib/
(nova): TRACE: net_info)
(nova): TRACE: File "/usr/lib/
(nova): TRACE: network_info)
(nova): TRACE: File "/usr/lib/
(nova): TRACE: self.add_
(nova): TRACE: File "/usr/lib/
(nova): TRACE: ipv4_rules, ipv6_rules = self.instance_
(nova): TRACE: File "/usr/lib/
(nova): TRACE: fw_rules += [' '.join(subrule)]
(nova): TRACE: TypeError: sequence item 2: expected string, NoneType found
(nova): TRACE:
Instance user's security groups:
$ euca-describe-
GROUP user_project default default
GROUP user_project app-internal Ensemble group for internal
PERMISSION user_project app-internal ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION user_project app-internal ALLOWS GRPNAME app-internal
GROUP user_project app-internal-0 Ensemble group for internal machine 0
GROUP user_project app-internal-1 Ensemble group for internal machine 1
GROUP user_project app-internal-2 Ensemble group for internal machine 2
Related branches
- Dan Prince (community): Abstain
- Vish Ishaya (community): Approve
- Christopher MacGown (community): Approve
- Rick Harris (community): Approve
- Diff: 152 lines (+78/-6), 5 files modified
  nova/api/ec2/cloud.py (+17/-4)
  nova/db/sqlalchemy/api.py (+2/-0)
  nova/tests/api/ec2/test_cloud.py (+55/-0)
  nova/tests/test_api.py (+1/-1)
  nova/virt/libvirt/firewall.py (+3/-1)
- OpenStack release team: Pending requested
- Diff: 152 lines (+78/-6), 5 files modified
  nova/api/ec2/cloud.py (+17/-4)
  nova/db/sqlalchemy/api.py (+2/-0)
  nova/tests/test_api.py (+1/-1)
  nova/tests/test_cloud.py (+55/-0)
  nova/virt/libvirt/firewall.py (+3/-1)
Changed in nova:
importance: Undecided → High
Changed in nova:
status: New → Triaged
tags: added: security-group
Changed in nova:
milestone: none → 2011.3
Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
status: Fix Committed → Fix Released
I have tracked this down to security groups.
Steps to reproduce:
1. Add a group:
$ euca-add-group user -d "test group"
2. Authorize the group:
$ euca-authorize --source-group user user
3. Show the groups:
$ euca-describe-groups
GROUP user_project user test group
PERMISSION user_project user ALLOWS GRPNAME user
GROUP user_project default default
PERMISSION user_project default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
4. Start an instance with this security group
5. Stop and start nova-compute
6. nova-compute crashes
The resulting database record is:
sql> SELECT * FROM security_group_rules WHERE protocol IS NULL;
created_at | updated_at | deleted_at | deleted | id | parent_group_id | protocol | from_port | to_port | cidr | group_id
---|---|---|---|---|---|---|---|---|---|---
2011-08-19 05:57:43 | NULL | NULL | 0 | 154 | 78 | NULL | NULL | NULL | NULL | 78
The NULL protocol results in the following args in nova/virt/libvirt/firewall.py:
args: ['-j ACCEPT', '-p', None]
Resulting in nova-compute crashing.
Temporary Workaround:
Delete the authorization.
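
The failure described in this report, as an added example in Python that is not nova's code and not the fix from the related branches: `naive_args` reproduces the join over a `None` protocol, and `rule_args` shows one defensive way to build the arguments without ever emitting a source-less ACCEPT. The function names, the `MEMBER_IPS` mapping and the choice to treat a NULL protocol as "any protocol from the group's members" are assumptions.

```python
# Added illustration, not nova's code. NULL_ROW mirrors the security_group_rules
# record shown above; SSH_ROW's ids and MEMBER_IPS are constructed sample data.
NULL_ROW = {'id': 154, 'parent_group_id': 78, 'protocol': None,
            'from_port': None, 'to_port': None, 'cidr': None, 'group_id': 78}
SSH_ROW = {'id': 1, 'parent_group_id': 78, 'protocol': 'tcp',
           'from_port': 22, 'to_port': 22, 'cidr': '0.0.0.0/0', 'group_id': None}
MEMBER_IPS = {78: ['10.0.0.3', '10.0.0.4']}  # group_id -> instance IPs (constructed)


def naive_args(rule):
    """Failing pattern from the report: the protocol is appended unconditionally."""
    args = ['-j ACCEPT', '-p', rule['protocol']]
    return ' '.join(args)  # TypeError when protocol is None


def rule_args(rule, member_ips):
    """Return one iptables argument string per source address for a rule row."""
    if rule.get('cidr'):
        sources = [rule['cidr']]
    elif rule.get('group_id') is not None:
        sources = ['%s/32' % ip for ip in member_ips.get(rule['group_id'], [])]
    else:
        # Never emit a bare "-j ACCEPT": a rule with no source would match everything.
        raise ValueError('rule %s has neither cidr nor group_id' % rule.get('id'))
    match = []
    protocol = rule.get('protocol')
    if protocol is not None:
        match += ['-p', protocol]
        if protocol in ('tcp', 'udp') and rule.get('from_port') is not None:
            lo, hi = rule['from_port'], rule['to_port']
            match += ['--dport', str(lo) if lo == hi else '%d:%d' % (lo, hi)]
    return [' '.join(['-j ACCEPT'] + match + ['-s', src]) for src in sources]


def build_chain(rules, member_ips):
    """Build every rule; a malformed row is reported instead of aborting the caller."""
    built, rejected = [], []
    for rule in rules:
        try:
            built.extend(rule_args(rule, member_ips))
        except (TypeError, KeyError, ValueError) as exc:
            rejected.append((rule.get('id'), str(exc)))
    return built, rejected
```

Collecting rejected rows per rule keeps one tenant's malformed record from stopping rule generation for every instance on the host, which is the availability impact this bug had.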