Octavia creates security groups on Load Balancer ports

Bug #1627780 reported by Graham Hayes
This bug affects 1 person
Affects: octavia
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

When creating a new load balancer, the vip_port has a security group attached to it.

This is completely different to other LBaaS v2 providers.

This security group is returned from the neutron port-show command.

When a user (without admin rights) goes to update the port by adding a new security group, the command will fail and give a 404, as the project making the update cannot see the group.

It will return:

   {"NeutronError": {"message": "Security group d033769b-afbe-4984-ad43-d81b8be0814a does not exist", "type": "SecurityGroupNotFound", "detail": ""}}

Octavia should:

A: stay out of security groups (this is the best option)
B: create the security group in the port owner's project (not so good)
C: create the port in the project's default group (at least it is consistent with other providers, but worse)

Michael Johnson (johnsom) wrote :

Can you provide a use case? What is it you are trying to change with the SG?

Currently Octavia manages this on behalf of the user by opening only the ports configured on the load balancer.

Changed in octavia:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for octavia because there has been no activity for 60 days.]

Changed in octavia:
status: Incomplete → Expired