Can't use nova when configuring neutron.agent.firewall.NoopFirewallDriver in neutron plugins

Bug #1232965 reported by Xiang Hui
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Won't Fix | Undecided | Unassigned |
python-neutronclient | Fix Released | Undecided | Xiang Hui |

Bug Description

OS : RHEL6.4
OpenStack version : Havana

If setting "firewall_driver = neutron.agent.firewall.NoopFirewallDriver" in vi /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini, some functions of Nova are lost.

[root@oxianghui v2_0]# nova list
ERROR: The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-7c2bc0a7-e413-48e9-9865-d743d5ab0497)

The error log:

2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack Traceback (most recent call last):
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/openstack/__init__.py", line 112, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack return req.get_response(self.application)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/webob/request.py", line 1296, in send
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack application, catch_exc_info=False)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/webob/request.py", line 1260, in call_application
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack app_iter = application(self.environ, start_response)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/webob/dec.py", line 144, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack return resp(environ, start_response)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 539, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack return self.app(env, start_response)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/webob/dec.py", line 144, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack return resp(environ, start_response)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/webob/dec.py", line 144, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack return resp(environ, start_response)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/routes/middleware.py", line 131, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack response = self.app(environ, start_response)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/webob/dec.py", line 144, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack return resp(environ, start_response)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/webob/dec.py", line 130, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack resp = self.call_func(req, *args, **self.kwargs)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/webob/dec.py", line 195, in call_func
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack return self.func(req, *args, **kwargs)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/openstack/wsgi.py", line 912, in __call__
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack content_type, body, accept)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/openstack/wsgi.py", line 997, in _process_stack
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack request, action_args)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/openstack/wsgi.py", line 885, in post_process_extensions
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack **action_args)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/openstack/compute/contrib/security_groups.py", line 583, in detail
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack self._extend_servers(req, list(resp_obj.obj['servers']))
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/openstack/compute/contrib/security_groups.py", line 533, in _extend_servers
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack .get_instances_security_groups_bindings(context))
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/network/security_group/neutron_driver.py", line 288, in get_instances_security_groups_bindings
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack security_groups = neutron.list_security_groups().get('security_groups')
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 108, in with_params
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack ret = self.function(instance, *args, **kwargs)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 468, in list_security_groups
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack security_groups = self.list('security_groups',
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 1199, in list
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack headers=headers, params=params)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 1212, in _pagination
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack linkrel = 'previous'
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 1185, in get
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack return self.retry_request("DELETE", action, body=body,
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 1170, in retry_request
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack """
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 1113, in do_request
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack httplib.CREATED,
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 1083, in _handle_fault_response
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack except Exception:
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/neutronclient/v2_0/client.py", line 88, in exception_handler_v20
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack message=message)
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack NeutronClientException: 404 Not Found
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack
2013-09-29 07:23:08.200 7666 TRACE nova.api.openstack The resource could not be found.

The root cause is that the security groups extension is not loaded when "firewall_driver = neutron.agent.firewall.NoopFirewallDriver" is set in neutron, so python-neutronclient raises a "Not Found" exception.
Nova refers to the neutron function "list_security_groups" in some functions.
I think Nova should be independent of Neutron as an OpenStack module.
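Added example, not part of the original report and not nova or neutron code: a configuration check that flags the combination described above before it surfaces as an HTTP 500. The nova.conf option `security_group_api`, the function names and the sample file contents are assumptions made for this example and do not appear in the report.

```python
import configparser

NEUTRON_NOOP = "neutron.agent.firewall.NoopFirewallDriver"

# Constructed sample inputs (not taken from the report).
PLUGIN_INI = """\
[OVS]
tenant_network_type = gre

[securitygroup]
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""
NOVA_CONF = """\
[DEFAULT]
security_group_api = neutron
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""

def _read(text):
    # No interpolation: OpenStack config values may contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def find_option(cp, option):
    """Return the first value of `option`, checking [DEFAULT] and then every
    section, because section-name case differs between releases."""
    if option in cp.defaults():
        return cp.defaults()[option].strip()
    for section in cp.sections():
        if cp.has_option(section, option):
            return cp.get(section, option).strip()
    return None

def check(plugin_ini_text, nova_conf_text):
    """Flag the pairing from this bug: neutron's security-group extension is
    not loaded while nova is still set to query neutron for security groups."""
    driver = find_option(_read(plugin_ini_text), "firewall_driver")
    # Assumption: an unset security_group_api means nova's own implementation.
    sg_api = find_option(_read(nova_conf_text), "security_group_api") or "nova"
    findings = []
    if driver == NEUTRON_NOOP and sg_api == "neutron":
        findings.append("neutron firewall_driver is NoopFirewallDriver while nova "
                        "security_group_api = neutron: list_security_groups will "
                        "return 404 and nova list/show will fail with HTTP 500")
    return findings

if __name__ == "__main__":
    for finding in check(PLUGIN_INI, NOVA_CONF):
        print("MISCONFIG:", finding)
```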

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-neutronclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/48879

Changed in python-neutronclient:
assignee: nobody → Xiang Hui (xianghui)
status: New → In Progress
Revision history for this message
ChangBo Guo(gcb) (glongwave) wrote :

In this situation, nova list/boot/show will fail due to a NeutronClientException raised by the neutron client.

Revision history for this message
Matt Riedemann (mriedem) wrote :

The neutronclient patch was abandoned and the nova patch is here: https://review.openstack.org/#/c/52597/

tags: added: network
Changed in nova:
status: New → In Progress
assignee: nobody → ChangBo Guo (guochbo)
Changed in python-neutronclient:
status: In Progress → Invalid
Revision history for this message
ChangBo Guo(gcb) (glongwave) wrote :

After talking with Akihiro Motoki:
1) create an instance with security_group.
2) then set the firewall to disable it.
3) run the command nova show/list.
This is not a valid test scenario.

We should always enable or disable neutron security_groups.

Changed in nova:
status: In Progress → Invalid
Revision history for this message
Sheldon Hearn (sheldonh) wrote :

The RHEL/Centos/Fedora install guide currently leads you to this bug:

"Regardless of which firewall driver you chose when you configure the network and compute nodes, set this driver as the No-Op firewall. The difference is that this is a Nova firewall, and because Neutron handles the Firewall, you must tell Nova not to use one."

http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.dedicated-controller-node.html

Looks like a show stopper to me.

Revision history for this message
Sheldon Hearn (sheldonh) wrote :
Revision history for this message
Xiang Hui (xianghui) wrote :

Thanks Sheldon for your effort. I think this bug should be reset to valid to give an obvious indication in the install guide,
or users and operators may feel frustrated about the security group.

Changed in python-neutronclient:
status: Invalid → Confirmed
Revision history for this message
Xiang Hui (xianghui) wrote :
Changed in python-neutronclient:
status: Confirmed → In Progress
Revision history for this message
Xiang Hui (xianghui) wrote :
Changed in python-neutronclient:
status: In Progress → Fix Committed
Changed in nova:
status: Invalid → Confirmed
Brent Eagles (beagles)
tags: added: neutron
Akihiro Motoki (amotoki)
Changed in python-neutronclient:
milestone: none → 2.3.0-2.3.4
status: Fix Committed → Fix Released
Changed in nova:
status: Confirmed → Incomplete
Revision history for this message
Sean Dague (sdague) wrote :

The last real action on this bug was 3 years ago, closing

Changed in nova:
status: Incomplete → Won't Fix
assignee: ChangBo Guo(gcb) (glongwave) → nobody
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
