The output of security group rules does not include egress rules.

Bug #1267140 reported by Nir Magnezi
This bug affects 4 people

Affects: OpenStack Compute (nova)
Status: Invalid
Importance: Undecided
Assigned to: Verónica Musso

Bug Description

Description of problem:
=======================
The output of security group rules does not include egress rules.

Version-Release number of selected component (if applicable):
=============================================================
Tested on RHEL
Icehouse: python-nova-2014.1-0.5.b1.el6.noarch

How reproducible:
=================
Always

Steps to Reproduce:
===================
1. Add an egress security group rule (I did it via horizon)
2. via CLI: nova secgroup-list-rules <sec group name>

Actual results:
===============
List of ingress rules.

Expected results:
=================
List of both ingress and egress rules.

Matt Fischer (mfisch)
Changed in python-novaclient:
status: New → Confirmed
Changed in python-novaclient:
assignee: nobody → Verónica Musso (veronica-a-musso)
Verónica Musso (veronica-a-musso) wrote :

I've checked Nova and CLI outputs and the error belongs to the first one. Then, I am changing the affected project.

affects: python-novaclient → nova
Verónica Musso (veronica-a-musso) wrote :

I've found the line where the security group rules are included:

https://github.com/openstack/nova/blob/master/nova/network/security_group/neutron_driver.py#L96

As you can see, there is a specific 'if' sentence to include only the 'ingress' rules. Then, the exclusion of the 'egress' rules seems to be on purpose, not a bug.

Could someone confirm it?

Ramy Asselin (ramy-asselin) wrote :

I'm looking at this and it seems nova-networking doesn't support egress rules? So the conversion line quoted is to compensate for that?

Russell Bryant (russellb) wrote :

Right, nova-network only supported ingress rules, so nova API matches that. If you want egress rules, you should use the Neutron API.

Changed in nova:
status: Confirmed → Invalid
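
As an added example (not code from Nova or from this bug report): a short Python audit over Neutron-format security group rules that shows which rules an ingress-only listing leaves out and which of those are unrestricted egress. The rule dictionaries are constructed sample data using Neutron's rule field names; all helper names are hypothetical.

```python
# Constructed sample data; field names follow Neutron's security group rule resource.
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "10.0.0.0/8", "remote_group_id": None},
    {"id": "r2", "direction": "egress", "ethertype": "IPv4", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r3", "direction": "egress", "ethertype": "IPv4", "protocol": "tcp",
     "port_range_min": 443, "port_range_max": 443,
     "remote_ip_prefix": "203.0.113.0/24", "remote_group_id": None},
    {"id": "r4", "direction": "egress", "ethertype": "IPv6", "protocol": None,
     "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "::/0", "remote_group_id": None},
]


def ingress_only_view(rules):
    """Mimic a listing that keeps only ingress rules (hypothetical helper)."""
    return [r for r in rules if r.get("direction") == "ingress"]


def hidden_rules(rules):
    """Rules present in the Neutron data but absent from the ingress-only view."""
    shown = {r["id"] for r in ingress_only_view(rules)}
    return [r for r in rules if r["id"] not in shown]


def is_unrestricted_egress(rule):
    """True for an egress rule with no protocol, port, or destination limit."""
    if rule.get("direction") != "egress":
        return False
    limited = any(rule.get(k) is not None for k in
                  ("protocol", "port_range_min", "port_range_max", "remote_group_id"))
    any_destination = rule.get("remote_ip_prefix") in (None, "0.0.0.0/0", "::/0")
    return not limited and any_destination


def audit(rules):
    """Summarise what an ingress-only listing shows, hides, and fails to flag."""
    hidden = hidden_rules(rules)
    return {
        "shown": [r["id"] for r in ingress_only_view(rules)],
        "hidden": [r["id"] for r in hidden],
        "unrestricted_egress": [r["id"] for r in hidden if is_unrestricted_egress(r)],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```
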
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/316379

OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.openstack.org/316379
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=31e798dc21408b72f4fdfd74a2ba4c4847795474
Submitter: Jenkins
Branch: master

commit 31e798dc21408b72f4fdfd74a2ba4c4847795474
Author: Matt Riedemann <email address hidden>
Date: Sat May 14 11:48:14 2016 -0400

    Add a note about egress rules to os-security-group-rules api-ref

    There have been at least a couple of bugs about not being able
    to create egress security group rules in Nova, which is because
    nova-network does not support them. Neutron does, but Nova does
    not proxy this to Neutron, nor will it.

    So add a note in the api-ref docs for creating security group
    rules about the egress rule limitation with nova-network.

    Change-Id: Idc79cd1718b52db8611fd108b23f176f925221a6
    Related-Bug: #1579749
    Related-Bug: #1267140
