no equivalent for "nova list-secgroup <server>"

Bug #1606221 reported by Blair Bethwaite on 2016-07-25
This bug affects 3 people
Affects: python-openstackclient
Status: In Progress
Importance: Medium
Assigned to: Rajasi Kulkarni

Bug Description

As an operator and support agent I need this functionality so that I can (as admin) inspect security group config on instances as the first step of diagnosing many common issues. Also very important when responding to security incidents.

Steve Martinelli (stevemar) wrote :

Running ``openstack security group list`` doesn't fit your needs? Are you looking for the server filtering functionality?

Hi Steve,

Unless I missed something then no, "security group list" is not equivalent. And yes, I want a list of the groups currently applied to a server. Now that I look at the API docs it seems like this is a Neutron-Nova functionality gap...

The legacy Nova API:
http://developer.openstack.org/api-ref/compute/?expanded=list-security-groups-by-server-detail#list-security-groups-by-server

...is deprecated for calls to Neutron, but the relevant Neutron v2 extensions don't seem to provide anything equivalent:
http://developer.openstack.org/api-ref/networking/v2-ext/index.html?expanded=list-security-groups-detail#security_groups

I think this is potentially a major feature gap for operators. Consider the admin workflow to investigate what ACLs are applied to any particular in-use IP address:

1) find the instance:
openstack server list --all-projects --ip <ip-address>

2) now I have the instance id I can look at the details:
openstack server show 1bc2c483-d299-4a87-ad22-8e7e4cbfff50
+--------------------------------------+----------------------------------------------------------+
| Field | Value |
+--------------------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig | AUTO |
...
| OS-EXT-SRV-ATTR:instance_name | instance-0001b984 |
...
| flavor | m1.large (4) |
...
| security_groups | [{u'name': u'default'}] |
| status | ACTIVE |
...
+--------------------------------------+----------------------------------------------------------+

OK, so now I want to know the details of that security group. I can't query it by name. Looks like I can do an 'openstack security group list' and grep for the project id but on our cloud that takes 1-2 mins to return and ends up not working because of what looks like a unicode issue:

openstack security group list | grep 8f5b0e8a672a4c7f8d475dcc91354420
'ascii' codec can't encode character u'\u201d' in position 10605961: ordinal not in range(128)

:-(
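
The lookup described in the comment above (IP address to instance to applied ACLs), as an added example that is not part of the bug thread or of python-openstackclient: it joins Neutron port records, which carry the IDs of the security groups bound to each port, against the security group list. The sample data is constructed, and the helper names `rule`, `groups_for_ip` and `ingress_acl` are hypothetical.

```python
# Constructed sample data shaped like Neutron's GET /v2.0/ports and
# GET /v2.0/security-groups bodies; every ID and address here is made up.
def rule(direction, proto=None, lo=None, hi=None, cidr=None, group=None):
    return {"direction": direction, "protocol": proto, "port_range_min": lo,
            "port_range_max": hi, "remote_ip_prefix": cidr, "remote_group_id": group}

PORTS = [
    {"id": "port-a", "device_id": "server-1", "security_groups": ["sg-1", "sg-2"],
     "fixed_ips": [{"ip_address": "10.0.0.5"}]},
    {"id": "port-b", "device_id": "server-2", "security_groups": ["sg-3"],
     "fixed_ips": [{"ip_address": "10.0.0.9"}]},
]
GROUPS = [  # two projects each own a group named "default"; only the ID is unique
    {"id": "sg-1", "name": "default", "tenant_id": "project-a",
     "security_group_rules": [rule("ingress", group="sg-1"), rule("egress")]},
    {"id": "sg-2", "name": "web", "tenant_id": "project-a",
     "security_group_rules": [rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),
                              rule("ingress", "tcp", 8000, 8080, "10.0.0.0/8")]},
    {"id": "sg-3", "name": "default", "tenant_id": "project-b",
     "security_group_rules": [rule("ingress", "tcp", 22, 22, "0.0.0.0/0")]},
]

def groups_for_ip(ip, ports, groups):
    """Return (port, [group dicts]) for the port that owns `ip`, or None."""
    by_id = {g["id"]: g for g in groups}
    for port in ports:
        if any(f["ip_address"] == ip for f in port["fixed_ips"]):
            # Keep IDs the group listing did not return visible instead of dropping them.
            missing = lambda i: {"id": i, "name": None, "security_group_rules": []}
            return port, [by_id.get(i) or missing(i) for i in port["security_groups"]]
    return None

def ingress_acl(groups):
    """Flatten ingress rules into (group name, protocol, ports, source) rows."""
    rows = []
    for g in groups:
        for r in g["security_group_rules"]:
            if r["direction"] != "ingress":
                continue
            lo, hi = r["port_range_min"], r["port_range_max"]
            ports = "any" if lo is None else str(lo) if lo == hi else f"{lo}-{hi}"
            # No CIDR and no remote group means the rule matches any source.
            src = r["remote_ip_prefix"] or (
                f"group:{r['remote_group_id']}" if r["remote_group_id"] else "any")
            rows.append((g["name"], r["protocol"] or "any", ports, src))
    return rows
```

Resolving by ID matters because `server show` reports only the group name, and a name such as `default` exists once per project.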

Changed in python-openstackclient:
assignee: nobody → Rajasi Kulkarni (rajasi-kulkarni)
Changed in python-openstackclient:
status: New → In Progress
Changed in python-openstackclient:
assignee: Rajasi Kulkarni (rajasi-kulkarni) → nobody
status: In Progress → New

How about adding a command like "openstack server list security group" to list security groups of a server?

Richard Theis (rtheis) on 2016-10-03
tags: added: network

Please check proposed fix here:
https://review.openstack.org/#/c/390379/

Changed in python-openstackclient:
assignee: nobody → Rajasi Kulkarni (rajasi-kulkarni)
Dean Troyer (dtroyer) wrote :

The proposed review needs to be re-worked to implement the listing as a --server filter to the 'security group list' command.

Changed in python-openstackclient:
status: New → In Progress
importance: Undecided → Medium
Rui Chen (kiwik-chenrui) wrote :

Hi Rajasi Kulkarni, are you working on the bug? I would like to finish the patch.

Hi Rui Chen, I am working on this bug. I will send my patch for review.

Rui Chen (kiwik-chenrui) wrote :

Thank you for replying, feel free to add me to the review list : ) Rajasi
