Need to test security groups with source-group rules

Bug #1118617 reported by Andrea Frittoli
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tempest
Won't Fix
Wishlist
Andrea Frittoli

Bug Description

Related to nova issue https://bugs.launchpad.net/nova/+bug/1118608: source-groupe rules with destination group indentical to source group cause VM to fail.

This scenario shall be tested both in test_security_group_rules.py (creating the rule) as well as in some test spawning a test with such a rule in.

description: updated
Revision history for this message
Kashyap Chamarthy (kashyapc) wrote :
Download full text (4.2 KiB)

Ok, I just tried to test it (from the referenced

1/ Create a group
=========
[kashyap@foobar devstack-2]$ nova secgroup-create test test
+----+------+-------------+
| Id | Name | Description |
+----+------+-------------+
| 2 | test | test |
+----+------+-------------+
=========

2/ Add a rule
=========
[kashyap@foobar devstack-2]$ nova secgroup-add-group-rule test test icmp -1 -1
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
| ICMP | -1 | -1 | | test |
+-------------+-----------+---------+----------+--------------+
[kashyap@foobar devstack-2]$
=========

3/ Get an image and add it to glance
=========
[kashyap@foobar ~]$ wget -c http://mattdm.fedorapeople.org/cloud-images/Fedora18-Cloud-x86_64-latest.qcow2
[kashyap@foobar ~]$ glance image-create --name fedora18 --is-public true \
> --disk-format qcow2 --container-format bare \
> < Fedora18-Cloud-x86_64-latest.qcow2
=========
[kashyap@foobar devstack-2]$ glance image-list
+--------------------------------------+---------------------------------+-------------+------------------+-----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+-----------+--------+
| a43e5eed-9fdd-4522-a29e-e6a308d72e66 | cirros-0.3.1-x86_64-uec | ami | ami | 25165824 | active |
| 2c1607d6-0d4a-4ea8-8750-d57599ad4030 | cirros-0.3.1-x86_64-uec-kernel | aki | aki | 4955792 | active |
| 1dc216f7-3eec-4b06-83d3-fb625bb2d7ac | cirros-0.3.1-x86_64-uec-ramdisk | ari | ari | 3714968 | active |
| 0863717d-5d8a-4b48-a8a3-10af4cdfb9fb | fedora18 | qcow2 | bare | 228196352 | active |
+--------------------------------------+---------------------------------+-------------+------------------+-----------+--------+
[kashyap@foobar devstack-2]$
=========

4/ Boot an instance:
=========
[kashyap@foobar devstack-2]$ nova boot --image 0863717d-5d8a-4b48-a8a3-10af4cdfb9fb --flavor 1 \
> --security-group test f18vm1
=========
At this point, it's kind of just hung there

From a different terminal, I see the state:
=========
[kashyap@foobar devstack-2]$ nova list
+--------------------------------------+--------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+--------+--------+------------+-------------+----------+
| 206eb180-bf85-4c25-b209-522f1a1b6eef | f18vm1 | BUILD | scheduling | NOSTATE | |
+--------------------------------------+--------+--------+------------+-------------+----------+
=========

Result:
~~~~~~
After a long time, the above"nova boot" times out with:

ERROR: HTTPConnectionPool(host='<IPADDR-DIFFERENT-THAN-br100', port=8774): Request timed out. (timeout=600.0)

...

Read more...

Revision history for this message
Andrea Frittoli (andrea-frittoli) wrote :

The fix for the original bug on nova side has been released in G3, so it looks like some different issue here.
One more reason for having tests for this in tempest.

Revision history for this message
Kashyap Chamarthy (kashyapc) wrote :

This was on Fedora-19. Can anyone reproduce this ?

Revision history for this message
Attila Fazekas (afazekas) wrote :

@Kashyap: It worked for me on F18

Changed in tempest:
importance: Undecided → Medium
status: New → Confirmed
Changed in tempest:
assignee: nobody → Andrea Frittoli (andrea-frittoli)
Revision history for this message
Andrea Frittoli (andrea-frittoli) wrote :

There is a test now for source group rule (test_security_group_rules_create_with_optional_arguments) but that does not cover the case of source and destination group being the same as in https://bugs.launchpad.net/nova/+bug/1118608

Changed in tempest:
status: Confirmed → In Progress
Sean Dague (sdague)
Changed in tempest:
importance: Medium → Wishlist
Revision history for this message
Yaroslav Lobankov (ylobankov) wrote :

I see that this bug is "In progress" since 2013-12-12, but unfortunately there is no link to the patch. Could anyone please provide the missing link? I just want to understand whether or not the issue is solved.

Revision history for this message
Andrea Frittoli (andrea-frittoli) wrote :

This bug was targeted to nova network SG functionality. I don't think this is valid anymore.

Changed in tempest:
status: In Progress → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.