nova-compute-proxy charm does not enable security group.
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Nova Compute Proxy Charm |
Invalid
|
High
|
Unassigned | ||
| Ubuntu on IBM z Systems |
Invalid
|
High
|
Unassigned | ||
| Juju Charms Collection |
Invalid
|
Undecided
|
Skipper Bug Screeners | ||
Bug Description
#======
The Frobisher Nova nodes which instantiated by Openstack via the nova-compute-proxy charm does not enable the security group.
By some investigation, I found the this compute node configuration created by Juju. It set security group as false.
[root@zs93k24 ~]# cat cat /etc/neutron/
cat: cat: No such file or directory
# mitaka
#######
# [ WARNING ]
# Configuration file maintained by Juju. Local changes may be overwritten.
# Config generated by nova-compute-proxy charm
#######
[ovs]
enable_tunneling = True
local_ip = xx.xx.xx.xx
bridge_mappings =
[agent]
tunnel_types = gre
l2_population = False
enable_
prevent_
[securitygroup]
enable_
[root@zs93k24 ~]#
But we did not disable security group on the juju config side.
(env) liwbj@zs95k5:
application: nova-compute-proxy
charm: nova-compute-proxy
settings:
disable-
default: true
description: |
Disable neutron based security groups - setting this configuration option
will override any settings configured via the neutron-api charm.
.
BE CAREFUL - this option allows you to disable all port level security within
an OpenStack cloud.
type: boolean
value: false
I checked the source code of juju
(env) liwbj@zs95k5:
# mitaka
.......
[securitygroup]
{% if neutron_
enable_
firewall_driver = neutron.
{% else -%}
enable_
{% endif -%}
(env) liwbj@zs95k5:
true
(env) liwbj@zs95k5:
I think the juju configuration is correct, but got the incorrect result.
Could you help me take a look for this issue? If you need more bug information, please let me know.
#=== Steps to Reproduce =======
#======
1. Deploy OpenStack control plane via Canonical distribution (Juju)
2. Deploy at least 2 Frobisher zKVM compute nodes via nova-compute-proxy charm
3. Check the /etc/neutron/
#=== Host Details =======
#======
# hostname -f
# cat /etc/system-release
# Add dbginfo and other related log files.
[root@zs93k24 ~]# hostname -f
zs93k24
[root@zs93k24 ~]#
[root@zs93k24 ~]# cat /etc/system-release
KVM for IBM z Systems release 1.1.3-beta4.3 (Z)
[root@zs93k24
== =======
I found that Juju has ability to change the configuration on openvswitch_
Manually change the openvswitch_
Then modify the juju config to false
(env) liwbj@zs95k5:~$ juju config neutron-api neutron-
WARNING the configuration setting "neutron-
(env) liwbj@zs95k5:~$ juju config neutron-api neutron-
(env) liwbj@zs95k5:~$ juju config neutron-api neutron-
false
(env) liwbj@zs95k5:~$ juju status
Then I can find the openvswitch_
[root@zs93k24 ml2]# cat /etc/neutron/
[securitygroup]
enable_
[root@zs93k24 ml2]#
On opposite way, I manually changed enable_
[root@zs93k24 ml2]# cat openvswitch_
# mitaka
#######
# [ WARNING ]
# Configuration file maintained by Juju. Local changes may be overwritten.
# Config generated by nova-compute-proxy charm
#######
[ovs]
enable_tunneling = True
local_ip = 10.20.95.79
bridge_mappings =
[agent]
tunnel_types = gre
l2_population = False
enable_
prevent_
[securitygroup]
enable_
firewall_driver = neutron.
[root@zs93k24 ml2]#
Set the juju config is also true
(env) liwbj@zs95k5:~$ juju config neutron-api neutron-
(env) liwbj@zs95k5:~$ juju config neutron-api neutron-
true
(env) liwbj@zs95k5:~$ juju status
But juju also changed openvswitch_
[root@zs93k24 ml2]# cat /etc/neutron/
[securitygroup]
enable_
[root@zs93k24 ml2]#
So the conclusion is that no matter what do I set on juju config, juju will set enable_
=======
There are two issues regarding security group settings with the nova compute proxy:
a) changing the charm value is not changing the agent.ini value, and
b) the charm default should be to enable security groups
so it seems like the juju charm configs can be updated successfully, but the changed config is not refelcted in the openvswitch_
| bugproxy (bugproxy) wrote Comment bridged from LTC Bugzilla | #1 |
| tags: | added: architecture-s39064 bugnameltc-149928 severity-critical targetmilestone-inin--- |
| Changed in ubuntu: | |
| assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
| affects: | ubuntu → linux (Ubuntu) |
| affects: | linux (Ubuntu) → charms |
| tags: | added: openstack-ibm |
| tags: | added: s390x |
| bugproxy (bugproxy) wrote | #2 |
| tags: |
added: severity-high removed: severity-critical |
| Changed in charm-nova-compute-proxy: | |
| status: | New → Confirmed |
| James Page (james-page) wrote | #3 |
| Changed in charms: | |
| status: | New → Invalid |
| Changed in charm-nova-compute-proxy: | |
| importance: | Undecided → High |
| status: | Confirmed → Triaged |
| Changed in ubuntu-z-systems: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Andrew McLeod (admcleod) wrote | #4 |
| bugproxy (bugproxy) wrote | #5 |
| bugproxy (bugproxy) wrote | #6 |
| Changed in charm-nova-compute-proxy: | |
| status: | Triaged → Invalid |
| Changed in ubuntu-z-systems: | |
| status: | Triaged → Invalid |
| bugproxy (bugproxy) wrote | #7 |
------- Comment From <email address hidden> 2016-12-19 08:52 EDT-------
Canonical please assign to the right component
Target project nova-compute-proxy charm:
https:/
Many thanks