yahoo-eng-team team mailing list archive

[Bug 1294346] [NEW] When creating Neutron Security Group Rules with a Protocol other than TCP/UDP/ICMP, breaks nova secgroup-* calls

 

Public bug reported:

With the following set in /etc/nova/nova.conf:

security_group_api=neutron

You can view security groups and rules that have been created in Neutron
with nova secgroup-* commands.

If you create a Neutron Security Group rule with a different protocol
though, nova secgroup-* calls fail with a 500 and a lot of stack trace
in /var/log/nova/nova-api-os-compute.log:

<snip>
014-03-18 20:23:46.599 25278 TRACE nova.api.openstack   File "/usr/lib/python2.7/dist-packages/nova/api/openstack/compute/contrib/security_groups.py", line 215, in _format_security_group_rule
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack     sg_rule['from_port'] = rule['from_port']
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack KeyError: 'from_port'
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack
2014-03-18 20:23:46.600 25278 INFO nova.api.openstack [req-507402d7-788e-413a-a005-b852e1b7efa2 3d0524290859416f886f49a2973ab616 1be2c0f9589d4822856a9ac2e16f0406] http://10.240.0.100:8774/v2/1be2c0f9589d4822856a9ac2e16f0406/os-security-groups returned with HTTP 500
2014-03-18 20:23:46.601 25278 INFO nova.osapi_compute.wsgi.server [req-507402d7-788e-413a-a005-b852e1b7efa2 3d0524290859416f886f49a2973ab616 1be2c0f9589d4822856a9ac2e16f0406] 10.240.0.100 "GET /v2/1be2c0f9589d4822856a9ac2e16f0406/os-security-groups HTTP/1.1" status: 500 len: 335 time: 0.0474379

To recreate:

# Test nova secgroup-list works

nova secgroup-list
+--------------------------------------+-------------+-------------+
| Id                                   | Name        | Description |
+--------------------------------------+-------------+-------------+
| ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 | default     | default     |
+--------------------------------------+-------------+-------------+


# Add rule with a different protocol

neutron security-group-rule-create --direction ingress --protocol 50 --remote-ip-prefix 0.0.0.0/0 ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| direction         | ingress                              |
| ethertype         | IPv4                                 |
| id                | d98e83cf-2aab-4eec-89ed-f9aa4d00d57b |
| port_range_max    |                                      |
| port_range_min    |                                      |
| protocol          | 50                                   |
| remote_group_id   |                                      |
| remote_ip_prefix  | 0.0.0.0/0                            |
| security_group_id | ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 |
| tenant_id         | 1be2c0f9589d4822856a9ac2e16f0406     |
+-------------------+--------------------------------------+

# Test
neutron security-group-list # works
nova secgroup-list # now errors

# Delete rule

neutron security-group-rule-delete d98e83cf-2aab-4eec-89ed-f9aa4d00d57b
Deleted security_group_rule: d98e83cf-2aab-4eec-89ed-f9aa4d00d57b

# Test nova again

nova secgroup-list
+--------------------------------------+-------------+-------------+
| Id                                   | Name        | Description |
+--------------------------------------+-------------+-------------+
| ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 | default     | default     |
+--------------------------------------+-------------+-------------+

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1294346
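
The failure reported above, modelled as an added example that is not part of the original report and is not nova or neutron code. The neutron field names come from the CLI output in the report and 'from_port' comes from the traceback; the translate() step, the 'to_port' key and all function names are assumptions made for illustration.

```python
# Added example; not nova or neutron code. Function names are hypothetical.
NOVA_KNOWN = {"tcp", "udp", "icmp"}  # protocols named in the bug title

# Constructed sample rules, shaped like the security_group_rule in the report.
SAMPLE_RULES = [
    {"id": "rule-tcp", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"id": "rule-esp", "protocol": "50", "port_range_min": None, "port_range_max": None},
]

def is_other_protocol(rule):
    """True for an explicit protocol other than tcp/udp/icmp (e.g. '50')."""
    proto = rule.get("protocol")
    # Rules with no protocol set are outside what the report describes.
    return proto is not None and str(proto).lower() not in NOVA_KNOWN

def rules_outside_tcp_udp_icmp(rules):
    """Audit helper: ids of rules that match the condition in the report."""
    return [rule["id"] for rule in rules if is_other_protocol(rule)]

def translate(rule):
    """Assumed translation step: port keys are only set for tcp/udp/icmp."""
    out = {"id": rule["id"]}
    if not is_other_protocol(rule):
        out["from_port"] = rule.get("port_range_min")
        out["to_port"] = rule.get("port_range_max")
    return out

def format_strict(rule):
    """Direct indexing, as on the failing line in the traceback."""
    return {"id": rule["id"], "from_port": rule["from_port"]}

def format_tolerant(rule):
    """Missing port keys become None instead of an unhandled KeyError."""
    return {"id": rule["id"], "from_port": rule.get("from_port"),
            "to_port": rule.get("to_port")}

if __name__ == "__main__":
    print("rules to review:", rules_outside_tcp_udp_icmp(SAMPLE_RULES))
    for sample in SAMPLE_RULES:
        print(format_tolerant(translate(sample)))
```
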
