yahoo-eng-team team mailing list archive
Message #11783
[Bug 1294346] [NEW] When creating Neutron Security Group Rules with a Protocol other than TCP/UDP/ICMP, breaks nova secgroup-* calls
Public bug reported:
With the following set in /etc/nova/nova.conf:
security_group_api=neutron
You can view security groups and rules that have been created in Neutron
with nova secgroup-* commands.
If you create a Neutron Security Group rule with a different protocol
though, nova secgroup-* calls fail with a 500 and a lot of stack trace
in /var/log/nova/nova-api-os-compute.log:
<snip>
014-03-18 20:23:46.599 25278 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/compute/contrib/security_groups.py", line 215, in _format_security_group_rule
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack sg_rule['from_port'] = rule['from_port']
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack KeyError: 'from_port'
2014-03-18 20:23:46.599 25278 TRACE nova.api.openstack
2014-03-18 20:23:46.600 25278 INFO nova.api.openstack [req-507402d7-788e-413a-a005-b852e1b7efa2 3d0524290859416f886f49a2973ab616 1be2c0f9589d4822856a9ac2e16f0406] http://10.240.0.100:8774/v2/1be2c0f9589d4822856a9ac2e16f0406/os-security-groups returned with HTTP 500
2014-03-18 20:23:46.601 25278 INFO nova.osapi_compute.wsgi.server [req-507402d7-788e-413a-a005-b852e1b7efa2 3d0524290859416f886f49a2973ab616 1be2c0f9589d4822856a9ac2e16f0406] 10.240.0.100 "GET /v2/1be2c0f9589d4822856a9ac2e16f0406/os-security-groups HTTP/1.1" status: 500 len: 335 time: 0.0474379
To recreate:
# Test nova secgroup-list works
nova secgroup-list
+--------------------------------------+-------------+-------------+
| Id | Name | Description |
+--------------------------------------+-------------+-------------+
| ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 | default | default |
+--------------------------------------+-------------+-------------+
# Add rule with a different protocol
neutron security-group-rule-create --direction ingress --protocol 50 --remote-ip-prefix 0.0.0.0/0 ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9
Created a new security_group_rule:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| direction | ingress |
| ethertype | IPv4 |
| id | d98e83cf-2aab-4eec-89ed-f9aa4d00d57b |
| port_range_max | |
| port_range_min | |
| protocol | 50 |
| remote_group_id | |
| remote_ip_prefix | 0.0.0.0/0 |
| security_group_id | ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 |
| tenant_id | 1be2c0f9589d4822856a9ac2e16f0406 |
+-------------------+--------------------------------------+
# Test
neutron security-group-list # works
nova secgroup-list # now errors
# Delete rule
neutron security-group-rule-delete d98e83cf-2aab-4eec-89ed-f9aa4d00d57b
Deleted security_group_rule: d98e83cf-2aab-4eec-89ed-f9aa4d00d57b
# Test nova again
nova secgroup-list
+--------------------------------------+-------------+-------------+
| Id | Name | Description |
+--------------------------------------+-------------+-------------+
| ebfd4f04-00f7-459e-8f5b-e6f03aa2fec9 | default | default |
+--------------------------------------+-------------+-------------+
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1294346
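The failure mode in the report, as an added example that is not part of the original message and is not nova's code: a converter that sets the port keys only for protocols it knows by name, beside one that sets them on every path. The function names, the to_port key and the -1 "no ports" value are assumptions of this example; the sample rules are constructed from the values in the report.

```python
# Added illustration with hypothetical function names; this is not nova's code.
# Sample rules are constructed from the field names and values in the report.
ESP_RULE = {
    "id": "d98e83cf-2aab-4eec-89ed-f9aa4d00d57b",
    "protocol": "50",            # IP protocol number, as in the report
    "port_range_min": None,      # shown empty in the neutron output
    "port_range_max": None,
}
SSH_RULE = {"id": "constructed-ssh-rule", "protocol": "tcp",
            "port_range_min": 22, "port_range_max": 22}

def convert_fragile(rule):
    """Sets the port keys only for protocols it recognises by name."""
    out = {"id": rule["id"], "protocol": rule["protocol"]}
    proto = str(rule["protocol"] or "").lower()
    if rule["port_range_min"] is not None:
        out["from_port"] = rule["port_range_min"]
        out["to_port"] = rule["port_range_max"]
    elif proto in ("tcp", "udp"):
        out["from_port"], out["to_port"] = 1, 65535
    elif proto == "icmp":
        out["from_port"], out["to_port"] = -1, -1
    return out  # protocol "50" falls through with no port keys at all

def convert_total(rule):
    """Same mapping, but every path sets both keys (-1 is assumed to mean 'no ports')."""
    out = convert_fragile(rule)
    out.setdefault("from_port", -1)
    out.setdefault("to_port", -1)
    return out

def format_rule(rule):
    """Unguarded key access, like the line named in the trace."""
    sg_rule = {"id": rule["id"], "protocol": rule["protocol"]}
    sg_rule["from_port"] = rule["from_port"]
    sg_rule["to_port"] = rule["to_port"]
    return sg_rule

def list_rules(rules, convert):
    """One request formats every rule, so one bad rule fails the whole listing."""
    return [format_rule(convert(r)) for r in rules]

if __name__ == "__main__":
    print(list_rules([SSH_RULE, ESP_RULE], convert_total))
    try:
        list_rules([SSH_RULE, ESP_RULE], convert_fragile)
    except KeyError as exc:
        print("listing failed:", repr(exc))
```

Because the listing formats every rule in a single request, one unconvertible rule is enough to turn the whole response into an error, which matches the behaviour described in the report.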