
yahoo-eng-team team mailing list archive

[Bug 1554728] Re: Unable to launch an instance on a network where port-security-enabled=False

 

Seems like a nova issue. Moving to another project.

** Project changed: neutron => nova

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1554728

Title:
  Unable to launch an instance on a network where port-security-enabled=False

Status in OpenStack Compute (nova):
  New

Bug description:
  Create a network with port-security-enabled=False.
  stack@whiskey:~$ neutron net-show n
  +---------------------------+--------------------------------------+
  | Field                     | Value                                |
  +---------------------------+--------------------------------------+
  | admin_state_up            | True                                 |
  | availability_zone_hints   |                                      |
  | availability_zones        | nova                                 |
  | id                        | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4 |
  | mtu                       | 1450                                 |
  | name                      | n                                    |
  | port_security_enabled     | False                                |
  | provider:network_type     | vxlan                                |
  | provider:physical_network |                                      |
  | provider:segmentation_id  | 1019                                 |
  | router:external           | False                                |
  | shared                    | False                                |
  | status                    | ACTIVE                               |
  | subnets                   | 57fb945b-92d2-4cf3-b7a0-dd43e96b88d5 |
  | tenant_id                 | 96df521a0afe46128044cf6ee20e4843     |
  +---------------------------+--------------------------------------+

  Create a subnet under this network:

  stack@whiskey:~$ neutron subnet-show s
  +-------------------+------------------------------------------+
  | Field             | Value                                    |
  +-------------------+------------------------------------------+
  | allocation_pools  | {"start": "2.2.2.2", "end": "2.2.2.254"} |
  | cidr              | 2.2.2.0/24                               |
  | dns_nameservers   |                                          |
  | enable_dhcp       | True                                     |
  | gateway_ip        | 2.2.2.1                                  |
  | host_routes       |                                          |
  | id                | 57fb945b-92d2-4cf3-b7a0-dd43e96b88d5     |
  | ip_version        | 4                                        |
  | ipv6_address_mode |                                          |
  | ipv6_ra_mode      |                                          |
  | name              | s                                        |
  | network_id        | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4     |
  | subnetpool_id     |                                          |
  | tenant_id         | 96df521a0afe46128044cf6ee20e4843         |
  +-------------------+------------------------------------------+

  
  Now, create a port under this subnet:

  stack@whiskey:~$ neutron port-show p
  +-----------------------+--------------------------------------------------------------------------------+
  | Field                 | Value                                                                          |
  +-----------------------+--------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                           |
  | allowed_address_pairs |                                                                                |
  | binding:host_id       |                                                                                |
  | binding:profile       | {}                                                                             |
  | binding:vif_details   | {}                                                                             |
  | binding:vif_type      | unbound                                                                        |
  | binding:vnic_type     | normal                                                                         |
  | device_id             |                                                                                |
  | device_owner          |                                                                                |
  | dns_name              |                                                                                |
  | extra_dhcp_opts       |                                                                                |
  | fixed_ips             | {"subnet_id": "57fb945b-92d2-4cf3-b7a0-dd43e96b88d5", "ip_address": "2.2.2.3"} |
  | id                    | 33095bd6-3a5c-4ccd-9e4f-046fb7f9272e                                           |
  | mac_address           | fa:16:3e:f0:46:ae                                                              |
  | name                  | p                                                                              |
  | network_id            | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4                                           |
  | port_security_enabled | False                                                                          |
  | security_groups       |                                                                                |
  | status                | DOWN                                                                           |
  | tenant_id             | 96df521a0afe46128044cf6ee20e4843                                               |
  +-----------------------+--------------------------------------------------------------------------------+

  As expected the port created has no security groups associated with
  it.

  Now, doing a nova boot on this port results in the VM getting into
  error state. Is that the expected behavior?

  stack@whiskey:~$ nova boot vm --flavor 1 --image cirros-0.3.4-x86_64-uec --nic port-id=33095bd6-3a5c-4ccd-9e4f-046fb7f9272e
  +--------------------------------------+----------------------------------------------------------------+
  | Property                             | Value                                                          |
  +--------------------------------------+----------------------------------------------------------------+
  | OS-DCF:diskConfig                    | MANUAL                                                         |
  | OS-EXT-AZ:availability_zone          |                                                                |
  | OS-EXT-SRV-ATTR:host                 | -                                                              |
  | OS-EXT-SRV-ATTR:hostname             | vm                                                             |
  | OS-EXT-SRV-ATTR:hypervisor_hostname  | -                                                              |
  | OS-EXT-SRV-ATTR:instance_name        | instance-00000005                                              |
  | OS-EXT-SRV-ATTR:kernel_id            | bf0aba00-f8b8-4e18-b1d9-26027a4d9243                           |
  | OS-EXT-SRV-ATTR:launch_index         | 0                                                              |
  | OS-EXT-SRV-ATTR:ramdisk_id           | 425fc8cb-59cc-4f22-b004-e434fbd48283                           |
  | OS-EXT-SRV-ATTR:reservation_id       | r-g4kmf8y4                                                     |
  | OS-EXT-SRV-ATTR:root_device_name     | -                                                              |
  | OS-EXT-SRV-ATTR:user_data            | -                                                              |
  | OS-EXT-STS:power_state               | 0                                                              |
  | OS-EXT-STS:task_state                | scheduling                                                     |
  | OS-EXT-STS:vm_state                  | building                                                       |
  | OS-SRV-USG:launched_at               | -                                                              |
  | OS-SRV-USG:terminated_at             | -                                                              |
  | accessIPv4                           |                                                                |
  | accessIPv6                           |                                                                |
  | adminPass                            | rWeLbfy4aFkH                                                   |
  | config_drive                         |                                                                |
  | created                              | 2016-03-08T20:39:19Z                                           |
  | flavor                               | m1.tiny (1)                                                    |
  | hostId                               |                                                                |
  | id                                   | 01ded4ae-b87c-458a-97b0-c628db3a2b2e                           |
  | image                                | cirros-0.3.4-x86_64-uec (996b8839-9347-4711-93a1-d9a0a84b5e49) |
  | key_name                             | -                                                              |
  | locked                               | False                                                          |
  | metadata                             | {}                                                             |
  | name                                 | vm                                                             |
  | os-extended-volumes:volumes_attached | []                                                             |
  | progress                             | 0                                                              |
  | security_groups                      | default                                                        |
  | status                               | BUILD                                                          |
  | tenant_id                            | 96df521a0afe46128044cf6ee20e4843                               |
  | updated                              | 2016-03-08T20:39:19Z                                           |
  | user_id                              | acae4fa2499f4841807aa37ee79eef19                               |
  +--------------------------------------+----------------------------------------------------------------+
  stack@whiskey:~$ nova list
  +--------------------------------------+------+--------+------------+-------------+----------+
  | ID                                   | Name | Status | Task State | Power State | Networks |
  +--------------------------------------+------+--------+------------+-------------+----------+
  | 01ded4ae-b87c-458a-97b0-c628db3a2b2e | vm   | ERROR  | -          | NOSTATE     |          |
  +--------------------------------------+------+--------+------------+-------------+----------+

  
  Logs on n-cpu:

   _http_log_response /usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py:254
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [req-0ffe6000-fd2d-4eb0-99d6-cba841aa1542 admin demo] [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Instance failed to spawn
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Traceback (most recent call last):
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/compute/manager.py", line 2188, in _build_resources
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     yield resources
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/compute/manager.py", line 2034, in _build_and_run_instance
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     block_device_info=block_device_info)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 2726, in spawn
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     admin_pass=admin_password)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 3219, in _create_image
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     content=files, extra_md=extra_md, network_info=network_info)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/api/metadata/base.py", line 160, in __init__
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     self.network_metadata = netutils.get_network_metadata(network_info)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/virt/netutils.py", line 194, in get_network_metadata
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     if not network_info:
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/network/model.py", line 523, in __len__
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     return self._sync_wrapper(fn, *args, **kwargs)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/network/model.py", line 510, in _sync_wrapper
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     self.wait()
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/network/model.py", line 542, in wait
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     self[:] = self._gt.wait()
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 175, in wait
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     return self._exit_event.wait()
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/usr/local/lib/python2.7/dist-packages/eventlet/event.py", line 125, in wait
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     current.throw(*self._exc)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 214, in main
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     result = function(*args, **kwargs)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/utils.py", line 1160, in context_wrapper
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     return func(*args, **kwargs)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/compute/manager.py", line 1581, in _allocate_network_async
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     six.reraise(*exc_info)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/compute/manager.py", line 1564, in _allocate_network_async
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     bind_host_id=bind_host_id)
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]   File "/opt/stack/nova/nova/network/neutronv2/api.py", line 633, in allocate_for_instance
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]     raise exception.SecurityGroupCannotBeApplied()
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.
  2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]
  2016-03-08 12:39:21.097 18805 INFO nova.compute.manager [req-0ffe6000-fd2d-4eb0-99d6-cba841aa1542 admin demo] [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Terminating instance


  
  I can, however, boot a VM on a port where port_security_enabled=False under a network where port_security_enabled=true, as expected.

  I was not expecting that an instance cannot be launched under a
  network where the value of port_security_enabled is false. Is that the
  expected behavior? If yes, what's the reason? We don't need
  security-groups when port-security-enabled=false, correct? Why should
  VM boot be blocked then on such a network?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1554728/+subscriptions
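
The following pre-flight check is an added example, not part of the original report and not nova's code. It parses `neutron net-show` style table output and models the condition named in the `SecurityGroupCannotBeApplied` message, assuming the boot request carries the `default` security group as the `nova boot` output above shows; the function names and the trimmed sample table are constructed for illustration.

```python
"""Pre-flight check for booting on a network with port security disabled.

Sketch of the rule stated in the SecurityGroupCannotBeApplied message;
helper names are hypothetical and this is not nova's implementation.
"""


def parse_cli_table(text):
    """Turn '| Field | Value |' CLI table output into a dict of strings."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders and shell prompts
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 2 and cells[0] not in ("Field", "Property"):
            rows[cells[0]] = cells[1]
    return rows


def as_bool(value, default=True):
    """An absent or empty field falls back to the default (enabled)."""
    return default if value in (None, "") else value.strip().lower() == "true"


def preflight(network, requested_security_groups):
    """Return findings for a boot request with these groups on `network`."""
    findings = []
    port_sec = as_bool(network.get("port_security_enabled"))
    has_subnet = bool(network.get("subnets"))
    if not port_sec:
        findings.append("network has port security disabled: new ports get no "
                        "security-group or anti-spoofing filtering by default")
    if requested_security_groups and not (port_sec and has_subnet):
        findings.append("boot will fail: security groups %s requested but the "
                        "network lacks port_security_enabled and/or a subnet"
                        % sorted(requested_security_groups))
    return findings


# Constructed sample: the net-show table from the report, trimmed to 3 fields.
NET_SHOW = """\
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| name                      | n                                    |
| port_security_enabled     | False                                |
| subnets                   | 57fb945b-92d2-4cf3-b7a0-dd43e96b88d5 |
+---------------------------+--------------------------------------+
"""

if __name__ == "__main__":
    for finding in preflight(parse_cli_table(NET_SHOW), ["default"]):
        print(finding)
```

The first finding is also useful on its own as an audit signal: it flags any network whose ports are created without filtering unless port security is re-enabled per port.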

