yahoo-eng-team team mailing list archive
Message #47711
[Bug 1554728] Re: Unable to launch an instance on a network where port-security-enabled=False
Seems like a nova issue. Moving to another project.
** Project changed: neutron => nova
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1554728
Title:
Unable to launch an instance on a network where port-security-enabled=False
Status in OpenStack Compute (nova):
New
Bug description:
Create a network with port-security-enabled=False.
stack@whiskey:~$ neutron net-show n
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| availability_zone_hints | |
| availability_zones | nova |
| id | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4 |
| mtu | 1450 |
| name | n |
| port_security_enabled | False |
| provider:network_type | vxlan |
| provider:physical_network | |
| provider:segmentation_id | 1019 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | 57fb945b-92d2-4cf3-b7a0-dd43e96b88d5 |
| tenant_id | 96df521a0afe46128044cf6ee20e4843 |
+---------------------------+--------------------------------------+
Create a subnet under this network:
stack@whiskey:~$ neutron subnet-show s
+-------------------+------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------+
| allocation_pools | {"start": "2.2.2.2", "end": "2.2.2.254"} |
| cidr | 2.2.2.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 2.2.2.1 |
| host_routes | |
| id | 57fb945b-92d2-4cf3-b7a0-dd43e96b88d5 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | s |
| network_id | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4 |
| subnetpool_id | |
| tenant_id | 96df521a0afe46128044cf6ee20e4843 |
+-------------------+------------------------------------------+
Now, create a port under this subnet:
stack@whiskey:~$ neutron port-show p
+-----------------------+--------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:host_id | |
| binding:profile | {} |
| binding:vif_details | {} |
| binding:vif_type | unbound |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "57fb945b-92d2-4cf3-b7a0-dd43e96b88d5", "ip_address": "2.2.2.3"} |
| id | 33095bd6-3a5c-4ccd-9e4f-046fb7f9272e |
| mac_address | fa:16:3e:f0:46:ae |
| name | p |
| network_id | 45a84b0e-6bae-4a05-a0d2-5ec3d43ff5b4 |
| port_security_enabled | False |
| security_groups | |
| status | DOWN |
| tenant_id | 96df521a0afe46128044cf6ee20e4843 |
+-----------------------+--------------------------------------------------------------------------------+
As expected the port created has no security groups associated with
it.
Now, doing a nova boot on this port results in the VM getting into an
error state. Is that the expected behavior?
stack@whiskey:~$ nova boot vm --flavor 1 --image cirros-0.3.4-x86_64-uec --nic port-id=33095bd6-3a5c-4ccd-9e4f-046fb7f9272e
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-SRV-ATTR:host | - |
| OS-EXT-SRV-ATTR:hostname | vm |
| OS-EXT-SRV-ATTR:hypervisor_hostname | - |
| OS-EXT-SRV-ATTR:instance_name | instance-00000005 |
| OS-EXT-SRV-ATTR:kernel_id | bf0aba00-f8b8-4e18-b1d9-26027a4d9243 |
| OS-EXT-SRV-ATTR:launch_index | 0 |
| OS-EXT-SRV-ATTR:ramdisk_id | 425fc8cb-59cc-4f22-b004-e434fbd48283 |
| OS-EXT-SRV-ATTR:reservation_id | r-g4kmf8y4 |
| OS-EXT-SRV-ATTR:root_device_name | - |
| OS-EXT-SRV-ATTR:user_data | - |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | rWeLbfy4aFkH |
| config_drive | |
| created | 2016-03-08T20:39:19Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | 01ded4ae-b87c-458a-97b0-c628db3a2b2e |
| image | cirros-0.3.4-x86_64-uec (996b8839-9347-4711-93a1-d9a0a84b5e49) |
| key_name | - |
| locked | False |
| metadata | {} |
| name | vm |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | 96df521a0afe46128044cf6ee20e4843 |
| updated | 2016-03-08T20:39:19Z |
| user_id | acae4fa2499f4841807aa37ee79eef19 |
+--------------------------------------+----------------------------------------------------------------+
stack@whiskey:~$ nova list
+--------------------------------------+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------+--------+------------+-------------+----------+
| 01ded4ae-b87c-458a-97b0-c628db3a2b2e | vm | ERROR | - | NOSTATE | |
+--------------------------------------+------+--------+------------+-------------+----------+
Logs on n-cpu:
_http_log_response /usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py:254
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [req-0ffe6000-fd2d-4eb0-99d6-cba841aa1542 admin demo] [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Instance failed to spawn
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Traceback (most recent call last):
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/compute/manager.py", line 2188, in _build_resources
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] yield resources
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/compute/manager.py", line 2034, in _build_and_run_instance
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] block_device_info=block_device_info)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 2726, in spawn
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] admin_pass=admin_password)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 3219, in _create_image
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] content=files, extra_md=extra_md, network_info=network_info)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/api/metadata/base.py", line 160, in __init__
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] self.network_metadata = netutils.get_network_metadata(network_info)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/virt/netutils.py", line 194, in get_network_metadata
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] if not network_info:
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/network/model.py", line 523, in __len__
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] return self._sync_wrapper(fn, *args, **kwargs)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/network/model.py", line 510, in _sync_wrapper
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] self.wait()
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/network/model.py", line 542, in wait
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] self[:] = self._gt.wait()
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 175, in wait
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] return self._exit_event.wait()
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/usr/local/lib/python2.7/dist-packages/eventlet/event.py", line 125, in wait
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] current.throw(*self._exc)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 214, in main
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] result = function(*args, **kwargs)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/utils.py", line 1160, in context_wrapper
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] return func(*args, **kwargs)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/compute/manager.py", line 1581, in _allocate_network_async
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] six.reraise(*exc_info)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/compute/manager.py", line 1564, in _allocate_network_async
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] bind_host_id=bind_host_id)
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] File "/opt/stack/nova/nova/network/neutronv2/api.py", line 633, in allocate_for_instance
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] raise exception.SecurityGroupCannotBeApplied()
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.
2016-03-08 12:39:21.096 18805 ERROR nova.compute.manager [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e]
2016-03-08 12:39:21.097 18805 INFO nova.compute.manager [req-0ffe6000-fd2d-4eb0-99d6-cba841aa1542 admin demo] [instance: 01ded4ae-b87c-458a-97b0-c628db3a2b2e] Terminating instance
I can however boot a vm on a port where port_security_enabled=False under a network where the port_security_enabled=true as expected.
I was not expecting that an instance cannot be launched under a
network where the value of port_security_enabled is false. Is that the
expected behavior? If yes, what's the reason? We don't need security-groups
when port-security-enabled=false, correct? Why should vm boot
be blocked then on such a network?
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1554728/+subscriptions
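
Added example (not part of the original message and not nova's own code): a pre-flight check that parses `neutron net-show` output in the format shown above and applies the precondition stated in the SecurityGroupCannotBeApplied message. The function names, the default of True for a missing port_security_enabled field, and treating the "default" group listed in the `nova boot` output as a requested group are assumptions.

```python
import re

# Constructed sample: rows copied from the `neutron net-show n` output in
# the report, trimmed to the fields this check reads.
NET_SHOW = """\
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| name                  | n                                    |
| port_security_enabled | False                                |
| subnets               | 57fb945b-92d2-4cf3-b7a0-dd43e96b88d5 |
+-----------------------+--------------------------------------+
"""

ROW = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")


def parse_cli_table(text):
    """Parse a two-column Field/Value table into a dict of strings."""
    fields, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(1) == "Field":
            continue  # border or header row
        key, value = m.groups()
        if key:
            fields[key], last = value, key
        elif last and value:
            # Continuation row: the CLI wraps multi-valued fields
            # (e.g. several subnets) onto rows with an empty Field cell.
            fields[last] = (fields[last] + " " + value).strip()
    return fields


def preflight(net, requested_groups):
    """Return the expected error name, or None if this check passes.

    Assumption (hypothetical helper, inferred from the error text): groups
    can only be applied when the network has a subnet and port security on.
    """
    has_subnet = bool(net.get("subnets", "").strip())
    port_security = net.get("port_security_enabled", "True") == "True"
    if requested_groups and not (has_subnet and port_security):
        return "SecurityGroupCannotBeApplied"
    return None


if __name__ == "__main__":
    net = parse_cli_table(NET_SHOW)
    print(preflight(net, ["default"]))  # groups from the `nova boot` output
```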