yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1846559] [NEW] Handling Down Cells in nova - security_groups can be in the response for GET /servers/detail

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Matt Riedemann <mriedem.os@xxxxxxxxx>
Date: Thu, 03 Oct 2019 19:42:00 -0000
Reply-to: Bug 1846559 <1846559@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Public bug reported:

- [x] This doc is inaccurate in this way:

This came up during a review to remove nova-net usage from functional
tests and enhance the neutron fixture used in those tests:

https://review.opendev.org/#/c/685927/2/nova/tests/functional/test_servers.py@1264

In summary, GET /servers/detail responses for servers in a down cell may
include a "security_groups" key because the API proxies that information
from neutron only using the server id (the neutron security group driver
finds the ports from that server id and the security groups from the
ports). None of the security group information about a server, when
using neutron, is cached with the server in the cell database unlike the
port information (VIFs i.e. instance.info_cache.network_info).

As a result, the doc is wrong for the keys it says can be returned from
a GET /servers/detail response in a down cell scenario since it doesn't
include 'security_groups'. The linked patch above shows that with the
changed sample:

https://review.opendev.org/#/c/685927/2/doc/api_samples/servers/v2.69
/servers-details-resp.json

Also note that this is not the same for the GET /servers/{server_id}
(show) case because that returns from the view builder here:

https://github.com/openstack/nova/blob/867401e575d2b27b9bc63ceda41cd85233545cd5/nova/api/openstack/compute/views/servers.py#L210

without including any security group information.

Note that fixing the API to be consistent between show and detail would
require a microversion and is likely not worth a new microversion of
that, a user can get security group information from the networking API
directly with something like this:

  GET /v2.0/ports?device_id=<server_id>&fields=security_groups

And from the ports response the client can get the security groups by
id.

This bug is just to update the down cell API guide docs.

-----------------------------------
Release: 19.1.0.dev1588 on 2019-09-24 00:12:44
SHA: 2b15e162546ff5aa6458b2d1b2422a775e92b785
Source: https://opendev.org/openstack/nova/src/api-guide/source/down_cells.rst
URL: https://docs.openstack.org/api-guide/compute/down_cells.html

** Affects: nova
     Importance: Medium
         Status: Confirmed


** Tags: api-guide cells doc

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1846559

Title:
  Handling Down Cells in nova - security_groups can be in the response
  for GET /servers/detail

Status in OpenStack Compute (nova):
  Confirmed

Bug description:
  - [x] This doc is inaccurate in this way:

  This came up during a review to remove nova-net usage from functional
  tests and enhance the neutron fixture used in those tests:

  https://review.opendev.org/#/c/685927/2/nova/tests/functional/test_servers.py@1264

  In summary, GET /servers/detail responses for servers in a down cell
  may include a "security_groups" key because the API proxies that
  information from neutron only using the server id (the neutron
  security group driver finds the ports from that server id and the
  security groups from the ports). None of the security group
  information about a server, when using neutron, is cached with the
  server in the cell database unlike the port information (VIFs i.e.
  instance.info_cache.network_info).

  As a result, the doc is wrong for the keys it says can be returned
  from a GET /servers/detail response in a down cell scenario since it
  doesn't include 'security_groups'. The linked patch above shows that
  with the changed sample:

  https://review.opendev.org/#/c/685927/2/doc/api_samples/servers/v2.69
  /servers-details-resp.json

  Also note that this is not the same for the GET /servers/{server_id}
  (show) case because that returns from the view builder here:

  https://github.com/openstack/nova/blob/867401e575d2b27b9bc63ceda41cd85233545cd5/nova/api/openstack/compute/views/servers.py#L210

  without including any security group information.

  Note that fixing the API to be consistent between show and detail
  would require a microversion and is likely not worth a new
  microversion of that, a user can get security group information from
  the networking API directly with something like this:

    GET /v2.0/ports?device_id=<server_id>&fields=security_groups

  And from the ports response the client can get the security groups by
  id.

  This bug is just to update the down cell API guide docs.

  -----------------------------------
  Release: 19.1.0.dev1588 on 2019-09-24 00:12:44
  SHA: 2b15e162546ff5aa6458b2d1b2422a775e92b785
  Source: https://opendev.org/openstack/nova/src/api-guide/source/down_cells.rst
  URL: https://docs.openstack.org/api-guide/compute/down_cells.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1846559/+subscriptions
Follow ups

[Bug 1846559] Re: Handling Down Cells in nova - security_groups can be in the response for GET /servers/detail
From: OpenStack Infra, 2019-10-11