yahoo-eng-team team mailing list archive
Message #81483
[Bug 1858680] Re: Succeed to create new security group, even if security group rule quota is exceeded
Reviewed: https://review.opendev.org/701565
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=936bd67aa42b2e06241d309315b895c9c9c49dcc
Submitter: Zuul
Branch: master
commit 936bd67aa42b2e06241d309315b895c9c9c49dcc
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date: Wed Jan 8 13:31:29 2020 +0000

Check "security_group_rule" quota during security group creation

The tracked resources quota check is done at the beginning of an API
call to the Neutron server. The API call contains a resource and an
action over the resource. In case of creation, the server checks if
the number of items requested fits in the existing quota.

In case of security group creation, the tracked resource checked is
"security_group". But "SecurityGroupDbMixin.create_security_group"
method also creates several default rules for the new group and the
quota for "security_group_rule" is not enforced.

This patch checks the number of security group rules being created
("delta") and checks in the plugin method (not in the API method) if
there is enough room for those new rules (tracked resource
"security_group_rule").

Change-Id: I0a9b91b09d6260ff96fdba2f0a455de53bbc1f00
Closes-Bug: #1858680
** Changed in: neutron
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1858680
Title:
Succeed to create new security group, even if security group rule
quota is exceeded
Status in neutron:
Fix Released
Bug description:
Description of problem:
Even if the quota for SG rules is exhausted, new security groups (with two default rules by default) can be created successfully.
How to reproduce:
OS_PROJECT_NAME=admin
# Count the security group rules that already exist in the project
CREATED=`openstack security group list --project $OS_PROJECT_NAME -f json \
  | jq -r '.[] | .ID' \
  | xargs -I {} openstack security group rule list {} -f value | wc -l`
let "CREATED +=1"
# Use the first security group in the project as the target for new rules
SG=`openstack security group list --project $OS_PROJECT_NAME -f json \
  | jq -r '.[0] | .ID'`
# Read the project's security group rule quota
QUOTA=`openstack quota show $OS_PROJECT_NAME -f json \
  | jq -r '.["secgroup-rules"]'`
# Create rules until the quota is reached
for ((i=CREATED; i<=QUOTA; i++)); do
  PORT=`printf "%04d" $i`
  openstack security group rule create --ingress --protocol tcp \
    --dst-port 5$PORT:5$PORT $SG
done
# With the rule quota exhausted, create one more security group
openstack security group create --project $OS_PROJECT_NAME \
  sec_group_with_excess_rules
Actual results:
The number of SG rules after the last command exceeds the maximum quota assigned for SG rules by 2.
Related bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1787933
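The quota gap described in the commit message and reproduced in the bug report, as an added example that is not Neutron's code and is not part of the original message. It is a toy model: the class, function names and quota values are constructed for illustration, and the only facts taken from the page are the two tracked resource names and the two default rules per new group.

```python
# Toy model, constructed for illustration; none of these names are Neutron's API.
class OverQuota(Exception):
    pass

DEFAULT_RULES = 2  # the bug report says a new group gets two default rules


class Project:
    def __init__(self, quotas):
        self.quotas = dict(quotas)
        self.usage = {name: 0 for name in quotas}

    def check_quota(self, resource, delta):
        """Raise OverQuota if `delta` more items of `resource` do not fit."""
        if self.usage[resource] + delta > self.quotas[resource]:
            raise OverQuota(f"{resource}: {self.usage[resource]} used, "
                            f"+{delta} requested, limit {self.quotas[resource]}")


def plugin_create_security_group(project, check_rule_quota):
    """Plugin-level method: creates the group and its default rules."""
    if check_rule_quota:
        # The fix described in the commit message: check the number of rules
        # about to be created ("delta") here, not in the API-level check.
        project.check_quota("security_group_rule", DEFAULT_RULES)
    project.usage["security_group"] += 1
    project.usage["security_group_rule"] += DEFAULT_RULES


def api_create(project, resource, check_rule_quota=False):
    """API-level entry point: only the resource named in the call is checked."""
    project.check_quota(resource, 1)
    if resource == "security_group":
        plugin_create_security_group(project, check_rule_quota)
    else:
        project.usage[resource] += 1


def reproduce(check_rule_quota):
    """Fill the rule quota, then create one more group (constructed quotas)."""
    project = Project({"security_group": 10, "security_group_rule": 100})
    api_create(project, "security_group", check_rule_quota)
    while project.usage["security_group_rule"] < project.quotas["security_group_rule"]:
        api_create(project, "security_group_rule")
    try:
        api_create(project, "security_group", check_rule_quota)
        rejected = False
    except OverQuota:
        rejected = True
    return project.usage["security_group_rule"], rejected
```

`reproduce(False)` ends with rule usage two above the limit, matching the "Actual results" in the bug report; `reproduce(True)` rejects the last group creation and leaves usage at the limit.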