yahoo-eng-team team mailing list archive

[Bug 1858680] Re: Succeed to create new security group, even if security group rule quota is exceeded

 

Reviewed:  https://review.opendev.org/701565
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=936bd67aa42b2e06241d309315b895c9c9c49dcc
Submitter: Zuul
Branch:    master

commit 936bd67aa42b2e06241d309315b895c9c9c49dcc
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date:   Wed Jan 8 13:31:29 2020 +0000

    Check "security_group_rule" quota during security group creation
    
    The tracked resources quota check is done at the beginning of an API
    call to the Neutron server. The API call contains a resource and an
    action over the resource. In case of creation, the server checks if
    the number of items requested fits in the existing quota.
    
    In case of security group creation, the tracked resource checked is
    "security_group". But "SecurityGroupDbMixin.create_security_group"
    method also creates several default rules for the new group and the
    quota for "security_group_rule" is not enforced.
    
    This patch checks the number of security group rules being created
    ("delta") and checks in the plugin method (not in the API method) if
    there is enough room for those new rules (tracked resource
    "security_group_rule").
    
    Change-Id: I0a9b91b09d6260ff96fdba2f0a455de53bbc1f00
    Closes-Bug: #1858680


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1858680

Title:
  Succeed to create new security group, even if security group rule
  quota is exceeded

Status in neutron:
  Fix Released

Bug description:
  Description of problem:
  Even if the quota for SG rules is exhausted, new security groups (with two default rules by default) can be created successfully.

  How to reproduce:
    OS_PROJECT_NAME=admin
    CREATED=`openstack security group list --project $OS_PROJECT_NAME -f \
      json | jq -r '.[] | .ID' | xargs -I {} openstack security \
      group rule list {} -f value | wc -l`
    let "CREATED +=1"
    SG=`openstack security group list --project $OS_PROJECT_NAME -f json \
      | jq -r '.[0] | .ID'`
    QUOTA=`openstack quota show $OS_PROJECT_NAME -f json \
      | jq -r '.["secgroup-rules"]'`

    for ((i=CREATED; i<=QUOTA; i++)); do
      PORT=`printf "%04d" $i`
      openstack security group rule create --ingress --protocol tcp \
        --dst-port 5$PORT:5$PORT $SG
    done

    openstack security group create --project $OS_PROJECT_NAME \
      sec_group_with_excess_rules

  Actual results:
  The number of SG rules after the last command exceeds the maximum quota assigned for SG rules by 2.

  Related bugs: https://bugzilla.redhat.com/show_bug.cgi?id=1787933

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1858680/+subscriptions
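
The gap described in the commit message above, as an added example that is not Neutron's code: a toy quota tracker in which the API-layer check covers only `security_group`, and the plugin-layer check for the rule delta can be switched on. `QuotaTracker`, `create_security_group`, `demo` and the limits 10 and 100 are constructed for illustration; the two default rules per group come from the bug description.

```python
"""Toy model of the quota gap (constructed; not Neutron code)."""


class OverQuota(Exception):
    """A request would push a tracked resource past its limit."""


class QuotaTracker:
    def __init__(self, limits):
        self.limits = dict(limits)
        self.used = {name: 0 for name in limits}

    def check(self, resource, delta):
        # In this model a negative limit means "unlimited".
        limit = self.limits[resource]
        if limit >= 0 and self.used[resource] + delta > limit:
            raise OverQuota(f"{resource}: {self.used[resource]}+{delta} > {limit}")

    def consume(self, resource, delta):
        self.used[resource] += delta


DEFAULT_RULES = 2  # per the bug report: each new group gets two default rules


def create_security_group(quota, enforce_rule_quota):
    # API-layer check: only the resource named in the request is counted.
    quota.check("security_group", 1)
    # Plugin-layer check (the fix): rules created as a side effect are a delta too.
    if enforce_rule_quota:
        quota.check("security_group_rule", DEFAULT_RULES)
    # Every check passes before anything is consumed, so a rejection leaves no residue.
    quota.consume("security_group", 1)
    quota.consume("security_group_rule", DEFAULT_RULES)


def demo(enforce_rule_quota):
    quota = QuotaTracker({"security_group": 10, "security_group_rule": 100})
    quota.consume("security_group", 1)
    quota.consume("security_group_rule", 100)  # rule quota already exhausted
    try:
        create_security_group(quota, enforce_rule_quota)
        outcome = "created"
    except OverQuota:
        outcome = "rejected"
    return outcome, quota.used["security_group"], quota.used["security_group_rule"]


if __name__ == "__main__":
    print("without rule check:", demo(False))
    print("with rule check:   ", demo(True))
```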

