yahoo-eng-team team mailing list archive
Message #83451
[Bug 1889655] [NEW] removeSecurityGroup action returns 500 when there are multiple security groups with the same name
Public bug reported:

According to the OpenStack Compute API ref, a security group name can be
supplied in the request to remove a security group from the server.

Nova correctly handles the case of adding a security group to a server when
there are multiple security groups with the requested name and returns
HTTP 409 Conflict.

However, it fails in the same scenario when removing a security group from
the server (for example, when a security group with a duplicate name was
added after the server was created), returning HTTP 500.

Reproduce script for current DevStack/master:

    #!/usr/bin/env bash
    set -ex
    # repro on DevStack
    export OS_CLOUD=devstack
    TOKEN=$(openstack token issue -f value -c id)
    # openstackclient catalog list/show are not very bash-friendly, only with jq :-/
    computeapi=$(openstack catalog show compute | grep public | awk '{print $4}')
    # adjust image, flavor and network to your liking
    serverid=$(openstack server create dummy --image cirros-0.5.1-x86_64-disk --flavor m1.nano --network private -f value -c id)
    openstack security group create dummy
    openstack server add security group dummy dummy
    openstack security group create dummy
    # smart clients (openstackclient, openstacksdk) use some sort of pre-validation
    # or name-to-id resolving first, so using raw curl to demonstrate.
    curl -g -i --cacert "/opt/stack/data/ca-bundle.pem" \
        -X POST $computeapi/servers/$serverid/action \
        -d '{"removeSecurityGroup":{"name":"dummy"}}' \
        -H "Content-Type: application/json" \
        -H "X-Auth-Token: $TOKEN"

The last command returns:

    {"computeFault": {"code": 500, "message": "Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.\n<class 'neutronclient.common.exceptions.NeutronClientNoUniqueMatch'>"}}

The reason is that the logic handling such a conflict was added to the security group adding code, but not to the removal one; see `nova/network/security_group_api.py`,
methods `add_to_instance`
https://opendev.org/openstack/nova/src/commit/2f3a380c3c081fb022c8a2dcfdcc365733161cac/nova/network/security_group_api.py#L611-L618
vs `remove_from_instance`
https://opendev.org/openstack/nova/src/commit/2f3a380c3c081fb022c8a2dcfdcc365733161cac/nova/network/security_group_api.py#L674-L679
The latter does not handle the NeutronClientNoUniqueMatch exception.

** Affects: nova
Importance: Undecided
Assignee: Pavlo Shchelokovskyy (pshchelo)
Status: In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1889655
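
A simplified Python model of the asymmetry described in the report, added here as an illustration and not taken from nova: the ambiguous-name error is mapped to 409 on the add path but escapes on the remove path and surfaces as a generic 500 that echoes the exception class. `NoUniqueMatch`, all function names, the sample data and the 202 success code are assumptions of this model.

```python
# Illustrative model only; names and data are constructed, not nova's code.

class NoUniqueMatch(Exception):
    """Stand-in for neutronclient's NeutronClientNoUniqueMatch."""

def resolve_group_id(groups, name):
    """Resolve a security group name to an ID, refusing ambiguous names."""
    matches = [g["id"] for g in groups if g["name"] == name]
    if len(matches) > 1:
        raise NoUniqueMatch(f"multiple security groups named {name!r}")
    if not matches:
        raise LookupError(name)  # not-found mapping is out of scope here
    return matches[0]

def api_call(handler, *args):
    """Model of the API layer: any unmapped exception becomes a 500."""
    try:
        return handler(*args)
    except Exception as exc:
        return 500, f"Unexpected API Error. {type(exc)}"

def add_group(groups, server_groups, name):
    """Add path: the ambiguity is caught and reported as 409 Conflict."""
    try:
        server_groups.add(resolve_group_id(groups, name))
    except NoUniqueMatch as exc:
        return 409, str(exc)
    return 202, ""

def remove_group_unpatched(groups, server_groups, name):
    """Remove path as reported: the same exception is not handled."""
    server_groups.discard(resolve_group_id(groups, name))
    return 202, ""

def remove_group_patched(groups, server_groups, name):
    """Remove path with the same mapping the add path already has."""
    try:
        server_groups.discard(resolve_group_id(groups, name))
    except NoUniqueMatch as exc:
        return 409, str(exc)
    return 202, ""

# Constructed sample state: two groups share the name "dummy".
GROUPS = [{"id": "sg-1", "name": "dummy"}, {"id": "sg-2", "name": "dummy"},
          {"id": "sg-3", "name": "web"}]

if __name__ == "__main__":
    for handler in (add_group, remove_group_unpatched, remove_group_patched):
        print(handler.__name__, api_call(handler, GROUPS, {"sg-1"}, "dummy"))
```
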