For networks shared between multiple tenants (net-create --shared) there's no 'default' security group

Bug #1171997 reported by Tomasz Paszkowski
This bug affects 3 people

Affects   Status         Importance   Assigned to   Milestone
neutron   Fix Released   Medium       Aaron Rosen
Grizzly   Fix Released   Medium       Aaron Rosen

Bug Description

In an environment where a single network (net-create --shared) is shared between multiple tenants, all tenants except the one who owns the network are unable to spawn new instances, as there's no 'default' security group for them.

2013-04-23 15:45:00.100 ERROR nova.compute.manager [req-077e253e-9fe4-4dee-adfc-4535996a19e5 3735b2c7b83d43b4be0b9a4c4ae1d2ae 4d979b29cec04703aa67ec6ee70efd97] [instance: 4631ea86-c258-4928-9b2d-ae15a9eb94b6] Error: ['Traceback (most recent call last):\n', ' File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 831, in _run_instance\n requested_networks, macs, security_groups)\n', ' File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 1075, in _allocate_network\n instance=instance)\n', ' File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__\n self.gen.next()\n', ' File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 1071, in _allocate_network\n security_groups=security_groups)\n', ' File "/usr/lib/python2.7/site-packages/nova/network/api.py", line 46, in wrapper\n res = f(self, context, *args, **kwargs)\n', ' File "/usr/lib/python2.7/site-packages/nova/network/quantumv2/api.py", line 212, in allocate_for_instance\n security_group_id=security_group)\n', 'SecurityGroupNotFound: Security group default not found.\n']
2013-04-23 15:45:00.123 ERROR nova.scheduler.filter_scheduler [req-077e253e-9fe4-4dee-adfc-4535996a19e5 3735b2c7b83d43b4be0b9a4c4ae1d2ae 4d979b29cec04703aa67ec6ee70efd97] [instance: 4631ea86-c258-4928-9b2d-ae15a9eb94b6] Error from last host: linux-tsn9 (node linux-tsn9): [u'Traceback (most recent call last):\n', u' File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 831, in _run_instance\n requested_networks, macs, security_groups)\n', u' File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 1075, in _allocate_network\n instance=instance)\n', u' File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__\n self.gen.next()\n', u' File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 1071, in _allocate_network\n security_groups=security_groups)\n', u' File "/usr/lib/python2.7/site-packages/nova/network/api.py", line 46, in wrapper\n res = f(self, context, *args, **kwargs)\n', u' File "/usr/lib/python2.7/site-packages/nova/network/quantumv2/api.py", line 212, in allocate_for_instance\n security_group_id=security_group)\n', u'SecurityGroupNotFound: Security group default not found.\n']

Tags: sg-fw
tags: added: sg-fw
Revision history for this message
Aaron Rosen (arosen) wrote :

Hi,

Which plugin are you using? I tested this with OVS and wasn't able to reproduce:

$ quantum port-show adae2775-fe06-4d7e-a1b6-6d6bba9522b5
+-----------------+-----------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-----------------------------------------------------------------------------------+
| admin_state_up | True |
| device_id | 42db0dfd-b1e8-409e-9e14-ff5284c140c0 |
| device_owner | compute:None |
| fixed_ips | {"subnet_id": "19d64df4-c85d-4ed4-b706-cb84a6ef663d", "ip_address": "23.23.23.2"} |
| id | adae2775-fe06-4d7e-a1b6-6d6bba9522b5 |
| mac_address | fa:16:3e:8a:72:90 |
| name | |
| network_id | f97f3160-5a5d-43c0-a884-9dea4e6802a4 |
| security_groups | 28d96f12-c19a-41d8-bd63-71b72c010235 |
| status | ACTIVE |
| tenant_id | 1da517566c1147ea930086de3e945ff8 |
+-----------------+-----------------------------------------------------------------------------------+
arosen@arosen-laptop:/opt/stack/quantum/quantum/plugins/linuxbridge$ quantum net-show sha
+-----------------+--------------------------------------+
| Field | Value |
+-----------------+--------------------------------------+
| admin_state_up | True |
| id | f97f3160-5a5d-43c0-a884-9dea4e6802a4 |
| name | sha |
| router:external | False |
| shared | True |
| status | ACTIVE |
| subnets | 19d64df4-c85d-4ed4-b706-cb84a6ef663d |
| tenant_id | 81ed5d500bae4b52a62045084e8a38da |
+-----------------+--------------------------------------+
arosen@arosen-laptop:/opt/stack/quantum/quantum/plugins/linuxbridge$ quantum security-group-list
+--------------------------------------+---------+-------------+
| id | name | description |
+--------------------------------------+---------+-------------+
| 28d96f12-c19a-41d8-bd63-71b72c010235 | default | default |

Revision history for this message
Tomasz Paszkowski (tpaszkowski) wrote :

hi Aaron, I'm using linuxbridge plugin.

Revision history for this message
Aaron Rosen (arosen) wrote :

Hi Tomasz,

I think I see a way this can happen. If you do quantum net-create foo; quantum net-delete foo; and then boot a VM, does it work? It looks like the function get_security_groups() doesn't create the default security group.

This usually happens in the call to create_network() or create_port() but since your tenant hasn't made those calls yet it hasn't yet been created since it's a shared network.

Thanks for the report.

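The mechanism Aaron describes, as an added illustration that is not code from the quantum/neutron tree: a small in-memory model in which the 'default' security group is created lazily by create_network() and create_port() but, before the fix, not by get_security_groups(). The class and function names (SecurityGroupStore, ensure_default_on_read, allocate_for_instance, boot_on_shared_network) are assumptions made for this example; the scenario follows the report, with an admin creating a shared network and a fresh tenant booting on it, and the net-create/net-delete workaround from the comment above.

```python
"""Toy model of Launchpad bug 1171997: default security group missing on a
shared network. Added example; not the project's own code."""
import uuid


class SecurityGroupNotFound(Exception):
    """Raised when a tenant asks for a security group it does not own."""


class SecurityGroupStore:
    """Tenant-scoped security groups plus the network/port calls that create
    the 'default' group as a side effect. ensure_default_on_read=False models
    the behaviour before the fix; True models get_security_groups() also
    ensuring the group exists (assumed naming for this illustration)."""

    def __init__(self, ensure_default_on_read):
        self.ensure_default_on_read = ensure_default_on_read
        self.groups = {}    # (tenant_id, name) -> security group id
        self.networks = {}  # network id -> {"tenant_id": ..., "shared": ...}
        self.ports = []

    def _ensure_default_security_group(self, tenant_id):
        # Lazily create the per-tenant 'default' group on first use.
        key = (tenant_id, "default")
        if key not in self.groups:
            self.groups[key] = str(uuid.uuid4())
        return self.groups[key]

    def create_network(self, tenant_id, name, shared=False):
        self._ensure_default_security_group(tenant_id)
        net_id = str(uuid.uuid4())
        self.networks[net_id] = {"name": name, "tenant_id": tenant_id,
                                 "shared": shared}
        return net_id

    def delete_network(self, network_id):
        # Deleting the network does not remove the default group it created.
        del self.networks[network_id]

    def get_security_groups(self, tenant_id):
        """List a tenant's groups by name. Before the fix this was a pure read,
        so a tenant that had never created a network or port saw nothing."""
        if self.ensure_default_on_read:
            self._ensure_default_security_group(tenant_id)
        return {name: gid for (t, name), gid in self.groups.items()
                if t == tenant_id}

    def create_port(self, tenant_id, network_id, security_group_ids):
        net = self.networks[network_id]
        # A tenant may attach to its own networks or to shared ones.
        if net["tenant_id"] != tenant_id and not net["shared"]:
            raise PermissionError("network not visible to tenant")
        self._ensure_default_security_group(tenant_id)
        owned = set(self.get_security_groups(tenant_id).values())
        if not set(security_group_ids) <= owned:
            raise SecurityGroupNotFound("security group not owned by tenant")
        port = {"id": str(uuid.uuid4()), "network_id": network_id,
                "tenant_id": tenant_id,
                "security_groups": list(security_group_ids)}
        self.ports.append(port)
        return port


def allocate_for_instance(store, tenant_id, network_id,
                          security_groups=("default",)):
    """Mimics the compute side: resolve group names via get_security_groups(),
    then create the port. Raises the error seen in the reported traceback."""
    by_name = store.get_security_groups(tenant_id)
    ids = []
    for name in security_groups:
        if name not in by_name:
            raise SecurityGroupNotFound("Security group %s not found." % name)
        ids.append(by_name[name])
    return store.create_port(tenant_id, network_id, ids)


def boot_on_shared_network(ensure_default_on_read, workaround=False):
    """Admin creates a shared network; a fresh tenant boots on it without ever
    having created a network. workaround=True first does the net-create /
    net-delete dance from the thread as that tenant."""
    store = SecurityGroupStore(ensure_default_on_read)
    shared_net = store.create_network("admin-tenant", "sha", shared=True)
    if workaround:
        store.delete_network(store.create_network("fresh-tenant", "foo"))
    try:
        port = allocate_for_instance(store, "fresh-tenant", shared_net)
    except SecurityGroupNotFound as exc:
        return "error: %s" % exc
    return "ok: port uses %d security group(s)" % len(port["security_groups"])


if __name__ == "__main__":
    print("before fix:           ", boot_on_shared_network(False))
    print("before fix+workaround:", boot_on_shared_network(False, True))
    print("after fix:            ", boot_on_shared_network(True))
```

The model makes the failure visible as a read-path gap rather than a permissions problem: the tenant is allowed to use the shared network, but nothing on its own path to the first boot has ever created its 'default' group, so the name lookup fails exactly as in the traceback. Ensuring the group in the read path (or any earlier tenant-scoped write, which is what the workaround exploits) closes the gap.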
Revision history for this message
Tomasz Paszkowski (tpaszkowski) wrote :

Aaron Rosen, yes you're 100% right :-) Thanks for investigating this :-)

Gary Kotton (garyk)
tags: added: grizzly-backport-potential
Aaron Rosen (arosen)
Changed in quantum:
assignee: nobody → Aaron Rosen (arosen)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/27792

Changed in quantum:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/27792
Committed: http://github.com/openstack/quantum/commit/acf44dba26ca8dca47bfb5fb2916807f9f4e2060
Submitter: Jenkins
Branch: master

commit acf44dba26ca8dca47bfb5fb2916807f9f4e2060
Author: Aaron Rosen <email address hidden>
Date: Mon Apr 29 19:49:36 2013 -0700

    get_security_groups now creates default security group

    If one called get_security_groups() previously the default security
    group would not be created until the tenant created a network. This
    exposed a bug when an admin creates a shared network and a tenant tried
    to boot a vm on it without having any networks.

    Fixes bug 1171997

    Change-Id: I899203424c03353a1ee6567c9ddbaecd7dc25001

Changed in quantum:
status: In Progress → Fix Committed
Aaron Rosen (arosen)
Changed in quantum:
milestone: none → 2013.1.2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/29146

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (stable/grizzly)

Reviewed: https://review.openstack.org/29146
Committed: http://github.com/openstack/quantum/commit/c7a02b25560f8f5ce47f34792557b61014756155
Submitter: Jenkins
Branch: stable/grizzly

commit c7a02b25560f8f5ce47f34792557b61014756155
Author: Aaron Rosen <email address hidden>
Date: Mon Apr 29 19:49:36 2013 -0700

    get_security_groups now creates default security group

    If one called get_security_groups() previously the default security
    group would not be created until the tenant created a network. This
    exposed a bug when an admin creates a shared network and a tenant tried
    to boot a vm on it without having any networks.

    Fixes bug 1171997

    Change-Id: I899203424c03353a1ee6567c9ddbaecd7dc25001

tags: added: in-stable-grizzly
Aaron Rosen (arosen)
Changed in quantum:
importance: Undecided → Medium
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
milestone: 2013.1.2 → havana-1
tags: removed: grizzly-backport-potential
Alan Pevec (apevec)
tags: removed: in-stable-grizzly
Thierry Carrez (ttx)
Changed in neutron:
milestone: havana-1 → 2013.2