show server, security_groups does not say which interface

Bug #1476435 reported by alex kang
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)

Bug Description

OS is Kilo.

A VM is assigned multiple interfaces.

After it has booted successfully, the server_show command result (attached) shows each interface's addr, version and mac in the addresses attribute.

However, security_groups shows a list of the security_groups applied to the VM, not which interface each one applies to.

It is possible to have different security_groups assigned to an interface based on the network the interface is attached to.

We need to enhance security_groups, like the addresses field, to indicate which interface the security_groups belong to.

Here is a return from a server-show command:

In [60]: j1.nova('server-show', u'77d4e009-13ee-47d9-97f0-ded27915e4dc')
OS-Nova:2015-07-20,17:38:36 server_show args=[u'77d4e009-13ee-47d9-97f0-ded27915e4dc'] kwargs={}
{u'OS-DCF:diskConfig': u'MANUAL',
 u'OS-EXT-AZ:availability_zone': u'nova',
 u'OS-EXT-STS:power_state': 1,
 u'OS-EXT-STS:task_state': None,
 u'OS-EXT-STS:vm_state': u'active',
 u'OS-SRV-USG:launched_at': u'2015-07-20T17:26:48.000000',
 u'OS-SRV-USG:terminated_at': None,
 u'accessIPv4': u'',
 u'accessIPv6': u'',
 u'addresses': {u'j1-hill-network': [{u'OS-EXT-IPS-MAC:mac_addr': u'fa:16:3e:5d:9d:43',
    u'OS-EXT-IPS:type': u'fixed',
    u'addr': u'',
    u'version': 4}],
  u'j1-top-network': [{u'OS-EXT-IPS-MAC:mac_addr': u'fa:16:3e:df:40:df',
    u'OS-EXT-IPS:type': u'fixed',
    u'addr': u'',
    u'version': 4}]},
 u'config_drive': u'',
 u'created': u'2015-07-20T17:24:19Z',
 u'flavor': {u'id': u'2',
  u'links': [{u'href': u'',
    u'rel': u'bookmark'}]},
 u'hostId': u'9d8ad1717b82e57214f5e68857ca5a39c011c79efd1a2458cbe17320',
 u'id': u'77d4e009-13ee-47d9-97f0-ded27915e4dc',
 u'image': {u'id': u'71bc5bfa-438a-4481-9d00-090dab9be1c4',
  u'links': [{u'href': u'',
    u'rel': u'bookmark'}]},
 u'key_name': None,
 u'links': [{u'href': u'',
   u'rel': u'self'},
  {u'href': u'',
   u'rel': u'bookmark'}],
 u'metadata': {},
 u'name': u'j1-hill-top',
 u'os-extended-volumes:volumes_attached': [],
 u'progress': 0,
 u'security_groups': [{u'name': u'default'}, {u'name': u'default'}],
 u'status': u'ACTIVE',
 u'tenant_id': u'33e12c344b4b419c9db184d992c273b0',
 u'updated': u'2015-07-20T17:26:48Z',
 u'user_id': u'1bec88c0341745dca4402678e8bd3dbe'}

In [61]:

Changed in nova:
assignee: nobody → Amandeep (rattenpal-amandeep)
Markus Zoeller (markus_z) (mzoeller) wrote :

@Amandeep (rattenpal-amandeep):

Since you are set as assignee, I switch the status to "In Progress".

Changed in nova:
status: New → In Progress
Changed in nova:
status: In Progress → Confirmed
John Garbutt (johngarbutt) wrote :

So this is fun. Nova-network only applies security groups per VM, neutron does it per port.

I think the correct fix is to stop returning the security groups at all, it's basically a neutron proxy, which we are trying to deprecate.

In reality this will be easier once we have finally removed nova-network, as it's currently useful for nova-net people.

Either way, this needs a new microversion and as such needs a spec to approve that change. It's probably going to roll into a remove network proxy API spec.

tags: added: api neutron
Changed in nova:
importance: Undecided → Wishlist
Sean Dague (sdague)
Changed in nova:
assignee: Amandeep (rattenpal-amandeep) → nobody
Sean Dague (sdague) wrote :

Automatically discovered version kilo in description. If this is incorrect, please update the description to include 'nova version: ...'

tags: added: openstack-version.kilo
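
Added example (not part of the bug report and not nova's own code): since the thread notes that neutron applies security groups per port, this sketch joins a server's addresses entries to Neutron port records by MAC address to show which groups sit on which interface. The port records and security group IDs are constructed sample data, and the function name is hypothetical.

```python
# Constructed sample data: the "addresses" MACs and server id come from the
# report above; the Neutron port records and security group IDs are made up.
SERVER = {
    "id": "77d4e009-13ee-47d9-97f0-ded27915e4dc",
    "addresses": {
        "j1-hill-network": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:5d:9d:43"}],
        "j1-top-network": [{"OS-EXT-IPS-MAC:mac_addr": "fa:16:3e:df:40:df"}],
    },
    "security_groups": [{"name": "default"}, {"name": "default"}],
}
PORTS = [  # shape of Neutron port records: device_id, mac_address, security_groups
    {"device_id": SERVER["id"], "mac_address": "FA:16:3E:5D:9D:43",
     "security_groups": ["sg-id-hill-PLACEHOLDER"]},
    {"device_id": SERVER["id"], "mac_address": "fa:16:3e:df:40:df",
     "security_groups": ["sg-id-top-PLACEHOLDER"]},
    {"device_id": "some-other-server", "mac_address": "fa:16:3e:00:00:01",
     "security_groups": ["sg-id-other-PLACEHOLDER"]},
]


def security_groups_by_interface(server, ports):
    """Return {(network_name, mac): [security group ids]} for one server.

    Interfaces with no matching port map to None so gaps are visible in an audit.
    """
    # Index this server's ports by lower-cased MAC; MAC case can differ by source.
    by_mac = {
        p["mac_address"].lower(): sorted(p.get("security_groups", []))
        for p in ports
        if p.get("device_id") == server["id"]
    }
    result = {}
    for network, entries in server.get("addresses", {}).items():
        for entry in entries:
            mac = entry.get("OS-EXT-IPS-MAC:mac_addr")
            if mac is None:
                continue  # MAC extension not present; cannot correlate
            result[(network, mac)] = by_mac.get(mac.lower())
    return result


if __name__ == "__main__":
    mapping = security_groups_by_interface(SERVER, PORTS)
    for (network, mac), groups in mapping.items():
        print(network, mac, groups)
```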