Security group in profile are not applied

Bug #1828112 reported by Duc Truong
Affects: senlin
Status: In Progress
Importance: Critical
Assigned to: Duc Truong

Bug Description

When creating a cluster using a profile that has security groups specified like this, the nodes are created only belonging to the default security group.

type: os.nova.server
version: 1.0
properties:
  name: cirros_server
  flavor: 1
  image: "cirros-0.4.0-x86_64-disk"
  networks:
   - network: private
  metadata:
    test_key: test_value
  security_groups:
    - 46f7acd4-109a-446c-b6b3-325a7f2b8b07
    - 30e334ff-57d6-4c40-bc09-9489f0e3b5b6
  user_data: |
    #!/bin/sh
    echo 'hello, world' > /tmp/test_file

The problem is that Senlin creates the port manually on a network and then passes those ports to the server create API. When doing so, the server create API will ignore the passed in security groups as per its API documentation (https://developer.openstack.org/api-ref/compute/?expanded=create-or-update-metadata-items-detail,delete-metadata-item-detail,create-server-detail#create-server):

Requested security groups are not applied to pre-existing ports.

To work around this problem, the security groups have to be specified as part of each network:

type: os.nova.server
version: 1.0
properties:
  name: cirros_server
  flavor: 1
  image: "cirros-0.4.0-x86_64-disk"
  networks:
   - network: private
     security_groups:
       - 46f7acd4-109a-446c-b6b3-325a7f2b8b07
       - 30e334ff-57d6-4c40-bc09-9489f0e3b5b6
  metadata:
    test_key: test_value
  user_data: |
    #!/bin/sh
    echo 'hello, world' > /tmp/test_file
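The behaviour described above, as an added example (not Senlin's own code): it models which groups each pre-created port actually ends up with, flags server-level security_groups that Nova would ignore, and rewrites a profile into the per-network form of the workaround. It assumes PROFILE is what yaml.safe_load() would return for the profile quoted in this report.

```python
# Added example, not Senlin's own code: model the behaviour described in this
# bug and check or rewrite an os.nova.server profile accordingly.
# Assumption: PROFILE is what yaml.safe_load() would return for the profile
# quoted in the bug report; the group IDs are the ones quoted there.
import copy

DEFAULT_SG = "default"  # Neutron's default security group

PROFILE = {
    "type": "os.nova.server",
    "version": "1.0",
    "properties": {
        "name": "cirros_server",
        "flavor": 1,
        "image": "cirros-0.4.0-x86_64-disk",
        "networks": [{"network": "private"}],
        "security_groups": [
            "46f7acd4-109a-446c-b6b3-325a7f2b8b07",
            "30e334ff-57d6-4c40-bc09-9489f0e3b5b6",
        ],
    },
}

def effective_port_security_groups(profile):
    """Groups each node port ends up with. Senlin pre-creates one port per
    'networks' entry and hands Nova only the port IDs, and Nova does not
    apply server-level security_groups to pre-existing ports, so a network
    entry without its own list gets only Neutron's default group."""
    props = profile["properties"]
    return [list(net.get("security_groups") or [DEFAULT_SG])
            for net in props.get("networks", [])]

def find_ignored_security_groups(profile):
    """Server-level groups that would be silently dropped (empty if none)."""
    props = profile["properties"]
    top = props.get("security_groups") or []
    return list(top) if top and props.get("networks") else []

def apply_workaround(profile):
    """Move server-level security_groups into each network entry, as the
    workaround in the bug report does. Entries that already list groups keep
    their own. Returns a new profile; the input is left unchanged."""
    fixed = copy.deepcopy(profile)
    props = fixed["properties"]
    top = props.pop("security_groups", None) or []
    for net in props.get("networks", []):
        net.setdefault("security_groups", list(top))
    return fixed
```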

Changed in senlin:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Duc Truong (dtruong)
Bo Tran (ministry.nd) wrote :

I think there is a problem here, because I tried to make a server with a profile like the one above last month, and I saw the server created with the security group.

Duc Truong (dtruong) wrote :

@Bo Tran, can you explain what you mean by this:

I think there is a problem here, because I tried to make a server with a profile like the one above last month, and I saw the server created with the security group.

Are you saying that the workaround where the security_groups are inside networks does not work?

Bo Tran (ministry.nd) wrote :

No, I remembered wrong. But currently I have resolved this problem by:

I don't use the security_groups property in each network. We can still use security_groups like:
type: os.nova.server
version: 1.0
properties:
  name: cirros_server
  flavor: 1
  image: "cirros-0.4.0-x86_64-disk"
  networks:
   - network: private
  metadata:
    test_key: test_value
  security_groups:
    - 46f7acd4-109a-446c-b6b3-325a7f2b8b07
    - 30e334ff-57d6-4c40-bc09-9489f0e3b5b6
  user_data: |
    #!/bin/sh
    echo 'hello, world' > /tmp/test_file

because in the code, we create the server with security groups in the wrong order of steps.
Here: https://github.com/openstack/senlin/blob/master/senlin/profiles/os/nova/server.py#L868
we could change the code like:

secgroups = self.properties[self.SECURITY_GROUPS]
if secgroups:
    # Keep the server-level request (used when Nova creates the port itself)
    kwargs['security_groups'] = [{'name': sg} for sg in secgroups]
    # Resolve each group to its Neutron ID so the pre-created ports get it
    port_security_groups = [
        self.network(obj).security_group_find(
            sg).id for sg in secgroups]
else:
    port_security_groups = None

# Create the ports first, with the security groups attached, then pass
# only the port IDs to the server create call
ports = self._create_ports_from_properties(
    obj, networks, 'create', port_security_groups)
kwargs['networks'] = [
    {'port': port['id']} for port in ports]

and in function `_create_ports_from_properties`: https://github.com/openstack/senlin/blob/master/senlin/profiles/os/nova/server.py#L720
we could change the code to create the port with the port_security_groups attr, and in this function we will create a port with security groups.

We add a function _create_port like:

def _create_port(self, obj, net_spec, security_groups=None):
    """Fetch or create a port.

    :param obj: The node object.
    :param net_spec: The parameters to create a port.
    :param security_groups: Optional list of security group IDs to attach
                            to a newly created port.
    :returns: Created port object and error message.
    """
    port_id = net_spec.get(self.PORT, None)
    if port_id:
        try:
            port = self.network(obj).port_find(port_id)
            return port, None
        except exc.InternalError as ex:
            return None, ex
    port_attr = {
        'network_id': net_spec.get(self.NETWORK),
    }
    fixed_ip = net_spec.get(self.FIXED_IP, None)
    if fixed_ip:
        port_attr['fixed_ips'] = [fixed_ip]
    if security_groups:
        port_attr['security_groups'] = security_groups
    try:
        port = self.network(obj).port_create(**port_attr)
        return port, None
    except exc.InternalError as ex:
        return None, ex

(this function is the same as the _get_port function), and in the _create_ports_from_properties function, we will use the _create_port function to create a port with sec_groups and return.
def _create_ports_from_properties(self, obj, networks, action_type,
                                  port_security_groups=None):
    """Create or find ports based on networks property.

    :param obj: The node object.
    :param networks: The networks property used for node.
    :param action_type: Either 'create' or 'update'.
    :param port_security_groups: Optional list of security group IDs to
                                 attach to each created port.

    :returns: A list of created port's attributes.
    """
    internal_ports = obj.data.get('internal_ports', [])
    if not networks:
        return []

    for net_spec in networks:
        net = self._validate_network(obj, net_spec, action_type)
        # Create port
        port, ex = self._create_port(
       ...

Jonathan Harris (jharris1729) wrote :

I am having an issue with security groups as well.

When I create a cluster with profile like:

type: os.nova.server
version: 1.0
properties:
  flavor: r1.1
  image: dev-build-15
  networks:
     - network: dev
       security_groups:
         - group1
         - group2

  user_data: |
    #!/bin/bash

    echo "hello" > /tmp/test

I get the desired effect, with security groups set in all nodes.

However, when I run openstack cluster update with a profile like

type: os.nova.server
version: 1.0
properties:
  flavor: r1.1
  image: dev-build-15
  networks:
     - network: dev
       security_groups:
         - group1
         - group2
         - group3

  user_data: |
    #!/bin/bash

    echo "hello" > /tmp/test

suddenly the security groups on all nodes are set to only default.

I have also tried a profile like

type: os.nova.server
version: 1.0
properties:
  flavor: r1.1
  image: dev-build-15
  networks:
     - network: dev
  security_groups:
     - group1
     - group2

  user_data: |
    #!/bin/bash

    echo "hello" > /tmp/test

But this just results in default-only sec groups, regardless of whether it is cluster create or cluster update.
