| Summary: | backport to kilo: nova should not add default security group to quantum unless api-request had it | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Sahid Ferdjaoui <sferdjao> |
| Component: | openstack-nova | Assignee: | Sahid Ferdjaoui <sferdjao> |
| Status: | CLOSED ERRATA | QA Contact: | Prasanth Anbalagan <panbalag> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 9.0 (Mitaka) | CC: | berrange, bschmaus, dasmith, dcadzow, dmaley, ebarrera, eglynn, jschluet, kchamart, kimi.zhang, majopela, mlopes, nlevinki, panbalag, sbauza, scorcora, sferdjao, sgordon, skinjo, srevivo, tbowling, vromanso |
| Target Milestone: | ga | Keywords: | FeatureBackport |
| Target Release: | 9.0 (Mitaka) | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-nova-13.0.0-2.el7ost | Doc Type: | Bug Fix |
| Doc Text: |
Previously, when booting instances, the nova API automatically added a default security group if nothing was specified, which should not be done on a network with option 'port_security_enabled=False'.
Consequently, the boot process would fail for users booting an instance that was attached to a network with port security disabled.
With this update, nova no longer adds a default security group to a port created for an instance on a network with port_security_enabled=False.
As a result, the boot process works as expected, and the port attached to the instance does not have a default security group attached.
NOTE: a known bug in the dashboard still indicates that a default security group is attached to the instance, but this only occurs during the first attempt at booting the instance.
|
Story Points: | --- |
| Clone Of: | 1331418 | Environment: | |
| Last Closed: | 2016-08-11 12:18:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1291210, 1331418 | ||
| Bug Blocks: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-1597.html
Verified as follows,

************ VERSION ************

```
[root@serverA ~(keystone_admin)]# yum list installed | grep openstack-nova
openstack-nova-api.noarch          1:13.0.0-4.el7ost   @rhelosp-9.0-puddle
openstack-nova-cert.noarch         1:13.0.0-4.el7ost   @rhelosp-9.0-puddle
openstack-nova-common.noarch       1:13.0.0-4.el7ost   @rhelosp-9.0-puddle
openstack-nova-compute.noarch      1:13.0.0-4.el7ost   @rhelosp-9.0-puddle
openstack-nova-conductor.noarch    1:13.0.0-4.el7ost   @rhelosp-9.0-puddle
openstack-nova-console.noarch      1:13.0.0-4.el7ost   @rhelosp-9.0-puddle
openstack-nova-novncproxy.noarch   1:13.0.0-4.el7ost   @rhelosp-9.0-puddle
openstack-nova-scheduler.noarch    1:13.0.0-4.el7ost   @rhelosp-9.0-puddle
[root@serverA ~(keystone_admin)]#
```

********* LOGS *********

```
[root@serverA ~(keystone_admin)]# neutron net-create test-port-security-disable --port_security_enabled=False
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| availability_zone_hints   |                                      |
| availability_zones        |                                      |
| created_at                | 2016-05-18T19:04:00                  |
| description               |                                      |
| id                        | 01ed1df6-10e2-4d09-bb6d-3312e8532189 |
| ipv4_address_scope        |                                      |
| ipv6_address_scope        |                                      |
| mtu                       | 1450                                 |
| name                      | test-port-security-disable           |
| port_security_enabled     | False                                |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 37                                   |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tags                      |                                      |
| tenant_id                 | f26351a310404d62bc33af8ee8ce39b7     |
| updated_at                | 2016-05-18T19:04:00                  |
+---------------------------+--------------------------------------+
[root@serverA ~(keystone_admin)]# neutron subnet-create test-port-security-disable 172.28.0.0/24
Created a new subnet:
+-------------------+------------------------------------------------+
| Field             | Value                                          |
+-------------------+------------------------------------------------+
| allocation_pools  | {"start": "172.28.0.2", "end": "172.28.0.254"} |
| cidr              | 172.28.0.0/24                                  |
| created_at        | 2016-05-18T19:04:13                            |
| description       |                                                |
| dns_nameservers   |                                                |
| enable_dhcp       | True                                           |
| gateway_ip        | 172.28.0.1                                     |
| host_routes       |                                                |
| id                | 2af4eec5-ea95-4162-8b3a-174271ef3d3e           |
| ip_version        | 4                                              |
| ipv6_address_mode |                                                |
| ipv6_ra_mode      |                                                |
| name              |                                                |
| network_id        | 01ed1df6-10e2-4d09-bb6d-3312e8532189           |
| subnetpool_id     |                                                |
| tenant_id         | f26351a310404d62bc33af8ee8ce39b7               |
| updated_at        | 2016-05-18T19:04:13                            |
+-------------------+------------------------------------------------+
[root@serverA ~(keystone_admin)]# nova boot --flavor m1.small --image cirros --nic net-id=01ed1df6-10e2-4d09-bb6d-3312e8532189 vm-port-security-disabled
+--------------------------------------+-----------------------------------------------+
| Property                             | Value                                         |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig                    | MANUAL                                        |
| OS-EXT-AZ:availability_zone          |                                               |
| OS-EXT-SRV-ATTR:host                 | -                                             |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | -                                             |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000001                             |
| OS-EXT-STS:power_state               | 0                                             |
| OS-EXT-STS:task_state                | scheduling                                    |
| OS-EXT-STS:vm_state                  | building                                      |
| OS-SRV-USG:launched_at               | -                                             |
| OS-SRV-USG:terminated_at             | -                                             |
| accessIPv4                           |                                               |
| accessIPv6                           |                                               |
| adminPass                            | Sa6uho9m7SAF                                  |
| config_drive                         |                                               |
| created                              | 2016-05-18T19:05:46Z                          |
| flavor                               | m1.small (2)                                  |
| hostId                               |                                               |
| id                                   | 8ff06103-2d76-44df-b967-0dbefc54c76a          |
| image                                | cirros (5a2803b6-eb55-4f31-b0df-52410f8e5074) |
| key_name                             | -                                             |
| metadata                             | {}                                            |
| name                                 | vm-port-security-disabled                     |
| os-extended-volumes:volumes_attached | []                                            |
| progress                             | 0                                             |
| security_groups                      | default                                       |
| status                               | BUILD                                         |
| tenant_id                            | f26351a310404d62bc33af8ee8ce39b7              |
| updated                              | 2016-05-18T19:05:46Z                          |
| user_id                              | 4efa7a9b2626458fa8c58af588b572e7              |
+--------------------------------------+-----------------------------------------------+
[root@serverA ~(keystone_admin)]#
[root@serverA ~(keystone_admin)]# nova list
+--------------------------------------+---------------------------+--------+------------+-------------+---------------------------------------+
| ID                                   | Name                      | Status | Task State | Power State | Networks                              |
+--------------------------------------+---------------------------+--------+------------+-------------+---------------------------------------+
| 8ff06103-2d76-44df-b967-0dbefc54c76a | vm-port-security-disabled | ACTIVE | -          | Running     | test-port-security-disable=172.28.0.3 |
+--------------------------------------+---------------------------+--------+------------+-------------+---------------------------------------+
[root@serverA ~(keystone_admin)]#
```
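
Added example, not part of the bug report or of nova's code: the `nova boot` output above still lists `security_groups | default` for an instance on a network with port security disabled, so the Neutron port record is the place to confirm what is actually enforced. The sketch below cross-checks the two views; the sample records are constructed, use placeholder IDs, and assume the field names of the Nova server and Neutron port API bodies.

```python
import json

# Constructed sample data (not taken from the bug report), shaped like the
# Nova server and Neutron port records; every ID is a placeholder.
SERVERS = json.loads("""[
 {"id": "vm-1", "name": "vm-port-security-disabled",
  "security_groups": [{"name": "default"}]},
 {"id": "vm-2", "name": "vm-normal",
  "security_groups": [{"name": "default"}]}
]""")
PORTS = json.loads("""[
 {"id": "port-1", "device_id": "vm-1",
  "port_security_enabled": false, "security_groups": []},
 {"id": "port-2", "device_id": "vm-2",
  "port_security_enabled": true, "security_groups": ["sg-id-placeholder"]}
]""")


def classify_port(port):
    """Return the effective filtering state of one Neutron port."""
    # Assumption: a record without the key is treated as port security enabled.
    enabled = port.get("port_security_enabled", True)
    groups = port.get("security_groups") or []
    if not enabled and groups:
        return "conflict"      # the combination nova requested before the fix
    if not enabled:
        return "unfiltered"    # expected after the fix: no groups, no filtering
    return "filtered" if groups else "enabled-no-groups"


def audit(servers, ports):
    """List instances whose compute view names a group the port does not enforce."""
    by_device = {}
    for port in ports:
        by_device.setdefault(port["device_id"], []).append(port)
    findings = []
    for server in servers:
        shown = [g["name"] for g in server.get("security_groups", [])]
        for port in by_device.get(server["id"], []):
            state = classify_port(port)
            if shown and state != "filtered":
                findings.append((server["name"], port["id"], state, shown))
    return findings


if __name__ == "__main__":
    for name, port_id, state, shown in audit(SERVERS, PORTS):
        print(f"{name}: port {port_id} is {state}, compute API shows {shown}")
```

An `unfiltered` finding means no security group rules apply to that port, whatever the instance listing shows.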