Bug 1291210 - backport to kilo: nova should not add default security group to quantum unless api-request had it
Summary: backport to kilo: nova should not add default security group to quantum unles...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: async
Target Release: 7.0 (Kilo)
Assignee: Sahid Ferdjaoui
QA Contact: Prasanth Anbalagan
URL:
Whiteboard:
Depends On:
Blocks: 1331418 1331420
 
Reported: 2015-12-14 10:08 UTC by Eduard Barrera
Modified: 2023-09-14 03:20 UTC (History)
CC: 19 users

Fixed In Version: openstack-nova-2015.1.3-14.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1331418 (view as bug list)
Environment:
Last Closed: 2016-06-01 12:25:58 UTC
Target Upstream Version:
Embargoed:


Attachments:
server.log TRACES (472.32 KB, text/plain), 2016-04-07 07:31 UTC, Eduard Barrera


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1175464 | 0 | None | None | None | Never
OpenStack gerrit | 284095 | 0 | 'None' | MERGED | network: make nova to handle port_security_enabled=False | 2020-09-09 04:53:28 UTC
Red Hat Issue Tracker | OSP-28587 | 0 | None | None | None | 2023-09-14 03:20:21 UTC
Red Hat Product Errata | RHBA-2016:1198 | 0 | normal | SHIPPED_LIVE | openstack-nova bug fix advisory | 2016-06-01 16:16:38 UTC

Description Eduard Barrera 2015-12-14 10:08:39 UTC
Description of problem:

When booting an instance, nova-api automatically adds a default security group if one is not specified. We shouldn't be doing this; instead quantum should be handling it. This actually causes an issue for plugins that implement the port_security_api and have port_security_enabled=False on a network.

upstream bug: https://bugs.launchpad.net/nova/+bug/1175464


Version-Release number of selected component (if applicable):

openstack-nova-compute-2015.1.1-1.el7ost.noarch

How reproducible:
always

Steps to Reproduce:

1. Create a network with port_security_enabled=False:
[root@overcloud-controller-0 ~]# neutron net-create test-port-security-disable -- --port_security_enabled=False
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | f035c5d8-40eb-4bda-8897-66ff3d9a0392 |
| mtu                       | 0                                    |
| name                      | test-port-security-disable           |
| port_security_enabled     | False                                |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 8                                    |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | c5cb88bd612949a5afaed8acf79350ef     |
+---------------------------+--------------------------------------+

2. Create a subnet:
neutron subnet-create test-port-security-disable 172.28.0.0/24

3. Launch a VM using the network created above:
nova boot  --flavor m1.small --image cirros.qcow2 --nic net-id=f035c5d8-40eb-4bda-8897-66ff3d9a0392 vm-port-security-disabled

4. The VM launch then fails; on the compute node we see errors like:
[root@overcloud-compute-0 ~]# grep 92e83f34-c17d-4b37-815c-e93bd67c6eee /var/log/nova/nova-compute.log | grep " Security"
2015-12-06 20:08:37.852 17015 TRACE nova.compute.manager [instance: 92e83f34-c17d-4b37-815c-e93bd67c6eee] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.



Actual results:
The VM launch fails with the SecurityGroupCannotBeApplied trace shown in step 4.


Expected results:
Instance starts without errors

Comment 9 Miguel Angel Ajo 2016-02-22 08:19:20 UTC
To get a DHCP server to work from an instance, the thing they were trying to do was right:

neutron net-create test-port-security-disable -- --port_security_enabled=False

Once you disable port security, you can serve DHCP from an instance, and instances can get any IP they want (because their source IP is not going to be filtered by neutron)...


But as Eduard pointed out at point 4:

[root@overcloud-compute-0 ~]# grep 92e83f34-c17d-4b37-815c-e93bd67c6eee /var/log/nova/nova-compute.log | grep " Security"
2015-12-06 20:08:37.852 17015 TRACE nova.compute.manager [instance: 92e83f34-c17d-4b37-815c-e93bd67c6eee] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.


Nova should not try to apply or verify anything related to security groups when network has port security disabled.

Could we see the neutron/server.log to verify neutron server is not complaining under the hood for some reason?

Comment 11 Sahid Ferdjaoui 2016-02-23 17:12:46 UTC
Unfortunately Nova handles the port-security-enabled=False option badly, since Nova always sets at least the default security group. I'm currently working on a patch which should make Nova handle this option in a better way.

Currently, as a workaround, you can continue to create the network without setting port-security-enabled=False, then use some Neutron commands to update the port allocated to the instance.

# neutron net-create net1
# neutron subnet-create net1 172.28.0.0/24
# nova boot --flavor m1.small --image cirros.qcow2 --nic net-id=<id-net1> i1
# neutron port-update <port-i1-id> --no-security-groups --port-security-enabled=False

With <id-net1> the unique ID of the network created and <port-i1-id> the unique ID of the port allocated on network <id-net1> for instance "i1".

Please let me know any feedback.
Thanks,
s.
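The behaviour Sahid describes above (nova substituting the default security group before looking at the network) and Miguel's point in comment 9 (nova should not apply or verify security groups at all when port security is disabled) can be modelled in a few lines. The block below is an added example for this bug page, not code from nova, Neutron or the Red Hat fix: it puts the Kilo decision logic next to the corrected one. The network dicts are constructed to mirror the `neutron net-create` output in the report, and the function names and the local `SecurityGroupCannotBeApplied` class are stand-ins for nova's real internals.

```python
"""Added example (not nova's code): how nova-api should choose the security
groups to set on an instance's Neutron port, Kilo behaviour vs. corrected.
"""
from typing import Optional


class SecurityGroupCannotBeApplied(Exception):
    """Stand-in for the nova exception seen in the nova-compute trace."""


# Message copied from the trace in the bug report.
CANNOT_APPLY_MSG = ("Network requires port_security_enabled and subnet "
                    "associated in order to apply security groups.")


def buggy_groups_for_port(network: dict, requested: Optional[list]) -> list:
    """Kilo behaviour reported here: fall back to ['default'] before ever
    looking at the network, then try to apply it. On a network with
    port_security_enabled=False this always fails, even though the boot
    request named no security group at all."""
    groups = list(requested) if requested else ["default"]
    if (not network.get("port_security_enabled", True)
            or not network.get("subnets")):
        raise SecurityGroupCannotBeApplied(CANNOT_APPLY_MSG)
    return groups


def fixed_groups_for_port(network: dict,
                          requested: Optional[list]) -> Optional[list]:
    """Corrected behaviour (a model, not the merged patch):
    - port security enabled: apply the requested groups, defaulting to
      'default'; a subnet is still required for Neutron filtering;
    - port security disabled and nothing requested: apply no groups and
      leave the port to Neutron (returns None);
    - port security disabled but groups explicitly requested: refuse,
      since Neutron cannot honour them on such a network."""
    if network.get("port_security_enabled", True):
        if not network.get("subnets"):
            raise SecurityGroupCannotBeApplied(CANNOT_APPLY_MSG)
        return list(requested) if requested else ["default"]
    if requested:
        raise SecurityGroupCannotBeApplied(CANNOT_APPLY_MSG)
    return None


def raises_cannot_apply(func, network: dict, requested: Optional[list]) -> bool:
    """True if func refuses this network/request combination."""
    try:
        func(network, requested)
    except SecurityGroupCannotBeApplied:
        return True
    return False


# Constructed inputs mirroring the report: port_security_enabled False from
# step 1, the 172.28.0.0/24 subnet from step 2; net1 is the workaround network.
NET_NO_PORT_SECURITY = {"name": "test-port-security-disable",
                        "port_security_enabled": False,
                        "subnets": ["172.28.0.0/24"]}
NET_DEFAULT = {"name": "net1",
               "port_security_enabled": True,
               "subnets": ["172.28.0.0/24"]}


def demo() -> dict:
    """Outcome of `nova boot` with no --security-groups on each network:
    True means the boot is refused, otherwise the groups nova would set."""
    return {
        "buggy/no-port-security": raises_cannot_apply(
            buggy_groups_for_port, NET_NO_PORT_SECURITY, None),
        "fixed/no-port-security": fixed_groups_for_port(
            NET_NO_PORT_SECURITY, None),
        "fixed/default-network": fixed_groups_for_port(NET_DEFAULT, None),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'boot fails' if outcome is True else outcome}")
```

The third branch of the fixed version is the part worth keeping in mind when reading Terry's question about security ramifications: once a network has port security disabled, no security group can be enforced on its ports, so the corrected logic refuses an explicit request rather than silently dropping it, while a request that named no group simply gets a port with none.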

Comment 15 Terry Bowling 2016-02-24 17:04:19 UTC
Sahid,

Thank you for the test build!  Can you verify if they need to update to all of those packages built?

Or only update the openstack-nova-compute and python-nova packages?

Also, as I'm catching up on understanding the history, I have the following questions:

  1. Is this behavior we're experiencing indeed caused by the fix on bz1167496?

  2. Is this disabling port-security a recommended practice or use case?  Are there any security ramifications we should relay to the customer or potential issues with future updates?

Comment 31 Eduard Barrera 2016-04-07 07:31:48 UTC
Created attachment 1144583 [details]
server.log TRACES

Comment 35 Sahid Ferdjaoui 2016-04-15 14:46:17 UTC
The fix has now been approved. I don't think we can consider it certain that it will be backported to upstream stable, so we should clone this bug for RHOS8 and RHOS9.

In the meantime I'm working on providing a hotfix soon.

Comment 42 errata-xmlrpc 2016-06-01 12:25:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1198

Comment 43 Red Hat Bugzilla 2023-09-14 03:14:43 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
