Bug 1291210 - backport to kilo: nova should not add default security group to quantum unless api-request had it [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova (Show other bugs)
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: async
Target Release: 7.0 (Kilo)
Assigned To: Sahid Ferdjaoui
QA Contact: Prasanth Anbalagan
Keywords: ZStream
Depends On:
Blocks: 1331418 1331420
Reported: 2015-12-14 05:08 EST by Eduard Barrera
Modified: 2016-06-01 08:25 EDT (History)

See Also:
Fixed In Version: openstack-nova-2015.1.3-14.el7ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1331418
Environment:
Last Closed: 2016-06-01 08:25:58 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
sferdjao: needinfo? (ebarrera)


Attachments
server.log TRACES (472.32 KB, text/plain), 2016-04-07 03:31 EDT, Eduard Barrera

External Trackers
Tracker                  ID       Priority  Status  Summary  Last Updated
Launchpad                1175464  None      None    None     Never
OpenStack gerrit         284095   None      None    None     2016-02-24 10:56 EST
Description Eduard Barrera 2015-12-14 05:08:39 EST
Description of problem:

When booting an instance, nova-api automatically adds a default security group if one is not specified, though we shouldn't be doing this; instead quantum should be handling this. This actually causes an issue for plugins that implement the port_security_api and have port_security_enabled=False on a network.

upstream bug: https://bugs.launchpad.net/nova/+bug/1175464


Version-Release number of selected component (if applicable):

openstack-nova-compute-2015.1.1-1.el7ost.noarch

How reproducible:
always

Steps to Reproduce:

1. Create a network with port_security_enabled=False:
[root@overcloud-controller-0 ~]# neutron net-create test-port-security-disable -- --port_security_enabled=False
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | f035c5d8-40eb-4bda-8897-66ff3d9a0392 |
| mtu                       | 0                                    |
| name                      | test-port-security-disable           |
| port_security_enabled     | False                                |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 8                                    |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | c5cb88bd612949a5afaed8acf79350ef     |
+---------------------------+--------------------------------------+

2. Create a subnet:
neutron subnet-create test-port-security-disable 172.28.0.0/24

3. Launch a VM using the network created above:
nova boot  --flavor m1.small --image cirros.qcow2 --nic net-id=f035c5d8-40eb-4bda-8897-66ff3d9a0392 vm-port-security-disabled

4. The VM launch then fails; on the compute node we see errors like:
[root@overcloud-compute-0 ~]# grep 92e83f34-c17d-4b37-815c-e93bd67c6eee /var/log/nova/nova-compute.log | grep " Security"
2015-12-06 20:08:37.852 17015 TRACE nova.compute.manager [instance: 92e83f34-c17d-4b37-815c-e93bd67c6eee] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.



Actual results:

4. The VM launch then fails; on the compute node we see errors like:
[root@overcloud-compute-0 ~]# grep 92e83f34-c17d-4b37-815c-e93bd67c6eee /var/log/nova/nova-compute.log | grep " Security"
2015-12-06 20:08:37.852 17015 TRACE nova.compute.manager [instance: 92e83f34-c17d-4b37-815c-e93bd67c6eee] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.



Expected results:
Instance starts without errors
Comment 9 Miguel Angel Ajo 2016-02-22 03:19:20 EST
To get a DHCP server to work from an instance, the thing they were trying to do was right:

neutron net-create test-port-security-disable -- --port_security_enabled=False

Once you disable port security, you can serve DHCP from an instance, and instances can get any IP they want (because their source IP is not going to be filtered by neutron)...


But as Eduard pointed out in point 4:

[root@overcloud-compute-0 ~]# grep 92e83f34-c17d-4b37-815c-e93bd67c6eee /var/log/nova/nova-compute.log | grep " Security"
2015-12-06 20:08:37.852 17015 TRACE nova.compute.manager [instance: 92e83f34-c17d-4b37-815c-e93bd67c6eee] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.


Nova should not try to apply or verify anything related to security groups when network has port security disabled.

Could we see the neutron/server.log to verify neutron server is not complaining under the hood for some reason?
Comment 11 Sahid Ferdjaoui 2016-02-23 12:12:46 EST
Unfortunately Nova badly handles the port-security-enabled=False option, since Nova always sets at least the default security group. I'm currently working to provide a patch which should make Nova handle this option in a better way.

Currently, as a workaround, you can continue to create the network without setting port-security-enabled=False, then use some Neutron commands to update the port allocated to the instance.

# neutron net-create net1
# neutron subnet-create net1 172.28.0.0/24
# nova boot --flavor m1.small --image cirros.qcow2 --nic net-id=<id-net1> i1
# neutron port-update <port-i1-id> --no-security-groups --port-security-enabled=False

With <id-net1> the unique ID of the network created and <port-i1-id> the unique ID of the port allocated on network <id-net1> for instance "i1".

Please let me know any feedback.
Thanks,
s.
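An illustrative Python model of the decision at the heart of this report and of the fix Sahid describes, added here as an example (not nova's own code): the Kilo path substitutes 'default' whenever the boot request named no group, while the fixed path forwards only what the API request carried. The function names, the fixed_behaviour switch and the constructed network dicts are assumptions; the error message is the one quoted in the nova-compute.log trace above.

```python
# Added illustrative model (not nova's own code) of the security-group
# handling behind bug 1291210. Names and network dicts are constructed.


class SecurityGroupCannotBeApplied(Exception):
    """Same name as the exception in the nova-compute.log trace."""


def network_accepts_security_groups(network):
    """Precondition quoted in the trace: port security enabled and at
    least one subnet associated with the network."""
    return (bool(network.get("port_security_enabled", True))
            and bool(network.get("subnets")))


def security_groups_for_port(requested, network, fixed_behaviour=True):
    """Return the security groups nova would send to neutron for the port.

    requested       -- groups named in the boot API request ([] if none)
    network         -- dict in the shape of 'neutron net-show' (constructed)
    fixed_behaviour -- False reproduces the Kilo behaviour reported here,
                       True the behaviour the fix aims for
    """
    if fixed_behaviour:
        # Fix: forward only what the request carried; neutron applies its
        # own default group by itself where port security is enabled.
        groups = list(requested)
    else:
        # Kilo: nova silently substitutes 'default' when none was given,
        # which is then rejected on a port-security-disabled network.
        groups = list(requested) or ["default"]
    if groups and not network_accepts_security_groups(network):
        raise SecurityGroupCannotBeApplied(
            "Network requires port_security_enabled and subnet associated "
            "in order to apply security groups.")
    return groups


# Constructed networks: the report's (port security off) and a normal one.
NET_NO_PORT_SECURITY = {"name": "test-port-security-disable",
                        "port_security_enabled": False,
                        "subnets": ["172.28.0.0/24"]}
NET_DEFAULT = {"name": "net1", "port_security_enabled": True,
               "subnets": ["172.28.0.0/24"]}


def boot_outcome(requested, network, fixed_behaviour):
    """What 'nova boot' would do: ('ok', groups sent) or ('error', msg)."""
    try:
        return ("ok", security_groups_for_port(requested, network, fixed_behaviour))
    except SecurityGroupCannotBeApplied as exc:
        return ("error", str(exc))
```

Calling `boot_outcome([], NET_NO_PORT_SECURITY, False)` reproduces step 4 of the report, while the same call with `True` returns `("ok", [])`; an explicitly requested group on that network is still refused, which is the case the fix leaves to the user.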
Comment 15 Terry Bowling 2016-02-24 12:04:19 EST
Sahid,

Thank you for the test build!  Can you verify whether they need to update all of those packages built?

Or only update the openstack-nova-compute and python-nova packages?

Also, as I'm catching up on understanding the history, I have the following questions:

  1. Is this behavior we're experiencing indeed caused by the fix on bz1167496?

  2. Is this disabling port-security a recommended practice or use case?  Are there any security ramifications we should relay to the customer or potential issues with future updates?
Comment 31 Eduard Barrera 2016-04-07 03:31 EDT
Created attachment 1144583 [details]
server.log TRACES
Comment 35 Sahid Ferdjaoui 2016-04-15 10:46:17 EDT
The fix has now been approved. I don't think we can consider it certain that it will be backported to upstream stable, so we should clone this bug for RHOS8 and RHOS9.

In the meantime I'm working on providing a hotfix soon.
Comment 42 errata-xmlrpc 2016-06-01 08:25:58 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1198
