Description of problem:
When booting an instance, nova-api automatically adds a default security group if one is not specified, though we shouldn't be doing this and instead quantum should be handling it. This actually causes an issue for plugins that implement the port_security_api and have port_security_enabled=False on a network.

upstream bug: https://bugs.launchpad.net/nova/+bug/1175464

Version-Release number of selected component (if applicable):
openstack-nova-compute-2015.1.1-1.el7ost.noarch

How reproducible:
always

Steps to Reproduce:
1. Create a network with port_security_enabled=False:

[root@overcloud-controller-0 ~]# neutron net-create test-port-security-disable -- --port_security_enabled=False
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | f035c5d8-40eb-4bda-8897-66ff3d9a0392 |
| mtu                       | 0                                    |
| name                      | test-port-security-disable           |
| port_security_enabled     | False                                |
| provider:network_type     | vxlan                                |
| provider:physical_network |                                      |
| provider:segmentation_id  | 8                                    |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | c5cb88bd612949a5afaed8acf79350ef     |
+---------------------------+--------------------------------------+

2. Create a subnet:

neutron subnet-create test-port-security-disable 172.28.0.0/24

3. Launch a VM using the network created above:

nova boot --flavor m1.small --image cirros.qcow2 --nic net-id=f035c5d8-40eb-4bda-8897-66ff3d9a0392 vm-port-security-disabled

4. The VM launch fails; on the compute node we see errors like:

[root@overcloud-compute-0 ~]# grep 92e83f34-c17d-4b37-815c-e93bd67c6eee /var/log/nova/nova-compute.log | grep " Security"
2015-12-06 20:08:37.852 17015 TRACE nova.compute.manager [instance: 92e83f34-c17d-4b37-815c-e93bd67c6eee] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.

Actual results:
4. The VM launch fails; on the compute node we see errors like:

[root@overcloud-compute-0 ~]# grep 92e83f34-c17d-4b37-815c-e93bd67c6eee /var/log/nova/nova-compute.log | grep " Security"
2015-12-06 20:08:37.852 17015 TRACE nova.compute.manager [instance: 92e83f34-c17d-4b37-815c-e93bd67c6eee] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.

Expected results:
Instance starts without errors
To get a DHCP server to work from an instance, the thing they were trying to do was right:

neutron net-create test-port-security-disable -- --port_security_enabled=False

Once you disable port security, you can serve DHCP from an instance, and instances can get any IP they want (because their source IP is not going to be filtered by neutron)... But as Eduard pointed out at point 4:

[root@overcloud-compute-0 ~]# grep 92e83f34-c17d-4b37-815c-e93bd67c6eee /var/log/nova/nova-compute.log | grep " Security"
2015-12-06 20:08:37.852 17015 TRACE nova.compute.manager [instance: 92e83f34-c17d-4b37-815c-e93bd67c6eee] SecurityGroupCannotBeApplied: Network requires port_security_enabled and subnet associated in order to apply security groups.

Nova should not try to apply or verify anything related to security groups when the network has port security disabled. Could we see the neutron/server.log to verify the neutron server is not complaining under the hood for some reason?
Unfortunately Nova badly handles the port-security-enabled=False option, since Nova always sets at least the default security group. I'm currently working to provide a patch which should make Nova handle this option in a better way. Currently, as a workaround, you can continue to create the network without setting port-security-enabled=False, then use some Neutron commands to update the port allocated to the instance:

# neutron net-create net1
# neutron subnet-create net1 172.28.0.0/24
# nova boot --flavor m1.small --image cirros.qcow2 --nic net-id=<id-net1> i1
# neutron port-update <port-i1-id> --no-security-groups --port-security-enabled=False

With <id-net1> the unique ID of the network created and <port-i1-id> the unique ID of the port allocated on network <id-net1> for instance "i1". Please let me know any feedback. Thanks, s.
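As an added illustration that is not nova's code or the patch under discussion, the following Python models the security-group decision this report and the workaround above are about: the implicit "default" group nova-api adds colliding with port_security_enabled=False, and what the expected behaviour looks like. The fixed branch is an assumption about the intended behaviour (no implicit default on a port-security-disabled network, explicitly requested groups still rejected), and the network dicts are constructed for the example.

```python
# Illustration only, not nova's code: models the security-group decision
# behind the SecurityGroupCannotBeApplied trace quoted in this bug.

class SecurityGroupCannotBeApplied(Exception):
    """Same name as the nova exception quoted in nova-compute.log."""


def security_groups_for_boot(requested, network, fixed=False):
    """Return the security groups nova would ask neutron to apply.

    requested: groups given on 'nova boot' (None means none specified).
    network:   neutron network dict with 'port_security_enabled' and 'subnets'.
    fixed:     False reproduces the reported behaviour (nova-api always adds
               'default'); True models the expected behaviour (assumption:
               no implicit default when port security is off, while groups
               the user explicitly asked for are still rejected).
    """
    port_security = network.get("port_security_enabled", True)
    if requested is None:
        if fixed and not port_security:
            requested = []            # nothing implied, nothing to apply
        else:
            requested = ["default"]   # the implicit default that triggers the bug
    # Modelled on the compute-side check behind the quoted log message.
    if requested and (not port_security or not network.get("subnets")):
        raise SecurityGroupCannotBeApplied(
            "Network requires port_security_enabled and subnet associated "
            "in order to apply security groups.")
    return requested


# Constructed networks: the one from the report, and the workaround's
# net1 (port security left on, port patched after boot).
NET_NO_PORT_SECURITY = {"name": "test-port-security-disable",
                        "port_security_enabled": False,
                        "subnets": ["172.28.0.0/24"]}
NET_DEFAULT = {"name": "net1", "port_security_enabled": True,
               "subnets": ["172.28.0.0/24"]}


def boot_outcome(network, fixed, requested=None):
    """'ok:<groups>' or 'error:<exception name>' for one simulated boot,
    so the buggy and fixed behaviours can be compared side by side."""
    try:
        return "ok:" + ",".join(security_groups_for_boot(requested, network, fixed))
    except SecurityGroupCannotBeApplied as exc:
        return "error:" + type(exc).__name__


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", boot_outcome(NET_NO_PORT_SECURITY, fixed))
```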
Sahid, thank you for the test build! Can you verify whether they need to update all of the packages built, or only the openstack-nova-compute and python-nova packages? Also, as I'm catching up on understanding the history, I have the following questions:

1. Is the behavior we're experiencing indeed caused by the fix on bz1167496?
2. Is disabling port security a recommended practice or use case? Are there any security ramifications we should relay to the customer, or potential issues with future updates?
Created attachment 1144583
server.log TRACES
The fix has now been approved. I don't think we can consider it certain that it will be backported to upstream-stable, so we should clone this bug for RHOS8 and RHOS9. In the meantime I'm working on providing a hotfix soon.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1198
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days