[openstack-dev] [nova][neutron] NoopFirewallDriver leads to nova boot/show/list failure.

Akihiro Motoki amotoki at gmail.com
Tue Oct 22 13:39:09 UTC 2013


Hi,

Thank you for moving it to the mailing list.

>> Nova operations (list/show/boot) will fail, due to Neutron client raising a
>> NotFound security_group exception. I submitted a patch for Nova to fix nova
>> show/list failure. See https://review.openstack.org/#/c/52597/

Regarding this point, the security group extension is not supported by
some Neutron plugins
and I think it is some kind of configuration issue.

IMO it is better to keep raising an exception (or at least an ERROR level
log should be recorded)
to find this kind of configuration mismatch.
If the neutron plugin does not support the security group extension,
security_group_driver in nova.conf should be "nova".
IMO, similarly, if NoopFirewallDriver is used in the neutron agent, Neutron
security group does nothing
and security_group_driver in nova.conf should be "nova" to make
security group work.

An alternative is to change the nova security group driver to check if
the security group extension is enabled in Neutron
and, if it is not supported, not to issue API calls to Neutron related
to security group.

I think both approaches should work even after nova-network is removed
(in the future).

> IMHO there's some confusion in bug #1124117 and in the patch in review
> #23160 about how a noop driver is expected to work. I believe a noop driver
> should look like it is present (in the list of available extensions), but
> does nothing. The patch in review #23160 believes an other way and makes the
> noop driver look like as if it wasn't even present. Which may lead to your
> current bug.

When firewall_driver is set to NoopFirewallDriver in the Neutron agent,
users can create security groups and their rules, but no packet filtering
is enforced.
If neutron security group is enabled, users should expect packet
filtering to be enabled.
I think this behavior is confusing from the Neutron API perspective,
and if no packet filtering is enforced, we cannot say the security group
feature is provided.
This is the background of the change.

On the other hand, we can consider that NoopFirewallDriver means just that
packet filtering is disabled.
I understand there is a need to disable security group completely for
debugging or some cases.
(The Nova security group implementation takes this approach, but it is not
a reason.)

When we discuss this topic, we need to consider it from two views:
the API perspective and the agent behavior perspective.
When I wrote the patch, my vote was to keep the API level and its
actual behavior consistent,
but I am open to the community consensus.

Which is better or is there any alternative?

Thanks,
Akihiro
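As an added illustration of the two options discussed above (raising an error on the configuration mismatch, or skipping the Neutron security group API calls when the extension is not advertised), here is example code that is not part of Nova or Neutron. It assumes Neutron advertises the extension under the alias "security-group", uses the nova.conf option name security_group_driver as written in this thread, and takes a constructed extension list instead of a live Neutron client.

```python
import logging

# Alias Neutron advertises when its security group extension is loaded (assumption).
SG_EXTENSION_ALIAS = "security-group"
NOOP_FIREWALL_DRIVER = "neutron.agent.firewall.NoopFirewallDriver"

# Constructed samples standing in for the result of Neutron's list_extensions call.
SAMPLE_EXTENSIONS_WITH_SG = [{"alias": "router"}, {"alias": SG_EXTENSION_ALIAS}]
SAMPLE_EXTENSIONS_NO_SG = [{"alias": "router"}]

log = logging.getLogger(__name__)


def neutron_supports_security_groups(extensions):
    """True if the advertised extension list contains the security group extension."""
    return any(ext.get("alias") == SG_EXTENSION_ALIAS for ext in extensions)


def check_security_group_config(nova_sg_driver, neutron_firewall_driver, extensions):
    """Option 1 from the thread: surface the mismatch loudly instead of failing later.

    Returns a list of (level, message) findings; an empty list means consistent.
    """
    findings = []
    if nova_sg_driver == "neutron" and not neutron_supports_security_groups(extensions):
        findings.append(("ERROR", "security_group_driver is 'neutron' but Neutron does "
                                  "not advertise the security-group extension; use 'nova'"))
    if nova_sg_driver == "neutron" and neutron_firewall_driver == NOOP_FIREWALL_DRIVER:
        findings.append(("WARNING", "Neutron agent uses NoopFirewallDriver: security "
                                    "groups can be created but no packet filtering is enforced"))
    for level, msg in findings:
        log.log(getattr(logging, level), msg)
    return findings


def security_groups_for_instance(nova_sg_driver, extensions, fetch_from_neutron):
    """Option 2 from the thread: do not call the Neutron security group API at all
    when the extension is absent, so nova list/show/boot do not hit NotFound.

    fetch_from_neutron is a hypothetical callable wrapping the real client call.
    """
    if nova_sg_driver != "neutron" or not neutron_supports_security_groups(extensions):
        return []
    return fetch_from_neutron()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    check_security_group_config("neutron", NOOP_FIREWALL_DRIVER, SAMPLE_EXTENSIONS_NO_SG)
    print(security_groups_for_instance("neutron", SAMPLE_EXTENSIONS_WITH_SG,
                                       lambda: ["default"]))
```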

On Tue, Oct 22, 2013 at 9:29 PM, Bence Romsics <rubasov at gmail.com> wrote:
> Hi Eric,
>
> Instead of the new patch you may consider reverting an old one:
> https://review.openstack.org/#/c/23160/
> https://bugs.launchpad.net/neutron/+bug/1124117
>
> IMHO there's some confusion in bug #1124117 and in the patch in review
> #23160 about how a noop driver is expected to work. I believe a noop driver
> should look like it is present (in the list of available extensions), but
> does nothing. The patch in review #23160 believes an other way and makes the
> noop driver look like as if it wasn't even present. Which may lead to your
> current bug.
>
> Best regards,
> Bence Romsics
>
>
> On Sat, Oct 19, 2013 at 10:09 AM, Chang Bo Guo <guochbo at cn.ibm.com> wrote:
>>
>> Hi ALL,
>>
>> There is bug https://bugs.launchpad.net/python-neutronclient/+bug/1232965.
>>
>> When set "firewall_driver = neutron.agent.firewall.NoopFirewallDriver" in
>> /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini ,
>> Nova operations (list/show/boot) will fail, due to Neutron client raising a
>> NotFound security_group exception. I submitted a patch for Nova to fix nova
>> show/list failure. See https://review.openstack.org/#/c/52597/
>>
>> My question is, which side (Neutron, NeutronClient, Nova) should fix this,
>> and what's the best solution? Currently I just catch the exception and return
>> an empty list of security_group.
>>
>> Any thoughts ?
>>
>> Best Regards
>> -----------
>> Eric Guo  郭长波
>> Cloud Solutions and Openstack Development
>> China System & Technology Laboratories (CSTL), IBM
>> Tel:86-10-82452019
>> Internet Mail: guochbo at cn.ibm.com
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>