[openstack-dev] [Neutron] UniqueConstraint for name and tenant_id in security group

Cory Benfield Cory.Benfield at metaswitch.com
Fri Dec 12 09:07:25 UTC 2014

On Thu, Dec 11, 2014 at 23:05:01, Mathieu Gagné wrote:
> When no security group is provided, Nova will default to the "default"
> security group. However due to the fact 2 security groups had the same
> name, nova-compute got confused, put the instance in ERROR state and
> logged this traceback [1]:
>    NoUniqueMatch: Multiple security groups found matching 'default'. Use an ID to be more specific.

We've hit this in our automated testing in the past as well. Similarly, we have no idea how we managed to achieve this, but it's clearly something that the APIs allow you to do. That feels unwise.

> - the instance request should be blocked before it ends up on a compute
> node with nova-compute. It shouldn't be the job of nova-compute to find
> out issues about duplicated names. It should be the job of nova-api.
> Don't waste your time scheduling and spawning an instance that will
> never spawn with success.
> - From an end user perspective, this means "nova boot" returns no error
> and it's only later that the user is informed of the confusion with
> security group names.
> - Why does it have to crash with a traceback? IMO, traceback means "we
> didn't think about this use case, here is more information on how to
> find the source". As an operator, I don't care about the traceback if
> it's a known limitation of Nova/Neutron. Don't pollute my logs with
> "normal exceptions". (Log rationalization anyone?)

+1 to all of this.
