Hi,

Thank you for moving it to the mailing list.

>> Nova operations (list/show/boot) will fail, due to Neutron client raises
>> NotFound security_group exception. I submit a patch for Nova to fix nova
>> show/list failure. See https://review.openstack.org/#/c/52597/

Regarding this point, security group extension is not supported by some Neutron plugins and I think it is some kind of configuration issue. IMO it is better to keep raising an exception (or at least ERROR level log should be recorded) to find this kind of configuration mismatch.

If neutron plugin does not support security group extension, security_group_driver in nova.conf should be "nova". IMO, similarly if NoopFirewallDriver is used in neutron agent, Neutron security group does nothing and security_group_driver in nova.conf should be "nova" to make security group work.

An alternative is to change nova security group driver to check if security group extension is enabled in Neutron and if it is not supported not to issue API calls to Neutron related to security group. I think both approaches should work even after nova-network is removed (in the future).

> IMHO there's some confusion in bug #1124117 and in the patch in review
> #23160 about how a noop driver is expected to work. I believe a noop driver
> should look like it is present (in the list of available extensions), but
> does nothing. The patch in review #23160 believes another way and makes the
> noop driver look like as if it wasn't even present. Which may lead to your
> current bug.

When firewall_driver is set to NoopFirewallDriver in Neutron agent, users can create security group and its rules, but no packet filtering is enforced. If neutron security group is enabled, users should expect packet filtering is enabled. I think this behavior is confusing from Neutron API perspective, and if no packet filtering is enforced, we cannot say security group feature is provided. This is the background of the change.

On the other hand, we can consider NoopFirewallDriver means just packet filtering is disabled. I understand there is a need to disable security group completely for debugging or some cases. (Nova security group implementation takes this approach, but it is not a reason.)

When we discuss this topic, we need to consider it from the two views: API perspective and agent behavior perspective. When I wrote the patch, my vote was to keep consistent between API level and its actual behavior, but I am open to the community consensus.

Which is better or is there any alternative?

Thanks,
Akihiro

On Tue, Oct 22, 2013 at 9:29 PM, Bence Romsics <[email protected]> wrote:
> Hi Eric,
>
> Instead of the new patch you may consider reverting an old one:
> https://review.openstack.org/#/c/23160/
> https://bugs.launchpad.net/neutron/+bug/1124117
>
> IMHO there's some confusion in bug #1124117 and in the patch in review
> #23160 about how a noop driver is expected to work. I believe a noop driver
> should look like it is present (in the list of available extensions), but
> does nothing. The patch in review #23160 believes another way and makes the
> noop driver look like as if it wasn't even present. Which may lead to your
> current bug.
>
> Best regards,
> Bence Romsics
>
>
> On Sat, Oct 19, 2013 at 10:09 AM, Chang Bo Guo <[email protected]> wrote:
>>
>> Hi ALL,
>>
>> There is bug https://bugs.launchpad.net/python-neutronclient/+bug/1232965.
>>
>> When set "firewall_driver = neutron.agent.firewall.NoopFirewallDriver" in
>> /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini,
>> Nova operations (list/show/boot) will fail, due to Neutron client raises
>> NotFound security_group exception. I submit a patch for Nova to fix nova
>> show/list failure. See https://review.openstack.org/#/c/52597/
>>
>> My question is, which side (Neutron, NeutronClient, Nova) should fix this,
>> what's the best solution, currently I just catch the exception and return
>> empty list of security_group.
>>
>> Any thoughts?
>>
>> Best Regards
>> -----------
>> Eric Guo 郭长波
>> Cloud Solutions and Openstack Development
>> China System & Technology Laboratories (CSTL), IBM
>> Tel:86-10-82452019
>> Internet Mail: [email protected]
>> _______________________________________________
>> OpenStack-dev mailing list
>> [email protected]
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
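
The alternative raised in the reply above (check whether Neutron exposes the security group extension before issuing security group calls, and record the mismatch at ERROR level rather than hiding it) could look like this. It is an added example, not code from Nova, Neutron or the patches under review; FakeNeutron, NotFound and SecurityGroupReader are hypothetical names, and the client is a constructed stand-in that mimics only the response shapes of list_extensions() and list_security_groups().

```python
import logging

LOG = logging.getLogger("sg_extension_check")
SG_ALIAS = "security-group"  # alias Neutron uses for the security group API extension


class NotFound(Exception):
    """Stand-in for the client's 404 error (hypothetical, for this example)."""


class FakeNeutron:
    """Constructed stand-in for a Neutron client; not python-neutronclient itself."""

    def __init__(self, aliases, groups=()):
        self.aliases, self.groups, self.sg_calls = set(aliases), list(groups), 0

    def list_extensions(self):
        return {"extensions": [{"alias": a} for a in sorted(self.aliases)]}

    def list_security_groups(self, **filters):
        self.sg_calls += 1
        if SG_ALIAS not in self.aliases:
            raise NotFound("security-groups resource not found")
        return {"security_groups": self.groups}


class SecurityGroupReader:
    """Asks Neutron once whether the extension is loaded, then gates SG calls on it."""

    def __init__(self, client):
        self.client = client
        self._supported = None  # unknown until the first check

    def supported(self):
        if self._supported is None:
            exts = self.client.list_extensions()["extensions"]
            self._supported = any(e.get("alias") == SG_ALIAS for e in exts)
            if not self._supported:
                # Surface the mismatch loudly instead of hiding it behind an empty list.
                LOG.error("Neutron does not expose %r; security groups are not "
                          "being served by Neutron", SG_ALIAS)
        return self._supported

    def list_groups(self, tenant_id):
        if not self.supported():
            return []  # no security group API call is issued at all
        return self.client.list_security_groups(tenant_id=tenant_id)["security_groups"]
```

The cached result means a change to the agent's firewall_driver is only picked up after the calling service restarts.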
