Reviewed: https://review.opendev.org/701565
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=936bd67aa42b2e06241d309315b895c9c9c49dcc
Submitter: Zuul
Branch: master

commit 936bd67aa42b2e06241d309315b895c9c9c49dcc
Author: Rodolfo Alonso Hernandez <[email protected]>
Date: Wed Jan 8 13:31:29 2020 +0000

    Check "security_group_rule" quota during security group creation

    The tracked resources quota check is done at the beginning of an API
    call to the Neutron server. The API call contains a resource and an
    action over the resource. In case of creation, the server checks if
    the number of items requested fits in the existing quota.

    In case of security group creation, the tracked resource checked is
    "security_group". But "SecurityGroupDbMixin.create_security_group"
    method also creates several default rules for the new group and the
    quota for "security_group_rule" is not enforced.

    This patch checks the number of security group rules being created
    ("delta") and checks in the plugin method (not in the API method)
    if there is enough room for those new rules (tracked resource
    "security_group_rule").

    Change-Id: I0a9b91b09d6260ff96fdba2f0a455de53bbc1f00
    Closes-Bug: #1858680

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1858680

Title:
  Succeed to create new security group, even if security group rule quota is exceeded

Status in neutron:
  Fix Released

Bug description:
  Description of problem:
  Even if the quota for SG rules is exhausted, new security groups (with two default rules by default) can be created successfully.

  How to reproduce:

    OS_PROJECT_NAME=admin
    # Count the existing SG rules in the project, then add one
    CREATED=`openstack security group list --project $OS_PROJECT_NAME -f json \
        | jq -r '.[] | .ID' \
        | xargs -I {} openstack security group rule list {} -f value | wc -l`
    let "CREATED +=1"
    # First security group of the project; the filler rules are added to it
    SG=`openstack security group list --project $OS_PROJECT_NAME -f json \
        | jq -r '.[0] | .ID'`
    QUOTA=`openstack quota show $OS_PROJECT_NAME -f json \
        | jq -r '.["secgroup-rules"]'`
    # Create rules until the SG rule quota is exhausted
    for ((i=CREATED; i<=QUOTA; i++)); do
        PORT=`printf "%04d" $i`
        openstack security group rule create --ingress --protocol tcp \
            --dst-port 5$PORT:5$PORT $SG
    done
    # Creating one more group still succeeds and adds its default rules
    openstack security group create --project $OS_PROJECT_NAME \
        sec_group_with_excess_rules

  Actual results:
  The number of SG rules after the last command exceeds the maximum quota assigned for SG rules by 2.

  Related bugs:
  https://bugzilla.redhat.com/show_bug.cgi?id=1787933
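
A simplified model of the gap the commit message describes, as an added example that is not Neutron's code: the API layer checks only the resource named in the call, and the patched plugin method also checks the rule delta. All class, function and parameter names and the quota values are hypothetical.

```python
# Simplified model of the quota gap; not Neutron code. All names are hypothetical.
class OverQuota(Exception):
    pass


class Project:
    def __init__(self, limits, used):
        self.limits = dict(limits)  # tracked resource -> quota
        self.used = dict(used)      # tracked resource -> current count

    def check(self, resource, delta):
        """Raise OverQuota if adding `delta` items would pass the limit."""
        if self.used[resource] + delta > self.limits[resource]:
            raise OverQuota(f"{resource}: {self.used[resource]}+{delta} > "
                            f"{self.limits[resource]}")


DEFAULT_RULES = 2  # default rules per new group, as in the bug description


def plugin_create_group(project, enforce_rule_quota):
    """Plugin layer: creates the group and its default rules."""
    if enforce_rule_quota:
        # Patched behaviour: check the rule delta inside the plugin method.
        project.check("security_group_rule", DEFAULT_RULES)
    project.used["security_group"] += 1
    project.used["security_group_rule"] += DEFAULT_RULES


def api_create_group(project, enforce_rule_quota):
    """API layer: only the resource named in the call is checked up front."""
    project.check("security_group", 1)
    plugin_create_group(project, enforce_rule_quota)
    return project.used["security_group_rule"]


def demo():
    # Constructed state: rule quota already exhausted (100 of 100).
    limits = {"security_group": 10, "security_group_rule": 100}
    used = {"security_group": 1, "security_group_rule": 100}
    before = api_create_group(Project(limits, used), enforce_rule_quota=False)
    try:
        api_create_group(Project(limits, used), enforce_rule_quota=True)
        after = "created"
    except OverQuota:
        after = "rejected"
    return before, after


if __name__ == "__main__":
    print(demo())
```
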

