Public bug reported:

According to the OpenStack Compute API ref, a security group name can be supplied in the request to remove a security group from the server.

Nova correctly handles a case of adding security group to a server when there are multiple security groups with the requested name and returns HTTP409 Conflict. However it fails in the same scenario when removing security group from the server (for example when a security group with a duplicate name was added after server was created), returning HTTP500.

Reproduce script for current DevStack/master:

    #!/usr/bin/env bash
    set -ex
    # repro on DevStack
    export OS_CLOUD=devstack
    TOKEN=$(openstack token issue -f value -c id)
    # openstackclient catalog list/show are not very bash-friendly, only with jq :-/
    computeapi=$(openstack catalog show compute | grep public | awk '{print $4}')
    # adjust image, flavor and network to your liking
    serverid=$(openstack server create dummy --image cirros-0.5.1-x86_64-disk --flavor m1.nano --network private -f value -c id)
    openstack security group create dummy
    openstack server add security group dummy dummy
    openstack security group create dummy
    # smart clients (openstackclient, openstacksdk) use some sort of pre-validation
    # or name-to-id resolving first, so using raw curl to demonstrate.
    curl -g -i --cacert "/opt/stack/data/ca-bundle.pem" \
      -X POST "$computeapi/servers/$serverid/action" \
      -d '{"removeSecurityGroup":{"name":"dummy"}}' \
      -H "Content-Type: application/json" \
      -H "X-Auth-Token: $TOKEN"

The last command returns:

    {"computeFault": {"code": 500, "message": "Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.\n<class 'neutronclient.common.exceptions.NeutronClientNoUniqueMatch'>"}}

The reason is that the logic handling such conflict was added to the security group adding code, but not to the removal one. See `nova/network/security_group_api.py`, methods `add_to_instance`
https://opendev.org/openstack/nova/src/commit/2f3a380c3c081fb022c8a2dcfdcc365733161cac/nova/network/security_group_api.py#L611-L618
vs `remove_from_instance`
https://opendev.org/openstack/nova/src/commit/2f3a380c3c081fb022c8a2dcfdcc365733161cac/nova/network/security_group_api.py#L674-L679
The latter does not handle the NeutronClientNoUniqueMatch exception.

** Affects: nova
     Importance: Undecided
     Assignee: Pavlo Shchelokovskyy (pshchelo)
         Status: In Progress

https://bugs.launchpad.net/bugs/1889655

Title:
  removeSecurityGroup action returns 500 when there are multiple security groups with the same name

Status in OpenStack Compute (nova):
  In Progress
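The add/remove asymmetry described in the report, reduced to a small model. This is an added example, not Nova's code and not part of the original report: `NoUniqueMatch`, `Conflict`, `resolve_name`, `api_status`, the sample groups and the 202/404 codes of the toy wrapper are all hypothetical stand-ins.

```python
class NoUniqueMatch(Exception):
    """Stand-in for neutronclient's NeutronClientNoUniqueMatch."""

class Conflict(Exception):
    """Stand-in for the API-layer error that is rendered as HTTP 409."""

# Constructed sample data: two groups share the name "dummy".
GROUPS = [
    {"id": "sg-1", "name": "dummy"},
    {"id": "sg-2", "name": "dummy"},
    {"id": "sg-3", "name": "web"},
]

def resolve_name(name, groups=GROUPS):
    """Name-to-id lookup that refuses to guess when the name is ambiguous."""
    matches = [g["id"] for g in groups if g["name"] == name]
    if len(matches) > 1:
        raise NoUniqueMatch(f"multiple security groups match name {name!r}")
    if not matches:
        raise LookupError(name)
    return matches[0]

def remove_unhandled(attached, name):
    """Shape of the failing path: the ambiguity error escapes uncaught."""
    attached.discard(resolve_name(name))

def remove_handled(attached, name):
    """Removal with the translation the report says the add path performs."""
    try:
        sg_id = resolve_name(name)
    except NoUniqueMatch as exc:
        raise Conflict(str(exc)) from exc
    attached.discard(sg_id)

def api_status(action, attached, name):
    """Toy API wrapper: known errors become 4xx, anything else becomes 500."""
    try:
        action(attached, name)
        return 202
    except Conflict:
        return 409
    except LookupError:
        return 404
    except Exception:
        return 500

if __name__ == "__main__":
    print(api_status(remove_unhandled, {"sg-1"}, "dummy"))
    print(api_status(remove_handled, {"sg-1"}, "dummy"))
```

In both variants the server's attached set is left unchanged when the name is ambiguous; only the status the caller sees differs.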