Delete security group that contains instances should not be allowed

Bug #817872 reported by Rohit Karajgi
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Russell Bryant

Bug Description

If I try to use euca-delete-group to delete a security group that contains running instances, I am allowed to do so.
Expected Output: An error should be thrown saying the group is in use by instance(s).
This may also have potential impact on other instance related functionality.

Note: Amazon EC2 API implementation 'ec2-delete-group' behaves correctly in this scenario and returns a fault.

Tags: ec2
Rohit Karajgi (rohitk) wrote :
Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
Thierry Carrez (ttx)
tags: added: security-group
tags: removed: security-group
John Tran (jtran)
Changed in nova:
assignee: nobody → John Tran (jtran)
John Tran (jtran) wrote :

Rohit, I started putting the code in to check for instances upon deletion, but it's unclear to me: how do you remove instances from the security group prior to deleting the security group?

Chuck Short (zulcss)
tags: added: ec2
Rupak Ganguly (rupakg) wrote :

John,
This is the closest I could find: http://docs.amazonwebservices.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-ModifyInstanceAttribute.html. But notice that you can change the security group but cannot remove a security group from an instance. The only thing you can do is terminate all the instances and then delete the security group. I think we should still put in the check for instances upon deletion and raise an exception.

Russell Bryant (russellb) wrote :

Since this hasn't seen activity for a while, I'm going to take a stab at it.

Changed in nova:
assignee: John Tran (jtran) → Russell Bryant (russellb)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/4154

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/4154
Committed: http://github.com/openstack/nova/commit/3dc539bcb0d9031f81076ac2e1870918400150ed
Submitter: Jenkins
Branch: master

commit 3dc539bcb0d9031f81076ac2e1870918400150ed
Author: Russell Bryant <email address hidden>
Date: Fri Feb 10 19:01:10 2012 -0500

    Don't allow EC2 removal of security group in use.

    Fix bug 817872.

    This patch modifies the behavior of removing security groups via the EC2
    API to better match the EC2 API spec. The EC2 documentation says that a
    group that is still in use can not be removed.

    A new function has been added to the db API to find out whether a
    particular security group is still in use. "In use" is defined as
    applied to an active instance, or applied to another group that has not
    been deleted.

    Unit tests have been updated to ensure that an error is raised when
    these conditions are hit.

    Change-Id: I5b3fdf1da213b04084fe266c1a6ed92e01cf1e19

Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: none → essex-4
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-4 → 2012.1
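
The "in use" definition from the commit message above, as an added example that is not nova's code and not part of the bug thread: a group is in use if it is applied to a non-deleted instance, or referenced by a rule in another group that has not been deleted. The SQLite schema, table names, function names and sample rows are simplified assumptions constructed for illustration.

```python
import sqlite3

# Constructed, simplified schema (an assumption; not nova's real tables).
SCHEMA = """
CREATE TABLE security_groups (id INTEGER PRIMARY KEY, name TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE instances (id INTEGER PRIMARY KEY, deleted INTEGER DEFAULT 0);
CREATE TABLE instance_group_assoc (instance_id INTEGER, group_id INTEGER);
-- A rule in parent_group_id that grants access to members of source_group_id.
CREATE TABLE group_rules (parent_group_id INTEGER, source_group_id INTEGER, deleted INTEGER DEFAULT 0);
"""

class GroupInUse(Exception):
    """Raised when deletion is refused because the group is still referenced."""

def security_group_in_use(conn, group_id):
    """True if the group is applied to a non-deleted instance, or is the
    source of a live rule in another group that has not been deleted."""
    by_instance = conn.execute(
        "SELECT 1 FROM instance_group_assoc a JOIN instances i ON i.id = a.instance_id "
        "WHERE a.group_id = ? AND i.deleted = 0 LIMIT 1", (group_id,)).fetchone()
    if by_instance:
        return True
    by_group = conn.execute(
        "SELECT 1 FROM group_rules r JOIN security_groups g ON g.id = r.parent_group_id "
        "WHERE r.source_group_id = ? AND r.parent_group_id != ? "
        "AND r.deleted = 0 AND g.deleted = 0 LIMIT 1", (group_id, group_id)).fetchone()
    return by_group is not None

def delete_security_group(conn, group_id):
    """Soft-delete the group, refusing while anything still depends on it."""
    if security_group_in_use(conn, group_id):
        raise GroupInUse(f"security group {group_id} is still in use")
    with conn:  # commits the update on success
        conn.execute("UPDATE security_groups SET deleted = 1 WHERE id = ?", (group_id,))

def demo():
    """Constructed data: web(1) on a live instance, db(2) referenced by web, old(3) unused."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executescript("""
        INSERT INTO security_groups (id, name) VALUES (1,'web'),(2,'db'),(3,'old');
        INSERT INTO instances (id, deleted) VALUES (10, 0), (11, 1);
        INSERT INTO instance_group_assoc VALUES (10, 1), (11, 3);
        INSERT INTO group_rules (parent_group_id, source_group_id) VALUES (1, 2);
    """)
    return conn
```

Group 3 is attached only to an already-deleted instance, so it is the one group in the sample data that can be removed immediately; group 2 becomes removable only once group 1 is gone.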