1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
|
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# Copyright 2011 Piston Cloud Computing, Inc.
# Copyright 2012 Red Hat, Inc.
# Copyright 2013 Nicira, Inc.
# All Rights Reserved
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import urllib
import netaddr
from neutronclient.common import exceptions as n_exc
from neutronclient.neutron import v2_0 as neutronv20
from oslo_log import log as logging
from oslo_utils import encodeutils
from oslo_utils import excutils
from oslo_utils import netutils
from oslo_utils import uuidutils
from webob import exc
from nova import context as nova_context
from nova import exception
from nova.i18n import _
from nova.network import neutron as neutronapi
from nova.objects import security_group as security_group_obj
from nova import utils
LOG = logging.getLogger(__name__)
# NOTE: Neutron client has a max URL length of 8192, so we have
# to limit the number of IDs we include in any single search. Really
# doesn't seem to be any point in making this a config value.
MAX_SEARCH_IDS = 150
def validate_id(id):
if not uuidutils.is_uuid_like(id):
msg = _("Security group id should be uuid")
raise exception.Invalid(msg)
return id
def validate_name(
context: nova_context.RequestContext,
name: str):
"""Validate a security group name and return the corresponding UUID.
:param context: The nova request context.
:param name: The name of the security group.
:raises NoUniqueMatch: If there is no unique match for the provided name.
:raises SecurityGroupNotFound: If there's no match for the provided name.
:raises NeutronClientException: For all other exceptions.
"""
neutron = neutronapi.get_client(context)
try:
return neutronv20.find_resourceid_by_name_or_id(
neutron, 'security_group', name, context.project_id)
except n_exc.NeutronClientNoUniqueMatch as e:
raise exception.NoUniqueMatch(str(e))
except n_exc.NeutronClientException as e:
if e.status_code == 404:
LOG.debug('Neutron security group %s not found', name)
raise exception.SecurityGroupNotFound(str(e))
else:
LOG.error('Neutron Error: %s', e)
raise e
def parse_cidr(cidr):
if not cidr:
return '0.0.0.0/0'
try:
cidr = encodeutils.safe_decode(urllib.parse.unquote(cidr))
except Exception:
raise exception.InvalidCidr(cidr=cidr)
if not netutils.is_valid_cidr(cidr):
raise exception.InvalidCidr(cidr=cidr)
return cidr
def new_group_ingress_rule(grantee_group_id, protocol, from_port,
to_port):
return _new_ingress_rule(
protocol, from_port, to_port, group_id=grantee_group_id)
def new_cidr_ingress_rule(grantee_cidr, protocol, from_port, to_port):
return _new_ingress_rule(
protocol, from_port, to_port, cidr=grantee_cidr)
def _new_ingress_rule(ip_protocol, from_port, to_port,
group_id=None, cidr=None):
values = {}
if group_id:
values['group_id'] = group_id
# Open everything if an explicit port range or type/code are not
# specified, but only if a source group was specified.
ip_proto_upper = ip_protocol.upper() if ip_protocol else ''
if (ip_proto_upper == 'ICMP' and
from_port is None and to_port is None):
from_port = -1
to_port = -1
elif (ip_proto_upper in ['TCP', 'UDP'] and from_port is None and
to_port is None):
from_port = 1
to_port = 65535
elif cidr:
values['cidr'] = cidr
if ip_protocol and from_port is not None and to_port is not None:
ip_protocol = str(ip_protocol)
try:
# Verify integer conversions
from_port = int(from_port)
to_port = int(to_port)
except ValueError:
if ip_protocol.upper() == 'ICMP':
raise exception.InvalidInput(reason=_("Type and"
" Code must be integers for ICMP protocol type"))
else:
raise exception.InvalidInput(reason=_("To and From ports "
"must be integers"))
if ip_protocol.upper() not in ['TCP', 'UDP', 'ICMP']:
raise exception.InvalidIpProtocol(protocol=ip_protocol)
# Verify that from_port must always be less than
# or equal to to_port
if (ip_protocol.upper() in ['TCP', 'UDP'] and
(from_port > to_port)):
raise exception.InvalidPortRange(from_port=from_port,
to_port=to_port, msg="Former value cannot"
" be greater than the later")
# Verify valid TCP, UDP port ranges
if (ip_protocol.upper() in ['TCP', 'UDP'] and
(from_port < 1 or to_port > 65535)):
raise exception.InvalidPortRange(from_port=from_port,
to_port=to_port, msg="Valid %s ports should"
" be between 1-65535"
% ip_protocol.upper())
# Verify ICMP type and code
if (ip_protocol.upper() == "ICMP" and
(from_port < -1 or from_port > 255 or
to_port < -1 or to_port > 255)):
raise exception.InvalidPortRange(from_port=from_port,
to_port=to_port, msg="For ICMP, the"
" type:code must be valid")
values['protocol'] = ip_protocol
values['from_port'] = from_port
values['to_port'] = to_port
else:
# If cidr based filtering, protocol and ports are mandatory
if cidr:
return None
return values
def create_security_group_rule(context, security_group, new_rule):
if _rule_exists(security_group, new_rule):
msg = (_('This rule already exists in group %s') %
new_rule['parent_group_id'])
raise exception.Invalid(msg)
return add_rules(context, new_rule['parent_group_id'],
security_group['name'],
[new_rule])[0]
def _rule_exists(security_group, new_rule):
"""Indicates whether the specified rule is already
defined in the given security group.
"""
for rule in security_group['rules']:
keys = ('group_id', 'cidr', 'from_port', 'to_port', 'protocol')
for key in keys:
if rule.get(key) != new_rule.get(key):
break
else:
return rule.get('id') or True
return False
def validate_property(value, property, allowed):
"""Validate given security group property.
:param value: the value to validate, as a string or unicode
:param property: the property, either 'name' or 'description'
:param allowed: the range of characters allowed, but not used because
Neutron is allowing any characters.
"""
utils.check_string_length(value, name=property, min_length=0,
max_length=255)
def populate_security_groups(security_groups):
"""Build and return a SecurityGroupList.
:param security_groups: list of requested security group names or uuids
:type security_groups: list
:returns: nova.objects.security_group.SecurityGroupList
"""
if not security_groups:
# Make sure it's an empty SecurityGroupList and not None
return security_group_obj.SecurityGroupList()
return security_group_obj.make_secgroup_list(security_groups)
def create_security_group(context, name, description):
neutron = neutronapi.get_client(context)
body = _make_neutron_security_group_dict(name, description)
try:
security_group = neutron.create_security_group(
body).get('security_group')
except n_exc.BadRequest as e:
raise exception.Invalid(str(e))
except n_exc.NeutronClientException as e:
LOG.exception("Neutron Error creating security group %s", name)
if e.status_code == 401:
# TODO(arosen) Cannot raise generic response from neutron here
# as this error code could be related to bad input or over
# quota
raise exc.HTTPBadRequest()
elif e.status_code == 409:
raise exception.SecurityGroupLimitExceeded(str(e))
raise e
return _convert_to_nova_security_group_format(security_group)
def update_security_group(context, security_group, name, description):
neutron = neutronapi.get_client(context)
body = _make_neutron_security_group_dict(name, description)
try:
security_group = neutron.update_security_group(
security_group['id'], body).get('security_group')
except n_exc.NeutronClientException as e:
LOG.exception("Neutron Error updating security group %s", name)
if e.status_code == 401:
# TODO(arosen) Cannot raise generic response from neutron here
# as this error code could be related to bad input or over
# quota
raise exc.HTTPBadRequest()
raise e
return _convert_to_nova_security_group_format(security_group)
def _convert_to_nova_security_group_format(security_group):
nova_group = {}
nova_group['id'] = security_group['id']
nova_group['description'] = security_group['description']
nova_group['name'] = security_group['name']
nova_group['project_id'] = security_group['tenant_id']
nova_group['rules'] = []
for rule in security_group.get('security_group_rules', []):
if rule['direction'] == 'ingress':
nova_group['rules'].append(
_convert_to_nova_security_group_rule_format(rule))
return nova_group
def _convert_to_nova_security_group_rule_format(rule):
nova_rule = {}
nova_rule['id'] = rule['id']
nova_rule['parent_group_id'] = rule['security_group_id']
nova_rule['protocol'] = rule['protocol']
if (nova_rule['protocol'] and rule.get('port_range_min') is None and
rule.get('port_range_max') is None):
if rule['protocol'].upper() in ['TCP', 'UDP']:
nova_rule['from_port'] = 1
nova_rule['to_port'] = 65535
else:
nova_rule['from_port'] = -1
nova_rule['to_port'] = -1
else:
nova_rule['from_port'] = rule.get('port_range_min')
nova_rule['to_port'] = rule.get('port_range_max')
nova_rule['group_id'] = rule['remote_group_id']
nova_rule['cidr'] = parse_cidr(rule.get('remote_ip_prefix'))
return nova_rule
def get(context, id):
neutron = neutronapi.get_client(context)
try:
group = neutron.show_security_group(id).get('security_group')
return _convert_to_nova_security_group_format(group)
except n_exc.NeutronClientException as e:
if e.status_code == 404:
LOG.debug('Neutron security group %s not found', id)
raise exception.SecurityGroupNotFound(str(e))
else:
LOG.error("Neutron Error: %s", e)
raise e
def list(context, project, search_opts=None):
"""Returns list of security group rules owned by tenant."""
neutron = neutronapi.get_client(context)
params = {}
search_opts = search_opts if search_opts else {}
# NOTE(jeffrey4l): list all the security groups when following
# conditions are met
# * names and ids don't exist.
# * it is admin context and all_tenants exist in search_opts.
# * project is not specified.
list_all_tenants = (context.is_admin and
'all_tenants' in search_opts)
# NOTE(jeffrey4l): neutron doesn't have `all-tenants` concept.
# All the security group will be returned if the project/tenant
# id is not passed.
if not list_all_tenants:
params['tenant_id'] = project
try:
security_groups = neutron.list_security_groups(**params).get(
'security_groups')
except n_exc.NeutronClientException:
with excutils.save_and_reraise_exception():
LOG.exception("Neutron Error getting security groups")
converted_rules = []
for security_group in security_groups:
converted_rules.append(
_convert_to_nova_security_group_format(security_group))
return converted_rules
def destroy(context, security_group):
"""This function deletes a security group."""
neutron = neutronapi.get_client(context)
try:
neutron.delete_security_group(security_group['id'])
except n_exc.NeutronClientException as e:
if e.status_code == 404:
raise exception.SecurityGroupNotFound(str(e))
elif e.status_code == 409:
raise exception.Invalid(str(e))
else:
LOG.error("Neutron Error: %s", e)
raise e
def add_rules(context, id, name, vals):
"""Add security group rule(s) to security group.
Note: the Nova security group API doesn't support adding multiple
security group rules at once but the EC2 one does. Therefore,
this function is written to support both. Multiple rules are
installed to a security group in neutron using bulk support.
"""
neutron = neutronapi.get_client(context)
body = _make_neutron_security_group_rules_list(vals)
try:
rules = neutron.create_security_group_rule(
body).get('security_group_rules')
except n_exc.NeutronClientException as e:
if e.status_code == 404:
LOG.exception("Neutron Error getting security group %s", name)
raise exception.SecurityGroupNotFound(str(e))
elif e.status_code == 409:
LOG.exception("Neutron Error adding rules to security "
"group %s", name)
raise exception.SecurityGroupLimitExceeded(str(e))
elif e.status_code == 400:
LOG.exception("Neutron Error: %s", e)
raise exception.Invalid(str(e))
else:
raise e
converted_rules = []
for rule in rules:
converted_rules.append(
_convert_to_nova_security_group_rule_format(rule))
return converted_rules
def _make_neutron_security_group_dict(name, description):
return {'security_group': {'name': name,
'description': description}}
def _make_neutron_security_group_rules_list(rules):
new_rules = []
for rule in rules:
new_rule = {}
# nova only supports ingress rules so all rules are ingress.
new_rule['direction'] = "ingress"
new_rule['protocol'] = rule.get('protocol')
# FIXME(arosen) Nova does not expose ethertype on security group
# rules. Therefore, in the case of self referential rules we
# should probably assume they want to allow both IPv4 and IPv6.
# Unfortunately, this would require adding two rules in neutron.
# The reason we do not do this is because when the user using the
# nova api wants to remove the rule we'd have to have some way to
# know that we should delete both of these rules in neutron.
# For now, self referential rules only support IPv4.
if not rule.get('cidr'):
new_rule['ethertype'] = 'IPv4'
else:
version = netaddr.IPNetwork(rule.get('cidr')).version
new_rule['ethertype'] = 'IPv6' if version == 6 else 'IPv4'
new_rule['remote_ip_prefix'] = rule.get('cidr')
new_rule['security_group_id'] = rule.get('parent_group_id')
new_rule['remote_group_id'] = rule.get('group_id')
if 'from_port' in rule and rule['from_port'] != -1:
new_rule['port_range_min'] = rule['from_port']
if 'to_port' in rule and rule['to_port'] != -1:
new_rule['port_range_max'] = rule['to_port']
new_rules.append(new_rule)
return {'security_group_rules': new_rules}
def remove_rules(context, security_group, rule_ids):
neutron = neutronapi.get_client(context)
rule_ids = set(rule_ids)
try:
# The ec2 api allows one to delete multiple security group rules
# at once. Since there is no bulk delete for neutron the best
# thing we can do is delete the rules one by one and hope this
# works.... :/
for rule_id in range(0, len(rule_ids)):
neutron.delete_security_group_rule(rule_ids.pop())
except n_exc.NeutronClientException:
with excutils.save_and_reraise_exception():
LOG.exception("Neutron Error unable to delete %s", rule_ids)
def get_rule(context, id):
neutron = neutronapi.get_client(context)
try:
rule = neutron.show_security_group_rule(
id).get('security_group_rule')
except n_exc.NeutronClientException as e:
if e.status_code == 404:
LOG.debug("Neutron security group rule %s not found", id)
raise exception.SecurityGroupNotFound(str(e))
else:
LOG.error("Neutron Error: %s", e)
raise e
return _convert_to_nova_security_group_rule_format(rule)
def _get_ports_from_server_list(servers, neutron):
"""Returns a list of ports used by the servers."""
def _chunk_by_ids(servers, limit):
ids = []
for server in servers:
ids.append(server['id'])
if len(ids) >= limit:
yield ids
ids = []
if ids:
yield ids
# Note: Have to split the query up as the search criteria
# form part of the URL, which has a fixed max size
ports = []
for ids in _chunk_by_ids(servers, MAX_SEARCH_IDS):
search_opts = {'device_id': ids}
try:
ports.extend(neutron.list_ports(**search_opts).get('ports'))
except n_exc.PortNotFoundClient:
# There could be a race between deleting an instance and
# retrieving its port groups from Neutron. In this case
# PortNotFoundClient is raised and it can be safely ignored
LOG.debug("Port not found for device with id %s", ids)
return ports
def _get_secgroups_from_port_list(ports, neutron, fields=None):
"""Returns a dict of security groups keyed by their ids."""
def _chunk_by_ids(sg_ids, limit):
sg_id_list = []
for sg_id in sg_ids:
sg_id_list.append(sg_id)
if len(sg_id_list) >= limit:
yield sg_id_list
sg_id_list = []
if sg_id_list:
yield sg_id_list
# Find the set of unique SecGroup IDs to search for
sg_ids = set()
for port in ports:
sg_ids.update(port.get('security_groups', []))
# Note: Have to split the query up as the search criteria
# form part of the URL, which has a fixed max size
security_groups = {}
for sg_id_list in _chunk_by_ids(sg_ids, MAX_SEARCH_IDS):
sg_search_opts = {'id': sg_id_list}
if fields:
sg_search_opts['fields'] = fields
search_results = neutron.list_security_groups(**sg_search_opts)
for sg in search_results.get('security_groups'):
security_groups[sg['id']] = sg
return security_groups
def get_instances_security_groups_bindings(context, servers,
detailed=False):
"""Returns a dict(instance_id, [security_groups]) to allow obtaining
all of the instances and their security groups in one shot.
If detailed is False only the security group name is returned.
"""
neutron = neutronapi.get_client(context)
ports = _get_ports_from_server_list(servers, neutron)
# If detailed is True, we want all fields from the security groups
# including the potentially slow-to-join security_group_rules field.
# But if detailed is False, only get the id and name fields since
# that's all we'll use below.
fields = None if detailed else ['id', 'name']
security_groups = _get_secgroups_from_port_list(
ports, neutron, fields=fields)
instances_security_group_bindings = {}
for port in ports:
for port_sg_id in port.get('security_groups', []):
# Note: have to check we found port_sg as its possible
# the port has an SG that this user doesn't have access to
port_sg = security_groups.get(port_sg_id)
if port_sg:
if detailed:
sg_entry = _convert_to_nova_security_group_format(
port_sg)
instances_security_group_bindings.setdefault(
port['device_id'], []).append(sg_entry)
else:
# name is optional in neutron so if not specified
# return id
name = port_sg.get('name')
if not name:
name = port_sg.get('id')
sg_entry = {'name': name}
instances_security_group_bindings.setdefault(
port['device_id'], []).append(sg_entry)
return instances_security_group_bindings
def get_instance_security_groups(context, instance, detailed=False):
"""Returns the security groups that are associated with an instance.
If detailed is True then it also returns the full details of the
security groups associated with an instance, otherwise just the
security group name.
"""
servers = [{'id': instance.uuid}]
sg_bindings = get_instances_security_groups_bindings(
context, servers, detailed)
return sg_bindings.get(instance.uuid, [])
def _has_security_group_requirements(port):
port_security_enabled = port.get('port_security_enabled', True)
has_ip = port.get('fixed_ips')
deferred_ip = port.get('ip_allocation') == 'deferred'
if has_ip or deferred_ip:
return port_security_enabled
return False
def add_to_instance(context, instance, security_group_name):
"""Add security group to the instance."""
neutron = neutronapi.get_client(context)
try:
security_group_id = neutronv20.find_resourceid_by_name_or_id(
neutron, 'security_group',
security_group_name,
context.project_id)
except n_exc.NeutronClientNoUniqueMatch as e:
raise exception.NoUniqueMatch(str(e))
except n_exc.NeutronClientException as e:
if e.status_code == 404:
msg = (_("Security group %(name)s is not found for "
"project %(project)s") %
{'name': security_group_name,
'project': context.project_id})
raise exception.SecurityGroupNotFound(msg)
else:
raise e
params = {'device_id': instance.uuid}
try:
ports = neutron.list_ports(**params).get('ports')
except n_exc.NeutronClientException:
with excutils.save_and_reraise_exception():
LOG.exception("Neutron Error:")
if not ports:
msg = (_("instance_id %s could not be found as device id on"
" any ports") % instance.uuid)
raise exception.SecurityGroupNotFound(msg)
for port in ports:
if not _has_security_group_requirements(port):
LOG.warning("Cannot add security group %(name)s to "
"%(instance)s since the port %(port_id)s "
"does not meet security requirements",
{'name': security_group_name,
'instance': instance.uuid,
'port_id': port['id']})
raise exception.SecurityGroupCannotBeApplied()
if 'security_groups' not in port:
port['security_groups'] = []
port['security_groups'].append(security_group_id)
updated_port = {'security_groups': port['security_groups']}
try:
LOG.info("Adding security group %(security_group_id)s to "
"port %(port_id)s",
{'security_group_id': security_group_id,
'port_id': port['id']})
neutron.update_port(port['id'], {'port': updated_port})
except n_exc.NeutronClientException as e:
if e.status_code == 400:
raise exception.SecurityGroupCannotBeApplied(str(e))
else:
raise e
except Exception:
with excutils.save_and_reraise_exception():
LOG.exception("Neutron Error:")
def remove_from_instance(context, instance, security_group_name):
"""Remove the security group associated with the instance."""
neutron = neutronapi.get_client(context)
try:
security_group_id = neutronv20.find_resourceid_by_name_or_id(
neutron, 'security_group',
security_group_name,
context.project_id)
except n_exc.NeutronClientNoUniqueMatch as e:
raise exception.NoUniqueMatch(e)
except n_exc.NeutronClientException as e:
if e.status_code == 404:
msg = (_("Security group %(name)s is not found for "
"project %(project)s") %
{'name': security_group_name,
'project': context.project_id})
raise exception.SecurityGroupNotFound(msg)
else:
raise e
params = {'device_id': instance.uuid}
try:
ports = neutron.list_ports(**params).get('ports')
except n_exc.NeutronClientException:
with excutils.save_and_reraise_exception():
LOG.exception("Neutron Error:")
if not ports:
msg = (_("instance_id %s could not be found as device id on"
" any ports") % instance.uuid)
raise exception.SecurityGroupNotFound(msg)
found_security_group = False
for port in ports:
try:
port.get('security_groups', []).remove(security_group_id)
except ValueError:
# When removing a security group from an instance the security
# group should be on both ports since it was added this way if
# done through the nova api. In case it is not a 404 is only
# raised if the security group is not found on any of the
# ports on the instance.
continue
updated_port = {'security_groups': port['security_groups']}
try:
LOG.info("Removing security group %(security_group_id)s from "
"port %(port_id)s",
{'security_group_id': security_group_id,
'port_id': port['id']})
neutron.update_port(port['id'], {'port': updated_port})
found_security_group = True
except Exception:
with excutils.save_and_reraise_exception():
LOG.exception("Neutron Error:")
if not found_security_group:
msg = (_("Security group %(security_group_name)s not associated "
"with the instance %(instance)s") %
{'security_group_name': security_group_name,
'instance': instance.uuid})
raise exception.SecurityGroupNotFound(msg)
|
