yahoo-eng-team team mailing list archive
Message #21433
[Bug 1050979] Re: "deleting" instances prevent security group deletion
I'm going to assume vish's bug fixes a bunch of this.
** Changed in: nova
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1050979
Title:
"deleting" instances prevent security group deletion
Status in OpenStack Compute (Nova):
Invalid
Bug description:
After bug 938853 and bug 817872 were fixed, it's not possible to
delete a security group if some instances are still using it.
This can be problematic in case of compute host failures. If such a node
goes down, instances will remain in the database. The only thing that
the user can do is to schedule their deletion (task_state ->
deleting). This will remove them once the compute service is available
again, but until then security group removal will not work.
I propose a change that should work for iptables-based deployments, but
needs some review for other backends.
It should be safe to drop the security group association when the instance is marked as "deleting". The host does not need knowledge of the specific group to clean up iptables, since every element related to the instance will be in its own chain. If the instance is scheduled for deletion it doesn't need (and may not be able) to receive notifications about other hosts in its security group.
I can't see any reason to keep the instance <-> security group connection once deletion is scheduled.
(This may be a separate class of bugs, rather than just a
security-group-specific issue. Deleting other elements connected to an
instance in the "deleting" state could be verified.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1050979/+subscriptions
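
A toy in-memory model of the behaviour described in the bug report, added here as an illustration; it is not nova code, and every class, method and chain name in it is hypothetical. It shows group deletion blocked by an instance stuck in "deleting" on a down host, the proposed dropping of the association, and host-side cleanup that needs only the instance id.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Instance:
    uuid: str
    task_state: Optional[str] = None        # "deleting" once deletion is scheduled
    groups: set = field(default_factory=set)


class GroupInUse(Exception):
    pass


class Model:
    def __init__(self):
        self.instances = {}   # database rows
        self.chains = {}      # host firewall: one chain per instance (assumed layout)

    def boot(self, uuid, group):
        self.instances[uuid] = Instance(uuid, groups={group})
        self.chains[f"inst-{uuid}"] = [f"rules expanded from {group}"]

    def schedule_delete(self, uuid, drop_association):
        inst = self.instances[uuid]
        inst.task_state = "deleting"
        if drop_association:                # the change proposed in the report
            inst.groups.clear()

    def delete_group(self, group):
        users = [i.uuid for i in self.instances.values() if group in i.groups]
        if users:
            raise GroupInUse(f"{group} still used by {users}")

    def host_cleanup(self, uuid):
        # Runs when the compute host is back: keyed by instance id only,
        # so it works whether or not the group association still exists.
        self.chains.pop(f"inst-{uuid}", None)
        del self.instances[uuid]


def try_delete_group(drop_association):
    m = Model()
    m.boot("a1", "web")                       # constructed sample data
    m.schedule_delete("a1", drop_association)  # host is down, row stays
    try:
        m.delete_group("web")
        deleted = True
    except GroupInUse:
        deleted = False
    m.host_cleanup("a1")                      # host comes back later
    return deleted, m.chains
```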