
yahoo-eng-team team mailing list archive

[Bug 1050979] Re: "deleting" instances prevent security group deletion

 

I'm going to assume vish's bug fixes a bunch of this.

** Changed in: nova
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1050979

Title:
  "deleting" instances prevent security group deletion

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  After bug 938853 and bug 817872 were fixed, it's not possible to
  delete a security group if some instances are still using it.

  This can be problematic in case of compute host failures. If such a node
  goes down, instances will remain in the database. The only thing that
  the user can do is to schedule their deletion (task_state ->
  deleting). This will remove them once the compute service is available
  again, but until then security group removal will not work.

  I propose a change that should work for iptables-based deployments, but
  needs some review for other backends.

  It should be safe to drop the security group association when the instance is marked as "deleting". The host does not need knowledge of the specific group to clean up iptables, since every element related to the instance will be in its own chain. If the instance is scheduled for deletion it doesn't need (and may not be able) to receive notifications about other hosts in its security group.
  I can't see any reason to keep the instance <-> security group connection once deletion is scheduled.

  (This may be a separate class of bugs, rather than just a
  security-group-specific issue. Deleting other elements connected to an
  instance in "deleting" state could be verified.)
