yahoo-eng-team team mailing list archive

[Bug 1774205] Re: AggregateMultiTenancyIsolation uses wrong tenant_id during cold migrate

Reviewed:  https://review.openstack.org/571245
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8c216608194c89d281e8d2b66abd1e50e2405b01
Submitter: Zuul
Branch:    master

commit 8c216608194c89d281e8d2b66abd1e50e2405b01
Author: Matt Riedemann <mriedem.os@xxxxxxxxx>
Date:   Wed May 30 12:07:53 2018 -0400

    Use instance project/user when creating RequestSpec during resize reschedule
    
    When rescheduling from a failed cold migrate / resize, the compute
    service does not pass the request spec back to conductor so we
    create one based on the in-scope variables.
    
    This introduces a problem for some scheduler filters like the
    AggregateMultiTenancyIsolation filter since it will create the
    RequestSpec using the project and user information from the current
    context, which for a cold migrate is the admin and might not be
    the owner of the instance (which could be in some other project).
    So the AggregateMultiTenancyIsolation filter might reject the
    request or select a host that fits an aggregate for the admin but
    not the end user.
    
    This fixes the problem by using the instance project/user information
    when constructing the RequestSpec which will take priority over
    the context in RequestSpec.from_components().
    
    Long-term we need the compute service to pass the request spec back
    to the conductor during a reschedule, but we do this first since we
    can backport it.
    
    Change-Id: Iaaf7f68d6874fd5d6e737e7d2bc589ea4a048fee
    Closes-Bug: #1774205


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1774205

Title:
  AggregateMultiTenancyIsolation uses wrong tenant_id during cold
  migrate

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) ocata series:
  Triaged
Status in OpenStack Compute (nova) pike series:
  New
Status in OpenStack Compute (nova) queens series:
  New

Bug description:
  The details are in this mailing list thread:

  http://lists.openstack.org/pipermail/openstack-operators/2018-May/015347.html

  But essentially the case is:

  * There are 3 compute hosts.
  * compute1 and compute2 are in a host aggregate and a given tenant is restricted to that aggregate
  * The user creates a server on compute1
  * The admin attempts to cold migrate the server which fails in the AggregateMultiTenancyIsolation filter because it says the tenant_id in the request is not part of the matching host aggregate.

  The reason is because the cold migrate task in the conductor replaces
  the original request spec, which had the instance project_id in it,
  and uses the current context, which is the admin (which could be in a
  different project):

  https://github.com/openstack/nova/blob/stable/ocata/nova/conductor/tasks/migrate.py#L50

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1774205/+subscriptions
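
The scenario from the bug description and commit message above, as an added example that is not nova's code: a simplified model of a tenant-isolation host check, run once with a request spec built from the admin's context and once with one built from the instance owner. The class and function names, the tenant and user names, and compute3 being isolated for the admin's project are assumptions made for illustration.

```python
# Simplified model of the tenant-isolation check; not nova's implementation.
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    # Union of filter_tenant_id values from the host's aggregates.
    # An empty set means the host is not restricted to any tenant.
    allowed_tenants: set = field(default_factory=set)

@dataclass
class Context:  # hypothetical stand-in for the API request context
    project_id: str
    user_id: str

@dataclass
class Instance:  # hypothetical stand-in for the server being migrated
    project_id: str
    user_id: str
    host: str

def build_request_spec(context, instance, use_instance_owner):
    """Build the spec that is recreated during a resize reschedule."""
    owner = instance if use_instance_owner else context
    return {"project_id": owner.project_id, "user_id": owner.user_id}

def tenant_isolation_passes(host, spec):
    """Pass unrestricted hosts and restricted hosts that list the tenant."""
    return not host.allowed_tenants or spec["project_id"] in host.allowed_tenants

def candidate_hosts(hosts, instance, spec):
    """Hosts other than the source that pass the isolation check."""
    return [h.name for h in hosts
            if h.name != instance.host and tenant_isolation_passes(h, spec)]

# Constructed sample data: compute1/compute2 isolated for "tenant-a" as in the
# bug report; compute3 isolated for the admin's project is an assumption.
HOSTS = [Host("compute1", {"tenant-a"}), Host("compute2", {"tenant-a"}),
         Host("compute3", {"admin-project"})]
SERVER = Instance(project_id="tenant-a", user_id="alice", host="compute1")
ADMIN = Context(project_id="admin-project", user_id="admin")

if __name__ == "__main__":
    for fixed in (False, True):
        spec = build_request_spec(ADMIN, SERVER, use_instance_owner=fixed)
        print("instance owner" if fixed else "admin context",
              spec["project_id"], candidate_hosts(HOSTS, SERVER, spec))
```

With the admin's project in the spec, the only candidate is the host reserved for the admin's tenant; with the instance's project, the server stays inside its own aggregate.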

