yahoo-eng-team team mailing list archive

[Bug 1945310] Re: Live migration and interface detach with non admin user is broken for Servers with port having resource request

 

Reviewed:  https://review.opendev.org/c/openstack/nova/+/811396
Committed: https://opendev.org/openstack/nova/commit/49b481ec98087351ce1366d3afb9f4a79cd16ae3
Submitter: "Zuul (22348)"
Branch:    master

commit 49b481ec98087351ce1366d3afb9f4a79cd16ae3
Author: Balazs Gibizer <balazs.gibizer@xxxxxxxx>
Date:   Tue Sep 28 12:53:08 2021 +0200

    Query ports with admin client to get resource_request
    
    The port.resource_request field is admin only. Nova depends on the
    value of this field to do a proper scheduling and resource allocation
    and deallocation for ports with resource request as well as to update
    the port.binding:profile.allocation field with the resource providers
    the requested resources are fulfilled from. However in some cases nova
    does not use a neutron admin client / elevated context to read the
    port. In this case neutron returns None for the port.resource_request
    field and nova thinks that the port has no resource request.
    
    This patch fixes all three places where previous testing showed that
    context elevation was missing.
    
    Change-Id: Icb35e20179572fb713a397b4605312cf3294b41b
    Closes-Bug: #1945310


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1945310

Title:
  Live migration and interface detach with non admin user is broken for
  Servers with port having resource request

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  The port.resource_request field is admin only. Nova depends on the
  value of this field to do a proper scheduling and resource allocation
  / deallocation for such ports as well as to update the
  port.binding:profile.allocation field with the resource providers the
  requested resources are fulfilled from. However in some cases[1][2][3]
  nova does not use a neutron admin client / elevated context to read
  the port. In this case neutron returns None for the
  port.resource_request field and nova thinks that the port has no
  resource request.

  This leads to the following bad behavior if the operation is called by a non admin user:
  * in case of live migration the resource allocation is correct but the port.binding:profile.allocation values still point to the resource providers on the old compute. This could lead to port binding failure.

  * in case of interface detach operation the port is detached
  successfully but the resource allocation for the port is leaked in
  placement until the whole server is deleted.

  * in case of interface attach in a system where old (pre Xena)
  computes are present the interface attach is accepted even if the old
  compute cannot handle the attach of such port properly.

  I will push a set of reproduction tests soon.

  
  [1] https://github.com/openstack/nova/blob/e07bb310b674fb471a92edf3258e564f05534595/nova/network/neutron.py#L1049
  [2] https://github.com/openstack/nova/blob/e07bb310b674fb471a92edf3258e564f05534595/nova/network/neutron.py#L1727
  [3] https://github.com/openstack/nova/blob/e07bb310b674fb471a92edf3258e564f05534595/nova/compute/api.py#L5144

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1945310/+subscriptions
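
The failure mode described in the bug report, as an added example that is not part of the original message and is not nova or neutron code: a toy model in which a port read without an elevated context returns None for resource_request, so the detach path skips freeing the allocation. All class and function names (Context, FakeNeutron, detach_interface) and the sample data are constructed for illustration.

```python
# Toy model of the failure mode in this bug. Hypothetical names throughout;
# this is not nova, neutron or placement code.
from dataclasses import dataclass, replace

ADMIN_ONLY_FIELDS = ("resource_request",)  # admin only, per the bug description


@dataclass(frozen=True)
class Context:
    user: str
    is_admin: bool = False

    def elevated(self):
        # Same request identity, admin rights for the backend call only.
        return replace(self, is_admin=True)


class FakeNeutron:
    def __init__(self, ports):
        self._ports = ports

    def show_port(self, context, port_id):
        port = dict(self._ports[port_id])
        if not context.is_admin:
            # The field is filtered silently: None, not an authorization error.
            for name in ADMIN_ONLY_FIELDS:
                port[name] = None
        return port


def detach_interface(context, neutron, allocations, port_id, elevate):
    """Detach a port; return the allocations still held afterwards."""
    read_ctx = context.elevated() if elevate else context
    port = neutron.show_port(read_ctx, port_id)
    remaining = dict(allocations)
    if port["resource_request"] is not None:
        remaining.pop(port_id, None)  # free the port's resources
    # If resource_request read as None, nothing is freed: the leak.
    return remaining


def demo():
    # Constructed sample data.
    ports = {"port-1": {"id": "port-1", "resource_request": {
        "resources": {"NET_BW_EGR_KILOBIT_PER_SEC": 1000}}}}
    allocations = {"port-1": {"NET_BW_EGR_KILOBIT_PER_SEC": 1000}}
    user = Context(user="alice")
    neutron = FakeNeutron(ports)
    leaked = detach_interface(user, neutron, allocations, "port-1", elevate=False)
    fixed = detach_interface(user, neutron, allocations, "port-1", elevate=True)
    return leaked, fixed
```

Because the filtered read produces no error, the non-elevated path looks successful to the caller; only the leftover allocation shows that something went wrong.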


