yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1937084] Re: Nova thinks deleted volume is still attached

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1937084@xxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Nov 2021 09:50:44 -0000
Reply-to: Bug 1937084 <1937084@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Reviewed:  https://review.opendev.org/c/openstack/cinder/+/801913
Committed: https://opendev.org/openstack/cinder/commit/2ec2222841f6116707fe25bdcdae6ad6c2b9beb7
Submitter: "Zuul (22348)"
Branch:    master

commit 2ec2222841f6116707fe25bdcdae6ad6c2b9beb7
Author: Gorka Eguileor <geguileo@xxxxxxxxxx>
Date:   Wed Jul 21 15:20:38 2021 +0200

    Fix: Race between attachment and volume deletion
    
    There are cases where requests to delete an attachment made by Nova can
    race other third-party requests to delete the overall volume.
    
    This has been observed when running cinder-csi, where it first requests
    that Nova detaches a volume before itself requesting that the overall
    volume is deleted once it becomes `available`.
    
    This is a cinder race condition, and like most race conditions is not
    simple to explain.
    
    Some context on the issue:
    
    - Cinder API uses the volume "status" field as a locking mechanism to
      prevent concurrent request processing on the same volume.
    
    - Most cinder operations are asynchronous, so the API returns before the
      operation has been completed by the cinder-volume service, but the
      attachment operations such as creating/updating/deleting an attachment
      are synchronous, so the API only returns to the caller after the
      cinder-volume service has completed the operation.
    
    - Our current code **incorrectly** modifies the status of the volume
      both on the cinder-volume and the cinder-api services on the
      attachment delete operation.
    
    The actual set of events that leads to the issue reported in this bug
    are:
    
    [Cinder-CSI]
    - Requests Nova to detach volume (Request R1)
    
    [Nova]
    - R1: Asks cinder-api to delete the attachment and **waits**
    
    [Cinder-API]
    - R1: Checks the status of the volume
    - R1: Sends terminate connection request (R1) to cinder-volume and
      **waits**
    
    [Cinder-Volume]
    - R1: Ask the driver to terminate the connection
    - R1: The driver asks the backend to unmap and unexport the volume
    - R1: The last attachment is removed from the DB and the status of the
          volume is changed in the DB to "available"
    
    [Cinder-CSI]
    - Checks that there are no attachments in the volume and asks Cinder to
      delete it (Request R2)
    
    [Cinder-API]
    
    - R2: Check that the volume's status is valid. It doesn't have
      attachments and is available, so it can be deleted.
    - R2: Tell cinder-volume to delete the volume and return immediately.
    
    [Cinder-Volume]
    - R2: Volume is deleted and DB entry is deleted
    - R1: Finish the termination of the connection
    
    [Cinder-API]
    - R1: Now that cinder-volume has finished the termination the code
      continues
    - R1: Try to modify the volume in the DB
    - R1: DB layer raises VolumeNotFound since the volume has been deleted
      from the DB
    - R1: VolumeNotFound is converted to HTTP 404 status code which is
      returned to Nova
    
    [Nova]
    - R1: Cinder responds with 404 on the attachment delete request
    - R1: Nova leaves the volume as attached, since the attachment delete
      failed
    
    At this point the Cinder and Nova DBs are out of sync, because Nova
    thinks that the attachment is connected and Cinder has detached the
    volume and even deleted it.
    
    Hardening is also being done on the Nova side [2] to accept that the
    volume attachment may be gone.
    
    This patch fixes the issue mentioned above, but there is a request on
    Cinder-CSI [1] to use Nova as the source of truth regarding its
    attachments that, when implemented, would also fix the issue.
    
    [1]: https://github.com/kubernetes/cloud-provider-openstack/issues/1645
    [2]: https://review.opendev.org/q/topic:%2522bug/1937084%2522+project:openstack/nova
    
    Closes-Bug: #1937084
    Change-Id: Iaf149dadad5791e81a3c0efd089d0ee66a1a5614


** Changed in: cinder
       Status: In Progress => Fix Released

** Bug watch added: github.com/kubernetes/cloud-provider-openstack/issues #1645
   https://github.com/kubernetes/cloud-provider-openstack/issues/1645

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1937084

Title:
  Nova thinks deleted volume is still attached

Status in Cinder:
  Fix Released
Status in OpenStack Compute (nova):
  In Progress

Bug description:
  There are cases where a cinder volume no longer exists yet nova still
  thinks it is attached to an instance and we cannot detach it anymore.

  This has been observed when running cinder-csi, where it makes a
  volume delete request as soon as  the volume status says its
  available.

  This is a cinder race condition, and like most race conditions is not
  simple to explain.

  Some context on the issue:

  - Cinder API uses the volume "status" field as a locking mechanism to prevent concurrent request processing on the same volume.
  - Most cinder operations are asynchronous, so the API returns before the operation has been completed by the cinder-volume service, but the attachment operations such as creating/updating/deleting an attachment are synchronous, so the API only returns to the caller after the cinder-volume service has completed the operation.
  - Our current code **incorrectly** modifies the status of the volume both on the cinder-volume and the cinder-api services on the attachment delete operation.

  The actual set of events that leads to the issue reported in this BZ
  are:

  [Cinder-CSI]
  - Requests Nova to detach volume (Request R1)

  [Nova]
  - R1: Asks cinder-api to delete the attachment and **waits**

  [Cinder-API]
  - R1: Checks the status of the volume
  - R1: Sends terminate connection request (R1) to cinder-volume and **waits**

  [Cinder-Volume]
  - R1: Ask the driver to terminate the connection
  - R1: The driver asks the backend to unmap and unexport the volume
  - R1: The status of the volume is changed in the DB to "available"

  [Cinder-CSI]
  - Asks Cinder to delete the volume (Request R2)

  [Cinder-API]
  - R2: Check that the volume's status is valid.  It's available so it can be deleted.
  - R2: Tell cinder-volume to delete the volume and return immediately.

  [Cinder-Volume]
  - R2: Volume is deleted and DB entry is deleted
  - R1: Finish the termination of the connection

  [Cinder-API]
  - R1: Now that cinder-volume has finished the termination the code continues
  - R1: Try to modify the volume in the DB
  - R1: DB layer raises VolumeNotFound since the volume has been deleted from the DB
  - R1: VolumeNotFound is converted to HTTP 404 status code which is returned to Nova

  [Nova]
  - R1: Cinder responds with 404 on the attachment delete request
  - R1: Nova leaves the volume as attached, since the attachment delete failed

  At this point the Cinder and Nova DBs are out of sync, because Nova
  thinks that the attachment is connected and Cinder has detached the
  volume and even deleted it.

  **This is caused by a Cinder bug**, but there is some robustification
  work that could be done in Nova, since the volume could be left in a
  "detached from instance" state (since the os-brick call succeeded),
  and a second detach request could directly skip the os-brick call and
  when it sees that the volume or the attachment no longer exists in
  Cinder it can proceed to remove it from the instance's XML.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1937084/+subscriptions