OpenStack Compute (nova)

Quota reservation not rolled back if security group create fails

Bug #1043765 reported by Mark McLoughlin
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Medium
Mark McLoughlin
OpenStack Compute (nova) 2012.2 "folsom"

Bug Description

In SecurityGroupAPI.create() we do the following (simplified):

        reservations = QUOTAS.reserve(context, security_groups=1)

        if self.db.security_group_exists(context, context.project_id, name):
            msg = _('Security group %s already exists') % name
            self.raise_group_already_exists(msg)

 try:
            self.db.security_group_create(context, group)
            QUOTAS.commit(context, reservations)
 except Exception:
            with excutils.save_and_reraise_exception():
                QUOTAS.rollback(context, reservations)

the problem is obvious, if you do:

  $> nova secgroup-create foo bar
  $> nova secgroup-create foo bar

the second one fails with:

  ERROR: Security group foo already exists (HTTP 400)

if you keep repeating it you get:

  ERROR: SecurityGroupLimitExceeded: Quota exceeded, too many security groups.

and, by default, you have to wait a day for the leaked reservations to expire.

Tags: quotas
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/12264

Changed in nova:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/12264
Committed: http://github.com/openstack/nova/commit/2525afadd3475143040e6a4fe4021dc911a3f159
Submitter: Jenkins
Branch: master

commit 2525afadd3475143040e6a4fe4021dc911a3f159
Author: Mark McLoughlin <email address hidden>
Date: Fri Aug 31 16:49:06 2012 +0100

    Avoid leaking security group quota reservations

    Fixes bug #1043765

    If you attempt to create a security group where one already exists using
    that name, a security groups quota reservation is leaked. Fix by
    ensuring the reservation is rolled back in all failure cases.

    Add a check to the tests to ensure that a reservation isn't leaked in
    any of our sad path tests for security group creation.

    Change-Id: I22d6e4a0452d3ac7a23056b0a4aee6f7dd135e30

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-rc1 → 2012.2
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.