OpenStack Heat

Nested stacks can be used to create billions of resources

Bug #1215100 reported by Clint Byrum on 2013-08-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Fix Released	High	Clint Byrum	OpenStack Heat 2013.2 "havana"

Bug Description

Even once bug #1214239 is fixed, 3 levels of nesting a 10000 stack-stack could produce 1 trillion resources. Even if template sizes are limited to 256kB, that will allow 2500 stacks per nested stack, so 15 billion+ nested stacks.

We should impose a limit on the numer of resources per top level stack. I think 10000 would be a reasonable number and allow extremely complicated stacks to be deployed.

Steven Hardy (shardy) on 2013-08-28

Changed in heat:
milestone:	none → havana-rc1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-08-29: Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/44227

Changed in heat:
assignee:	nobody → Clint Byrum (clint-fewbar)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-08-29:

Fix proposed to branch: master
Review: https://review.openstack.org/44228

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-05:

Fix proposed to branch: master
Review: https://review.openstack.org/45343

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-06:

Fix proposed to branch: master
Review: https://review.openstack.org/45366

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-06:

Fix proposed to branch: master
Review: https://review.openstack.org/45462

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-16: Fix merged to heat (master)

Reviewed: https://review.openstack.org/44227
Committed: http://github.com/openstack/heat/commit/8f528704e154c9927c7f2bcd6bc25ea3fb100ae4
Submitter: Jenkins
Branch: master

commit 8f528704e154c9927c7f2bcd6bc25ea3fb100ae4
Author: Clint Byrum <email address hidden>
Date: Thu Sep 5 15:02:32 2013 -0700

Add methods to help calculate a stack's resources

    In order to limit a stack's size in future changes, we need to know
    how many resources are already in the stack. We also need to be able
    to find the root stack object of a nested stack.

Change-Id: Ib848bcd2e10d02dffc30dce45a2675a9f718fa7d
Related-Bug: #1215100

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-20:

Reviewed: https://review.openstack.org/44228
Committed: http://github.com/openstack/heat/commit/ecf3954d2320fc79797d83873805168b8c837a8a
Submitter: Jenkins
Branch: master

commit ecf3954d2320fc79797d83873805168b8c837a8a
Author: Clint Byrum <email address hidden>
Date: Thu Sep 5 15:07:47 2013 -0700

Provide config option to limit resources per stack

    This provides an upper bounds on the number of resources a root level
    stack can contain. The limitation is only applied to the engine creation
    point so that existing stacks that are over the limit in the database
    will not cause problems. Nested stacks will be addressed in a follow-up
    patch.

Partial-Bug: #1215100
Change-Id: I1adcb22cf9bd5750b4ae3f219dd3264d1d02c1fc

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-20:

Reviewed: https://review.openstack.org/45343
Committed: http://github.com/openstack/heat/commit/ee154544a23ad61318b38b2cebc2cfef60e20b00
Submitter: Jenkins
Branch: master

commit ee154544a23ad61318b38b2cebc2cfef60e20b00
Author: Clint Byrum <email address hidden>
Date: Thu Sep 5 15:10:16 2013 -0700

Limit resources per stack in nested stacks

    In an earlier patch, the root stack creation was limited by the
    max_resources_per_stack config setting. Now we need to apply the same
    limit for nested stacks.

Change-Id: I2f871a5d5f4c51dd9cd7c93e94f8b0c8d87fa069
Partial-Bug: #1215100

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-22:

Reviewed: https://review.openstack.org/45366
Committed: http://github.com/openstack/heat/commit/89bb14f49996c7a2bfe76d0067c46823be77b675
Submitter: Jenkins
Branch: master

commit 89bb14f49996c7a2bfe76d0067c46823be77b675
Author: Clint Byrum <email address hidden>
Date: Thu Sep 5 20:00:56 2013 -0700

Stop stack updates from exceeding resource limit

    Previous patches raise an error when a newly created stack would exceed
    the limit. This one applies the same logic during an update. Note that
    nested stack updates will be handled in another patch.

Change-Id: Ic5d32501f582640cb77629b902c32c8cb9c20b42
Partial-Bug: #1215100

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-09-25:

#10

Reviewed: https://review.openstack.org/45462
Committed: http://github.com/openstack/heat/commit/f2ade590075138d524b14a2a909907ea01f346cd
Submitter: Jenkins
Branch: master

commit f2ade590075138d524b14a2a909907ea01f346cd
Author: Clint Byrum <email address hidden>
Date: Fri Sep 6 09:30:44 2013 -0700

Stop nested stack updates exceeding resource limit

This is the final way for a user to exceed the max_resources_per_stack
configuration value.

Fixes bug #1215100

Change-Id: I5e0f86c1ad6d74c2fcb3aa2de1028ec93b3e2dd6

Changed in heat:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2013-10-03

Changed in heat:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-10-17

Changed in heat:
milestone:	havana-rc1 → 2013.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.