OpenStack Compute (nova)

memcache client race

Bug #1291637 reported by Peter Feiner
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Invalid
Undecided
Unassigned
OpenStack Identity (keystone)
Expired
Undecided
Unassigned

Bug Description

Nova uses thread-unsafe memcache client objects in multiple threads. For instance, nova-api's metadata WSGI server uses the same nova.api.metadata.handler.MetadataRequestHandler._cache object for every request. A memcache client object is thread unsafe because it has a single open socket connection to memcached. Thus the multiple threads will read from & write to the same socket fd.

Keystoneclient has the same bug. See https://bugs.launchpad.net/python-keystoneclient/+bug/1289074 for a patch to fix the problem.

Tags: api
Tracy Jones (tjones-i)
tags: added: api
Changed in nova:
milestone: none → icehouse-rc1
Revision history for this message
Dan Smith (danms) wrote :

Have you seen this actually happen in nova or are you assuming the same problem exists? Do you have a traceback equivalent to the keystone one for nova?

Revision history for this message
Peter Feiner (pete5) wrote : Re: [Bug 1291637] Re: memcache client race

Hi Dan,

I can't recall if I actually saw it in nova. I don't have a stack trace.

Peter

On Wed, Mar 19, 2014 at 12:56 PM, Dan Smith <email address hidden> wrote:
> Have you seen this actually happen in nova or are you assuming the same
> problem exists? Do you have a traceback equivalent to the keystone one
> for nova?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1291637
>
> Title:
> memcache client race
>
> Status in OpenStack Identity (Keystone):
> New
> Status in OpenStack Compute (Nova):
> New
>
> Bug description:
> Nova uses thread-unsafe memcache client objects in multiple threads.
> For instance, nova-api's metadata WSGI server uses the same
> nova.api.metadata.handler.MetadataRequestHandler._cache object for
> every request. A memcache client object is thread unsafe because it
> has a single open socket connection to memcached. Thus the multiple
> threads will read from & write to the same socket fd.
>
> Keystoneclient has the same bug. See https://bugs.launchpad.net
> /python-keystoneclient/+bug/1289074 for a patch to fix the problem.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1291637/+subscriptions

Revision history for this message
Tracy Jones (tjones-i) wrote :

well then i think we'll remove it from rc1 as we need more info here.

Changed in nova:
status: New → Incomplete
milestone: icehouse-rc1 → none
tags: added: icehouse-rc-potential
Revision history for this message
Thierry Carrez (ttx) wrote :

Is there anything more to fix in keystone than was just fixed ?

Changed in keystone:
status: New → Incomplete
Revision history for this message
Andres Lagar-Cavilla (andreslc-x) wrote :

You have a cross-linked bug (with stack traces!) which has been deemed of critical importance and linked to a CVE security vulnerability.

You are reusing *identical* code.

You choose to ignore the risk because there is no stack trace.

(mindblown)

Revision history for this message
Dolph Mathews (dolph) wrote :

Admittedly I didn't look too deeply into this on nova's side, but it appears that nova would not be affected due to nova's implicit monkey patching of thread:

  https://github.com/openstack/nova/blob/0861fc2d22ae40b82dfe6fc0469db84339464923/nova/cmd/__init__.py

Similar to nova, keystone only avoids monkey patching thread for debugging purposes.

If there's a way to reproduce an issue here, I'm not aware of it. Please enlighten us!

Thierry Carrez (ttx)
tags: removed: icehouse-rc-potential
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired
Joe Gordon (jogo)
Changed in nova:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.