Cinder

Unexpected cinder volumes export occurs after restarting cinder-volume

Bug #1381106 reported by Mitsuhiro Tanino on 2014-10-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Critical	Mitsuhiro Tanino	Cinder 2014.2 "juno"

Bug Description

When I restarted cinder-volume service, I noticed that all cinder volumes which use LVMISCSIDriver are exported via tgtd unexpectedly.
If the volumes are attached to nova instances, they should be exported via tgtd after restarting cinder-volume.
But the volumes which are not attached to instances must not be exported;
(a) Everyone can connect these volumes because the volumes are exported via tgtd
    without user and password authentication.
(b) Exported volume(LVMiSCSI) via tgtd can't delete from 'cinder delete'
    because the LV is locked by tgtd, therefore lvremove fails to
    delete target LV. This makes volume status as a deleting error.

Here is my cinder.conf and some logs.
http://paste.openstack.org/show/121028/

I think this is a patch of the root cause for this problem.
Originally, ensure_export() was only called if the volume status was 'in-use'.
This means that if a volume was attached to an instance, the volume was exported after restarting cinder-volume service.

However, after applying this patch, ensure_export() is called if the volume is 'available' status.
Despite the volume is not attached to specific instance but the volume is exported to outside.
This is wrong behavior.

In my understanding. ensure_export() must be called only the volume status is 'in-use'.

Commit
=========================================
commit ffefe18334a9456250e1b6ff88b7b47fb366f374
Author: Zhiteng Huang <email address hidden>
Date: Sat Aug 23 18:32:57 2014 +0000

-------
             for volume in volumes:
- if volume['status'] in ['in-use']:
+ # available volume should also be counted into allocated
+ if volume['status'] in ['in-use', 'available']:
                     # calculate allocated capacity for driver
- sum += volume['size']
- self.stats['allocated_capacity_gb'] = sum
+ self._count_allocated_capacity(ctxt, volume)
+
                     try:
                         self.driver.ensure_export(ctxt, volume)
                     except Exception as export_ex:
-------

See original description

Mitsuhiro Tanino (mitsuhiro-tanino) on 2014-10-14

Changed in cinder:
assignee:	nobody → Mitsuhiro Tanino (mitsuhiro-tanino)
summary:	- Unexpected cinder volumes export occur after restarting cinder-volume + Unexpected cinder volumes export occurs after restarting cinder-volume
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-14: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/128437

Changed in cinder:
status:	New → In Progress

Revision history for this message

Eric Harney (eharney) wrote on 2014-10-14:

Possible security implications due to tgtd ACL misconfiguration...

Changed in cinder:
importance:	Undecided → Critical

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-14: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/128437
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=e2f28b967910625432be0eab6a851adf53ac58ea
Submitter: Jenkins
Branch: master

commit e2f28b967910625432be0eab6a851adf53ac58ea
Author: Mitsuhiro Tanino <email address hidden>
Date: Tue Oct 14 12:41:41 2014 -0400

Export cinder volumes only if the status is 'in-use'

    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.

      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <email address hidden>
      Date: Sat Aug 23 18:32:57 2014 +0000

    If the volumes are attached to nova instances, they should be exported
    via tgtd after restarting cinder-volume.
    But the volumes which are not attached to instances must not be exported
    because everyone can connect these volumes.

This patch changes volume export behavior that exports a volume only if
the volume status is 'in-use'.

    Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
    Signed-off-by: Mitsuhiro Tanino <email address hidden>
    Closes-bug: #1381106

Changed in cinder:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-14: Fix proposed to cinder (proposed/juno)

Fix proposed to branch: proposed/juno
Review: https://review.openstack.org/128483

John Griffith (john-griffith) on 2014-10-14

Changed in cinder:
milestone:	none → juno-rc3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-15: Fix merged to cinder (proposed/juno)

Reviewed: https://review.openstack.org/128483
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=f7ee62cc58d8b642af67510a310f6259492a4508
Submitter: Jenkins
Branch: proposed/juno

commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <email address hidden>
Date: Tue Oct 14 12:41:41 2014 -0400

Export cinder volumes only if the status is 'in-use'

    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.

      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <email address hidden>
      Date: Sat Aug 23 18:32:57 2014 +0000

This patch changes volume export behavior that exports a volume only if
the volume status is 'in-use'.

    Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
    Signed-off-by: Mitsuhiro Tanino <email address hidden>
    Closes-bug: #1381106
    (cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea)

Changed in cinder:
status:	Fix Committed → Fix Released

Mitsuhiro Tanino (mitsuhiro-tanino) on 2014-10-15

description:	updated
description:	updated
description:	updated

Thierry Carrez (ttx) on 2014-10-16

Changed in cinder:
milestone:	juno-rc3 → 2014.2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-16: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/128920

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-25: Change abandoned on cinder (master)

Change abandoned by Mike Perez (<email address hidden>) on branch: master
Review: https://review.openstack.org/128920

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to cinder (master)

Download full text (11.8 KiB)

Reviewed: https://review.openstack.org/128920
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e
Submitter: Jenkins
Branch: master

commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <email address hidden>
Date: Tue Oct 14 19:09:44 2014 -0400

Fix LVM iSCSI driver tgtadm CHAP authentication

    Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
    This is because the tgtadm helper creates the target configuration file
    with an 'IncomingUser' entry, which is ignored by tgtd.
    This patch fixes it to 'incominguser'.

    Change-Id: I14871985a2a916834122f849238f05b75726bc1a
    Closes-Bug: #1329214
    (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)

commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <email address hidden>
Date: Tue Oct 14 12:41:41 2014 -0400

Export cinder volumes only if the status is 'in-use'

    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.

      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <email address hidden>
      Date: Sat Aug 23 18:32:57 2014 +0000

This patch changes volume export behavior that exports a volume only if
the volume status is 'in-use'.

commit 01e7c516852e53df661b2eedc970c327c1ff10ce
Author: Vipin Balachandran <email address hidden>
Date: Fri Oct 10 23:06:27 2014 +0530

Revert "Relocate volume to compliant datastore"

    Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression
    which causes failures during cinder volume re-attach. This patch reverts
    commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix.

    Closes-Bug: #1379830
    Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357
    (cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919)

commit 900d49723f65e87658381ff955559f54ac98c487
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:25:28 2014 +0200

Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_files cinder

Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884

commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966
Author: Navneet Singh <email address hidden>
Date: Thu Aug 28 16:03:41 2014 +0530

NetApp fix eseries unit test mock clean

...

Reviewed:  https://review.openstack.org/128920
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e
Submitter: Jenkins
Branch:    master

commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
Date:   Tue Oct 14 19:09:44 2014 -0400

Fix LVM iSCSI driver tgtadm CHAP authentication
    
    Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
    This is because the tgtadm helper creates the target configuration file
    with an 'IncomingUser' entry, which is ignored by tgtd.
    This patch fixes it to 'incominguser'.
    
    Change-Id: I14871985a2a916834122f849238f05b75726bc1a
    Closes-Bug: #1329214
    (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)

commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <mitsuhiro.tanino@hds.com>
Date:   Tue Oct 14 12:41:41 2014 -0400

Export cinder volumes only if the status is 'in-use'
    
    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.
    
      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <zhithuang@ebaysf.com>
      Date: Sat Aug 23 18:32:57 2014 +0000
    
    If the volumes are attached to nova instances, they should be exported
    via tgtd after restarting cinder-volume.
    But the volumes which are not attached to instances must not be exported
    because everyone can connect these volumes.
    
    This patch changes volume export behavior that exports a volume only if
    the volume status is 'in-use'.
    
    Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
    Signed-off-by: Mitsuhiro Tanino <mitsuhiro.tanino@hds.com>
    Closes-bug: #1381106
    (cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea)

commit 01e7c516852e53df661b2eedc970c327c1ff10ce
Author: Vipin Balachandran <vbala@vmware.com>
Date:   Fri Oct 10 23:06:27 2014 +0530

Revert "Relocate volume to compliant datastore"
    
    Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression
    which causes failures during cinder volume re-attach. This patch reverts
    commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix.
    
    Closes-Bug: #1379830
    Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357
    (cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919)

commit 900d49723f65e87658381ff955559f54ac98c487
Author: Andreas Jaeger <aj@suse.de>
Date:   Thu Oct 9 12:25:28 2014 +0200

Updated translations
    
    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_files cinder
    
    Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884

commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966
Author: Navneet Singh <singn@netapp.com>
Date:   Thu Aug 28 16:03:41 2014 +0530

NetApp fix eseries unit test mock clean
    
    This patch fixes the issue of mock not getting
    cleaned for requests in unit tests.
    
    Closes-Bug: #1353506
    
    Change-Id: Iab401021d7f180ff1f2bf3ed79166699112cc367
    (cherry picked from commit 140956515327494a53de6ad09c35690624248f0a)

commit aaecfcf15e6b9defde5822453f2ae97aaf959408
Author: John Griffith <john.griffith8@gmail.com>
Date:   Tue Oct 7 11:49:58 2014 -0600

Make sure device support Direct before setting
    
    We added '-t none' option to the qemu-img convert operation
    in image_utils.py a while back to accomodate a couple of
    backend devices that didn't flush writes on disconnect.
    (Change: I7a04f683add8c23b9125fe837c4048ccc3ac224d)
    
    The only problem here is that some backend devices don't
    support Direct mode and raise an exception and fail when
    setting this option.
    
    This patch adds a simple check using dd to see if the dest
    supports the Direct flag and only sets '-t none' if the device
    does in fact support it.
    
    Additionally it was brought up that even yet other backends
    are using file devices not blk devices.  In their case setting
    Direct will still work, however it's sub-optimal as qemu-convert
    has internal mechanisms to make sure flushing etc are done
    correctly and efficiently for those devices.  So to accomodate
    that particular use case I'm also adding a check if blk dev
    that can be used for determining whether to set Direct for the
    qemu-convert process.
    
    Change-Id: I34127ac373ceadcfb6fc2662628b1a91eb7b0046
    Closes-Bug: 1375487
    (cherry picked from commit c42273fbc1983b146180c82b8a34b0d832a6f431)

commit a8cec39f8243fd4ee6c0a16fc0620d4b0980c749
Author: Juan Zuluaga <juan.c.zuluaga@oracle.com>
Date:   Wed Sep 24 18:51:07 2014 -0400

ZFSSA iSCSI vol create fails with vol type option
    
    Vol create with volume-type option is not working since
    volume_backend_name contains the class name as
    predefined string. No matter what was specified in cinder.conf
    as volume_backend_name, volume creation failed.
    Multi-backend option and using extra specs to create custom volumes
    won't work.
    The fix is to look whether volume_backend_name is part of the
    configuration or falls into the class name in case there is
    no backend name.
    
    Closes-Bug: 1373621
    DocImpact
    
    (cherry picked from commit 5c61d57d3693523e9cbf11bf0b5b09bafe699247)
    
    Change-Id: I1bc501dd4c5689d96c7beb720b64112df1770232

commit 04cd35fd88768ec0f5d23619cec2df4981ee7d8c
Author: Sean McGinnis <sean_mcginnis@dell.com>
Date:   Fri Sep 26 15:21:35 2014 -0500

Handle eqlx SSH connection close on abort.
    
    EqualLogic array CLI operation timeout causes the
    SSH thread to be aborted. This would cause SSH
    sessions to be orphaned and hit a max connection
    limit on the array. This fix catches these aborts
    and makes sure the connection is closed.
    
    Change-Id: I9392fd5dd79eb44f252bf50217f17cc473e6f2f0
    Closes-Bug: 1374613
    (cherry picked from commit 5cb23b67c53437fc51a6b37acac477fba4d6a7ab)

commit 787b328518b2eec8275956835ae16488644e7d87
Author: Juan Zuluaga <juan.c.zuluaga@oracle.com>
Date:   Tue Sep 16 11:23:36 2014 -0400

ZFSSA iSCSI driver cannot add multple initiators to a group
    
    All initiators defined in zfssa_initiator property would be
    added to the group.
    Also fixed some typos related to initiators error messages.
    
    Change-Id: Iec6c90702e5aafa153b4a7f1e429974ac450afc0
    Closes-Bug: #1369750
    (cherry picked from commit f94d671e627dd7b5143422ffe739418fcfb51a70)

commit c566767d6a5041d1d86b1e199028d78772ebc508
Author: Patrick East <patrick.east@purestorage.com>
Date:   Tue Sep 30 11:47:42 2014 -0700

Fix race condition in ISCSIConnector _disconnect_volume_multipath_iscsi
    
    This is a similar issue as seen in
    https://bugs.launchpad.net/cinder/+bug/1375382
    
    The list of devices returned by driver.get_all_block_devices() in
    _disconnect_volume_multipath_iscsi will potentially contain broken
    symlinks as the SCSI devices have been deleted from calling
    self._linuxscsi.remove_multipath_device(device_realpath) right before
    _disconnect_volume_multipath_iscsi but the udev rule for the symlink
    may not yet have completed.
    
    Adding in a check to os.path.exists() will ensure that we will not
    consider the broken symlinks as an “in use” device.
    
    Change-Id: I79c9627e9b47127d3765fcec5b7e3bacef179630
    Closes-Bug: #1375946
    (cherry picked from commit 4541521de576297d9b7d4115b040ff54773d9d50)

commit 40eff25fce9a350d1872b083503e4306242961de
Author: Clinton Knight <cknight@netapp.com>
Date:   Fri Sep 26 12:07:44 2014 -0400

Deprecate / obsolete NetApp volume extra specs
    
    The NetApp Data ONTAP (Cluster-mode) NFS & iSCSI drivers for Juno support
    the Cinder pools feature, but the drivers are reporting two qualified
    extra specs that must be converted to unqualified extra specs in order to
    be used by the Cinder scheduler's capability filter. Furthermore, there
    are four extra specs that must be deprecated due to having the pools
    feature.  Warnings will be logged during volume creation if any of the
    obsolete or deprecated extra specs are seen in the volume type.
    
    Change-Id: I4dbd667610e481356304a12b8dae84cff61aa9d9
    Closes-bug: 1374630
    (cherry picked from commit 4cb4be4122a44dc99d6f29f065cdd32ae86273ce)

commit 2601acaec8d3c154f7638db0e7dad307d0efcc48
Author: Vincent Hou <sbhou@cn.ibm.com>
Date:   Fri Sep 12 16:10:02 2014 +0800

IBM Storwize driver: Retype the volume with correct empty QoS
    
    * Currently for Storwzie driver, if the new type does not have QoS
    configurations, the old QoS configurations remain in the volume after
    retyping it. It should be retyped into a volume with empty QoS for the
    Storwize driver.
    * Refactor three dicts into one for better maintainance of the QoS keys
    for Storwize driver.
    
    DocImpact
    
    Change-Id: I2b2801a4ef72ef02c11392ed00b56f5263a8a7e4
    Closes-Bug: #1368595
    (cherry picked from commit 26de1b1d829849665dae921b8be739194b84515d)

commit d5efe6703297761215907eeaf703cec040e6ad25
Author: Tristan Cacqueray <tristan.cacqueray@enovance.com>
Date:   Fri Oct 3 19:57:01 2014 +0000

Sync latest processutils from oslo-incubator
    
    An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
    to address ssh_execute(). This change set addresses ssh_execute.
    
    ------------------------------------------------
    
    oslo-incubator head:
    
    commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
    Merge: 9f5c700 2a130bf
    Author: Jenkins <jenkins@review.openstack.org>
    Date:   Mon Sep 29 23:12:14 2014 +0000
    
        Merge "Script to list unreleased changes in all oslo projects"
    
    -----------------------------------------------
    
    The sync pulls in the following changes (newest to oldest):
    
    6a60f842 - Mask passwords in exceptions and error messages (SSH)
    
    -----------------------------------------------
    
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981
    (cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567)

commit c70ef7d8d4d9479fe5d3f4a8387c4eac1dca274d
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Mon Oct 6 16:09:05 2014 +0000

Updated from global requirements
    
    Change-Id: I116f04494e596e470f8fec242466ac5fe21b222c

commit 79afa849658f689a9105473fdfba1d993684d3df
Author: Lucian Petrut <lpetrut@cloudbasesolutions.com>
Date:   Tue Sep 30 11:58:22 2014 +0300

Windows SMBFS: Handle volume_name in _qemu_img_info
    
    The volume_name is now parsed to the _qemu_img_info wrapper. As
    this method is not prone to security issues because this driver
    does not support raw images (at least not yet), we don't have to
    perform any checks on the backing image file path.
    
    Thus, this method simply ignores this argument that will be parsed
    by the base class methods.
    
    Related-Bug: #1350504
    
    Change-Id: I801a6338250ec2dc631c4058543f7d0088b3e4d4
    (cherry picked from commit 5e0ce63d6df39dcad5a0ef35553369e49c67dfb8)

commit 608ecf565f99b9840095ecff424e396c4bae631a
Author: Eric Harney <eharney@redhat.com>
Date:   Tue Sep 9 16:20:24 2014 -0400

Refuse invalid qcow2 backing files
    
    Don't allow qcow2 files that are pointing to backing files outside of:
    
    volume-<id>
    volume-<id>.<snap-id>
    volume-<id>.tmp-snap-<snap-id>
    
    (optionally prefixed with /mnt/path)
    
    Closes-Bug: #1350504
    
    Change-Id: Ic89cffc93940b7b119cfcde3362f304c9f2875df
    (cherry picked from commit dca3c8323cf8cf12aa8ce4ba21f647ce631e8153)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.