neutron

Port update failed with 500 when trying to recreate default security group

Bug #1718282 reported by Ihar Hrachyshka on 2017-09-19

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	High	Kevin Benton

Bug Description

On port update, default security group may be missing. In this case, port update will first create the group, then proceed to port object. The problem is that when it recreates the group, it uses AFTER_UPDATE event, which contradicts the transactional semantics of _ensure_default_security_group_handler.

Logs wise, we get this in neutron-server log:

Sep 14 12:03:03.604813 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: WARNING neutron.plugins.ml2.ovo_rpc [None req-71600acd-c114-4dbd-a599-a9126fae14fb tempest-NetworkDefaultSecGroupTest-1846858447 tempest-NetworkDefaultSecGroupTest-1846858447] This handler is supposed to handle AFTER events, as in 'AFTER it's committed', not BEFORE. Offending resource event: security_group, after_create. Location:

And then later:

Sep 14 12:03:04.038599 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/new/neutron/neutron/plugins/ml2/plugin.py", line 1332, in update_port
Sep 14 12:03:04.038761 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation context.session.expire(port_db)
Sep 14 12:03:04.038924 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1533, in expire
Sep 14 12:03:04.039083 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation self._expire_state(state, attribute_names)
Sep 14 12:03:04.039243 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1536, in _expire_state
Sep 14 12:03:04.039406 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation self._validate_persistent(state)
Sep 14 12:03:04.041280 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/orm/session.py", line 1976, in _validate_persistent
Sep 14 12:03:04.041453 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation state_str(state))
Sep 14 12:03:04.041658 ubuntu-xenial-2-node-rax-dfw-10932230 neutron-server[30503]: ERROR neutron.pecan_wsgi.hooks.translation InvalidRequestError: Instance '<Port at 0x7fec2d31a190>' is not persistent within this Session

Logs can be found in: http://logs.openstack.org/21/504021/1/check/gate-tempest-dsvm-neutron-dvr-multinode-scenario-ubuntu-xenial-nv/c6647c4/logs/screen-q-svc.txt.gz#_Sep_14_12_03_04_041658

Tags:

Revision history for this message

Ihar Hrachyshka (ihar-hrachyshka) wrote on 2017-09-19:

For the record, this bug was originally reported in Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1493175

Changed in neutron:
importance:	Undecided → High
status:	New → Confirmed
assignee:	nobody → Kevin Benton (kevinbenton)
tags:	added: gate-failure sg-fw
tags:	added: db

Revision history for this message

Ihar Hrachyshka (ihar-hrachyshka) wrote on 2017-09-19:

Fix: https://review.openstack.org/505390

OpenStack Infra (hudson-openstack) on 2017-09-21

Changed in neutron:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-27: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/505390
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=017185496c9f3f30b4b819ead86dd5bfe5a72597
Submitter: Jenkins
Branch: master

commit 017185496c9f3f30b4b819ead86dd5bfe5a72597
Author: Kevin Benton <email address hidden>
Date: Tue Sep 19 12:41:47 2017 -0700

Ensure default security group before port update

    The default security group can be deleted and updating
    a port will recreate it. However, we should do this in
    the BEFORE_UPDATE event handler rather than waiting for
    it to happen inside of the port update transaction which
    violates the transaction semantics of the security group
    callbacks.

Closes-Bug: #1718282
Change-Id: I1ce8b558b0a831adcebead512d97554173423955

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-09-27: Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/507926

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-06: Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/507926
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f0a71fb0cedaa0a7a34519b80d4337fc92a27bba
Submitter: Jenkins
Branch: stable/pike

commit f0a71fb0cedaa0a7a34519b80d4337fc92a27bba
Author: Kevin Benton <email address hidden>
Date: Tue Sep 19 12:41:47 2017 -0700

Ensure default security group before port update

    Closes-Bug: #1718282
    Change-Id: I1ce8b558b0a831adcebead512d97554173423955
    (cherry picked from commit 017185496c9f3f30b4b819ead86dd5bfe5a72597)