networking-hyperv

Exception when trying to create the neutron port SG rules

Bug #1694432 reported by Ionut-Madalin Balutoiu
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
networking-hyperv
Fix Released
High
Claudiu Belu
os-win
Fix Released
Undecided
Unassigned

Bug Description

I'm using neutron-openvswitch-agent with the native hyperv firewall. The following exceptions are raised when trying to run a full tempests tests suite with 5 concurrent runners:
- http://paste.openstack.org/show/tJimUbUwwdc3eYEJQYV9/
- http://paste.openstack.org/show/AUqMXLOJIOoHn74Hyw3h/

NOTE(claudiub):

When an instance is being rebuilt, or shelved and unshelved, the VM gets destroyed and recreated, keeping the same neutron port. neutron-ovs-agent doesn't tear down the port, and doesn't notify the HyperVSecurityGroupsDriver that the switch port has been recreated in any way, which will cause issues when adding the security group rules; most notably, the default reject rules and the previously existing security group rules wouldn't be added.

This issue doesn't affect the neutron-hyperv-agent, which notifies the HyperVSecurityGroupsDriver when a port gets removed, updating its caches accordingly.

See original description
Ionut-Madalin Balutoiu (ionutbalutoiu)
summary: - "KeyError Exception" when trying to create the neutron port SG rules
+ Exception when trying to create the neutron port SG rules
description: updated
Revision history for this message
Claudiu Belu (cbelu) wrote :

Addressed by: https://review.openstack.org/#/c/469010/

description: updated
Changed in networking-hyperv:
importance: Undecided → High
assignee: nobody → Claudiu Belu (cbelu)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-hyperv (master)

Reviewed: https://review.openstack.org/469010
Committed: https://git.openstack.org/cgit/openstack/networking-hyperv/commit/?id=d66301dcdd13ee24f5a0240aa57e094cfb8dd5af
Submitter: Jenkins
Branch: master

commit d66301dcdd13ee24f5a0240aa57e094cfb8dd5af
Author: Claudiu Belu <email address hidden>
Date: Tue May 30 10:42:48 2017 +0300

    SecurityGroups: Clears port from device cache

    When an instance is being rebuilt, or shelved and unshelved,
    the VM gets destroyed and recreated, keeping the same neutron port.

    neutron-ovs-agent doesn't tear down the port, and doesn't notify
    the HyperVSecurityGroupsDriver that the switch port has been recreated
    in any way, which will cause issues when adding the security group rules;
    most notably, the default reject rules and the previously existing
    security group rules wouldn't be added.

    This patch pops the _sec_group_rules and _security_ports caches before
    reraising the os_win.exceptions.NotFound exception, after which
    neutron-ovs-agent will retry the port binding.

    This issue doesn't affect the neutron-hyperv-agent, which notifies the
    HyperVSecurityGroupsDriver when a port gets removed, updating its
    caches accordingly.

    Closes-Bug: #1694432

    Change-Id: I9e7f41f9c5989af169fdfa0e014daf6450248f8a

Changed in networking-hyperv:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-hyperv (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/475585

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-hyperv (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/475586

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-win (master)

Reviewed: https://review.openstack.org/469461
Committed: https://git.openstack.org/cgit/openstack/os-win/commit/?id=4f6176ae312e3195c39295d6b6fe564723e276d7
Submitter: Jenkins
Branch: master

commit 4f6176ae312e3195c39295d6b6fe564723e276d7
Author: Claudiu Belu <email address hidden>
Date: Wed May 31 14:56:41 2017 +0300

    raises exceptions.NotFound instead of x_wmi: Not Found

    When an instance is being rebuilt, or shelved and unshelved, the VM gets
    destroyed and recreated, keeping the same neutron port. If a reference to
    a non-existent object is passed to a WMI method (or no longer exists), an
    x_wmi: Not Found exception is raised.

    Adds decorators to the jobutils methods, which will reraise
    os_win.exceptions.NotFound exceptions instead of the x_wmi: Not found
    exceptions.

    Change-Id: Ic371cd1e2c2a54c4f386c02557bc9cdd9518bc9b
    Closes-Bug: #1694432

Changed in os-win:
status: New → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-win (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/476884

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-hyperv (stable/newton)

Reviewed: https://review.openstack.org/475586
Committed: https://git.openstack.org/cgit/openstack/networking-hyperv/commit/?id=81349172b77cedec32301d83ae71001ba66239a3
Submitter: Jenkins
Branch: stable/newton

commit 81349172b77cedec32301d83ae71001ba66239a3
Author: Claudiu Belu <email address hidden>
Date: Tue May 30 10:42:48 2017 +0300

    SecurityGroups: Clears port from device cache

    When an instance is being rebuilt, or shelved and unshelved,
    the VM gets destroyed and recreated, keeping the same neutron port.

    neutron-ovs-agent doesn't tear down the port, and doesn't notify
    the HyperVSecurityGroupsDriver that the switch port has been recreated
    in any way, which will cause issues when adding the security group rules;
    most notably, the default reject rules and the previously existing
    security group rules wouldn't be added.

    This patch pops the _sec_group_rules and _security_ports caches before
    reraising the os_win.exceptions.NotFound exception, after which
    neutron-ovs-agent will retry the port binding.

    This issue doesn't affect the neutron-hyperv-agent, which notifies the
    HyperVSecurityGroupsDriver when a port gets removed, updating its
    caches accordingly.

    Closes-Bug: #1694432

    Change-Id: I9e7f41f9c5989af169fdfa0e014daf6450248f8a
    (cherry picked from commit d66301dcdd13ee24f5a0240aa57e094cfb8dd5af)

tags: added: in-stable-newton
tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-hyperv (stable/ocata)

Reviewed: https://review.openstack.org/475585
Committed: https://git.openstack.org/cgit/openstack/networking-hyperv/commit/?id=28900b4cff55648d719e84183a94b306e734c291
Submitter: Jenkins
Branch: stable/ocata

commit 28900b4cff55648d719e84183a94b306e734c291
Author: Claudiu Belu <email address hidden>
Date: Tue May 30 10:42:48 2017 +0300

    SecurityGroups: Clears port from device cache

    When an instance is being rebuilt, or shelved and unshelved,
    the VM gets destroyed and recreated, keeping the same neutron port.

    neutron-ovs-agent doesn't tear down the port, and doesn't notify
    the HyperVSecurityGroupsDriver that the switch port has been recreated
    in any way, which will cause issues when adding the security group rules;
    most notably, the default reject rules and the previously existing
    security group rules wouldn't be added.

    This patch pops the _sec_group_rules and _security_ports caches before
    reraising the os_win.exceptions.NotFound exception, after which
    neutron-ovs-agent will retry the port binding.

    This issue doesn't affect the neutron-hyperv-agent, which notifies the
    HyperVSecurityGroupsDriver when a port gets removed, updating its
    caches accordingly.

    Closes-Bug: #1694432

    Change-Id: I9e7f41f9c5989af169fdfa0e014daf6450248f8a
    (cherry picked from commit d66301dcdd13ee24f5a0240aa57e094cfb8dd5af)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-win (stable/ocata)

Reviewed: https://review.openstack.org/476884
Committed: https://git.openstack.org/cgit/openstack/os-win/commit/?id=eaef62b7281c2457984a4f109aa05fd040b4b7fb
Submitter: Jenkins
Branch: stable/ocata

commit eaef62b7281c2457984a4f109aa05fd040b4b7fb
Author: Claudiu Belu <email address hidden>
Date: Wed May 31 14:56:41 2017 +0300

    raises exceptions.NotFound instead of x_wmi: Not Found

    When an instance is being rebuilt, or shelved and unshelved, the VM gets
    destroyed and recreated, keeping the same neutron port. If a reference to
    a non-existent object is passed to a WMI method (or no longer exists), an
    x_wmi: Not Found exception is raised.

    Adds decorators to the jobutils methods, which will reraise
    os_win.exceptions.NotFound exceptions instead of the x_wmi: Not found
    exceptions.

    Conflicts:
            os_win/_utils.py

    (cherry-picked from 4f6176ae312e3195c39295d6b6fe564723e276d7)

    Change-Id: Ic371cd1e2c2a54c4f386c02557bc9cdd9518bc9b
    Closes-Bug: #1694432

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/os-win 1.4.2

This issue was fixed in the openstack/os-win 1.4.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/os-win 2.1.0

This issue was fixed in the openstack/os-win 2.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-hyperv 5.0.0

This issue was fixed in the openstack/networking-hyperv 5.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/networking-hyperv ocata-eol

This issue was fixed in the openstack/networking-hyperv ocata-eol release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.