unsafe set reference in neutron iptables code

Bug #1696874 reported by Kevin Benton
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Kevin Benton

Bug Description

:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent [req-21b216b4-9e00-4f16-aa90-fc05f875e23f - - - - -] Error while processing VIF ports
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 1825, in rpc_loop
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent ovs_restarted)
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py", line 1574, in process_network_ports
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/securitygroups_rpc.py", line 303, in setup_port_filters
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent self.refresh_firewall(updated_devices)
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/securitygroups_rpc.py", line 142, in decorated_function
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/securitygroups_rpc.py", line 257, in refresh_firewall
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent self.firewall.update_port_filter(device)
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent self.gen.next()
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/firewall.py", line 110, in defer_apply
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/iptables_firewall.py", line 844, in filter_defer_apply_off
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent self._remove_conntrack_entries_from_sg_updates()
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/iptables_firewall.py", line 829, in _remove_conntrack_entries_from_sg_updates
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent self._clean_deleted_sg_rule_conntrack_entries()
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/dist-packages/neutron/agent/linux/iptables_firewall.py", line 779, in _clean_deleted_sg_rule_conntrack_entries
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent for sg_id in self.updated_rule_sg_ids:
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent RuntimeError: Set changed size during iteration
:2017-06-01 14:26:28.528 13973 ERROR neutron.plugins.ml2.drivers.openvswitch.agent.ovs_neutron_agent

Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/472473

Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/472473
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e51ae07aecd14b8270f5e14175f943a5abc8caa6
Submitter: Jenkins
Branch: master

commit e51ae07aecd14b8270f5e14175f943a5abc8caa6
Author: Kevin Benton <email address hidden>
Date: Thu Jun 8 16:10:45 2017 -0700

    Don't iterate updated_rule_sg_ids or updated_sg_members

    updated_rule_sg_ids and updated_sg_members can be updated
    concurrently by an RPC security_group_updated cast from the
    server which will result in a RuntimeError due to set
    size changing during iteration.

    This adjusts the logic to just iterate over a copy of the set.

    Change-Id: I0a7cf13157de256403cfd6196f64fafdfa65f180
    Closes-Bug: #1696874
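
Added example, not neutron's code: a deterministic model of the failure in the traceback and of the copy-based fix the commit message describes. Only updated_rule_sg_ids and security_group_updated come from the page; the class, the other method names, the on_yield hook (standing in for the point where another greenthread gets to run) and the sg-* IDs are assumptions made for illustration.

```python
class SgUpdateTracker:
    """Toy stand-in for the agent-side firewall state (hypothetical class)."""

    def __init__(self, sg_ids):
        self.updated_rule_sg_ids = set(sg_ids)

    def security_group_updated(self, sg_id):
        # Models the RPC cast from the server landing in the middle of a cleanup pass.
        self.updated_rule_sg_ids.add(sg_id)

    def clean_unsafe(self, on_yield):
        cleaned = []
        for sg_id in self.updated_rule_sg_ids:       # iterates the live, shared set
            on_yield()                               # another greenthread may run here
            cleaned.append(sg_id)
        return cleaned

    def clean_safe(self, on_yield):
        cleaned = []
        for sg_id in set(self.updated_rule_sg_ids):  # iterates a snapshot
            on_yield()
            cleaned.append(sg_id)
        # Assumption of this example: drop only the IDs that were processed,
        # so IDs added during the pass are picked up by the next one.
        self.updated_rule_sg_ids.difference_update(cleaned)
        return cleaned


def run(method_name):
    """Run one cleanup pass while a single update arrives during the loop.

    Returns (cleaned IDs or None, IDs still pending, error message or None).
    """
    tracker = SgUpdateTracker(["sg-a", "sg-b", "sg-c"])  # constructed sample IDs
    late = ["sg-late"]

    def rpc_arrives():
        if late:
            tracker.security_group_updated(late.pop())

    try:
        cleaned = getattr(tracker, method_name)(rpc_arrives)
        return sorted(cleaned), sorted(tracker.updated_rule_sg_ids), None
    except RuntimeError as exc:
        return None, sorted(tracker.updated_rule_sg_ids), str(exc)


if __name__ == "__main__":
    print("unsafe:", run("clean_unsafe"))
    print("safe:  ", run("clean_safe"))
```

In the unsafe pass the exception aborts the loop after the first ID, so the remaining IDs are never processed in that pass; the snapshot pass finishes and leaves only the late arrival pending.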

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/473304

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/473305

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/473306

tags: added: neutron-proactive-backport-potential
tags: added: neutron-easy-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/mitaka)

Change abandoned by Kevin Benton (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/473306

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/473305
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3c0f4b7390e2204eaee9e821baa393a81095c4d5
Submitter: Jenkins
Branch: stable/newton

commit 3c0f4b7390e2204eaee9e821baa393a81095c4d5
Author: Kevin Benton <email address hidden>
Date: Thu Jun 8 16:10:45 2017 -0700

    Don't iterate updated_rule_sg_ids or updated_sg_members

    updated_rule_sg_ids and updated_sg_members can be updated
    concurrently by an RPC security_group_updated cast from the
    server which will result in a RuntimeError due to set
    size changing during iteration.

    This adjusts the logic to just iterate over a copy of the set.

    Change-Id: I0a7cf13157de256403cfd6196f64fafdfa65f180
    Closes-Bug: #1696874
    (cherry picked from commit e51ae07aecd14b8270f5e14175f943a5abc8caa6)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/473304
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=96657be885275969a0feadde6255697b43e01590
Submitter: Jenkins
Branch: stable/ocata

commit 96657be885275969a0feadde6255697b43e01590
Author: Kevin Benton <email address hidden>
Date: Thu Jun 8 16:10:45 2017 -0700

    Don't iterate updated_rule_sg_ids or updated_sg_members

    updated_rule_sg_ids and updated_sg_members can be updated
    concurrently by an RPC security_group_updated cast from the
    server which will result in a RuntimeError due to set
    size changing during iteration.

    This adjusts the logic to just iterate over a copy of the set.

    Change-Id: I0a7cf13157de256403cfd6196f64fafdfa65f180
    Closes-Bug: #1696874
    (cherry picked from commit e51ae07aecd14b8270f5e14175f943a5abc8caa6)

tags: added: in-stable-ocata
tags: removed: neutron-easy-proactive-backport-potential neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.0.0b3

This issue was fixed in the openstack/neutron 11.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 9.4.1

This issue was fixed in the openstack/neutron 9.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.3

This issue was fixed in the openstack/neutron 10.0.3 release.
