[SRU]_heal_instance_info_cache periodic task bases on port list from nova db, not from neutron server

Can we pass some kind of force_refresh parameter (which defaults to existing behavior) which will do the full refresh and then the _heal_instance_info_cache would be the only thing that passes True for that?

I worry about all of the spaghetti code in there and existing usage by different callers, but the heal instance info cache periodic task is meant to be a full refresh based on latest information from neutron, so it seems reasonable to do it in that case.

For me its okey to do force_refresh=False and use it only in _heal_instance_info_caches. I'll propose fix doing it. Thanks!

This fix is in conflict with bugfix: 46922068ac167f492dd303efb359d0c649d69118.
We need to think twice how to fix it.

commit 46922068ac167f492dd303efb359d0c649d69118
Author: Aaron Rosen <email address hidden>
Date: Thu Dec 5 17:28:17 2013 -0800

    Make network_cache more robust with neutron

    Currently, nova treats neutron as the source of truth for which ports are
    attached to an instance which is a false assumption. Because of this
    if someone creates a port in neutron with a device_id that matches one
    of their existing instance_ids that port will eventually show up in
    nova list (through the periodic heal task).

    This problem usually manifests it's self when nova-compute
    calls to neutron to create a port and the request times out (though
    the port is actually created in neutron). When this occurs the instance
    can be rescheduled on another compute node which it will call out to
    neutron again to create a port. In this case two ports will show
    up in the network_cache table (since they have the same instance_id) though
    only one port is attached to the instance.

    This patch addresses this issue by only adding ports to network_cache
    if nova successfully allocated the port (or it was passed in). This
    way these ghost ports are avoided. A follow up patch will come later
    that garbage collects these ports.

    Closes-bug: #1258620
    Closes-bug: #1272195

    Change-Id: I961c224d95291727c8614174de07805a0d0a9e46

We ran into this issue too.

We tried to fix bug https://bugs.launchpad.net/keystone/+bug/968696 by changing policy.json. And at some point of time our service users had incorrect permissions. We noticed that network information disappeared from "openstack server list". But even after we fixed service user permissions, network information was not restored.

Investigation revealed that periodic jobs query list of ports from neutron. Neutron returned empty list because of bad service user permissions. Nova successfully deleted the ports from info_cache. We noticed that and restored permissions. Neutron started to return non-empty list again, but nova did not consume it.

We managed to fix it by changing code and forcing nova to record ports from the list.

This bug might be caused by commit https://github.com/openstack/nova/commit/8694c1619d774bb8a6c23ed4c0f33df2084849bc
Nova never repopulate instance_info_cache if it is empty.

That commit from arosen is from 2013, and this is fixed I think since then:

"""
This problem usually manifests it's self when nova-compute
     calls to neutron to create a port and the request times out (though
     the port is actually created in neutron). When this occurs the instance
     can be rescheduled on another compute node which it will call out to
     neutron again to create a port. In this case two ports will show
     up in the network_cache table (since they have the same instance_id) though
     only one port is attached to the instance.
"""

via this change:

https://review.openstack.org/#/c/520248/

So nova will cleanup ports created during a failed build prior to rescheduling.

So I think we should add a force_refresh flag to the _heal_instance_info_cache flow so that we refresh from neutron rather than the nova db.

FWIW, our public cloud team (Huawei) reported the exact same issue as from comment 4 where the policy changed on the neutron side which resulted in returning no ports for the instance, so nova wiped out the entries from the cache and the heal periodic task didn't fix it.

Fix proposed to branch: master
Review: https://review.openstack.org/591607

Related fix proposed to branch: master
Review: https://review.openstack.org/614167

Hi i have a customer that filed a downstream bug for this on newton.

i have been able to reproduce this without any db surgery however i did have to use
curl to send a raw command to neutron api.

i could try and create a function test for this if that helped.

currently the only workaround i have found is to delete teh neutorn ports
and create new ones. when the instance is in this broken state you cannot use
add/remove port to fix it.

paste bin log of script execution
http://paste.openstack.org/show/735818/

repro scipt below.
------------------------------------------------------------------------
#!/bin/bash

set -x

IMAGE="cirros-0.3.5-x86_64-disk"
NETWORK="private"
FLAVOR="m1.nano"
TEMP_TOKEN=$(openstack token issue -c id -f value)
SERVER=$(openstack server create --image ${IMAGE} --flavor ${FLAVOR} --network ${NETWORK} -c id -f value --wait repro-bug)
openstack server show ${SERVER}
PORT_ID=$(openstack port list --device-id ${SERVER} -f value -c id)
openstack port show ${PORT_ID}

#wait for it to be fully up
sleep 10

NEUTRON_ENDPOINT=$(openstack endpoint list --service network -f value -c URL)
curl -X PUT -H "X-Auth-Token:${TEMP_TOKEN}" -d '{ "port":{"device_id":"","device_owner":"", "binding:host_id":"" }}' "${NEUTRON_ENDPOINT}v2.0/ports/${PORT_ID}" | python -mjson.tool
# after this curl command nova and neutron will diagree as to the state of the port.

openstack server reboot --hard --wait ${SERVER}
# after the vm is rebooted the vm will not have an interface attached
openstack server show ${SERVER}
openstack port show ${PORT_ID}

#try to fix the issue by attaching the port again
openstack server add port ${SERVER} ${PORT_ID}
# note this will result in fixing the port in neutron but it will be broken on the nova side
# as a result the vm will still not have an interface attach but nuetron will say it is.
openstack server show ${SERVER}
openstack port show ${PORT_ID}

# wait for nova to have time to try and attach the interface
sleep 30
openstack server reboot --hard --wait ${SERVER}

set +x

I saw this over IRC last night:

(5:12:51 PM) pacharya_: Hi need some help with nova instance info cache table. Due to some network connectivity issues nova received empty list during the heal instance info cache periodic task and instance cache table got updated with same.
(5:13:12 PM) pacharya_: now the list and get API for that instance does not have any IPs listed
(5:13:20 PM) pacharya_: Does anyone know how to fix this?

Reviewed: https://review.openstack.org/614167
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3534471c578eda6236e79f43153788c4725a5634
Submitter: Zuul
Branch: master

commit 3534471c578eda6236e79f43153788c4725a5634
Author: Maciej Jozefczyk <email address hidden>
Date: Tue Oct 30 09:58:30 2018 +0000

    Add fill_virtual_interface_list online_data_migration script

    In change [1] we modified _heal_instance_info_cache periodic task
    to use Neutron point of view while rebuilding InstanceInfoCache
    objects.
    The crucial point was how we know the previous order of ports, if
    the cache was broken. We decided to use VirtualInterfaceList objects
    as source of port order.
    For instances older than Newton VirtualInterface objects doesn't
    exist, so we need to introduce a way of creating it.
    This script should be executed while upgrading to Stein release.

    [1] https://review.openstack.org/#/c/591607

    Change-Id: Ic26d4ce3d071691a621d3c925dc5cd436b2005f1
    Related-Bug: 1751923

Reviewed: https://review.openstack.org/591607
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ba44c155ce1dcefede9741722a0525820d6da2b8
Submitter: Zuul
Branch: master

commit ba44c155ce1dcefede9741722a0525820d6da2b8
Author: Matt Riedemann <email address hidden>
Date: Tue Aug 14 17:57:53 2018 +0800

    Force refresh instance info_cache during heal

    If the instance info_cache is corrupted somehow, like during
    a host reboot and the ports aren't wired up properly or
    a mistaken policy change in neutron results in nova resetting
    the info_cache to an empty list, the _heal_instance_info_cache
    is meant to fix it (once the current state of the ports for
    the instance in neutron is corrected). However, the task is
    currently only refreshing the cache *based* on the current contents
    of the cache, which defeats the purpose of neutron being the source
    of truth for the ports attached to the instance.

    This change makes the _heal_instance_info_cache periodic task
    pass a "force_refresh" kwarg, which defaults to False for backward
    compatibility with other methods that refresh the cache after
    operations like attach/detach interface, and if True will make
    nova get the current state of the ports for the instance from neutron
    and fully rebuild the info_cache.

    To not lose port order in info_cache this change takes original order
    from nova historical data that are stored as VirtualInterfaceList
    objects. For ports that are not registered as VirtualInterfaces
    objects it will add them at the end of port_order list. Due to this
    for instances older than Newton another patch was introduced to fill
    missing VirtualInterface objects in the DB [1].

    Long-term we should be able to refactor some of the older refresh
    code which leverages the cache to instead use the refresh_vif_id
    kwarg so that we do targeted cache updates when we do things like
    attach and detach ports, but that's a change for another day.

    [1] https://review.openstack.org/#/c/614167

    Co-Authored-By: Maciej Jozefczyk <email address hidden>
    Change-Id: I629415236b2447128ae9a980d4ebe730a082c461
    Closes-Bug: #1751923

Related fix proposed to branch: master
Review: https://review.openstack.org/640516

This issue was fixed in the openstack/nova 19.0.0.0rc1 release candidate.

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/653040

Change abandoned by Mohammed Naser (<email address hidden>) on branch: stable/rocky
Review: https://review.openstack.org/653040

I also hit this issue on our Queens cloud were 232 vms were affected. I created local backports for Q and R and tested Q backport in our cloud and can confirm that it did automatically resolve the problem i.e. the periodic task eventually re-healed all the caches correctly. Therefore I would like to propose this for backport to Q & R.

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/679271

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/679274

Change abandoned by Matt Riedemann (<email address hidden>) on branch: master
Review: https://review.opendev.org/640516

Status changed to 'Confirmed' because the bug affects multiple users.

We just had ~220 instances lose their ip addresses on one of our Queens clouds. Is anyone still working on a fix for this issue?

for what its worth this has been partially backported downstream in redhat osp

we backported only the self healying and not the online data migration which had a bug in it.

so https://review.opendev.org/#/c/591607/ can be safely backport ported but https://review.opendev.org/#/c/614167/20 has a bug and should not be backported.

Hello,

I've prepared a PPA for testing the proposed patch on B/Queens
https://launchpad.net/~niedbalski/+archive/ubuntu/lp1751923/+packages

Attached is the debdiff for bionic.

Since Queens is populating the virtual_interfaces table as standard I think we should proceed with this SRU - https://pastebin.ubuntu.com/p/BdCPsVKGk5/ - since it will provide a clean fix for Queens clouds.

@corey anything in specific you need at my end to get this SRU reviewed?

@coreycb I think we have everything we need to proceed with this SRU now. Since Queens is the oldest release currently supported on Ubuntu and support for populating vif attach ordering required to rebuild the cache has been available since Newton I think the risk of anyone being impacted is very small. VMs created prior to Newton would need the patch [1] and eventually [2] backported from Stein but I don't see them as essential and given the impact of not having this fix asap I think it supersedes those which we can handle separately.

[1] https://github.com/openstack/nova/commit/3534471c578eda6236e79f43153788c4725a5634
[2] https://bugs.launchpad.net/nova/+bug/1825034

Restored the bug description to its original format and updated SRU info.

Thanks Jorge. Let's patch rocky as well for upgrade purposes.

New nova packages including this fix have been uploaded to rocky-staging and the bionic unapproved queue:
https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/rocky-staging/+packages?field.name_filter=nova
https://launchpad.net/ubuntu/bionic/+queue?queue_state=1&queue_text=nova

Hello Maciej, or anyone else affected,

Accepted nova into rocky-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:rocky-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-rocky-needed to verification-rocky-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-rocky-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I'm a bit worried about the aforementioned regression potential here, but I'll accept it seeing that this was accepted by the OpenStack team. Since I'd best prefer if the SRUs were as safe as possible, offering fallback functionality in case the system is old. I assume this would require the additional commits cherry-picked?

Anyway, let's proceed for now.

Hello Maciej, or anyone else affected,

Accepted nova into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nova/2:17.0.13-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Maciej, or anyone else affected,

Accepted nova into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:queens-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-queens-needed to verification-queens-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-queens-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I am in the process to verify bionic/rocky/queens releases.

Hello,

I've verified that this problem doesn't reproduces with the package contained in proposed.

1) Deployed this bundle of bionic-queens

Upgraded to the following version:

root@juju-51d6ad-1751923-6:/home/ubuntu# dpkg -l | grep nova
ii nova-api-os-compute 2:17.0.13-0ubuntu3 all OpenStack Compute - OpenStack Compute API frontend
ii nova-common 2:17.0.13-0ubuntu3 all OpenStack Compute - common files
ii nova-conductor 2:17.0.13-0ubuntu3 all OpenStack Compute - conductor service
ii nova-placement-api 2:17.0.13-0ubuntu3 all OpenStack Compute - placement API frontend
ii nova-scheduler 2:17.0.13-0ubuntu3 all OpenStack Compute - virtual machine scheduler
ii python-nova 2:17.0.13-0ubuntu3 all OpenStack Compute Python libraries

root@juju-51d6ad-1751923-7:/home/ubuntu# dpkg -l | grep nova
ii nova-api-metadata 2:17.0.13-0ubuntu3 all OpenStack Compute - metadata API frontend
ii nova-common 2:17.0.13-0ubuntu3 all OpenStack Compute - common files
ii nova-compute 2:17.0.13-0ubuntu3 all OpenStack Compute - compute node base
ii nova-compute-kvm 2:17.0.13-0ubuntu3 all OpenStack Compute - compute node (KVM)
ii nova-compute-libvirt 2:17.0.13-0ubuntu3 all OpenStack Compute - compute node libvirt support
ii python-nova 2:17.0.13-0ubuntu3 all OpenStack Compute Python libraries
ii python-novaclient 2:9.1.1-0ubuntu1 all client library for OpenStack Compute API - Python 2.7
ii python3-novaclient 2:9.1.1-0ubuntu1 all client library for OpenStack Compute API - 3.x

root@juju-51d6ad-1751923-6:/home/ubuntu# systemctl status nova*|grep -i active
   Active: active (running) since Fri 2021-08-27 22:02:25 UTC; 1h 7min ago
   Active: active (running) since Fri 2021-08-27 22:02:12 UTC; 1h 8min ago
   Active: active (running) since Fri 2021-08-27 22:02:25 UTC; 1h 7min ago

3) Created a server with 4 private ports, 1 public one.

ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack$ openstack server list
+--------------------------------------+---------------+--------+-------------------------------------------------------------------------------+--------+-----------+
| ID | Name | Status | Networks | Image | Flavor |
+--------------------------------------+---------------+--------+-------------------------------------------------------------------------------+--------+-----------+
| 5843e6b5-e1a7-4208-9f19-1d051c032afb | cirros-23...

This bug was fixed in the package nova - 2:17.0.13-0ubuntu3

---------------
nova (2:17.0.13-0ubuntu3) bionic; urgency=medium

  * Force refresh instance info_cache during heal (LP: #1751923):
    - d/p/0001-Force-refresh-instance-info_cache-during-heal.patch
    - d/p/0002-remove-deprecated-test_list_vifs_neutron_notimplemented.patch

 -- Jorge Niedbalski <email address hidden> Mon, 17 May 2021 14:25:43 -0400

The verification of the Stable Release Update for nova has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Verified rocky-proposed using [Test Plan] with output as follows:

# apt-cache policy nova-common
nova-common:
  Installed: 2:18.3.0-0ubuntu1~cloud3
  Candidate: 2:18.3.0-0ubuntu1~cloud3
  Version table:
 *** 2:18.3.0-0ubuntu1~cloud3 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu bionic-proposed/rocky/main amd64 Packages
        100 /var/lib/dpkg/status
     2:17.0.13-0ubuntu3 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
     2:17.0.10-0ubuntu2.1 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2:17.0.1-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

I also tested by manually deleting the network_info for a vm then waiting for the periodic task to run - https://pastebin.ubuntu.com/p/7gmZQsvC8H/

The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package nova - 2:18.3.0-0ubuntu1~cloud3
---------------

 nova (2:18.3.0-0ubuntu1~cloud3) bionic-rocky; urgency=medium
 .
   * Force refresh instance info_cache during heal (LP: #1751923):
     - d/p/0001-Force-refresh-instance-info_cache-during-heal.patch

The verification of the Stable Release Update for nova has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package nova - 2:17.0.13-0ubuntu3~cloud0
---------------

 nova (2:17.0.13-0ubuntu3~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 nova (2:17.0.13-0ubuntu3) bionic; urgency=medium
 .
   * Force refresh instance info_cache during heal (LP: #1751923):
     - d/p/0001-Force-refresh-instance-info_cache-during-heal.patch
     - d/p/0002-remove-deprecated-test_list_vifs_neutron_notimplemented.patch

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/queens
Review: https://review.opendev.org/c/openstack/nova/+/679274
Reason: This branch transitioned to End of Life for this project, open patches needs to be closed to be able to delete the branch.

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/rocky
Review: https://review.opendev.org/c/openstack/nova/+/679271
Reason: This branch transitioned to End of Life for this project, open patches needs to be closed to be able to delete the branch.