OpenStack Compute (Nova)

using source groups (-o) with security groups causes a lazy load exception

Reported by Kevin Bringard on 2011-09-26
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
High
Vish Ishaya
Diablo
Undecided
Unassigned
nova (Ubuntu)
High
Unassigned

Bug Description

When launching an instance in a security group with a source group set (using euca-authorize -o) I am seeing the following error:

2011-09-25 17:52:00,337 DEBUG nova.virt.libvirt.firewall [-] Adding security group rule: <nova.db.sqlalchemy.models.SecurityGroupIngressRule object at 0x3ec0990> from (pid=25335) instance_rules /usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py:650
2011-09-25 17:52:00,344 ERROR nova.exception [-] Uncaught exception
(nova.exception): TRACE: Traceback (most recent call last):
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/exception.py", line 98, in wrapped
(nova.exception): TRACE: return f(*args, **kw)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/compute/manager.py", line 216, in refresh_security_group_rules
(nova.exception): TRACE: return self.driver.refresh_security_group_rules(security_group_id)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/connection.py", line 1504, in refresh_security_group_rules
(nova.exception): TRACE: self.firewall_driver.refresh_security_group_rules(security_group_id)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py", line 726, in refresh_security_group_rules
(nova.exception): TRACE: self.do_refresh_security_group_rules(security_group)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/utils.py", line 685, in inner
(nova.exception): TRACE: retval = f(*args, **kwargs)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py", line 733, in do_refresh_security_group_rules
(nova.exception): TRACE: self.add_filters_for_instance(instance)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py", line 582, in add_filters_for_instance
(nova.exception): TRACE: ipv4_rules, ipv6_rules = self.instance_rules(instance, network_info)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py", line 702, in instance_rules
(nova.exception): TRACE: for instance in rule['grantee_group']['instances']:
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/nova/db/sqlalchemy/models.py", line 76, in __getitem__
(nova.exception): TRACE: return getattr(self, key)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/attributes.py", line 163, in __get__
(nova.exception): TRACE: instance_dict(instance))
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/attributes.py", line 383, in get
(nova.exception): TRACE: value = callable_(passive=passive)
(nova.exception): TRACE: File "/usr/lib/python2.7/dist-packages/sqlalchemy/orm/strategies.py", line 595, in __call__
(nova.exception): TRACE: (mapperutil.state_str(state), self.key)
(nova.exception): TRACE: DetachedInstanceError: Parent instance <SecurityGroup at 0x3ec0810> is not bound to a Session; lazy load operation of attribute 'instances' cannot proceed
(nova.exception): TRACE:
2011-09-25 17:52:00,344 ERROR nova.rpc [-] Exception during message handling
(nova.rpc): TRACE: Traceback (most recent call last):
(nova.rpc): TRACE: File "/usr/lib/python2.7/dist-packages/nova/rpc/impl_kombu.py", line 620, in _process_data
(nova.rpc): TRACE: rval = node_func(context=ctxt, **node_args)
(nova.rpc): TRACE: File "/usr/lib/python2.7/dist-packages/nova/exception.py", line 129, in wrapped
(nova.rpc): TRACE: raise Error(str(e))
(nova.rpc): TRACE: Error: Parent instance <SecurityGroup at 0x3ec0810> is not bound to a Session; lazy load operation of attribute 'instances' cannot proceed
(nova.rpc): TRACE:

This causes the rules to stop applying at this point, causing problems with security groups.

tags: added: diablo-backport
Changed in nova:
importance: Undecided → High
status: New → In Progress
assignee: nobody → Vish Ishaya (vishvananda)
Scott Moser (smoser) on 2011-10-04
Changed in nova (Ubuntu):
milestone: none → ubuntu-11.10
status: New → Confirmed
importance: Undecided → High
Mark McLoughlin (markmc) wrote :

Fix for this is waiting for review in gerrit:

  https://review.openstack.org/#change,651

Reviewed: https://review.openstack.org/651
Committed: http://github.com/openstack/nova/commit/114ca0b2dc090270d8d20bd10b6e1e7a0b451db2
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit 114ca0b2dc090270d8d20bd10b6e1e7a0b451db2
Author: Vishvananda Ishaya <email address hidden>
Date: Mon Sep 26 08:34:14 2011 -0700

    Fix the grantee group loading for source groups

    Fixes bug 859679.

    Change-Id: Ia0b90b8373a02955f23b6dda0495f01511762822

Reviewed: https://review.openstack.org/935
Committed: http://github.com/openstack/nova/commit/1f6b213d92e71de1eb669e9fb869d564066dadf5
Submitter: Jenkins
Branch: stable/diablo

 status fixcommitted
 done

commit 1f6b213d92e71de1eb669e9fb869d564066dadf5
Author: Vishvananda Ishaya <email address hidden>
Date: Mon Sep 26 08:34:14 2011 -0700

    Fix the grantee group loading for source groups

    Fixes bug 859679.

    (cherry picked from commit 114ca0b2dc090270d8d20bd10b6e1e7a0b451db2)

    Change-Id: I92569ecc50fe3e9f17f633df03ee428587749a48

Mark McLoughlin (markmc) on 2011-10-27
Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2011-11-09
Changed in nova:
milestone: none → essex-1
Mark McLoughlin (markmc) on 2011-11-16
tags: removed: diablo-backport
Thierry Carrez (ttx) on 2011-11-17
Changed in nova:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1~e2-0ubuntu1

---------------
nova (2012.1~e2-0ubuntu1) precise; urgency=low

  * New usptream release. Fixes the following bugs:
    (LP: #871278, #848643, #859679, #83199)
  * debian/nova-console.install: Fix empty package.
  * debian/patches, debian/pydist-overrides: Cleaner way
    of disabling unwanted python-dependencies.
  * debian/control:
    - Suggest python-keystone. (LP: #901881)
    - Update build dependencies.
  * debian/nova.conf: Use virtio networking by default.
    (LP: #904480)
  * debian/fix-traversal-via-image-register.patch: Dropped
    fixed upstream.
 -- Chuck Short <email address hidden> Fri, 16 Dec 2011 13:03:55 -0500

Changed in nova (Ubuntu):
status: Confirmed → Fix Released

Hello Kevin, or anyone else affected,

Accepted nova into oneiric-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-1 → 2012.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers