fully-populated load balancer create API can leak vip ports

Bug #2015320 reported by Gregory Thiemonge
This bug affects 3 people
Affects: octavia
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Originally reported in https://storyboard.openstack.org/#!/story/2010671

When creating a fully populated load balancer, if a validation step fails for one of its resources (listener, pool, etc.), an exception is raised and the LB is not created in the DB, but a VIP port is created in Neutron and not deleted.

Can be reproduced with this script:

import openstack

conn = openstack.connect()

subnet = conn.network.find_subnet("public-subnet")

tree = {
    "vip_subnet_id": subnet.id,
    "listeners": [{
        "protocol": "TERMINATED_HTTPS",
        "protocol_port": 443,
    }]
}

conn.load_balancer.create_load_balancer(**tree)

# Before

$ openstack loadbalancer list -f value | wc -l
0
$ openstack port list -f value -c Name | grep octavia
octavia-health-manager-standalone-listen-port

# Creating the LB
$ python test_lb_create.py
Traceback (most recent call last):
  File "/home/cloud-user/test_lb_create.py", line 15, in <module>
    conn.load_balancer.create_load_balancer(**tree)
  File "/opt/stack/openstacksdk/openstack/load_balancer/v2/_proxy.py", line 61, in create_load_balancer
    return self._create(_lb.LoadBalancer, **attrs)
  File "/opt/stack/openstacksdk/openstack/proxy.py", line 581, in _create
    return res.create(self, base_path=base_path)
  File "/opt/stack/openstacksdk/openstack/resource.py", line 1487, in create
    self._translate_response(response, has_body=has_body)
  File "/opt/stack/openstacksdk/openstack/resource.py", line 1254, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/opt/stack/openstacksdk/openstack/exceptions.py", line 233, in raise_from_response
    raise cls(
openstack.exceptions.BadRequestException: BadRequestException: 400: Client Error for url: http://192.168.1.101/load-balancer/v2.0/lbaas/loadbalancers, Validation failure: An SNI or default certificate container reference must be provided for TERMINATED_HTTPS protocol listeners.

# After
$ openstack loadbalancer list -f value | wc -l
0
$ openstack port list -f value -c Name | grep octavia
octavia-health-manager-standalone-listen-port
octavia-lb-81755e98-5bdb-49c2-bb35-9a4beb1cdd18

The port octavia-lb-81755e98-5bdb-49c2-bb35-9a4beb1cdd18 was created but it is not linked to any LBs.
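An operator-side check for ports leaked this way, added here as an example (it is not part of the original report or of Octavia's code): it flags Neutron ports named `octavia-lb-<uuid>` whose UUID matches no existing load balancer. It assumes the UUID in the port name is the load balancer ID and that the caller can list load balancers in every project; the function names and sample data are constructed for illustration.

```python
import re

# Port name pattern seen on this page: "octavia-lb-" followed by a UUID.
VIP_PORT_RE = re.compile(
    r"^octavia-lb-([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)


def find_leaked_vip_ports(ports, lb_ids):
    """Return ports named octavia-lb-<uuid> whose <uuid> matches no load balancer.

    ports  -- iterable of (port_id, port_name) tuples
    lb_ids -- iterable of existing load balancer IDs
    """
    known = {lb_id.lower() for lb_id in lb_ids}
    leaked = []
    for port_id, name in ports:
        match = VIP_PORT_RE.match(name or "")
        # Assumption: the UUID in the port name is the load balancer ID.
        if match and match.group(1).lower() not in known:
            leaked.append((port_id, name))
    return leaked


def audit_cloud(conn):
    """Run the check on a live cloud; conn comes from openstack.connect()."""
    ports = [(p.id, p.name) for p in conn.network.ports()]
    lb_ids = [lb.id for lb in conn.load_balancer.load_balancers()]
    return find_leaked_vip_ports(ports, lb_ids)


# Constructed sample data mirroring the "After" listing in the report.
SAMPLE_PORTS = [
    ("port-1", "octavia-health-manager-standalone-listen-port"),
    ("port-2", "octavia-lb-81755e98-5bdb-49c2-bb35-9a4beb1cdd18"),
    ("port-3", "octavia-lb-11111111-2222-3333-4444-555555555555"),
    ("port-4", ""),
]
SAMPLE_LB_IDS = ["11111111-2222-3333-4444-555555555555"]

if __name__ == "__main__":
    for port_id, name in find_leaked_vip_ports(SAMPLE_PORTS, SAMPLE_LB_IDS):
        print(f"leaked VIP port candidate: {port_id} {name}")
```

Treat the result as a list of candidates: a port flagged while a create request is still in flight should be re-checked before it is deleted.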

Changed in octavia:
importance: Undecided → Medium
status: New → Confirmed
importance: Medium → Low