stack-update fails when new resources added to OS::Heat::AccessPolicy
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Heat |
Fix Released
|
High
|
Tomas Sedovic | ||
tripleo |
Fix Released
|
High
|
Tomas Sedovic |
Bug Description
We've hit this bug in TripleO: https:/
We start with an AccessPolicy that has two allowed resources (OS::Nova::Server and AWS::AutoScalin
ComputeAccess
Properties:
AllowedRe
- NovaCompute0
- NovaCompute0Config
Type: OS::Heat:
We ask Heat to create the stack. Then we add another pair of resources (NovaCompute1 and NovaCompute1Config identical to the previous ones) and update ComputAccessPol
ComputeAccess
Properties:
AllowedRe
- NovaCompute0
- NovaCompute0Config
- NovaCompute1
- NovaCompute1Config
Type: OS::Heat:
and do a stack-update with this new template.
The operation fails during the ComputeAccessPolicy update.
Heat event log: http://
stack trace from heat-engine: http://
The reason as far as I can see is this:
1. AccessPolicy validates on creation that the stack has all the AllowedResources:
2. AccessPolicy is created/updated before OS::Nova::Server resources (at least in our case)
3. This is not a problem because the AllowedResources don't have to be CREATE_COMPLETE or even CREATE_IN_PROGRESS yet -- they just have to be known to the stack
4. Updating AccessPolicy causes a replacement so this is verified during update, too
5. During stack-update, the ComputeAccessPolicy resource starts owned by the new stack (which is aware of the new NovaCompute1 and NovaCompute1Config resources):
6. However, right before the resource gets created, its internal reference to the owning stack is switched from the new stack to the current stack (which doesn't know about NovaCompute1 and NovaCompute1Con
The line above looks completely harmless, but it silently modifies the right-hand side of the assignment:
This means that this:
is now executed within the context of `existing_stack` and causes `AccessPolicy.
As an aside, however we end up fixing this (I'd like to have a look at it on Monday unless someone picks it up first), I think we should in general clean up any operator overloading that doesn't follow the expected behaviour (in this case assignment modifying the value being assigned). It violates the principle of least astonishment, explicit better than implicit and is just plain hard to understand.
Changed in tripleo: | |
status: | New → Confirmed |
importance: | Undecided → High |
Changed in heat: | |
status: | New → Confirmed |
importance: | Undecided → High |
milestone: | none → icehouse-rc1 |
Changed in tripleo: | |
status: | Confirmed → Fix Committed |
assignee: | nobody → Tomas Sedovic (tsedovic) |
Changed in tripleo: | |
status: | Fix Committed → Fix Released |
Changed in heat: | |
status: | Fix Committed → Fix Released |
Changed in heat: | |
milestone: | icehouse-rc1 → 2014.1 |
Excerpts from Tomas Sedovic's message of 2014-02-28 19:49:24 UTC: /bugs.launchpad .net/tripleo/ +bug/1279011 g::LaunchConfig uration) : licy: :AccessPolicy icy's AllowedResources to include these as well: licy: :AccessPolicy paste.openstack .org/show/ 64344/ paste.openstack .org/show/ 70606/ /github. com/openstack/ heat/blob/ e8eddb87d34aa9f e2a2f5abcb75d9b 27f86f1a68/ heat/engine/ resources/ user.py# L321 /github. com/openstack/ heat/blob/ e8eddb87d34aa9f e2a2f5abcb75d9b 27f86f1a68/ heat/engine/ update. py#L189 fig): /github. com/openstack/ heat/blob/ e8eddb87d34aa9f e2a2f5abcb75d9b 27f86f1a68/ heat/engine/ update. py#L123 /github. com/openstack/ heat/blob/ e8eddb87d34aa9f e2a2f5abcb75d9b 27f86f1a68/ heat/engine/ parser. py#L263 /github. com/openstack/ heat/blob/ e8eddb87d34aa9f e2a2f5abcb75d9b 27f86f1a68/ heat/engine/ update. py#L124 handle_ create` to raise an exception (since all this
> Public bug reported:
>
> We've hit this bug in TripleO:
> https:/
>
> We start with an AccessPolicy that has two allowed resources
> (OS::Nova::Server and AWS::AutoScalin
>
> ComputeAccessPo
> Properties:
> AllowedResources:
> - NovaCompute0
> - NovaCompute0Config
> Type: OS::Heat:
>
> We ask Heat to create the stack. Then we add another pair of resources
> (NovaCompute1 and NovaCompute1Config identical to the previous ones) and
> update ComputAccessPol
>
> ComputeAccessPo
> Properties:
> AllowedResources:
> - NovaCompute0
> - NovaCompute0Config
> - NovaCompute1
> - NovaCompute1Config
> Type: OS::Heat:
>
> and do a stack-update with this new template.
>
> The operation fails during the ComputeAccessPolicy update.
>
> Heat event log: http://
>
> stack trace from heat-engine: http://
>
> The reason as far as I can see is this:
>
> 1. AccessPolicy validates on creation that the stack has all the
> AllowedResources:
>
> https:/
>
> 2. AccessPolicy is created/updated before OS::Nova::Server resources (at least in our case)
> 3. This is not a problem because the AllowedResources don't have to be CREATE_COMPLETE or even CREATE_IN_PROGRESS yet -- they just have to be known to the stack
> 4. Updating AccessPolicy causes a replacement so this is verified during update, too
> 5. During stack-update, the ComputeAccessPolicy resource starts owned by the new stack (which is aware of the new NovaCompute1 and NovaCompute1Config resources):
>
> https:/
>
> 6. However, right before the resource gets created, its internal
> reference to the owning stack is switched from the new stack to the
> current stack (which doesn't know about NovaCompute1 and
> NovaCompute1Con
>
> https:/
>
> The line above looks completely harmless, but it silently modifies the
> right-hand side of the assignment:
>
> https:/
>
> This means that this:
>
> https:/
>
> is now executed within the context of `existing_stack` and causes
> `AccessPolicy.
> happens before the AllowedResources are created).
>
> As an aside, however we end up fixing this (I'd like to have a look at
> it on Monday unless someone picks it up first), I think we should in
> general clean up any operator overloading that doesn't follow the
> expected behaviour (in this case assignment modifying the value bei...