[Yahoo-eng-team] [Bug 1774205] Re: AggregateMultiTenancyIsolation uses wrong tenant_id during cold migrate

2018-06-12 Thread OpenStack Infra
Reviewed:  https://review.openstack.org/571245
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=8c216608194c89d281e8d2b66abd1e50e2405b01
Submitter: Zuul
Branch:    master

commit 8c216608194c89d281e8d2b66abd1e50e2405b01
Author: Matt Riedemann 
Date:   Wed May 30 12:07:53 2018 -0400

Use instance project/user when creating RequestSpec during resize reschedule

When rescheduling from a failed cold migrate / resize, the compute
service does not pass the request spec back to conductor so we
create one based on the in-scope variables.

This introduces a problem for some scheduler filters like the
AggregateMultiTenancyIsolation filter since it will create the
RequestSpec using the project and user information from the current
context, which for a cold migrate is the admin and might not be
the owner of the instance (which could be in some other project).
So the AggregateMultiTenancyIsolation filter might reject the
request or select a host that fits an aggregate for the admin but
not the end user.

This fixes the problem by using the instance project/user information
when constructing the RequestSpec which will take priority over
the context in RequestSpec.from_components().

Long-term we need the compute service to pass the request spec back
to the conductor during a reschedule, but we do this first since we
can backport it.

Change-Id: Iaaf7f68d6874fd5d6e737e7d2bc589ea4a048fee
Closes-Bug: #1774205


** Changed in: nova
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1774205

Title:
  AggregateMultiTenancyIsolation uses wrong tenant_id during cold
  migrate

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) ocata series:
  Triaged
Status in OpenStack Compute (nova) pike series:
  New
Status in OpenStack Compute (nova) queens series:
  New

Bug description:
  The details are in this mailing list thread:

  http://lists.openstack.org/pipermail/openstack-operators/2018-May/015347.html

  But essentially the case is:

  * There are 3 compute hosts.
  * compute1 and compute2 are in a host aggregate and a given tenant is
    restricted to that aggregate
  * The user creates a server on compute1
  * The admin attempts to cold migrate the server which fails in the
    AggregateMultiTenancyIsolation filter because it says the tenant_id in the
    request is not part of the matching host aggregate.

  The reason is because the cold migrate task in the conductor replaces
  the original request spec, which had the instance project_id in it,
  and uses the current context, which is the admin (which could be in a
  different project):

  https://github.com/openstack/nova/blob/stable/ocata/nova/conductor/tasks/migrate.py#L50

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1774205/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
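
A simplified model of the scheduling decision described in the commit message and bug description above, added here as an illustration; it is not nova code. The `Context`, `Instance`, `build_spec` and `reschedule` names, the project IDs, and the admin-only aggregate on compute3 are assumptions; `filter_tenant_id` is the aggregate metadata key the filter reads.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:            # identity of the caller (the admin during cold migrate)
    project_id: str

@dataclass(frozen=True)
class Instance:           # the server being migrated and its owning project
    project_id: str
    host: str

# Constructed layout. compute1/compute2 are restricted to the tenant, as in the
# bug description; the admin-only aggregate on compute3 is an added assumption.
AGGREGATES = [
    {"hosts": {"compute1", "compute2"}, "filter_tenant_id": {"tenant-a"}},
    {"hosts": {"compute3"}, "filter_tenant_id": {"admin-project"}},
]
HOSTS = ["compute1", "compute2", "compute3"]

def build_spec(context, instance, use_instance_owner):
    """Model of the reschedule path: decide whose project lands in the spec."""
    project = instance.project_id if use_instance_owner else context.project_id
    # A cold migrate moves the server off its current host.
    return {"project_id": project, "ignore_hosts": {instance.host}}

def tenant_isolation_passes(host, spec):
    """Pass if the host has no tenant restriction or the spec's project is listed."""
    tenants = set()
    for agg in AGGREGATES:
        if host in agg["hosts"]:
            tenants |= agg["filter_tenant_id"]
    return not tenants or spec["project_id"] in tenants

def reschedule(context, instance, use_instance_owner, hosts=HOSTS):
    """Return the hosts that survive filtering for the rebuilt request spec."""
    spec = build_spec(context, instance, use_instance_owner)
    return [h for h in hosts
            if h not in spec["ignore_hosts"] and tenant_isolation_passes(h, spec)]

if __name__ == "__main__":
    admin = Context("admin-project")
    server = Instance("tenant-a", "compute1")
    print("spec from context :", reschedule(admin, server, False))
    print("spec from instance:", reschedule(admin, server, True))
    print("context, no compute3:",
          reschedule(admin, server, False, hosts=["compute1", "compute2"]))
```

With the spec built from the admin context the tenant's server either lands on the admin-only host or, when that host is unavailable, has no valid host at all; built from the instance owner it stays inside the tenant's aggregate.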


[Yahoo-eng-team] [Bug 1774205] Re: AggregateMultiTenancyIsolation uses wrong tenant_id during cold migrate

2018-05-30 Thread Matt Riedemann
** Also affects: nova/pike
   Importance: Undecided
   Status: New

** Also affects: nova/ocata
   Importance: Undecided
   Status: New

** Also affects: nova/queens
   Importance: Undecided
   Status: New

** Changed in: nova/ocata
   Status: New => Triaged


Status in OpenStack Compute (nova):
  Triaged
Status in OpenStack Compute (nova) ocata series:
  Triaged
Status in OpenStack Compute (nova) pike series:
  New
Status in OpenStack Compute (nova) queens series:
  New
