[Yahoo-eng-team] [Bug 1843708] Re: [SRU] Key-pair is not updated during the rebuild

[Launchpad Bug Tracker]

This bug was fixed in the package nova - 2:17.0.13-0ubuntu5.4

---------------
nova (2:17.0.13-0ubuntu5.4) bionic; urgency=medium

  * Update keypairs when saving an instance (LP: #1843708)
    - d/p/objects-Update-keypairs-when-saving-an-instance.patch

 -- Zhang Hua <joshua.zh...@canonical.com>  Thu, 27 Apr 2023 04:21:53
+0800

** Changed in: nova (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1843708

Title:
  [SRU] Key-pair is not updated during the rebuild

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive rocky series:
  Won't Fix
Status in Ubuntu Cloud Archive stein series:
  Fix Released
Status in Ubuntu Cloud Archive train series:
  Fix Released
Status in Ubuntu Cloud Archive ussuri series:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) queens series:
  Fix Released
Status in OpenStack Compute (nova) rocky series:
  Fix Released
Status in OpenStack Compute (nova) stein series:
  Fix Released
Status in OpenStack Compute (nova) train series:
  Fix Released
Status in OpenStack Compute (nova) ussuri series:
  Fix Released
Status in nova package in Ubuntu:
  Invalid
Status in nova source package in Bionic:
  Fix Released
Status in nova source package in Focal:
  Fix Released

Bug description:
  [Impact]

  During rebuilds, the customer was unable to update the instance's
  keypair.

  [Test Case]

  - create a bionic openstack test env

  - choose the key 'testkey' to create an instance

  openstack keypair create mykey --public-key ~/.ssh/id_rsa.pub 
  openstack keypair create testkey --public-key /home/ubuntu/testkey.pub
  openstack server create --flavor m1.small --image jammy --key-name testkey 
--network=$(openstack network show private -f value -c id)  i1

  - create a new instance from the snapshot and choose a different
  keypair 'mykey' at rebuild time

  openstack --os-compute-api-version 2.54 server rebuild --image jammy 
--key-name mykey --name i1 i1
  sudo ip netns exec qrouter-xxx ssh ubuntu@192.168.21.4 -i ~/testkey.priv -v
  sudo ip netns exec qrouter-xxx ssh ubuntu@192.168.21.4 -i ~/id_rsa -v

  the new instance should accept the new key and reject the old key, but
  the result is the new instance rejects the new key but old key still
  works.

  [Regression Potential]

  This fix 6a7a78a44 is already in stable/queens and all versions since
  queens, bionic uses 17.0.13 rather than stable/queens, we just SRU
  this fix to 17.0.13 so there can't be any regression theoretically. On
  the other hand, code change is limited to _save_keypairs according to
  
https://review.opendev.org/c/openstack/nova/+/683043/19/nova/objects/instance.py
  so the regressions is also limited in _save_keypairs . The test will
  also ensure that other logic beyond _save_keypairs. I have tested this
  fix, it works. so I think it's safe.

  [Others]

  Original Bug Description Below
  ===========

  When we want to rebuild an instance and change the keypair we can specified 
it with :
  openstack --os-compute-api-version 2.54 server rebuild --image "Debian 10" 
--key-name key1 instance1

  This comes from this implementation :
  https://review.opendev.org/#/c/379128/
  
https://specs.openstack.org/openstack/nova-specs/specs/queens/implemented/rebuild-keypair-reset.html

  But when rebuilding the instance, Cloud-Init will set the key in 
authorized_keys from
  http://169.254.169.254/openstack/latest/meta_data.json

  And this meta_data.json uses the keys from instance_extra tables
  But the keypair will be updated in the 'instances' table but not in the 
'instance_extra' table.

  So the keypair is not updated inside the VM

  May be this is the function for saving the keypair, but the save() do nothing 
:
  
https://opendev.org/openstack/nova/src/branch/master/nova/objects/instance.py#L714

  Steps to reproduce
  ==================

  - Deploy a DevStack
  - Boot an instance with keypair key1
  - Rebuild it with key2
  - A nova show will show the key_name key2, keypairs object in table 
instance_extra is not updated and you cannot connect with key2 to the instance

  Expected result
  ===============
  Connecte to the Vm with the new keypair added during the rebuild call

  Actual result
  =============
  The keypair added during the rebuild call is not set in the VM

  Environment
  ===========
  I tested it on a Devstack from master and we have the behaviour.
  NOVA : commit 5fa49cd0b8b6015aa61b4312b2ce1ae780c42c64

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1843708/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp