Deleting port doesn't delete DNS records
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Confirmed | Undecided | Miguel Lavalle |
Bug Description
Environment: Ubuntu 16.04.3 LTS, Ocata
Summary:
For each new stack created, records are automatically created for each instance; on the other hand, deleting the stack doesn't trigger the deletion of those records.
We have configured internal DNS integration using Designate: creating an instance/port triggers record creation, and deleting an instance/port triggers record deletion.
However, when creating a Heat stack, record creation works great for each instance that is part of the stack, but deleting the stack does not trigger record deletion.
Miguel Lavalle (minsel) wrote : | #1 |
Mark Ts (madved4ik) wrote : | #2 |
Hi,
Thank you for your quick reply.
Yes, port data is being sent by Neutron to Designate, and yes, the ports are being deleted properly.
Miguel Lavalle (minsel) wrote : | #3 |
Hi Mark,
Some questions:
1) If you create and delete the instance manually (no Heat), the records are sent and removed from Designate correctly, right?
2) When creating and deleting the instance with Heat, are you using the same user / project_id as in the manual case?
3) In the Heat case, how about the PTR records? Are they removed correctly?
4) Do you have access to the Neutron server log? At the time of the instance/port deletion with Heat, can you see a traceback reporting problems deleting the record from Designate?
Hirofumi Ichihara (ichihara-hirofumi) wrote : | #4 |
We need more information as Miguel commented.
Changed in neutron: | |
status: | New → Incomplete |
Mark Ts (madved4ik) wrote : | #5 |
- neutronlogs.txt Edit (64.2 KiB, text/plain)
Hi Miguel,
1) Yes.
2) Yes, I've tried with the same user&project and with different users on different projects.
3) Nope, they aren't removed.
4) In the logs, with debug enabled, I can see the port deletion initiated after deleting the stack,
but no error regarding the record deletion.
The logs I collected after the stack deletion are attached; maybe I missed something?
Launchpad Janitor (janitor) wrote : | #6 |
[Expired for neutron because there has been no activity for 60 days.]
Changed in neutron: | |
status: | Incomplete → Expired |
Changed in neutron: | |
status: | Expired → New |
Dr. Jens Harbott (j-harbott) wrote : | #7 |
Some more questions:
1. Am I right in assuming that you are talking about DNS records that correspond to floating IPs that are associated to an instance? I.e. scenario #1 as described in https:/
2. Does Heat delete the floating IPs that have been created for the stack on teardown?
In my local tests, the records are deleted only when the floating IP is being deleted, not when the instance or the Neutron port associated with it are deleted. One still might argue whether this is the correct behaviour (I think possibly not), but I would like to make sure we are talking about the same phenomenon here.
Pawel Suder (pasuder) wrote : | #8 |
In addition to Miguel's 3rd question:
Do you have logs from Heat and Designate for the situation when a stack is deleted while there are instances with ports with registered DNS records? Could you share them, please?
Also my questions:
1) is it possible to reproduce it on devstack?
2) what's the type of port? is it openvswitch?
3) which version of Ocata do you use? what is the latest commit ID from upstream repository? is it neutron-15.1.13?
4) what stack template do you use? could you share an example, please?
Mark Ts (madved4ik) wrote : | #9 |
Dr. Jens Harbott,
1. No, we follow use case #3 - "Ports are published directly in the external DNS service".
Perhaps that is the issue: the DNS records are removed only when the floating IPs are removed, and there are no floating IPs in this use case.
Pawel Suder,
1. Sorry but not currently.
2. Yes, it's openvswitch.
3. this is the commit ID "93330aca08c30f
I will share logs soon.
Pawel Suder (pasuder) wrote : | #10 |
1. Does the network have the dns_name attribute set?
2. Does the port have the dns_name attribute set?
3. How does the stack configure the network for each instance?
4. How does the stack remove the port? Or is it automatically removed with the instance?
5. What are the IP addresses assigned to the instance? Do you have records assigned to a floating IP? How are those ports created?
Dr. Jens Harbott (j-harbott) wrote : | #11 |
O.k., I can reproduce this without Heat, simply by doing:
1. Create a port in a network suited for use case 3.
2. Create an instance with --nic port-id=$port.
3. Observe that DNS records are created as expected.
4. Delete the instance.
5. Observe that DNS records still exist. (This is an issue similar to the one mentioned earlier for FIPs).
6. Delete the port.
7. Observe that DNS records are not deleted at this point either.
I did my testing with stable/ocata, will verify whether this still exists in master now.
summary: |
- Deleting heat stack doesnt delete dns records
+ Deleting port doesnt delete dns records
Changed in neutron: | |
status: | New → Confirmed |
Dr. Jens Harbott (j-harbott) wrote : | #12 |
Just noticed that there is an error in the Neutron server log for the deletion event. It looks like Neutron is using the wrong auth context for the deletion:
2018-04-25 09:40:37.532 14717 ERROR neutron.
sses '10.0.0.3, fdd0:1f70:
[traceback truncated in the original report; the repeated "ERROR neutron." lines were cut off]
and in the designate api log
2018-04-25 09:40:37.488 7978 DEBUG keystoneauth.
RESP BODY: {"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "a876b997d9254e
_http_log_response /usr/local/
[log lines truncated in the original report]
Pawel Suder (pasuder) wrote : | #13 |
Thank you for your update.
1. Did you reproduce the issue on devstack?
2. What type of port did you use?
3. What IP address did you use?
4. Could you provide command outputs for each step you mentioned, please?
Changed in neutron: | |
status: | Confirmed → New |
Dr. Jens Harbott (j-harbott) wrote : | #14 |
1. Yes devstack stable/ocata as well as master now.
2. vxlan, after devstack created network "private" with ID 42, edit /etc/neutron/
3. IPs are auto assigned from the subnets, see output below.
4. Sure:
ubuntu@ [command line truncated in the original report]
+---------------------+-----------+
| Field               | Value     |
+---------------------+-----------+
| admin_state_up      | UP        |
| allowed_            |           |
| binding_host_id     | None      |
| binding_profile     | None      |
| binding_vif_details | None      |
| binding_vif_type    | None      |
| binding_vnic_type   | normal    |
| created_at          | 2018-04-  |
| data_plane_status   | None      |
| description         |           |
| device_i...         |           |
+---------------------+-----------+
[output truncated in the original report]
Pawel Suder (pasuder) wrote : | #15 |
Thank you for your update.
I would like to ask you to provide a bit more data from the Designate logs. The provided line from the Designate log is for a Keystone token fetch (as per my understanding). More logs from Designate might help clarify whether the issue is on the Neutron or Designate side.
Coming back to the command outputs in your last reply, it seems that the port does not have dns_name and dns_domain set. As per the document https:/
Dr. Jens Harbott (j-harbott) wrote : | #16 |
The Designate logs in master don't have useful information; they only show the request finding 0 zones.
Apr 27 13:59:24 jh-devstack-01 designate-
[log lines truncated in the original report]
The port parameters do not actually seem to be required, so we should update the docs. The issue stays the same if I add the DNS parameters to the port creation as in the example in the docs.
Pawel Suder (pasuder) wrote : | #17 |
Thank you for your reply, please try to filter the Designate logs by these two request IDs:
- req-44539fbf-
- req-25dceb05-
Thank you!
Dr. Jens Harbott (j-harbott) wrote : | #18 |
O.k., I added a statement logging the context of the "list_zones" call to designate-api. When I just create the port (with DNS attrs) and delete it again directly, the recordsets are properly created and deleted again at the same time. The call to "list_zones" uses the "demo" user with whom all CLI commands are executed.
But if I create an instance with that port and delete the instance again before deleting the port, the "list_zones" call uses the "neutron" user defined in the "[designate]" part of neutron.conf. And of course this fails/lists no zones because the zone in question doesn't belong to that user.
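The mismatch can be illustrated with a tiny self-contained sketch (hypothetical names, not Designate's actual code): zone listing is filtered by the project ID carried in the request context, so a "list_zones" call performed under the service user's project finds nothing, even though the zone exists.

```python
# Toy illustration of project-scoped zone listing (hypothetical names,
# not Designate's real implementation).

ZONES = [
    {"name": "example.org.", "project_id": "demo-project"},
]

def list_zones(context_project_id):
    """Return only the zones owned by the caller's project."""
    return [z for z in ZONES if z["project_id"] == context_project_id]

# The 'demo' user who created the zone can see it.
assert len(list_zones("demo-project")) == 1

# The 'neutron' service user's context finds 0 zones, so the
# recordset deletion silently has nothing to act on.
assert list_zones("neutron-service") == []
```

This is why the CLI-driven delete works (the "demo" user owns the zone) while the instance-deletion path, which runs under the "[designate]" service credentials, reports 0 zones.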
Changed in neutron: | |
assignee: | nobody → Miguel Lavalle (minsel) |
status: | New → Confirmed |
Dr. Jens Harbott (j-harbott) wrote : | #19 |
One more thing to note: The error in q-svc happens during instance deletion. There seems to be no action towards designate happening when the port is deleted after that, in contrast to what happens when the port is deleted without having been attached to an instance.
Which may be an issue in itself, as the DNS records are created on port creation already. So maybe the correct solution would be to not try to delete them when the instance is deleted. For completeness, this also happens when I remove the port from the server beforehand.
Dr. Jens Harbott (j-harbott) wrote : | #20 |
More debugging:
1.: Deleting the port while it is attached to a server deletes both the port and the DNS records. (I'd assumed that this didn't work at all, similar to how deleting a volume is blocked while it is attached to a server.)
2.: The final issue seems to be caused by the server deletion also removing the "dns_name" attribute from the port. If I set the "dns_name" of the port to the original value again at that point, deletion of the port successfully also deletes the DNS records again.
Hang Yang (hangyang) wrote : | #21 |
Hi there, I recently ran into a similar issue when using Queens Senlin/
When Nova deallocates network resources for an instance, it calls _unbind_ports() for pre-existing ports [1] (in this case, ports created by Senlin/Heat before creating the instance [2]), and in _unbind_ports it clears device_id and device_owner as well as the dns_name [3]. Note that the port_client it uses has admin context [4], so when Neutron receives the dns_name update request, it searches for the dns_name within the admin zone and thus cannot find it, throwing an error.
After I commented out the 2 lines for the dns_name reset in [3], `openstack cluster node delete` now removes the DNS record cleanly without error. I'm not sure it is necessary to clear dns_name in _unbind_ports() on the Nova side, since the DNS record will eventually be removed when the port is deleted. But judging from the PR [5] that added those two lines, they seem to be required.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
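The unbind behaviour described above can be sketched as a minimal simulation (hypothetical names; not Nova's actual _unbind_ports implementation):

```python
# Simplified stand-in for the behaviour described for Nova's
# _unbind_ports (hypothetical names, illustration only).

def unbind_port(port):
    """Restore a pre-existing port to its unbound state.

    Nova clears device_id, device_owner and dns_name via an
    admin-context client; the dns_name update is what triggers the
    failing project-scoped zone lookup in Designate.
    """
    port["device_id"] = ""
    port["device_owner"] = ""
    port["dns_name"] = ""  # commenting this out avoided the error
    return port

port = {"device_id": "vm-1", "device_owner": "compute:nova",
        "dns_name": "my-instance"}
unbind_port(port)

# After unbinding, dns_name is empty, so a later port deletion has no
# name left to match against the DNS records.
assert port["dns_name"] == ""
```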
Miguel Lavalle (minsel) wrote : | #22 |
The issue was really introduced by this change https:/
1) When we have an orchestration layer, the ports are created before the VM is created. When the VM is deleted, Nova assumes correctly that it has to restore the port to its previous state, clearing the device_id, device_owner and dns_name. Nova does this using a neutron client with admin context, not the context of the user that is creating and deleting the VM
2) At the same time, in Designate the zones and recordsets are segregated by project / tenant. I cannot see or modify a zone that wasn't created by my project. That is why in Nova, when the VM is created, we update the port's dns_name using a neutron client with the context of the user creating the VM. Please look at this method: https:/
3) That is why the fix for the bug indicated above was incomplete: it should do something similar to what we do during VM creation. If dns_name is not None and the port's network has dns_domain set, it should assume that recordsets need to be removed from an external DNS service (Designate) and issue a second port update just to clear dns_name, using a neutron client with the user's context
So the fix has to take place in Nova.
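A rough sketch of that proposed fix, under the assumptions above (the function and FakeClient names are hypothetical, not Nova's actual API):

```python
class FakeClient:
    """Minimal stand-in for a Neutron client (illustration only)."""
    def __init__(self):
        self.updates = []

    def update_port(self, port_id, **attrs):
        self.updates.append((port_id, attrs))

def unbind_port_with_dns(port, network, admin_client, user_client):
    """Clear binding attributes with the admin client, but clear
    dns_name in a second update issued with the user's context, so
    Designate can find the zone in the user's project (mirroring what
    is done on instance creation).
    """
    admin_client.update_port(port["id"], device_id="", device_owner="")
    if port.get("dns_name") and network.get("dns_domain"):
        # Recordsets are segregated by project, so this update must
        # run with the user's credentials.
        user_client.update_port(port["id"], dns_name="")

admin, user = FakeClient(), FakeClient()
port = {"id": "p1", "dns_name": "my-instance"}
network = {"dns_domain": "example.org."}
unbind_port_with_dns(port, network, admin, user)
```

In this sketch the admin client only ever touches device_id/device_owner, while the dns_name update travels with the user's own context, which is the part the current Nova code gets wrong.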
@Hang,
Are you going to file a bug in Nova and propose a fix?
Hang Yang (hangyang) wrote : | #23 |
Thanks @Miguel. A Nova bug is filed here: https:/
Just to be clear on the situation: port data is being sent by Neutron to Designate, correct? If that is the case, we are talking about external DNS integration.
I am assuming then external DNS integration with Designate. When a port is deleted, its corresponding records in Designate are deleted just before the port is actually deleted, because the code that takes care of it is triggered by a BEFORE_DELETE event: https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/extensions/dns_integration.py#L530-L532. So my next question is: are the ports being deleted properly by Heat?
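The BEFORE_DELETE hook mentioned above follows Neutron's subscribe/notify callback pattern; a minimal toy version of that pattern (illustration only, not neutron_lib's actual registry code) looks like this:

```python
# Minimal sketch of a subscribe/notify registry in the style of
# neutron_lib.callbacks (hypothetical, illustration only).

_callbacks = {}

def subscribe(callback, resource, event):
    _callbacks.setdefault((resource, event), []).append(callback)

def notify(resource, event, **kwargs):
    for cb in _callbacks.get((resource, event), []):
        cb(resource, event, **kwargs)

deleted_records = []

def delete_dns_records(resource, event, port=None, **kwargs):
    # Runs BEFORE the port row is removed, while dns_name is still
    # readable, which is why clearing dns_name earlier breaks it.
    deleted_records.append(port["dns_name"])

subscribe(delete_dns_records, "port", "before_delete")
notify("port", "before_delete", port={"dns_name": "my-instance"})
```

Because the handler reads dns_name at notification time, anything that blanks dns_name before the port delete (as the Nova unbind path does) leaves the handler with nothing to remove.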