create default security group using an independent context

The current method of creating a default security group may run under
an upper-level context. If creating the default security group raises
a duplicate primary key exception, the context needs to be rolled back
but is not, which affects subsequent database operations.

Through the submission of patch8, a default security group was
created every time. Upon reviewing the [1] log "Default FWG
was concurrently created", it was determined that duplicate primary keys
were actually triggered and the issue(#2061883) was fixed.

Closes-Bug: #2061883

[1] https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_94a/916968/8/check/neutron-tempest-plugin-fwaas/94a09c8/controller/logs/screen-q-svc.txt

Change-Id: Ib2e412ed5e5d4c4fcb4f0abe71d4750fb78bce27
zhouhenglc 2024-04-25 14:21:15 +08:00 committed by ZhouHeng
parent 5f746b474c
commit e578839fca


@ -18,6 +18,7 @@ import copy
import netaddr import netaddr
from neutron_lib import constants as nl_constants from neutron_lib import constants as nl_constants
from neutron_lib import context as lib_context
from neutron_lib.db import api as db_api from neutron_lib.db import api as db_api
from neutron_lib.db import constants as db_constants from neutron_lib.db import constants as db_constants
from neutron_lib.db import model_base from neutron_lib.db import model_base
@ -874,11 +875,10 @@ class FirewallPluginDb(object):
firewall_group_id=firewall_group_id).delete() firewall_group_id=firewall_group_id).delete()
return return
@db_api.CONTEXT_WRITER
def _get_default_fwg_id(self, context, tenant_id): def _get_default_fwg_id(self, context, tenant_id):
"""Returns an id of default firewall group for given tenant or None""" """Returns an id of default firewall group for given tenant or None"""
default_fwg = model_query.query_with_hooks( default_fwg = model_query.query_with_hooks(
context, FirewallGroup).filter_by( context.elevated(), FirewallGroup).filter_by(
project_id=tenant_id, name=const.DEFAULT_FWG).first() project_id=tenant_id, name=const.DEFAULT_FWG).first()
if default_fwg: if default_fwg:
return default_fwg.id return default_fwg.id
@ -917,10 +917,11 @@ class FirewallPluginDb(object):
try: try:
# NOTE(cby): default fwg not created => we try to create it! # NOTE(cby): default fwg not created => we try to create it!
with db_api.CONTEXT_WRITER.using(context): ctx = lib_context.get_admin_context()
with db_api.CONTEXT_WRITER.using(ctx):
fwr_ids = self._create_default_firewall_rules( fwr_ids = self._create_default_firewall_rules(
context, tenant_id) ctx, tenant_id)
ingress_fwp = { ingress_fwp = {
'description': 'Ingress firewall policy', 'description': 'Ingress firewall policy',
'firewall_rules': [fwr_ids['in_ipv4'], 'firewall_rules': [fwr_ids['in_ipv4'],
@ -932,9 +933,9 @@ class FirewallPluginDb(object):
fwr_ids['eg_ipv6']], fwr_ids['eg_ipv6']],
} }
ingress_fwp_db = self._create_default_firewall_policy( ingress_fwp_db = self._create_default_firewall_policy(
context, tenant_id, 'ingress', **ingress_fwp) ctx, tenant_id, 'ingress', **ingress_fwp)
egress_fwp_db = self._create_default_firewall_policy( egress_fwp_db = self._create_default_firewall_policy(
context, tenant_id, 'egress', **egress_fwp) ctx, tenant_id, 'egress', **egress_fwp)
fwg = { fwg = {
'name': const.DEFAULT_FWG, 'name': const.DEFAULT_FWG,
@ -948,8 +949,8 @@ class FirewallPluginDb(object):
'description': 'Default firewall group', 'description': 'Default firewall group',
} }
fwg_db = self._create_firewall_group( fwg_db = self._create_firewall_group(
context, fwg, default_fwg=True) ctx, fwg, default_fwg=True)
context.session.add(DefaultFirewallGroup( ctx.session.add(DefaultFirewallGroup(
firewall_group_id=fwg_db['id'], firewall_group_id=fwg_db['id'],
project_id=tenant_id)) project_id=tenant_id))
return fwg_db['id'] return fwg_db['id']
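Review bot: With `context.elevated()` in `_get_default_fwg_id` and `lib_context.get_admin_context()` around the creation block, the caller's project scoping no longer applies to the lookup or the writes, so the explicit `tenant_id` argument is the only thing tying the default group to a project. The callers are not visible in these hunks, so it is worth confirming that each one takes `tenant_id` from the authenticated request context and not from a request body; otherwise default rules, policies and a group could be created for a project the caller does not own. The writes also commit in their own transaction now, so they persist even if the outer request later rolls back, which appears intended but is not stated in the code. A comment above the `ctx = lib_context.get_admin_context()` line would record both points, e.g. `# Separate admin transaction so a duplicate-key failure cannot poison the caller's session; tenant_id must come from the authenticated context.` The enclosing method starts before and continues after the hunks shown.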