Don't retrieve SG port bindings when deleting a SG

Do not retrieve the security group port bindings in the database transaction that deletes a security group. In the previous context, if a security group port binding is present on the database, the method raises a ``SecurityGroupInUse``. It is unneeded to retrieve them again. This patch also changes the ``SecurityGroupPortBinding.security_group_id`` foreign key. Now if the security group is deleted, any security group port binding related will be too, using the database engine. That will ensure no leftover remains in the database. Although the check done in "delete_security_group" before the security group is deleted, there is a minimal possibility of race condition between the first database transaction (SG port binding check) and the second one (SG deletion). Trivial-Fix Change-Id: I1c9c2dd95b98a7cc77509b0d537d7c7766765275
2022-08-09 20:39:45 +02:00 · 2022-08-09 20:39:45 +02:00 · 7857a3194b
parent 492b68493f
commit 7857a3194b
4 changed files with 62 additions and 6 deletions
--- a/neutron/db/migration/alembic_migrations/versions/EXPAND_HEAD
+++ b/neutron/db/migration/alembic_migrations/versions/EXPAND_HEAD
@ -1 +1 @@
-21ff98fabab1
+5881373af7f5
--- a/neutron/db/migration/alembic_migrations/versions/zed/expand/5881373af7f5_delete_sgpb_on_sg_deletion.py
+++ b/neutron/db/migration/alembic_migrations/versions/zed/expand/5881373af7f5_delete_sgpb_on_sg_deletion.py
@ -0,0 +1,59 @@
+# Copyright 2022 OpenStack Foundation
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+from alembic import op
+import sqlalchemy as sa
+
+from neutron.db import migration
+
+"""delete SecurityGroupPortBinding on security group deletion
+
+Revision ID: 5881373af7f5
+Revises: 21ff98fabab1
+Create Date: 2022-08-10 07:17:00.360917
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '5881373af7f5'
+down_revision = '21ff98fabab1'
+
+TABLE_NAME = 'securitygroupportbindings'
+
+
+def upgrade():
+    inspector = sa.inspect(op.get_bind())
+    fk_constraints = inspector.get_foreign_keys(TABLE_NAME)
+    for fk in fk_constraints:
+        if fk['constrained_columns'] == ['security_group_id']:
+            migration.remove_foreign_keys(TABLE_NAME, [fk])
+            fk['options']['ondelete'] = 'CASCADE'
+            migration.create_foreign_keys(TABLE_NAME, [fk])
+            return
+
+
+def expand_drop_exceptions():
+    """Drop the foreign key from "securitygroupportbindings" table
+
+    In order to change the foreign key "security_group_id" from the table
+    "securitygroupportbindings" and set the condition "ondelete=CASCADE",
+    it is needed first to drop it, modify it and readd it again.
+    """
+    return {
+        sa.ForeignKeyConstraint: [
+            'securitygroupportbindings_ibfk_2',  # MySQL name
+            'securitygroupportbindings_security_group_id_fkey',  # PGSQL name
+        ],
+    }
--- a/neutron/db/models/securitygroup.py
+++ b/neutron/db/models/securitygroup.py
@ -63,7 +63,8 @@ class SecurityGroupPortBinding(model_base.BASEV2):
                                      ondelete='CASCADE'),
                        primary_key=True)
    security_group_id = sa.Column(sa.String(36),
-                                  sa.ForeignKey("securitygroups.id"),
+                                  sa.ForeignKey("securitygroups.id",
+                                                ondelete='CASCADE'),
                                  primary_key=True)
    revises_on_change = ('ports', )
    # Add a relationship to the Port model in order to instruct SQLAlchemy to
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@ -262,10 +262,6 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase,
        with db_api.CONTEXT_WRITER.using(context):
            # pass security_group_rule_ids to ensure
            # consistency with deleted rules
-            # get security_group_bindings and security_group one more time
-            # so that they will be attached for session where sg will be
-            # deleted
-            ports = self._get_port_security_group_bindings(context, filters)
            sg = self._get_security_group(context, id)
            sgr_ids = [r['id'] for r in sg.rules]
            sec_group = self._make_security_group_dict(sg)