Move confirm resize under semaphore

The 'ResourceTracker.update_available_resource' periodic task builds
usage information for the current host by inspecting instances and
in-progress migrations, combining the two. Specifically, it finds all
instances that are not in the 'DELETED' or 'SHELVED_OFFLOADED' state,
calculates the usage from these, then finds all in-progress migrations
for the host that don't have an associated instance (to prevent double
accounting) and includes the usage for these.

In addition to the periodic task, the 'ResourceTracker' class has a
number of helper functions to make or drop claims for the inventory
generated by the 'update_available_resource' periodic task as part of
the various instance operations. These helpers naturally assume that
when making a claim for a particular instance or migration, there
shouldn't already be resources allocated for same. Conversely, when
dropping claims, the resources should currently be allocated. However,
the check for *active* instances and *in-progress* migrations in the
periodic task means we have to be careful in how we make changes to a
given instance or migration record. Running the periodic task between
such an operation and an attempt to make or drop a claim can result in
TOCTOU-like races.

This generally isn't an issue: we use the 'COMPUTE_RESOURCE_SEMAPHORE'
semaphore to prevent the periodic task running while we're claiming
resources in helpers like 'ResourceTracker.instance_claim' and we make
our changes to the instances and migrations within this context. There
is one exception though: the 'drop_move_claim' helper. This function is
used when dropping a claim for either a cold migration, a resize or a
live migration, and will drop usage from either the source host (based
on the "old" flavor) for a resize confirm or the destination host (based
on the "new" flavor) for a resize revert or live migration rollback.
Unfortunately, while the function itself is wrapped in the semaphore, no
changes to the state of the instance or migration in question are
protected by it.

Consider the confirm resize case, which we're addressing here. If we
mark the migration as 'confirmed' before running 'drop_move_claim', then
the periodic task running between these steps will not account for the
usage on the source since the migration is allegedly 'confirmed'. The
call to 'drop_move_claim' will then result in the tracker dropping usage
that we're no longer accounting for. This "set migration status before
dropping usage" is the current behaviour for both same-cell and
cross-cell resize, via the 'ComputeManager.confirm_resize' and
'ComputeManager.confirm_snapshot_based_resize_at_source' functions,
respectively. We could reverse those calls and run 'drop_move_claim'
before marking the migration as 'confirmed', but while our usage will be
momentarily correct, the periodic task running between these steps will
re-add the usage we just dropped since the migration isn't yet
'confirmed'. The correct solution is to close this gap between setting
the migration status and dropping the move claim to zero. We do this by
putting both operations behind the 'COMPUTE_RESOURCE_SEMAPHORE', just
like the claim operations.

Change-Id: I26b050c402f5721fc490126e9becb643af9279b4
Signed-off-by: Stephen Finucane <>
Partial-Bug: #1879878
(cherry picked from commit a57800d382)
Stephen Finucane 2 years ago
parent ce95af2caf
commit 4fcada57d6
  1. 23
  2. 22
  3. 2
  4. 16
  5. 6
  6. 28
  7. 22

@ -4357,6 +4357,8 @@ class ComputeManager(manager.Manager):
# NOTE(tr3buchet): tear down networks on source host
self.network_api.setup_networks_on_host(context, instance,
migration.source_compute, teardown=True)
# TODO(stephenfin): These next three calls should be bundled
network_info = self.network_api.get_instance_nw_info(context,
@ -4370,17 +4372,8 @@ class ComputeManager(manager.Manager):
self.driver.confirm_migration(context, migration, instance,
migration.status = 'confirmed'
# NOTE(mriedem): drop_move_claim relies on
# instance.migration_context so make sure to not call
# instance.drop_migration_context() until after drop_move_claim
# is called.
context, instance, migration.source_node, instance.old_flavor,
# Free up the old_flavor usage from the resource tracker for this host.
self.rt.drop_move_claim_at_source(context, instance, migration)
# NOTE(mriedem): The old_vm_state could be STOPPED but the user
# might have manually powered up the instance to confirm the
@ -4538,13 +4531,7 @@ class ComputeManager(manager.Manager):
self._delete_volume_attachments(ctxt, instance.get_bdms())
# Free up the old_flavor usage from the resource tracker for this host.
ctxt, instance, migration.source_node, instance.old_flavor,
migration.status = 'confirmed'
self.rt.drop_move_claim_at_source(ctxt, instance, migration)
def _confirm_snapshot_based_resize_delete_port_bindings(
self, ctxt, instance, migration):
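Review bot: The comment kept above both new `self.rt.drop_move_claim_at_source(...)` calls (hunks -4370 and -4538), `# Free up the old_flavor usage from the resource tracker for this host.`, no longer describes everything the call does. Per the resource tracker section of this commit, the helper also sets `migration.status = 'confirmed'` while holding `COMPUTE_RESOURCE_SEMAPHORE`, and keeping those two steps together is what closes the race with the periodic task. I would reword it at both call sites to something like `# Mark the migration confirmed and drop the old_flavor usage in one step under the RT semaphore; do not set migration.status here.` so a later edit does not reintroduce the gap. This assumes the bare `migration.status = 'confirmed'` lines shown in these hunks are the removed side, which the page no longer marks; both enclosing functions start and end outside the hunks.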

@ -537,9 +537,31 @@ class ResourceTracker(object):
dev_pools_obj = self.pci_tracker.stats.to_device_pools_obj()
self.compute_nodes[nodename].pci_device_pools = dev_pools_obj
@utils.synchronized(COMPUTE_RESOURCE_SEMAPHORE, fair=True)
def drop_move_claim_at_source(self, context, instance, migration):
"""Drop a move claim after confirming a resize or cold migration."""
migration.status = 'confirmed'
context, instance, migration.source_node, instance.old_flavor,
# NOTE(stephenfin): Unsetting this is unnecessary for cross-cell
# resize, since the source and dest instance objects are different and
# the source instance will be deleted soon. It's easier to just do it
# though.
@utils.synchronized(COMPUTE_RESOURCE_SEMAPHORE, fair=True)
def drop_move_claim(self, context, instance, nodename,
instance_type=None, prefix='new_'):
context, instance, nodename, instance_type, prefix='new_')
def _drop_move_claim(
self, context, instance, nodename, instance_type=None, prefix='new_',
"""Remove usage for an incoming/outgoing migration.
:param context: Security context.
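Review bot: The synchronized `drop_move_claim` wrapper still accepts a `prefix` argument, but the argument line shown for its delegation to `_drop_move_claim` passes the literal `prefix='new_'`, so a caller-supplied prefix would be silently ignored. If that line is what it appears to be, it should forward the parameter: `context, instance, nodename, instance_type, prefix=prefix)`. Whether any remaining caller passes a non-default prefix is not visible here, but a caller passing `'old_'` would have usage dropped against the wrong flavor with no error. The body of `_drop_move_claim` continues outside the hunk.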

@ -981,7 +981,7 @@ class ConfirmResizeTask(base.TaskBase):
LOG.debug('Updating migration and instance status in target cell DB.',
# Complete the migration confirmation.
# Update the target cell migration.
self.migration.status = 'confirmed'
# Update the target cell instance.

@ -65,7 +65,7 @@ class TestColdMigrationUsage(integrated_helpers._IntegratedTestBase):
self.assertUsage(src_host, 1)
self.assertUsage(dst_host, 0)
orig_drop_claim = rt.ResourceTracker.drop_move_claim
orig_drop_claim = rt.ResourceTracker.drop_move_claim_at_source
def fake_drop_move_claim(*args, **kwargs):
# run periodics after marking the migration confirmed, simulating a
@ -78,15 +78,14 @@ class TestColdMigrationUsage(integrated_helpers._IntegratedTestBase):
if drop_race:
# FIXME(stephenfin): the periodic should not have dropped the
# records for the src yet
self.assertUsage(src_host, 0)
self.assertUsage(dst_host, 1)
self.assertUsage(src_host, 1)
self.assertUsage(dst_host, 1)
return orig_drop_claim(*args, **kwargs)
@ -102,10 +101,7 @@ class TestColdMigrationUsage(integrated_helpers._IntegratedTestBase):
# migration is now confirmed so we should once again only have usage on
# one host
# FIXME(stephenfin): Our usage here should be 0 and 1 for source and
# dest respectively when confirming, but that won't happen until we run
# the periodic and rebuild our inventory from scratch
self.assertUsage(src_host, -1 if drop_race else 0)
self.assertUsage(src_host, 0)
self.assertUsage(dst_host, 1)
# running periodics shouldn't change things
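Review bot: The context comment inside `fake_drop_move_claim`, `# run periodics after marking the migration confirmed, simulating a`, looks stale now that the wrapper patches `drop_move_claim_at_source`. According to the resource tracker section of this commit, the status is set to 'confirmed' inside that method, so the periodic in the fake runs before the status change rather than between it and the claim drop. I would reword it along the lines of `# run periodics just before the claim is dropped; the status change and the drop now happen together under the RT semaphore` so the test documents the ordering it actually exercises. The rest of the comment and the enclosing test method lie outside the hunks shown.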

@ -8229,14 +8229,10 @@ class ComputeTestCase(BaseTestCase,
instance.new_flavor = new_type
instance.migration_context = objects.MigrationContext()
def fake_drop_move_claim(*args, **kwargs):
def fake_setup_networks_on_host(self, *args, **kwargs):
with test.nested(

@ -8588,14 +8588,7 @@ class ComputeManagerMigrationTestCase(test.NoDBTestCase,
mock_mig_save, mock_mig_get, mock_inst_get,
def fake_drop_move_claim(*args, **kwargs):
# RT.drop_move_claim must be called before
# instance.drop_migration_context.
mock_rt = self._mock_rt()
# Enforce order of drop_move_claim/drop_migration_context calls.
mock_rt.drop_move_claim.side_effect = fake_drop_move_claim
self.instance.migration_context = objects.MigrationContext(
@ -11386,22 +11379,22 @@ class ComputeManagerMigrationTestCase(test.NoDBTestCase,
def test_confirm_snapshot_based_resize_at_source(
self, mock_drop_mig_ctx, mock_delete_vols, mock_delete_bindings,
self, mock_delete_vols, mock_delete_bindings,
mock_delete_allocs, mock_get_bdms):
"""Happy path test for confirm_snapshot_based_resize_at_source."""
self.instance.old_flavor = objects.Flavor()
with test.nested(
mock.patch.object(self.compute, 'network_api'),
mock.patch.object(self.compute.driver, 'cleanup'),
mock.patch.object(self.compute.rt, 'drop_move_claim')
mock.patch.object(self.compute, 'network_api'),
mock.patch.object(self.compute.driver, 'cleanup'),
mock.patch.object(self.compute.rt, 'drop_move_claim_at_source')
) as (
mock_network_api, mock_cleanup, mock_drop_claim
mock_network_api, mock_cleanup, mock_drop_claim,
# Run the code.
self.context, self.instance, self.migration)
# Assert the mocks.
self.context, self.instance)
@ -11417,12 +11410,7 @@ class ComputeManagerMigrationTestCase(test.NoDBTestCase,
self.context, mock_get_bdms.return_value)
# Move claim and migration context were dropped.
self.context, self.instance, self.migration.source_node,
self.instance.old_flavor, prefix='old_')
# The migration was updated.
self.assertEqual('confirmed', self.migration.status)
self.context, self.instance, self.migration)
self.context, self.instance, self.migration)

@ -2541,6 +2541,7 @@ class TestResize(BaseTestCase):
mig_context_obj.new_resources = objects.ResourceList(
objects=[self.resource_1, self.resource_2])
instance.migration_context = mig_context_obj
instance.system_metadata = {}
migration = objects.Migration(
@ -2582,15 +2583,18 @@ class TestResize(BaseTestCase):
# Confirm or revert resize
if revert:
flavor = new_flavor
prefix = 'new_'
flavor = old_flavor
prefix = 'old_'
self.rt.drop_move_claim(ctx, instance, _NODENAME, flavor,
with test.nested(
if revert:
flavor = new_flavor
prefix = 'new_'
ctx, instance, _NODENAME, flavor, prefix=prefix)
else: # confirm
flavor = old_flavor
self.rt.drop_move_claim_at_source(ctx, instance, migration)
expected = compute_update_usage(expected, flavor, sign=-1)