Bug 1476332

Summary: Live migration of instance with config disk fails in nova-migration-wrapper
Product: Red Hat OpenStack Reporter: Matthew Booth <mbooth>
Component: openstack-novaAssignee: Ollie Walsh <owalsh>
Status: CLOSED ERRATA QA Contact: Joe H. Rahme <jhakimra>
Severity: high Docs Contact:
Priority: high    
Version: 10.0 (Newton)CC: awaugama, berrange, dasmith, eglynn, jjoyce, kchamart, owalsh, sbauza, sferdjao, sgordon, srevivo, vromanso
Target Milestone: zstreamKeywords: Regression, Triaged, ZStream
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-nova-2015.1.4-45.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1481397 1481400 1481402 1481404 (view as bug list) Environment:
Last Closed: 2017-10-19 18:19:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1481397, 1481400, 1481402, 1481404    

Description Matthew Booth 2017-07-28 16:16:44 UTC 
When live migrating an instance with a config disk, the destination copies the config disk from the source over scp. This is denied by nova-migration-wrapper with:

Jul 28 11:34:51 localhost nova_migration_wrapper: Denying connection='172.17.1.19 
33100 172.17.1.17 22' command=['scp', '-r', '-f', '/var/lib/nova/instances/2979904
7-9dfd-4bfd-80fe-54115897b353/disk.config']

Note that the scp command has '-f' in place of '-t'. I believe this is because this is a remote to local copy, not a local to remote copy:

https://github.com/openssh/openssh-portable/blob/master/scp.c#L713

We also do remote to local copies during both cold and live migration when a backing file is missing because an image has been deleted from glance. In this case the destination host side-loads the file from the image cache of the source host. I suspect this issue means that this case is also broken.
Comment 1 Matthew Booth 2017-07-28 16:52:20 UTC 
Fix:

/bin/nova-migration-wrapper gets:

  cold_migration_cmds = [
      ['mkdir', '-p'],
      ['rm', '-rf'],
      ['touch'],
      ['rm'],
      ['scp', '-r', '-t'],
+     ['scp', '-r', '-f'],
  ]

/etc/nova/migration/rootwrap.d/cold_migration.filters gets:

  copy_file: PathFilter, /usr/bin/scp, nova, -r, -t, /var/lib/nova/instances/
+ copy_file: PathFilter, /usr/bin/scp, nova, -r, -f, /var/lib/nova/instances/
Comment 6 errata-xmlrpc 2017-10-19 18:19:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2994