[neutron] Failed to create a duplicate DefaultSecurityGroup

Neil Jerram neil at tigera.io
Tue Jun 16 08:58:04 UTC 2020


With Ussuri I'm hitting this in the neutron server:

Failed to create a duplicate DefaultSecurityGroup: for attribute(s)
['PRIMARY'] with value(s) 11447be9beda4bf78dab27cdb75058e2
pymysql.err.IntegrityError: (1062, "Duplicate entry
'11447be9beda4bf78dab27cdb75058e2' for key 'PRIMARY'")
oslo_db.exception.DBDuplicateEntry: (pymysql.err.IntegrityError) (1062,
"Duplicate entry '11447be9beda4bf78dab27cdb75058e2' for key 'PRIMARY'")
[SQL: INSERT INTO default_security_group (project_id, security_group_id)
VALUES (%(project_id)s, %(security_group_id)s)]
[parameters: {'project_id': '11447be9beda4bf78dab27cdb75058e2',
'security_group_id': '9f3a473c-b08a-4cf2-8327-10ecc8b87301'}]
neutron_lib.objects.exceptions.NeutronDbObjectDuplicateEntry: Failed to
create a duplicate DefaultSecurityGroup: for attribute(s) ['PRIMARY'] with
value(s) 11447be9beda4bf78dab27cdb75058e2

(Those are all, I believe, reports of the same problem, at different levels
of the stack.)

IIUC, this is triggered by my Neutron driver calling

        rules = self.db.get_security_group_rules(
            context, filters={'security_group_id': sgids}
        )

where the context has project_id 11447be9beda4bf78dab27cdb75058e2.  Deep
down inside that call, Neutron tries to ensure that there is a default
security group for that project, and somehow that hits the reported
exception.

Here's the code in securitygroups_db.py:

    def _ensure_default_security_group(self, context, tenant_id):
        """Create a default security group if one doesn't exist.

        :returns: the default security group id for given tenant.
        """
        default_group_id = self._get_default_sg_id(context, tenant_id)
        if default_group_id:
            return default_group_id

        security_group = {
            'security_group':
                {'name': 'default',
                 'tenant_id': tenant_id,
                 'description': _('Default security group')}
        }
        return self.create_security_group(context, security_group,
                                          default_sg=True)['id']

Obviously it checks first if the default SG already exists for the project,
before creating it if not.  So why would that code hit the duplicate
exception as shown above?

Any ideas welcome!

Best wishes,
     Neil
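
An added example, not part of the original post and not Neutron's code: a check-then-create sequence shaped like the quoted `_ensure_default_security_group` can still raise a duplicate primary key error if another writer inserts the row between the check and the insert. The post does not establish that this is the cause of the error reported above. The sketch uses sqlite3 as a stand-in database, and the schema, function names and the `between` hook are assumptions made for illustration.

```python
import sqlite3
import uuid


def make_db():
    # In-memory stand-in for the table named in the traceback (constructed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE default_security_group ("
               "project_id TEXT PRIMARY KEY, security_group_id TEXT NOT NULL)")
    return db


def get_default_sg_id(db, project_id):
    row = db.execute("SELECT security_group_id FROM default_security_group "
                     "WHERE project_id = ?", (project_id,)).fetchone()
    return row[0] if row else None


def insert_default_sg(db, project_id):
    sg_id = str(uuid.uuid4())
    with db:  # commits on success, rolls back if the INSERT fails
        db.execute("INSERT INTO default_security_group VALUES (?, ?)",
                   (project_id, sg_id))
    return sg_id


def ensure_naive(db, project_id, between=lambda: None):
    """Check, then create. `between` simulates another worker running in the gap."""
    existing = get_default_sg_id(db, project_id)
    if existing:
        return existing
    between()  # hypothetical hook: a concurrent request creates the row here
    return insert_default_sg(db, project_id)  # IntegrityError if the row now exists


def ensure_tolerant(db, project_id, between=lambda: None):
    """Same check, but a duplicate key means 'already created': re-read the row."""
    try:
        return ensure_naive(db, project_id, between)
    except sqlite3.IntegrityError:
        return get_default_sg_id(db, project_id)
```

In both variants the primary key on `project_id` is what guarantees a single default group per project; the tolerant variant only changes how the losing writer reacts.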