From 6ea945e3b126879a86fe78d9c0537f5d258cf91a Mon Sep 17 00:00:00 2001
From: melanie witt <melwittt@gmail.com>
Date: Fri, 11 Oct 2019 21:08:33 +0000
Subject: [PATCH] Remove redundant call to get/create default security group

In the instance_create DB API method, it ensures the (legacy) default
security group gets created for the specified project_id if it does
not already exist. If the security group does not exist, it is created
in a separate transaction.

Later in the instance_create method, it reads the default security group
back that it wrote earlier (via the same ensure default security group
code). But since it was written in a separate transaction, the current
transaction will not be able to see it and will get back 0 rows. So, it
creates a duplicate default security group record if project_id=NULL
(which it will be, if running nova-manage db online_data_migrations,
which uses an anonymous RequestContext with project_id=NULL). This
succeeds despite the unique constraint on project_id because in MySQL,
unique constraints are only enforced on non-NULL values [1].

To avoid creation of a duplicate default security group for
project_id=NULL, we can use the default security group object that was
returned from the first security_group_ensure_default call earlier in
instance_create method and remove the second, redundant call.

This also breaks out the security groups setup code from a nested
method as it was causing confusion during code review and is not being
used for any particular purpose. Inspection of the original commit
where it was added in 2012 [2] did not contain any comments about the
nested method and it appeared to either be a way to organize the code
or a way to reuse the 'models' module name as a local variable name.

Closes-Bug: #1824435

[1] https://dev.mysql.com/doc/refman/8.0/en/create-index.html#create-index-unique
[2] https://review.opendev.org/#/c/8973/2/nova/db/sqlalchemy/api.py@1339

Change-Id: Idb205ab5b16bbf96965418cd544016fa9cc92de9
---
 gate/post_test_hook.sh    |  7 +------
 nova/db/sqlalchemy/api.py | 24 +++++++++++-------------
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/gate/post_test_hook.sh b/gate/post_test_hook.sh
index cf2645574c..28ad9b939e 100755
--- a/gate/post_test_hook.sh
+++ b/gate/post_test_hook.sh
@@ -266,13 +266,8 @@ $MANAGE db online_data_migrations
 # creation of a new deleted marker instance.
 set +e
 archive_deleted_rows
+set -e
 
 # Verify whether online data migrations run after archiving will succeed.
 # See for more details: https://bugs.launchpad.net/nova/+bug/1824435
 $MANAGE db online_data_migrations
-rc=$?
-set -e
-if [[ $rc -ne 2 ]]; then
-    echo "Expected return code 2 from online_data_migrations until bug 1824435 is fixed"
-    exit 2
-fi
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index 9e0c2b1d8a..9f43eebd06 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -1753,7 +1753,7 @@ def instance_create(context, values):
     values - dict containing column values.
     """
 
-    security_group_ensure_default(context)
+    default_group = security_group_ensure_default(context)
 
     values = values.copy()
     values['metadata'] = _metadata_refs(
@@ -1782,21 +1782,19 @@ def instance_create(context, values):
     instance_ref['extra'].update(values.pop('extra', {}))
     instance_ref.update(values)
 
-    def _get_sec_group_models(security_groups):
-        models = []
-        default_group = _security_group_ensure_default(context)
-        if 'default' in security_groups:
-            models.append(default_group)
-            # Generate a new list, so we don't modify the original
-            security_groups = [x for x in security_groups if x != 'default']
-        if security_groups:
-            models.extend(_security_group_get_by_names(
-                context, security_groups))
-        return models
+    # Gather the security groups for the instance
+    sg_models = []
+    if 'default' in security_groups:
+        sg_models.append(default_group)
+        # Generate a new list, so we don't modify the original
+        security_groups = [x for x in security_groups if x != 'default']
+    if security_groups:
+        sg_models.extend(_security_group_get_by_names(
+            context, security_groups))
 
     if 'hostname' in values:
         _validate_unique_server_name(context, values['hostname'])
-    instance_ref.security_groups = _get_sec_group_models(security_groups)
+    instance_ref.security_groups = sg_models
     context.session.add(instance_ref)
 
     # create the instance uuid to ec2_id mapping entry for instance