Bug 1747519: pkg/destroy/aws: Do not failFast for deleteEC2SecurityGroupsByVPC #2346
Conversation
When there are multiple untagged security groups, a security group may fail deletion with DependencyViolation. Before this commit, that aborted that round of deleteEC2VPC, and when the blocking dependency was another untagged security group, deletion would hang [1]. With this commit, we keep iterating through all untagged security groups (just like we do for tagged security groups). For security group cycles, deletion will fail for the first few groups while we drain out their ingress and egress rules. But deletion will succeed for at least some of the cycle. And the rule draining will have completely deconstructed the cycle, so the second pass through will clear out all the security groups. So prior to 55630a3 (pkg/destroy/aws: Delete security groups by VPC, 2019-08-13, openshift#2214), destroy would hang on *any* untagged security group. And prior to this commit, it would hang when two untagged security groups referenced each other (or, if we got unlucky, A referenced B and our DescribeSecurityGroupsPages call always happened to return B first). With this commit, we should be good to go. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1747519#c5
openshift-ci-robot
added
the
bugzilla/invalid-bug
|
@wking: This pull request references Bugzilla bug 1747519, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
size/S
|
/bugzilla refresh |
|
@wking: This pull request references Bugzilla bug 1747519, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
bugzilla/valid-bug
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, wking The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@wking: All pull requests linked via external trackers have merged. Bugzilla bug 1747519 has been moved to the MODIFIED state. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
4 participants
When there are multiple untagged security groups, a security group may fail deletion with
DependencyViolation. Before this PR, that aborted that round ofdeleteEC2VPC, and when the blocking dependency was another untagged security group, deletion would hang.With this commit, we keep iterating through all untagged security groups (just like we do for tagged security groups). For security group cycles, deletion will fail for the first few groups while we drain out their ingress and egress rules. But deletion will succeed for at least some of the cycle. And the rule draining will have completely deconstructed the cycle, so the second pass through will clear out all the security groups.
So prior to 55630a3 (#2214), destroy would hang on any untagged security group. And prior to this PR, it would hang when two untagged security groups referenced each other (or, if we got unlucky, A referenced B and our
DescribeSecurityGroupsPagescall always happened to return B first). With this commit, we should be good to go.