From 96657be885275969a0feadde6255697b43e01590 Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Thu, 8 Jun 2017 16:10:45 -0700
Subject: [PATCH] Don't iterate updated_rule_sg_ids or updated_sg_members
updated_rule_sg_ids and updated_sg_members can be updated concurrently by an RPC security_group_updated cast from the server which will result in a RuntimeError due to set size changing during iteration. This adjusts the logic to just iterate over a copy of the set.
Change-Id: I0a7cf13157de256403cfd6196f64fafdfa65f180
Closes-Bug: #1696874
(cherry picked from commit e51ae07aecd14b8270f5e14175f943a5abc8caa6)
---
neutron/agent/linux/iptables_firewall.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 6cb2b23ddfb..a20cd58546a 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -842,7 +842,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 def _clean_deleted_sg_rule_conntrack_entries(self):
 deleted_sg_ids = set()
- for sg_id in self.updated_rule_sg_ids:
+ for sg_id in set(self.updated_rule_sg_ids):
 del_rules = self._find_deleted_sg_rules(sg_id)
 if not del_rules:
 continue
@@ -856,7 +856,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 def _clean_updated_sg_member_conntrack_entries(self):
 updated_device_ids = set()
- for device in self.updated_sg_members:
+ for device in set(self.updated_sg_members):
 sec_group_change = False
 device_info = self.filtered_ports.get(device)
 pre_device_info = self._pre_defer_filtered_ports.get(device)
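Review bot: The snapshot in `for sg_id in set(self.updated_rule_sg_ids):` stops the RuntimeError, but an id that the RPC cast adds after the copy is taken is not seen by this pass, and the same holds for `set(self.updated_sg_members)` in the second hunk. Both method bodies continue outside the hunks, so it is not visible whether the live sets are cleared afterwards; if they are, a late update would skip conntrack cleanup and connections admitted by a deleted rule or a changed membership could stay established until they time out. I would either remove only the processed ids from the live set, or state the contract next to each loop, e.g. `# Snapshot: security_group_updated may add ids concurrently; ids added after this copy are handled on the next pass.` The diffstat shows only this one file changed, so a unit test that adds to the set from inside a mocked `_find_deleted_sg_rules` would be worth adding to pin the behaviour.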