Skip to content

project config 'restricted.cluster.groups' not checked when deleting a cluster group #15118

New issue
New issue
Closed
Bug
#15119
Closed
project config 'restricted.cluster.groups' not checked when deleting a cluster group#15118
Bug
#15119
Assignees
markylaing
Labels
JiraTriggers the synchronization of a GitHub issue in Jira
@wideawakening

Description

@wideawakening
wideawakening
opened on Mar 6, 2025

problem

spotted this while trying to restore a cluster member.
if you could make the error bit more verbose it would help. logs point into a more clear direction on the culprit

ubuntu@hpc-02:~$ lxc cluster restore hpc-01
Are you sure you want to restore cluster member "hpc-01"? (yes/no) [default=no]: yes
Error: Migration API failure: Project isn't allowed to use this cluster member: "hpc-01"

ubuntu-desktop-remote is a stopped instance, on project stable which has a restricted.cluster.groups that does not exist anymore (it was deleted some days back)

ubuntu@hpc-02:~$ lxc monitor --pretty  | grep hpc-01
...
time="2025-03-06T08:56:23+01:00" level=debug msg="Handling API request" fingerprint=9198a46812cfa3434c18bf56f7e519bc083db03008a1527c5f9c003198e0ed73 ip="REDACTED.24.228:44572" method=POST protocol=cluster url="/1.0/instances/ubuntu-desktop-remote?project=stable&target=hpc-01"
time="2025-03-06T08:56:23+01:00" level=debug msg="Database error" err="Project isn't allowed to use this cluster member: \"hpc-01\""
time="2025-03-06T08:56:23+01:00" level=info msg="ID: 6b6f9060-306d-44a5-98ee-9c3003279461, Class: task, Description: Restoring cluster member" CreatedAt="2025-03-06 08:56:23.037108935 +0100 CET" Err="Migration API failure: Project isn't allowed to use this cluster member: \"hpc-01\"" Location=hpc-01 MayCancel=false Metadata="map[evacuation_progress:Migrating \"ubuntu-desktop-remote\" in project \"stable\" from \"hpc-02\"]" Resources="map[]" Status=Failure StatusCode=Failure UpdatedAt="2025-03-06 08:56:23.371603162 +0100 CET"


ubuntu@hpc-01:~$ lxc project show stable
name: stable
description: use-cases for validation purpose
config:
...
  restricted.cluster.groups: hardened-nodes
...
used_by:
...

ubuntu@hpc-01:~$ lxc cluster group list
+---------+-----------------------+---------+
|  NAME   |      DESCRIPTION      | MEMBERS |
+---------+-----------------------+---------+
| default | Default cluster group | 5       |
+---------+-----------------------+---------+

howto reproduce

  • create a cluster group with a node
  • create a project and assign group as restricted.cluster.groups
  • delete group and now project is corrupted, since it's not validating that is not in use

more specific reproduction of our use case ,though i did not test it fully:

  • create a cluster group with a node
  • create a project and assign group as restricted.cluster.groups
  • create an instance in that project.
  • stop it (did not check if problem happens also with running instances, or even without an instance)
  • evacuate node
  • delete group and now project is corrupted and will probably get the first error
  • try restore node

Metadata

Metadata

Assignees

Labels

JiraTriggers the synchronization of a GitHub issue in Jira

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions