external network is visible for non-admin users until neutron-server restart

this should probably be neutron not python neutron-client.
check for regression of issue with early loading of policies.

For some reason the issue does not appear with postgresql

This appears to be a regression of the bug already found and solved with the load balancing plugin.
I would therefore look into the VPN and/or Firewall plugin to check how they load the admin context.

what do u mean by default settings at 1. install devstack using the default settings?
IMHO, the default setting will use nova network instead of neutron! can u give out localrc?

gongysh: Oh..I'm using neutron + ML2. DevStack will setup 2 networks (public and private) by default.

my first run of neutron is: $ neutron net-list
+--------------------------------------+---------+--------------------------------------------------+
| id | name | subnets |
+--------------------------------------+---------+--------------------------------------------------+
| 48eb0cf3-b984-44c1-b8d4-599bdcedd04c | private | 11a8abd6-6056-44f5-8cd7-1e53c35a40b4 10.0.0.0/24 |
+--------------------------------------+---------+--------------------------------------------------+

gongysh: "public" will show up only after a fresh installation. If you ever reboot q-svc, it is missing ...

Yes, I am running it just after I got the devstack stack.sh output. Maybe your localrc will help.

gongysh: here is my localrc
DATABASE_PASSWORD=admin
RABBIT_PASSWORD=admin
SERVICE_TOKEN=admin
SERVICE_PASSWORD=admin
ADMIN_PASSWORD=admin

LOGFILE=$DEST/logs/stack.sh.log
SCREEN_LOGDIR=$DEST/logs/screen

HOST_IP=192.168.8.159
FLOATING_RANGE=192.168.8.0/24
PUBLIC_NETWORK_GATEWAY=192.168.8.254
EXT_GW_IP=192.168.8.160
PUBLIC_INTERFACE=eth1

Q_FLOATING_ALLOCATION_POOL=start=192.168.8.170,end=192.168.8.190

disable_service n-net
enable_service q-svc
enable_service q-agt
enable_service q-dhcp
enable_service q-l3
enable_service q-meta
enable_service neutron
# Optional, to enable tempest configuration as part of devstack
enable_service tempest

Q_PLUGIN=ml2
ENABLE_TENANT_TUNNELS=True

RECLONE=True

and I changed this
stack@ubuntu:~/devstack$ git diff lib/neutron
diff --git a/lib/neutron b/lib/neutron
index 098a589..5d1ac6f 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -361,7 +361,7 @@ function create_neutron_initial_network() {
         neutron router-interface-add $ROUTER_ID $SUBNET_ID
         # Create an external network, and a subnet. Configure the external netw
         EXT_NET_ID=$(neutron net-create "$PUBLIC_NETWORK_NAME" -- --router:exte
- EXT_GW_IP=$(neutron subnet-create --ip_version 4 ${Q_FLOATING_ALLOCATIO
+ EXT_GW_IP1=$(neutron subnet-create --ip_version 4 ${Q_FLOATING_ALLOCATI
         neutron router-gateway-set $ROUTER_ID $EXT_NET_ID

         if is_service_enabled q-l3; then

I'm seeing this with ml2+mysql. With ml2+postgres it however does not appear

gongysh: if it's an issue Salvator is talking about, then it's kind of race condition which may or may not appear in particular run.

2013-11-18 20:11:52.112 DEBUG neutron.common.utils [-] Reloading cached file /etc/neutron/policy.json
2013-11-18 20:11:52.113 DEBUG neutron.policy [-] Loading policies from file: /etc/neutron/policy.json
siming_debug: resource:firewalls, field:shared not found!
siming_debug: resource:networks, field:router:external not found!
2013-11-18 20:11:52.123 INFO neutron.api.extensions [-] Initializing extension manager.
2013-11-18 20:11:52.123 INFO neutron.api.extensions [-] Loading extension file: routedserviceinsertion.py
2013-11-18 20:11:52.124 INFO neutron.api.extensions [-] Loading extension file: vpnaas.py
                                        ...

ext_mgr is not initialized when loading policy.

I think we should temporarily block message processing before exts are loaded.

This is a quick fix.

diff --git a/neutron/manager.py b/neutron/manager.py
index bc71464..3b05830 100644
--- a/neutron/manager.py
+++ b/neutron/manager.py
@@ -130,6 +130,7 @@ class NeutronManager(object):
         # the rest of service plugins
         self.service_plugins = {constants.CORE: self.plugin}
         self._load_service_plugins()
+ self.plugin._setup_rpc()

     def _load_services_from_core_plugin(self):
         """Puts core plugin in service_plugins for supported services."""
diff --git a/neutron/plugins/ml2/plugin.py b/neutron/plugins/ml2/plugin.py
index 973a9fe..c98b955 100644
--- a/neutron/plugins/ml2/plugin.py
+++ b/neutron/plugins/ml2/plugin.py
@@ -104,7 +104,7 @@ class Ml2Plugin(db_base_plugin_v2.NeutronDbPluginV2,
         self.type_manager.initialize()
         self.mechanism_manager.initialize()

- self._setup_rpc()
+ # self._setup_rpc()

         # REVISIT(rkukura): Use stevedore for these?
         self.network_scheduler = importutils.import_object(

There is another problem:
ml2 seems not support firewall extension, "field:firewalls:shared=True" is still not converted to boolean correctly.

Sorry, the above comment is wrong, ignore it.

Pretty sure bug #1254555 (which I reported) is a duplicate of this one. We are now getting races either way, sometimes restarting neutron-server exposes ext-net to the user, sometimes it does not.

Clint, you are correct.