bug when allocating floating ips to machine
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical Juju |
Fix Released
|
High
|
Heather Lanigan | ||
Bug Description
i'm using juju 2.1.2.1 (i didn't upgrade to 2.2 yet, that's why i didn't open a bug on launchpad) with openstack as cloud provider.
When i use as credentials an Admin user (but a specific tenant) i have issues with floating ip assignment: the admin user can see all the floating ips in the openstack region.
So, if another tenant allocates an IP without assigning to a VM (so, unused) juju tries to use it and attach to the VM it just deployed.
i.e.
user test1 is Admin and has primary project "tenant-one"
user test2 is member of project "tenant-two"
credentials given to juju are test1, test1_password, tenant-one and RegionOne.
# source novarc_test1
# neutron floatingip-list
+------
| id | fixed_ip_address | floating_ip_address | port_id |
+------
| 03d1a8e8-
| 2b4e48ba-
| 3144b683-
| 55145d85-
+------
the third line shows and ip address assigned to tenant-two by test2.
User test1 has admin role so he has permission to see the ip.
Using a command like "neutron floatingip-show 3144b683-
juju model is configured with
use-default-
use-floating-ip model true
When trying to deploy any application juju spawns a VM, but it never ends and logs:
Unable to associate floating IP 10.1.2.22 to fixed IP 192.168.0.9 for instance 3d95283c-
Removing the unused floating ip address or using a member-only (not admin user) bypass the problem: juju will allocate a new ip and associate with the new VM.
I didn't try but i do think that if an user is member of two different tenants it may try to mis-use the addresses and mess with them, failing to deploy.
Desiderata: juju should check if the allocated ip address is in the same tenant_id view of the given credentials.
| Changed in juju: | |
| milestone: | none → 2.3-alpha1 |
| importance: | Undecided → High |
| status: | New → Triaged |
| Changed in juju: | |
| milestone: | 2.3-beta1 → 2.3-beta2 |
| Changed in juju: | |
| assignee: | nobody → Heather Lanigan (hmlanigan) |
| Changed in juju: | |
| status: | Triaged → In Progress |
| Heather Lanigan (hmlanigan) wrote | #1 |
| Changed in juju: | |
| status: | In Progress → Fix Committed |
| Patrizio Bassi (patrizio-bassi) wrote | #2 |
| Changed in juju: | |
| status: | Fix Committed → Fix Released |
Adding a filter to goose ListFloatingIPsV2 so we can retrieve only the fips in the
same project as the juju credentials specify.
Here is the PR for the goose part of the work:
https:/
Here is the PR for the juju part of the work:
https:/
@Patrizio Bassi,
I do not have a configuration to fully test this fix. Is it possible for you to do so?
Thank you,
Heather