Manually assigning --device and --device-owner to a port does NOT bind the port immediately

Bug #1986969 reported by Rodolfo Alonso
Affects: neutron
Status: In Progress
Importance: Medium
Assigned to: Pierre Libeau
Milestone: (none)

Bug Description

This could be considered a documentation bug.

When a VM is created (so there is a device ID), a user can create a port and set the port's device_id to the VM ID and device_owner="compute:nova". That makes the port visible when executing:
  $ openstack port list --server serverID

The port is not bound, of course. But when the VM is rebooted (hard reboot), the port is assigned and bound to this VM.

There is another related issue from the administrator's point of view. A user can assign (by mistake or coincidence) the device ID of a VM belonging to another project. This non-admin user can't see the other project's VM. But the administrator, when executing the previous command, will see a VM assigned to a project with a port from another. This scenario:
* Is difficult to reproduce: the non-admin user must guess the VM ID of another project without having access to it.
* Affects only the admin view, which can access both projects.

Tags: doc
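As an added example (not code from the bug report, from Neutron or from Nova), an admin-side audit over a Neutron port listing and a Nova server listing that flags the two situations described above: a port that claims a Nova device but is still unbound, and a port whose device_id points at a server in another project. The dict keys mirror the API field names (id, project_id, device_id, device_owner, binding:vif_type); the sample data is constructed, and the "dangling" finding (device_id matching no server at all) goes slightly beyond the report.

```python
# Added audit helper, not part of the bug report or of Neutron/Nova.
from dataclasses import dataclass

COMPUTE_OWNER_PREFIX = "compute:"


@dataclass(frozen=True)
class Finding:
    port_id: str
    kind: str    # "unbound", "cross_project" or "dangling"
    detail: str


def audit_ports(ports, servers):
    """ports/servers: lists of dicts shaped like the Neutron/Nova API fields.

    Assumes an admin-scoped listing, so servers from all projects are present."""
    server_project = {s["id"]: s["project_id"] for s in servers}
    findings = []
    for p in ports:
        owner = p.get("device_owner") or ""
        dev = p.get("device_id") or ""
        if not owner.startswith(COMPUTE_OWNER_PREFIX) or not dev:
            continue  # no Nova device claimed: nothing to check
        # Port claims a VM but Nova never plugged it: the "assigned, not bound" case.
        if p.get("binding:vif_type", "unbound") == "unbound":
            findings.append(Finding(p["id"], "unbound", f"device_id={dev} owner={owner}"))
        sp = server_project.get(dev)
        if sp is None:
            findings.append(Finding(p["id"], "dangling", f"no server with id {dev}"))
        elif sp != p["project_id"]:
            findings.append(Finding(p["id"], "cross_project",
                                    f"port project {p['project_id']} != server project {sp}"))
    return findings


# Constructed sample data (IDs are placeholders, not real UUIDs).
SAMPLE_SERVERS = [
    {"id": "vm-aaaa", "project_id": "proj-A"},
    {"id": "vm-bbbb", "project_id": "proj-B"},
]
SAMPLE_PORTS = [
    # Legitimate: created and bound by Nova for vm-aaaa in proj-A.
    {"id": "port-1", "project_id": "proj-A", "device_id": "vm-aaaa",
     "device_owner": "compute:nova", "binding:vif_type": "ovs"},
    # device_id set by hand in proj-A: shows in `port list --server`, but unbound.
    {"id": "port-2", "project_id": "proj-A", "device_id": "vm-aaaa",
     "device_owner": "compute:nova", "binding:vif_type": "unbound"},
    # device_id of a proj-B server used from proj-A: the admin-view inconsistency.
    {"id": "port-3", "project_id": "proj-A", "device_id": "vm-bbbb",
     "device_owner": "compute:nova", "binding:vif_type": "unbound"},
    # Plain port with no device: ignored.
    {"id": "port-4", "project_id": "proj-A", "device_id": "", "device_owner": ""},
]

if __name__ == "__main__":
    for f in audit_ports(SAMPLE_PORTS, SAMPLE_SERVERS):
        print(f.port_id, f.kind, f.detail)
```

In a real deployment the two lists would come from admin-scoped `openstack port list` and `openstack server list --all-projects` output (or the equivalent SDK calls) in JSON form.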
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

NOTE: terraform [1] also allows defining the device_id of a port. In any case, that should be commented on in this tool (or disallowed).

[1] https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_port_v2#device_id

tags: added: doc
Changed in neutron:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/854553

Lajos Katona (lajos-katona) wrote :

We discussed this during the drivers meeting (see the logs: [1]) and agreed that from Neutron's perspective we have to document that this kind of binding does not work, and change the default policy of device-id.

[1]: https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-08-26-14.00.log.html#l-149

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Arnaud Morin <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/854553
Reason: we will not do that, we will do a policy change instead

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)
Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/861169

Changed in neutron:
assignee: nobody → Pierre Libeau (pierre-libeau)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/c/openstack/neutron-lib/+/861372

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-lib (stable/stein)

Change abandoned by "Pierre Libeau <email address hidden>" on branch: stable/stein
Review: https://review.opendev.org/c/openstack/neutron-lib/+/861372
Reason: wrong gerrit

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/861167
Committed: https://opendev.org/openstack/neutron-lib/commit/a09d23b2dd8fb825028e342d7341314643cd49ef
Submitter: "Zuul (22348)"
Branch: master

commit a09d23b2dd8fb825028e342d7341314643cd49ef
Author: Pierre Libeau <email address hidden>
Date: Thu Oct 13 13:30:58 2022 +0200

    Add enforce_policy on device_id parameter

    Add enforce_policy=True on port for device_id parameter to build a new
    policy. The target is to authorize only admin to use this parameter.

    Related-Bug: #1986969

    Change-Id: I3d1c0ec074a5475091ee89f4f177b107fa61b264
