should be a way to specify space binding for maas "unconfigured" (layer-2) interface

Bug #1659376 reported by Larry Michel on 2017-01-25
40
This bug affects 6 people
Affects Status Importance Assigned to Milestone
OpenStack neutron-gateway charm
Wishlist
Unassigned
juju
High
Unassigned
neutron-gateway (Juju Charms Collection)
Undecided
Unassigned

Bug Description

Some network charms have requirements that a particular interface be connected to a specific network and that the interface be left unconfigured.

When using "data" binding for the neutron-gateway charm and deploying bundle with Juju 2.1-beta4-xenial-amd64 and MAAS Version 2.1.3+bzr5573-0ubuntu1, having the interface with a subnet associated with "data" space and unconfigured caused the charm to fail to install because it could not access network config for the interface on the OS. But in this case, it is a valid scenario for the interface to be left unconfigured and we should not see the error.

Also refer to bug 1659360.

tags: added: network
Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → 2.2.0
John A Meinel (jameinel) wrote :

Supporting unconfigured interfaces is something that we do want to support. I would think we already have a bug about this, but maybe it was only a road map item. The charm had a workaround for it in the past (IIRC white listing MAC Addresses in the charm config), which is absolutely a workaround for us not having the right pieces modeled to expose it properly. Did 2.1b4 break the existing workaround or is it that you were hoping unconfigured space support was already implemented?

James Page (james-page) on 2017-02-23
Changed in neutron-gateway (Juju Charms Collection):
status: New → Invalid
Curtis Hovey (sinzui) on 2017-03-24
Changed in juju:
milestone: 2.2-beta1 → 2.2-beta2
tags: added: cdo-qa-blocker
Ryan Beisner (1chb1n) on 2017-03-29
tags: added: uosci
Changed in juju:
milestone: 2.2-beta2 → 2.2-beta3
Anastasia (anastasia-macmood) wrote :

As per comment # 5, we most certainly want to implement unconfigured space support. However, with 2.2 timeline and our current capacity, it will not be addressed in 2.2x.

I am removing it from milestone.

Changed in juju:
milestone: 2.2-beta3 → none
Larry Michel (lmic) wrote :

@John sorry I had not seen your earlier question. This is for new enablement of bindings in our bundle. So we don't know how the workaround worked prior to hitting this issue.

Changed in juju:
milestone: none → 2.3-alpha1
John A Meinel (jameinel) on 2017-04-10
summary: - neutron-gateway/0 install failure - should be a way to specify space
- binding for maas "unconfigured" interface
+ should be a way to specify space binding for maas "unconfigured"
+ interface

Changing the tag name as this isn't a blocking bug, but instead a requested feature.

tags: added: cdo-qa-feature
removed: cdo-qa-blocker
John A Meinel (jameinel) on 2017-05-31
tags: added: binding layer-2
summary: should be a way to specify space binding for maas "unconfigured"
- interface
+ (layer-2) interface
Peter Sabaini (peter-sabaini) wrote :

Just as a data point, I'd need this for a bit diff. usecase; for a cloud that calls for a publicly accessible api which we'd like to put in containers. We only have a small subnet available for that, and to save on ipaddress we have to leave the metal hosts configured with mode=link_up; only giving the actual containers ipaddress in the spaces subnet.

tags: added: canonical-bootstack
removed: binding layer-2
tags: added: binding layer-2
James Page (james-page) on 2017-09-27
Changed in charm-neutron-gateway:
status: New → Triaged
importance: Undecided → Wishlist
Changed in juju:
milestone: 2.3-beta1 → 2.3-beta2
Changed in juju:
milestone: 2.3-beta2 → none
Trent Lloyd (lathiat) wrote :

As part of the implementation for this, currently charms often need to get the network interface related to an IP. Currently they use the network-get charm command to get the IP of the space, but then have to figure out what interface that IP is on manually. Ideally the charm API would be expanded to specifically give the interface.

Having said that there is a trap here when things change after deployment, by either juju or the system administrator. Right now juju or MAAS won't let you change network interfaces after deployment so manual changes might be made which juju may or may not know about.

On the juju side, a case it knows about is when an interface is moved to be a bridge, e.g. when a container is deployed on that interface. That can happen during inital deploy, but could also happen much later if a container was deployed for the first time.

Just some thoughts.

Trent Lloyd (lathiat) wrote :

There is an additional security argument for this feature.

Right now, if you want to deploy a container onto a space, that space must be configured with an active IP address on the metal host.

You can configure an interface in MAAS with the space defined but the IP unconfigured. In this case, while the interface and it's MTU will be written to the interfaces file, juju will not recognize the host as having an interface on that space and deployment of a container will fail.

It is completely possible to still create a bridge on the interface and deploy the container in this configuration, without having an IP on the host, however juju does not know how to do so.

Peter Sabaini's comment from 2017-05-31 argued that we want this same behavior to save IP addresses on the (possibly small) public subnet. But we also want this behaviour so that the metal host (often with sensitive services such as nova-compute or ceph-osd) are not exposed to a public internet subnet unexpectedly.

This has been a real issue in real deployments, public routable IPs are assigned to host only for the reason of connecting the public-api space in containers. This has resulted in the unexpected exposition of sensitive services to the public internet. There is no simple way currently to implement a firewall for such cases.

In MAAS environments we have no security groups or automatic firewalls in many cases to work around this issue.

If we need to move this use case into a separate bug, let me know. It's a bit borderline as it's closely related but technically is a different use case to wanting a raw interface to use for other purposes.

tags: added: cpe-onsite
Peter Sabaini (peter-sabaini) wrote :

subscribed ~field-medium as we're hitting this again

Peter Sabaini (peter-sabaini) wrote :

Subscribing field-high as we have clouds running out of ipaddr

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers