ironic incorrectly modified neutron port binding for ports associated with nova instances
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ironic | Triaged | High | Unassigned | |
Bug Description
nova was previously impacted by a CVE where external modification of port binding on a neutron port could crash the compute agent https:/
nova has never supported modification of a neutron port's vnic type while it is attached to a nova instance.
virt drivers in nova are not allowed to modify the vnic_type of any port that is associated with an instance.
when reviewing the output of ironic-
the following error is observed
Jul 25 20:34:42.508653 np0038062841 nova-compute[
there are potentially 2 issues with this job.
1st nova only supports creating ports of vnic_type=normal and all other vnic types require the port to be precreated and passed in when creating the instance.
it's possible the relevant test is not written with that in mind and is not valid to execute when using ironic
2nd the test may support specifying the vnic_type and the relevant config option may just not be set
https:/
outside of the job issue, there is a large bug which is that there is existing technical debt where ironic is violating the contract for the virt driver nova-neutron interaction by modifying a neutron port associated with a VM.
this is entirely unsupported from a nova perspective and has previously been identified as technical debt
as with volume, it is not valid for ironic to ever modify a Neutron port or volume attachments for a volume or port associated with an ironic instance.
we need to fix these codepaths in ironic eventually but that is a larger problem.
This bug is simply tracking the incorrect configuration of the ironic-
Changed in ironic: | |
status: | New → Triaged |
importance: | Undecided → High |
It's worth noting that I'm not certain if this is of a "high" importance.