Murano is unable to spawn VMs connected to a shared network owned by other projects

Bug #1644797 reported by Alexander Tivelkov
Affects: Murano
Status: Fix Released
Importance: High
Assigned to: Alexander Tivelkov

Bug Description

Steps to reproduce:

1) In Project A create a network X with a subnet. Uplink the subnet to a router, ensure internet connectivity, etc.
2) As an administrator, edit network X to mark it as "shared".
3) As a non-privileged user, sign in to Project B, create a new Murano environment there and select network X as the default network of this environment.
4) Add any application which deploys a regular VM into the environment.
5) Deploy the environment.

Expected result:
The environment is successfully deployed and the app spawns a VM which is connected to network X.

Observed result:
Environment deployment fails with the following error:

[EnvironmentError]: Unexpected stack state CREATE_FAILED: Resource CREATE failed: Forbidden: resources.port-3d1418fec05a43ac8de1be370da4c51c-nvzsjivxojk0p2: Policy doesn't allow (rule:create_port and rule:create_port:fixed_ips) to be performed.

Alexander Tivelkov (ativelkov) wrote:

The error originates from the Heat stack, so the problem may be reproduced by just submitting a simple Heat template containing an OS::Nova::Server resource and an OS::Neutron::Port resource pointing to an appropriate existing network.

The problem occurs if the OS::Neutron::Port resource definition has the "fixed_ips" block; without it the stack gets properly created.

It seems like Neutron enforces a policy which does not allow creating ports with a "fixed-ip" setting (the one which binds a port to a particular subnet of a network) in networks which are not owned by the current project. Obviously it may be reconfigured, but the default policy (https://github.com/openstack/neutron/blob/master/etc/policy.json#L75) clearly forbids such operations. Regular port creation (without a fixed-ip parameter) in a network does not have such limitations.

OpenStack Infra (hudson-openstack) wrote: Fix proposed to murano (master)

Fix proposed to branch: master
Review: https://review.openstack.org/404271

Changed in murano:
assignee: nobody → Alexander Tivelkov (ativelkov)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to murano (master)

Reviewed: https://review.openstack.org/404271
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=247c4bdfb91ebcedc941bd105346d49626537cf0
Submitter: Jenkins
Branch: master

commit 247c4bdfb91ebcedc941bd105346d49626537cf0
Author: Alexander Tivelkov <email address hidden>
Date: Tue Nov 29 18:17:12 2016 +0300

    Murano can now properly attach VMs to shared networks

    When spawning VMs attached to pre-existing networks murano used to
    generate a Heat template with a fixed_ips property for Neutron ports.
    This can cause a policy violation if the target network is not owned
    by the deploying tenant (i.e. the network is shared by some other
    project).

    This has been addressed: ExistingNeutronNetwork class no longer
    generates the fixed_ips property of the port if the target network is
    not owned by a current project.

    Change-Id: I0c60a522f4223fdc47f87b950da1a0822a8cbdbe
    Closes-bug: #1644797

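As an added example (this is not Murano's code and not the merged change linked above), the following Python shows the decision that Alexander's comment diagnoses and the commit message describes: emit the fixed_ips property on an OS::Neutron::Port resource only when the deploying project owns the network, so that a shared network owned by another project gets a plain port that Neutron's default policy permits. The network dicts, project and subnet ids, and the function names are constructed placeholders; the error-string check at the end is based on the Heat message quoted in the bug description.

```python
"""Added example (not Murano's own code): generate the OS::Neutron::Port
resource for a Heat template, pinning the port to a subnet with fixed_ips
only when the deploying project owns the network."""
import json

# Constructed sample data shaped like Neutron API responses (placeholder ids).
PROJECT_A = "project-a-id"
PROJECT_B = "project-b-id"
SUBNET_X = "subnet-x-id"
NETWORK_X = {"id": "network-x-id", "name": "X", "shared": True,
             "project_id": PROJECT_A}
NETWORK_OWN = {"id": "network-own-id", "name": "own", "shared": False,
               "project_id": PROJECT_B}


def network_owner(network):
    """Neutron reports the owner as project_id (newer) or tenant_id (older)."""
    return network.get("project_id") or network.get("tenant_id")


def build_port_resource(network, subnet_id, current_project_id):
    """Return the OS::Neutron::Port resource Heat should create.

    Neutron's default policy lets any project create a plain port on a
    shared network, but denies create_port:fixed_ips unless the project
    owns the network. fixed_ips is therefore emitted only for networks
    owned by the current project; otherwise Neutron picks the subnet and
    address itself.
    """
    properties = {"network": network["id"]}
    if network_owner(network) == current_project_id:
        properties["fixed_ips"] = [{"subnet": subnet_id}]
    return {"type": "OS::Neutron::Port", "properties": properties}


def build_stack_template(network, subnet_id, current_project_id,
                         image="cirros", flavor="m1.tiny"):
    """Minimal Heat template: one server attached through one port."""
    return {
        "heat_template_version": "2015-10-15",
        "resources": {
            "app-port": build_port_resource(network, subnet_id,
                                            current_project_id),
            "app-server": {
                "type": "OS::Nova::Server",
                "properties": {
                    "image": image,
                    "flavor": flavor,
                    "networks": [{"port": {"get_resource": "app-port"}}],
                },
            },
        },
    }


def is_fixed_ips_policy_denial(stack_error):
    """Recognise the Heat failure from this bug (a Neutron policy denial on
    create_port:fixed_ips) so a CREATE_FAILED stack can be reported with an
    actionable cause instead of a generic EnvironmentError."""
    return ("Policy doesn't allow" in stack_error
            and "create_port:fixed_ips" in stack_error)


if __name__ == "__main__":
    # Project B deploying on Project A's shared network X: no fixed_ips.
    print(json.dumps(build_stack_template(NETWORK_X, SUBNET_X, PROJECT_B),
                     indent=2))
```

The trade-off is the one the commit accepts: on a network owned by another project the port is no longer pinned to a chosen subnet, so Neutron allocates the address from whichever subnet it selects; relaxing the create_port:fixed_ips rule in Neutron's policy would restore subnet selection but grants that right to every project on every shared network.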
Changed in murano:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/murano 3.1.0

This issue was fixed in the openstack/murano 3.1.0 release.
