Creating Neutron L2 networks (without subnets) doesn't work as expected

Bug #1039665 reported by Ian Wells on 2012-08-21
This bug affects 16 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)

Bug Description

1. create a network in Quantum. Networks no longer need subnets, so I create a network without one. (Imagine I'm doing my addressing some other way.

    quantum net-create test

<returns an ID>

2. create a machine with that network attached via nova.

nova boot --image xxx --flavor yyy --nic net-id=e85d5994-7f8e-4024-bde9-c1cdb2b202d0 hasnet

All good. The machine boots perfectly well. However, it comes up without any NICs.

It turns out that VIF.legacy() is called just before calling driver.spawn() for the virt driver. This converts the VIF datastructure from the network model to its old form (because the virtualisation layer has not been brought up to date with the new model). The old form can't be created without, at least, an IPv4 address - so, in the above example where no address has been assigned to the VIF, it is silently omitted from the legacy version of the datastructure, and no NIC is added to the VM as the network_info datastructure is now empty.


- am I even calling the API correctly? Since nova-manage network create and quantum net-create both work, and no-one's written up the documentation yet, I can't tell that I'm doing this right (although I got no joy out of the IDs that nova-manage was returning)
- is this going to last into Folsom RCs or will it be fixed?
- if it is going to stay with us, perhaps we could throw an error at this point rather than continuing to create the wrong sort of VM?

(I need this functionality so I shall have to find a workaround if it's going to stay missing.)

Ian Wells (ijw-ubuntu) wrote :

Ah, just found the legacy_nwinfo() call on the hypervisor drivers - so it matters that I'm using libvirt, which hasn't yet been updated.

Ian Wells (ijw-ubuntu) on 2012-08-21
affects: quantum → nova
Mark McLoughlin (markmc) wrote :

From bug #1039419, it looks like what you're trying to do is expected to work

Thanks for all the info, I think there's plenty here to go on for someone familiar with the quantum integration. Marking as Confirmed and targeting to rc1

Changed in nova:
status: New → Confirmed
milestone: none → folsom-rc1
importance: Undecided → High
Ian Wells (ijw-ubuntu) wrote :

Thanks for the reference.

I'm working on the patches for libvirt to use the new network model as we speak. (This may not be a complete fix depending on what else uses the legacy models, though.)

dan wendlandt (danwent) wrote :

Ian, can you assign this bug to yourself? It would be great to see a work-in-progress patch on this soon, so someone from the nova-network team could provide some initial feedback, particularly about the impact of the changes on non-libvirt code.

Ian Wells (ijw-ubuntu) wrote :

Certainly. I actually have a patch that's working for my purposes, but it fails some white-box libvirt tests where the harness is passing in old-style data structures. I'll try and get it on Gerrit today.

Changed in nova:
assignee: nobody → Ian Wells (ijw-ubuntu)

Fix proposed to branch: master

Changed in nova:
status: Confirmed → In Progress


When I tried to access the above gerrit link, I got an error message which says "Application Error The page you requested was not found, or you do not have permission to view this page."

How can I access the review?

Ian Wells (ijw-ubuntu) wrote :

Sorry, I only put it up as a draft till I fixed a couple of issues, but apparently Gerrit linked it to the bug anyway.
I'll fix a couple of things and I'll put it up in a few hours.

Ian Wells (ijw-ubuntu) wrote :

Patch only fixes libvirt, but that should be all that's needed:

- You can only have a no-subnets case if you're using Quantum
- Apparently, only libvirt has VIF drivers for Quantum, so I assume it's the only one with Quantum support.

Thus, if the patch is approved, this can be closed (though we probably ought to open bugs against the other drivers for Quantum support...)

dan wendlandt (danwent) wrote :

xenserver also has vif drivers for quantum: virt/xenapi/

I haven't looked at this bug in detail, but my guess is that the problem is caused by some vif-drivers assuming they know IP layer information about a VM, which obviously doesn't exist if there is no subnet. If that's the case, I don't think this issue would apply to the xenserver drivers, based on a quick inspection.

Ian Wells (ijw-ubuntu) wrote :

Ah, possibly my mistake. It's that there's something specifically Quantum in the libvirt and no mention of Quantum in the XenAPI version.

Mark McLoughlin (markmc) on 2012-08-30
tags: added: quantum
Akihiro Motoki (amotoki) wrote :

/Information for quantum people using devstack/

To reproduce the bug, we need to use the default libvirt firewall driver (nova.virt.libvirt.firewall.IptablesFirewallDriver).
Please clear LIBVIRT_FIREWALL_DRIVER in localrc.

Note that QuantumDevstack wiki pages recommends "LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver") when using devstack with Quantum v2.

dan wendlandt (danwent) wrote :


Yes, it is true that our devstack page recommends using the NoopFirewallDriver, but that is only until we merge a patch currently under review that let's Nova security groups work with Quantum, after which point using the IptablesFirewallDriver is supported (see: So I consider this bug valid.

Akihiro Motoki (amotoki) wrote :

Thanks for the pointer. I consider this bug is valid too

I understand that using NoopFirewallDriver is transient.
First time I tried to reproduce, I could not due to this configuration, so it is worth sharing the information to test Ian's patch.


On Thu, Aug 30, 2012 at 2:26 AM, Akihiro Motoki
<email address hidden> wrote:

> First time I tried to reproduce, I could not due to this configuration, so it is worth sharing the information to test Ian's patch.

definitely agree :) I guess I misunderstood your original comment.

Akihiro, can you confirm you created a subnetless network with NoopFirewallDriver and your machine got an interface on it? Because that's exactly the situation I was in when I saw this bug in the first place - I don't believe it's specific to the firewall driver in use.

Akihiro Motoki (amotoki) wrote :

I investigated the condition this bug can be reproduced. Firewall driver is not related.

When using devstack, to reproduce ths bug, we must remove a subnet which created by devstack.
This is another bug #1043827. If bug #1043827 is resolved, this bug always happens when an instance is launched with a network without subnet.

Mark McLoughlin (markmc) wrote :

Just for anyone checking the status of this - lots of discussion in

Thierry Carrez (ttx) on 2012-09-18
Changed in nova:
milestone: folsom-rc1 → none
Ian Wells (ijw-ubuntu) wrote :

I am unconvinced that this can be fixed without also fixing the firewalling, which does not stand up to the unexpected situations Quantum brings (0+ addresses rather than precisely one). I think we should work out a solution that covers on all the issues.

Ian Wells (ijw-ubuntu) wrote :

I've not been doing Grizzly work, but a colleague points out to me that the code seems to have been converted to use new-style VIF types since Folsom. Does anyone know if this bug still stands in Grizzly?

Ian Wells (ijw-ubuntu) wrote :

Oops, wrong branch. I take that back. And I'll have a look at this in the next week.

Vish Ishaya (vishvananda) wrote :

Lowering the priority on this as it doesn't seem to be a very important use case. We should get a free fix in havanna from the code here:

Changed in nova:
importance: High → Low
assignee: Ian Wells (ijw-ubuntu) → nobody
Changed in nova:
assignee: nobody → Racha Ben Ali (racha-ben-ali)
Changed in nova:
assignee: Racha Ben Ali (racha-ben-ali) → nobody
Mathew Odden (locke105) on 2013-10-05
Changed in nova:
status: In Progress → Triaged
Stephen Gordon (sgordon) on 2014-05-23
tags: added: neutron nfv
removed: quantum
Changed in nova:
assignee: nobody → Racha Ben Ali (racha-ben-ali)
Brent Eagles (beagles) wrote :

The current approach is dependent on port security extensions in neutron. A complete fix requires changes in both components.

Sean Dague (sdague) wrote :

Is this still a valid bug? If so can we get a new consolidated reproduce case?

Changed in nova:
status: Triaged → Incomplete
assignee: Racha Ben Ali (racha-ben-ali) → nobody
Ian Wells (ijw-ubuntu) wrote :

Been a long while since I tried this and I don't have a suitable cloud handy to test, but if it does exist the following 5 minute test shows it up:

1. create a Neutron network
2. create a VM attached to that network (NB: Cirros has a default password which makes the following steps easier)
.. wait for futile DHCP'ing to pass ..
3. log into the VM on its console

Historical behaviour is that the VM would come up fine but with 0 interfaces. With more interfaces on the VM, you'd end up short the interface(s) on the no-subnet network(s) (and automated testing is feasible since not all networks need be no-subnet). I believe we also went through a phase of 'no valid host' when nova-compute was crashing out, too.

I'm fairly sure this *has* been fixed, though.

Racha Ben Ali (racha-ben-ali) wrote :

Ian, do you know if there's an NFV config flag or specific release that I should use to get rid of this message when I try it:

ERROR (BadRequest): Network 5ea23e60-a26b-409a-b388-f812177bbf92 requires a subnet in order to boot instances on. (HTTP 400) (Request-ID: req-22141a06-3d0c-480f-9860-5733c759ba9b)

I can create a non immediately working subnet with --disable-dhcp on the no-subnet network, but then iptables filtering will allow traffic only from pre-defined IP/MAC pairs if I don't allow address pairs manually through the API I guess...

Sean Dague (sdague) wrote :

assuming it's fixed, please reopen if still an issue

Changed in nova:
status: Incomplete → Invalid
Thiago Martins (martinx) wrote :

From what I'm seeing, with IceHouse / Juno, it is not possible to even start an Instance attached to a Network without a Subnet.

And I really need this feature... :-(

Currently, I'm patching OpenStack to make this work, here is the code for review:;a=commitdiff;h=a6c9a67723a92f435e0e8eff9eb43b618c7cf0bb

Thiago Martins (martinx) wrote :

I just found a nice example of this need (L2 Neutron Networks), right here:


Thiago Martins (martinx) wrote :

I'm reopening (confirming) this, since it is not fixed and Sean allowed that (comment #30).

Changed in nova:
status: Invalid → Confirmed
Thiago Martins (martinx) on 2015-04-23
summary: - Creating quantum L2 networks (without subnets) doesn't work as expected
+ Creating Neutron L2 networks (without subnets) doesn't work as expected

This is an automated cleanup. This bug report has been closed because it
is older than 18 months and there is no open code change to fix this.
After this time it is unlikely that the circumstances which lead to
the observed issue can be reproduced.

If you can reproduce the bug, please:
* reopen the bug report (set to status "New")
* AND add the detailed steps to reproduce the issue (if applicable)
* AND leave a comment "CONFIRMED FOR: <RELEASE_NAME>"
  Only still supported release names are valid (LIBERTY, MITAKA, OCATA, NEWTON).

Changed in nova:
importance: Low → Undecided
status: Confirmed → Expired

Change abandoned by Michael Still (<email address hidden>) on branch: master
Reason: This code hasn't been updated in a long time, and is in merge conflict. I am going to abandon this review, but feel free to restore it if you're still working on this.

Joshua Castaneda (senterright) wrote :

Dang I think I need this. :| I'm trying to simulate a failover scenario where i just want to have my backup gateway connected over L2, but without an L3 address until the master goes down.

Dominic (abhi-02666) wrote :

Is this still a valid bug? If so can we get a new consolidated reproduce case
Info that is meant to be shared across the net.
Shame on the search engines for not positioning this put up higher!
these codes are updated these benefits are using for work

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers