Instance delete causing port leak

Bug #1540939 reported by Chuck Carmack
Affects: OpenStack Compute (nova); Status: Invalid; Importance: Undecided; Assigned to: Chuck Carmack; Milestone: (none)

Bug Description

Nova can cause a neutron port leak after deleting an instance.

If neutron has the port binding extension installed, then nova uses admin credentials to create the port during instance create:
https://github.com/openstack/nova/blob/master/nova/network/neutronv2/api.py#L537

However, during instance delete, nova always uses the user creds:
https://github.com/openstack/nova/blob/master/nova/network/neutronv2/api.py#L739

Depending on the neutron policy settings, this can leak ports in neutron.

Can someone explain this behavior?

We are running on nova kilo.

Sean M. Collins (scollins) wrote :

What are your policy settings for the following in your neutron policy.json?

    "create_port:binding:host_id": ,
    "create_port:binding:profile":
    "get_port:binding:vif_type":
    "get_port:binding:vif_details":
    "get_port:binding:host_id":
    "get_port:binding:profile":
    "update_port:binding:host_id":
    "update_port:binding:profile":

Chuck Carmack (chuckcarmack75) wrote :

Sean, thanks for the info in the channel. Marking the bug invalid.

Changed in nova:
status: New → Invalid
Chuck Carmack (chuckcarmack75) wrote :

I think the problem we are having is that we added "VMAdmin" to the delete port rule.

We have this:

    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_vm_admin_owner": "role:admin or (tenant_id:%(tenant_id)s and role:VMAdmin)",
    "admin_or_vm_admin_network_owner": "role:admin or (tenant_id:%(network:tenant_id)s and role:VMAdmin)",
    "vm_admin_owner_or_vm_admin_network_owner": "rule:admin_or_vm_admin_network_owner or rule:admin_or_vm_admin_owner",

    ...

    "delete_port": "rule:vm_admin_owner_or_vm_admin_network_owner or rule:context_is_advsvc",

So it takes VMAdmin to delete a port, but the user in this case did not have that role when deleting an instance.

I'm going to reopen this bug to see if nova can change to use admin to delete the port, if the neutron port binding extension is enabled.

Changed in nova:
status: Invalid → New
assignee: nobody → Chuck Carmack (chuckcarmack75)
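As an added illustration (not code from this bug, from nova, or from neutron; the real engine is oslo.policy), a small evaluator for the policy.json rule syntax quoted in the comment above shows why a tenant user without the VMAdmin role fails delete_port while an admin passes. The body of context_is_advsvc is not on the page and is assumed to be neutron's default, "role:advsvc"; the port and tenant values are constructed.

```python
import re

# Rules quoted in the comment above; "context_is_advsvc" is not on the page, so its body is assumed.
RULES = {
    "admin_or_vm_admin_owner": "role:admin or (tenant_id:%(tenant_id)s and role:VMAdmin)",
    "admin_or_vm_admin_network_owner": "role:admin or (tenant_id:%(network:tenant_id)s and role:VMAdmin)",
    "vm_admin_owner_or_vm_admin_network_owner": "rule:admin_or_vm_admin_network_owner or rule:admin_or_vm_admin_owner",
    "context_is_advsvc": "role:advsvc",
    "delete_port": "rule:vm_admin_owner_or_vm_admin_network_owner or rule:context_is_advsvc",
}

# Tokens: "(", ")", or one check; the parentheses inside %(network:tenant_id)s stay with the check.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")

def _check(atom, creds, target):
    kind, _, value = atom.partition(":")  # rule:<name> | role:<name> | <cred key>:%(<target attr>)s
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((.+)\)s", value)  # substitute the target attribute, else compare literally
    return kind in creds and str(creds[kind]) == str(target.get(m.group(1)) if m else value)

def enforce(rule_name, creds, target):
    tokens, pos = _TOKEN.findall(RULES[rule_name]), 0
    def chain(op, sub):  # left-to-right chain of `op` over `sub` sub-expressions
        nonlocal pos
        result = sub()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            nxt = sub()  # always parsed so tokens are consumed even when result is already decided
            result = (result or nxt) if op == "or" else (result and nxt)
        return result
    def term():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return _check(tok, creds, target)
        result, pos = expr(), pos + 1  # the extra +1 skips the closing ")"
        return result
    def expr():  # 'and' binds tighter than 'or'
        return chain("or", lambda: chain("and", term))
    return expr()

# Constructed sample target: a port owned by tenant "t1" on a network also owned by "t1".
PORT = {"tenant_id": "t1", "network:tenant_id": "t1"}

def can_delete(roles, tenant_id="t1"):
    """Would this delete_port rule admit a caller with these roles and tenant?"""
    return enforce("delete_port", {"tenant_id": tenant_id, "roles": list(roles)}, PORT)
```

can_delete(["member"]) is False for the owning tenant, which is the case the reporter hit when nova deleted the port with the user's credentials; adding "VMAdmin" or using an admin token makes it True.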
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/280017

Changed in nova:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Chuck Carmack (<email address hidden>) on branch: master
Review: https://review.openstack.org/280017
Reason: I'm abandoning this because our operator agreed to change the neutron policy.

Changed in nova:
status: In Progress → Invalid