creating a VM without IP (ip_allocation='none')

Bug #1741575 reported by Mathieu Rohon
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Opinion | Wishlist | Unassigned |

Bug Description

Using latest neutron [1] and python-neutronclient [2], we are now able to create VMs without IP addresses.

If I run :

$ openstack network create net1
$ openstack port create --network net1 --no-fixed-ip port_net1

I get the IP_allocation field equal to "none" in the neutron database for the created port.

So the following command should result in a VM without IP Addresses :

$ openstack server create --flavor 1 --image 78ee2490-3b59-4c1f-bc29-cdb878ccfc26 --port port_net1

Instead I have the following error :

Port c1013516-8e00-4f99-817d-07edbb386142 requires a FixedIP in order to be used. (HTTP 400)

It seems that nova only accepts VMs with deferred ip_allocation [3][4], not "none".

Accepting "none" as a valid option for the ip_allocation attribute would implement [5], as [4] was expected to, regarding Matt Riedemann's last comment on [5].

[1] https://review.openstack.org/#/c/361455/
[2] https://review.openstack.org/#/c/504817/
[3] http://git.openstack.org/cgit/openstack/nova/tree/nova/network/neutronv2/api.py#n1663
[4] https://review.openstack.org/#/c/299591/
[5] https://review.openstack.org/#/c/239276/

description: updated
Mathieu Rohon (mathieu-rohon) wrote :

As soon as the port-security has been disabled on the network, the following patch works fine on top of 21d7d4e20c89e8a8ae174b5a42b8bc388c3a95e6

We end up having a VM without an IP, correctly created by nova.

summary: - creating a VM without IP (ip_allocation=None)
+ creating a VM without IP (ip_allocation='none')
Mathieu Rohon (mathieu-rohon) wrote :

During my initial test, the ip_allocation was not activated on the neutron side.
Hence, the ip_allocation attribute of a port was not accessible over REST requests done by nova.

The only way to activate this extension with the neutron vanilla code seems to be to use the "segments" service plugin [1][2].

After adding the "segments" to the list of enabled service plugins in neutron.conf, nova can access the ip_allocation attribute of a port.

Then nova can check if the port's ip_allocation is set to 'none', and keep on creating the VM without raising an exception regarding the missing fixed ip.

This leads to the attached patch, which works in the context of:
- segment service plugin enabled in neutron;
- port_security disabled on the port's network;

[1] https://docs.openstack.org/neutron/pike/contributor/internals/segments.html#
[2] https://github.com/openstack/neutron/blob/d505e3eeb7e4d3ee211499286fd050ed48fdbf96/neutron/services/segments/plugin.py
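
Added example, not part of any comment in this report and not nova's code: a simplified model of the port check discussed above, showing the current rejection and the two preconditions the reporter names for the patched behaviour. The function name `check_port`, the `accept_none` switch and the rule that enabled port security causes a rejection are assumptions made for illustration.

```python
# Added illustration: a simplified model of the port check discussed in this
# bug, not nova's code. Dict keys mirror Neutron port/network attributes named
# on the page; check_port and accept_none are hypothetical names.

ERROR = "Port %s requires a FixedIP in order to be used."


def check_port(port, network, accept_none=False):
    """Return (ok, reason) for booting a server on an existing port."""
    if port.get("fixed_ips"):
        return True, "port has a fixed IP"

    # Without the extension that exposes ip_allocation (the thread enables it
    # through the "segments" service plugin) the key is absent from the REST
    # response, so the caller cannot tell 'none' from a broken port.
    allocation = port.get("ip_allocation")
    if allocation == "deferred":
        return True, "IP allocation is deferred"
    if allocation == "none" and accept_none:
        # Assumption of this model: the patch was reported to work with port
        # security disabled on the network, so that is treated as required.
        if network.get("port_security_enabled", True):
            return False, "port security is enabled on the network"
        return True, "port intentionally has no IP"
    return False, ERROR % port["id"]


# Constructed sample data (the port id is the one quoted in the report).
PORT_ID = "c1013516-8e00-4f99-817d-07edbb386142"
NET_OPEN = {"port_security_enabled": False}
NET_SECURED = {"port_security_enabled": True}
NO_IP_PORT = {"id": PORT_ID, "fixed_ips": [], "ip_allocation": "none"}
HIDDEN_ATTR_PORT = {"id": PORT_ID, "fixed_ips": []}  # extension not enabled

if __name__ == "__main__":
    cases = [
        ("current behaviour", NO_IP_PORT, NET_OPEN, False),
        ("patched, attribute hidden", HIDDEN_ATTR_PORT, NET_OPEN, True),
        ("patched, port security on", NO_IP_PORT, NET_SECURED, True),
        ("patched, both preconditions met", NO_IP_PORT, NET_OPEN, True),
    ]
    for label, port, net, accept in cases:
        print(label, "->", check_port(port, net, accept))
```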

Mathieu Rohon (mathieu-rohon) wrote :

I've reported a related issue on Neutron, concerning the inconsistency of the ip_allocation attribute usage (can be set without "segments" service plugin enabled, but cannot be read)

https://bugs.launchpad.net/neutron/+bug/1742093

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/533249

Changed in nova:
assignee: nobody → Mathieu Rohon (mathieu-rohon)
status: New → In Progress
Changed in nova:
assignee: Mathieu Rohon (mathieu-rohon) → do3meli (d-info-e)
do3meli (d-info-e)
Changed in nova:
assignee: do3meli (d-info-e) → nobody
sean mooney (sean-k-mooney) wrote :

Note that ip_allocation=None was originally not supported intentionally
due to security concerns.

It was declared out of scope in
https://specs.openstack.org/openstack/nova-specs/specs/newton/implemented/neutron-routed-networks.html#proposed-change

I personally am not comfortable treating this as just a bug fix without first checking
with the wider nova core team, so I am not going to triage this as a valid bug until I
discuss it further on IRC.

Changed in nova:
status: In Progress → Opinion
tags: added: network security-groups
Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → Wishlist
do3meli (d-info-e) wrote :

Has there been any more progress on this? Was the issue discussed with the wider nova core team?

Changed in nova:
assignee: nobody → do3meli (d-info-e)
status: Opinion → In Progress
do3meli (d-info-e)
Changed in nova:
assignee: do3meli (d-info-e) → nobody
status: In Progress → Opinion