[nova][neutron][ptg] Summary: Leaking resources when ports are deleted out-of-band

Akihiro Motoki amotoki at gmail.com
Fri May 3 23:22:46 UTC 2019


On Fri, May 3, 2019 at 4:11 PM Matt Riedemann <mriedemos at gmail.com> wrote:

> On 5/3/2019 3:35 PM, Balázs Gibizer wrote:
> > 2) Matt had a point after the session that if Neutron enforces that
> > only unbound ports can be deleted then not only Nova needs to be changed
> > to unbind a port before deleting it, but possibly other Neutron
> > consumers (Octavia?).
>
> And potentially Zun, there might be others, Magnum, Heat, idk?
>
> Anyway, this is a thing that has been around forever which admins
> shouldn't do, do we need to prioritize making this change in both
> neutron and nova to make two requests to delete a bound port? Or is just
> logging the ERROR that you've leaked allocations, tsk tsk, enough? I
> tend to think the latter is fine until someone comes along saying this
> is really hurting them and they have a valid use case for deleting bound
> ports out of band from nova.
>

neutron defines a special role called "advsvc" for advanced network
services [1].
I think we can change neutron to block deletion of bound ports for regular
users and allow users with "advsvc" role to delete bound ports.
I haven't checked which projects currently use "advsvc".

[1] https://opendev.org/openstack/neutron/src/branch/master/neutron/conf/policies/port.py#L53-L59


>
> --
>
> Thanks,
>
> Matt
>
>