On 5/1/25 08:17, Sean Mooney wrote:
On 01/05/2025 15:56, Nguyễn Hữu Khôi wrote:
Hello. I created an external network for a specified project but I cannot create instances with the external network on this tenant.
I must create RBAC Policies with shared and external policies then my instances can get IP addresses and run properly.
Booting to an external network is admin-only by default.
Depending on your release, Nova used to enforce this too, but in newer releases we defer to Neutron to enforce that policy.
I think I actually looked at this recently while re-triaging old bugs downstream and AFAICT it's still an issue:
https://bugs.launchpad.net/nova/+bug/1675486
We have mentioned the idea of deferring to Neutron for this entirely (and I expect we can with no ill side effects) but I don't believe we formally discussed with the Neutron team to confirm whether it would be 100% OK to do.
I think it would be nice to follow up on ^ and finally remove the external network policy check in Nova.
-melwitt
Is it normal? Pls correct me if I am wrong
Yes, it's normal. Neutron may have changed the default to allow non-admins, but booting directly to an external network was
always considered privileged in the past.
Thank you.
Nguyen Huu Khoi