On 5/1/25 15:11, Sean Mooney wrote:
On 01/05/2025 20:22, melanie witt wrote:
On 5/1/25 08:17, Sean Mooney wrote:
On 01/05/2025 15:56, Nguyễn Hữu Khôi wrote:
Hello. I created an external network for a specified project but I cannot create instances with the external network on this tenant.
I must create RBAC Policies with shared and external policies then my instances can get IP addresses and run properly.
booting to an external network is admin-only by default.
depending on your release nova used to enforce this too, but in newer releases we defer to neutron to enforce that policy.
I think I actually looked at this recently while re-triaging old bugs downstream and AFAICT it's still an issue:
https://bugs.launchpad.net/nova/+bug/1675486
We have mentioned the idea of deferring to Neutron for this entirely (and I expect we can with no ill side effects) but I don't believe we formally discussed with the Neutron team to confirm whether it would be 100% OK to do.
I think it would be nice to follow up on ^ and finally remove the external network policy check in Nova.
-melwitt
we merged https://review.opendev.org/c/openstack/nova/+/794360 3 years ago
but looking at the code change it just removed the comment so we still have our own
NETWORK_ATTACH_EXTERNAL policy which is admin only.
so i guess an operator can change that to project_member but you're right we never actually removed the project.
we probably should do that but ya we can see if neutron are still ok with this.
im 99% sure that we talked about it with them in a past ptg but it's definitely been a couple of years.
Good to know, it is highly likely that I missed it or forgot given the time that has passed since then. I'm supportive of going ahead and removing it now and giving it a lot of bake time this cycle to uncover potential issues.
one thing to keep in mind. external networks do not have a neutron router as their default gateway.
by default neutron implements the metadata proxy via the l3 agent if you're using ml2/ovs, so you need to enable the option to do that via the dhcp agent if you are still using ml2/ovs or your vms won't have metadata. for ml2/ovn i think it will just work but perhaps not.
I didn't understand any of that unfortunately :) but if it's a potential problem with deferring to Neutron it's good to look out for it. -melwitt
Is it normal? Please correct me if I am wrong.
yes it's normal, neutron may have changed the default to allow non-admins but booting directly to an external network was
always considered privileged in the past.
Thank you.
Nguyen Huu Khoi
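For readers wondering what "an operator can change that to project_member" looks like in practice, here is an added illustration of the Nova-side policy override; it is not code from the thread or from the Nova/Neutron repositories. It assumes the rule name network:attach_external_network (the NETWORK_ATTACH_EXTERNAL constant) and the rule:project_member_api alias from Nova's shipped policy defaults, and the /etc/nova/policy.yaml path; check both against your release before relying on them.

```yaml
# /etc/nova/policy.yaml  (assumed path; the oslo.policy override file read by nova-api)
#
# Shipped default, shown only for comparison (rule name and default are assumptions
# to verify against your release):
#   "network:attach_external_network": "rule:context_is_admin"
#
# Operator override: let project members boot a server directly on an external
# network. This only relaxes Nova's own check. Neutron still decides which
# project may use the network through its RBAC entries, so the least-privilege
# pairing is an access_as_external entry scoped to the one target project
# rather than a shared network visible to "*". The effective permission is the
# intersection of both checks; keep the default above if only admins should be
# able to do this.
"network:attach_external_network": "rule:project_member_api"
```

Remember the metadata caveat from the thread as well: on ml2/ovs an instance on an external network reaches the metadata proxy only if the dhcp agent is configured to serve it, because there is no Neutron router in the path.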