[ops][neutron] Is it possible to "lock" a floating IP to an instance ?

Massimo Sgaravatto massimo.sgaravatto at gmail.com
Fri Sep 24 15:17:46 UTC 2021

Thanks a lot

I tried associating the floating IP using:

curl -i "${NOVA_ENDPOINT_URL}/${TENANT_ID}/servers/${SERVER}/action" \
  -X POST \
  -H "X-Auth-Project-Id: ${TENANT_ID}" \
  -H "User-Agent: python-novaclient" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Auth-Token: $TOKEN" \
  -d '{"addFloatingIp": {"address": ""}}'

I hope this is what you mean by "using novas api to manage floating ips"

Then I locked the instance

However another user is then still able to disassociate that floating IP

Cheers, Massimo

On Thu, Sep 23, 2021 at 12:39 PM Sean Mooney <smooney at redhat.com> wrote:

> On Thu, 2021-09-23 at 12:20 +0200, Massimo Sgaravatto wrote:
> > Hello
> >
> > I have the following use case:
> >
> > A user creates a VM and associates a floating IP to that instance
> >
> > Is it in some way possible to prevent the floating IP from being
> > disassociated from that instance by another user of the same project?
> >
> > If it helps, the user owning the instance could be admin (but allowing
> > only the admin user to manage floating IPs is not an option)
> if you are using nova's API to manage floating IPs then you might be able
> to lock the instance, which should prevent changing
> the IP associations and most other instance actions. however, if you were to
> manage the floating IPs from neutron that would entirely bypass that.
> we had talked about adding the ability to lock ports for a different use case
> and having nova lock the port whenever an instance is locked.
> that might be the way to address this in the future, but for now i don't
> think you can do this without custom middleware.
> >
> >
> > Thanks, Massimo
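
The "custom middleware" idea from the quoted reply, sketched as an added example that is not part of this thread or of any OpenStack project: a WSGI filter in front of the Neutron API that rejects changes to a locked floating IP unless they come from the user holding the lock. The class name, the `locks` mapping, the stub application and the sample IDs are assumptions, as is the placement after keystonemiddleware's auth_token filter with the API mounted at the root path.

```python
import json
import re

# Neutron changes or deletes a floating IP via PUT/DELETE on this path.
FIP_PATH = re.compile(r"^/v2\.0/floatingips/([0-9a-f-]+)/?$")


class FloatingIPLockFilter:
    """Hypothetical WSGI filter in front of neutron-server (not OpenStack code)."""

    def __init__(self, app, locks):
        self.app = app
        # Assumption: floating IP id -> user id allowed to change it,
        # maintained out of band; Neutron itself stores no such lock.
        self.locks = locks

    def __call__(self, environ, start_response):
        match = FIP_PATH.match(environ.get("PATH_INFO", ""))
        if match and environ.get("REQUEST_METHOD") in ("PUT", "DELETE"):
            owner = self.locks.get(match.group(1))
            # keystonemiddleware sets X-User-Id after validating the token.
            user = environ.get("HTTP_X_USER_ID")
            if owner is not None and user != owner:
                body = json.dumps({"error": "floating IP is locked"}).encode()
                start_response("403 Forbidden", [
                    ("Content-Type", "application/json"),
                    ("Content-Length", str(len(body)))])
                return [body]
        return self.app(environ, start_response)


def neutron_stub(environ, start_response):
    """Stand-in for the real Neutron API application."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]


def status_for(app, method, path, user_id):
    """Send one constructed request through the filter; return the status."""
    seen = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "HTTP_X_USER_ID": user_id}
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]


# Constructed sample data: one locked floating IP owned by "user-a".
FIP_ID = "11111111-2222-3333-4444-555555555555"
APP = FloatingIPLockFilter(neutron_stub, {FIP_ID: "user-a"})
```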