juju bug (?) when allocating floating ips to machines
Hi all,

I'm using juju 2.1.2.1 (I didn't upgrade to 2.2 yet, that's why I didn't open a bug on launchpad) with openstack as cloud provider.

When I use as credentials an Admin user (but a specific tenant) I have issues with floating ip assignment: the admin user can see all the floating ips in the openstack region. So, if another tenant allocates an IP without assigning it to a VM (so, unused) juju tries to use it and attach it to the VM it just deployed.

i.e.

user test1 is Admin and has primary project "tenant-one"
user test2 is member of project "tenant-two"

credentials given to juju are test1, test1_password, tenant-one and RegionOne.

# source novarc_test1

# neutron floatingip-list
+--------------------------------------+------------------+---------------------+--------------------------------------+
| id                                   | fixed_ip_address | floating_ip_address | port_id                              |
+--------------------------------------+------------------+---------------------+--------------------------------------+
| 03d1a8e8-fd55-4d6e-ab7e-b62061ea6206 | 192.168.0.10     | 10.1.2.19           | b6ac7caf-0c6e-4d81-b055-ecb8b4bdeebd |
| 2b4e48ba-aad6-4d78-aff6-88b912f89bf5 | 192.168.0.20     | 10.1.2.9            | 17f69b3b-97d0-4cec-8208-e4d2ac2f1034 |
| 3144b683-2cf5-43cf-bddd-b06cb5662430 |                  | 10.1.2.22           |                                      |
| 55145d85-58ea-4f15-8a0c-96a719c0fa8d | 192.168.0.22     | 10.1.2.4            | 6eeaa12b-0971-496c-bd38-89e9b9d71818 |
+--------------------------------------+------------------+---------------------+--------------------------------------+

the third line shows an ip address assigned to tenant-two by test2.

User test1 has admin role so he has permission to see the ip. Using a command like "neutron floatingip-show 3144b683-2cf5-43cf-bddd-b06cb5662430" correctly shows the project_id uuid related to tenant-two and not tenant-one.

juju model is configured with
use-default-secgroup model true
use-floating-ip model true

When trying to deploy any application juju spawns a VM, but it never ends and logs:

Unable to associate floating IP 10.1.2.22 to fixed IP 192.168.0.9 for instance 3d95283c-69f2-4cf1-8980-99462a5904a2.

Removing the unused floating ip address or using a member-only (not admin) user bypasses the problem: juju will allocate a new ip and associate it with the new VM.

I didn't try, but I do think that if a user is member of two different tenants it may try to misuse the addresses and mess with them, failing to deploy.

Desiderata: juju should check if the allocated ip address is in the same tenant view of the given credentials.

Regards

Patrizio

--
Juju mailing list
Juju@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju
Re: juju bug (?) when allocating floating ips to machines
Hi Patrizio,

Judging by the code in develop, we do not check the tenant_id when choosing a FIP. There is an attempt to ensure the FIP is in the provided external network, if specified. So that may be another workaround.

Please file a bug. I'm wondering if there are more places the provider should be checking the tenant as well.

-Heather

On Thu, Jul 27, 2017 at 9:04 AM, Patrizio Bassi wrote:
> [...]
Re: juju bug (?) when allocating floating ips to machines
Dear Heather,

here you are: https://bugs.launchpad.net/juju/+bug/1707248

The external network check is not enough because, as said, the same network ip range may be allocated in other tenants.

Regards

Patrizio

2017-07-27 19:43 GMT+02:00 Heather Lanigan:
> [...]
--
Patrizio Bassi
www.patriziobassi.it
http://piazzadelpopolo.patriziobassi.it
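To make the selection logic under discussion concrete, here is an added example in Go (Juju's language) that is not Juju's provider code. It parses a Neutron floating IP listing, picks an unused FIP the way the thread describes (any visible unused address), and then applies the two candidate checks: the external-network check Heather mentions and the tenant check Patrizio asks for. The JSON field names are those Neutron returns for floatingips; the tenant and network UUIDs, and the fifth entry (an unused FIP owned by tenant-one), are constructed placeholders, not values from the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FloatingIP carries the Neutron floating IP fields this selection logic needs
// (names as returned by GET /v2.0/floatingips).
type FloatingIP struct {
	ID                string `json:"id"`
	FixedIP           string `json:"fixed_ip_address"`
	FloatingIP        string `json:"floating_ip_address"`
	PortID            string `json:"port_id"`
	TenantID          string `json:"tenant_id"`
	FloatingNetworkID string `json:"floating_network_id"`
}

// FIPFilter constrains which unused floating IPs may be reused. An empty field
// means "do not check"; an empty TenantID is the behaviour the thread describes.
type FIPFilter struct {
	TenantID          string // tenant of the credentials Juju was given
	ExternalNetworkID string // external network configured for the model, if any
}

// ParseFloatingIPs decodes a Neutron floating IP listing. Neutron returns null
// for fixed_ip_address and port_id on unattached FIPs; json.Unmarshal leaves
// those strings empty, which is what unused() keys on.
func ParseFloatingIPs(body []byte) ([]FloatingIP, error) {
	var l struct {
		FloatingIPs []FloatingIP `json:"floatingips"`
	}
	if err := json.Unmarshal(body, &l); err != nil {
		return nil, err
	}
	return l.FloatingIPs, nil
}

// unused reports whether a FIP is allocated but not attached to any port.
func unused(f FloatingIP) bool {
	return f.PortID == "" && f.FixedIP == ""
}

// PickUnusedFIP returns the first unused FIP that passes the filter. With an
// empty filter it takes any visible unused FIP, which is how an admin-role
// credential ends up grabbing another tenant's address. When it returns false
// the caller should allocate a fresh FIP in its own tenant instead.
func PickUnusedFIP(fips []FloatingIP, filter FIPFilter) (FloatingIP, bool) {
	for _, f := range fips {
		if !unused(f) {
			continue
		}
		if filter.TenantID != "" && f.TenantID != filter.TenantID {
			continue
		}
		if filter.ExternalNetworkID != "" && f.FloatingNetworkID != filter.ExternalNetworkID {
			continue
		}
		return f, true
	}
	return FloatingIP{}, false
}

// SampleListing is a constructed Neutron response modelled on the table in the
// thread. The tenant/network UUIDs and the fifth entry are placeholders added
// for this example, not values from the post.
const SampleListing = `{"floatingips": [
 {"id": "03d1a8e8-fd55-4d6e-ab7e-b62061ea6206", "fixed_ip_address": "192.168.0.10", "floating_ip_address": "10.1.2.19", "port_id": "b6ac7caf-0c6e-4d81-b055-ecb8b4bdeebd", "tenant_id": "tenant-one-uuid", "floating_network_id": "ext-net-uuid"},
 {"id": "2b4e48ba-aad6-4d78-aff6-88b912f89bf5", "fixed_ip_address": "192.168.0.20", "floating_ip_address": "10.1.2.9", "port_id": "17f69b3b-97d0-4cec-8208-e4d2ac2f1034", "tenant_id": "tenant-one-uuid", "floating_network_id": "ext-net-uuid"},
 {"id": "3144b683-2cf5-43cf-bddd-b06cb5662430", "fixed_ip_address": null, "floating_ip_address": "10.1.2.22", "port_id": null, "tenant_id": "tenant-two-uuid", "floating_network_id": "ext-net-uuid"},
 {"id": "55145d85-58ea-4f15-8a0c-96a719c0fa8d", "fixed_ip_address": "192.168.0.22", "floating_ip_address": "10.1.2.4", "port_id": "6eeaa12b-0971-496c-bd38-89e9b9d71818", "tenant_id": "tenant-one-uuid", "floating_network_id": "ext-net-uuid"},
 {"id": "00000000-0000-4000-8000-000000000001", "fixed_ip_address": null, "floating_ip_address": "10.1.2.30", "port_id": null, "tenant_id": "tenant-one-uuid", "floating_network_id": "ext-net-uuid"}
]}`

func main() {
	fips, err := ParseFloatingIPs([]byte(SampleListing))
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name   string
		filter FIPFilter
	}{
		{"no checks (current behaviour)", FIPFilter{}},
		{"external network only", FIPFilter{ExternalNetworkID: "ext-net-uuid"}},
		{"tenant + external network", FIPFilter{TenantID: "tenant-one-uuid", ExternalNetworkID: "ext-net-uuid"}},
	}
	for _, c := range cases {
		if f, ok := PickUnusedFIP(fips, c.filter); ok {
			fmt.Printf("%-32s -> reuse %s (owner %s)\n", c.name, f.FloatingIP, f.TenantID)
		} else {
			fmt.Printf("%-32s -> nothing reusable, allocate a new FIP\n", c.name)
		}
	}
}
```

Run as-is, the first two cases both settle on 10.1.2.22: because tenant-two's address sits on the same external network, the network check alone does not exclude it, which is the point made in the last reply. Only the tenant-aware filter skips it and picks tenant-one's own unused address, and a tenant with no unused FIP gets "allocate a new one" rather than someone else's.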