[Bug 1540939] Re: Instance delete causing port leak
I think the problem we are having is that we added "VMAdmin" to the
delete port rule.
We have this:
"owner": "tenant_id:%(tenant_id)s",
"admin_or_vm_admin_owner": "role:admin or (tenant_id:%(tenant_id)s and role:VMAdmin)",
"admin_or_vm_admin_network_owner": "role:admin or (tenant_id:%(network:tenant_id)s and role:VMAdmin)",
"vm_admin_owner_or_vm_admin_network_owner": "rule:admin_or_vm_admin_network_owner or rule:admin_or_vm_admin_owner",
...
"delete_port": "rule:vm_admin_owner_or_vm_admin_network_owner or rule:context_is_advsvc",
So it takes VMAdmin to delete a port, but the user in this case did not
have that role when deleting an instance.
I'm going to reopen this bug to see if nova can change to use admin to
delete the port, if the neutron port binding extension is enabled.
** Changed in: nova
Status: Invalid => New
** Changed in: nova
Assignee: (unassigned) => Chuck Carmack (chuckcarmack75)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1540939
Title:
Instance delete causing port leak
Status in OpenStack Compute (nova):
New
Bug description:
Nova can cause a neutron port leak after deleting an instance.
If neutron has the port binding extension installed, then nova uses admin credentials to create the port during instance create:
https://github.com/openstack/nova/blob/master/nova/network/neutronv2/api.py#L537
However, during instance delete, nova always uses the user creds:
https://github.com/openstack/nova/blob/master/nova/network/neutronv2/api.py#L739
Depending on the neutron policy settings, this can leak ports in
neutron.
Can someone explain this behavior?
We are running on nova kilo.
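To make the leak concrete, the following is an added example (not code from nova, neutron or oslo.policy) that re-implements just enough of the policy rule language quoted above (role:, tenant_id:%(...)s substitutions, rule: references, and/or, parentheses) to evaluate "delete_port" against a port that nova created with admin credentials. The rules are the ones quoted in the comment; "context_is_advsvc" is not shown on the page and is assumed here to be "role:advsvc". The tenant and port values are constructed.

```python
import re

# Policy fragment quoted in the bug comment. "context_is_advsvc" is not on
# the page; "role:advsvc" is an assumption matching neutron's usual default.
POLICY = {
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_vm_admin_owner": "role:admin or (tenant_id:%(tenant_id)s and role:VMAdmin)",
    "admin_or_vm_admin_network_owner": "role:admin or (tenant_id:%(network:tenant_id)s and role:VMAdmin)",
    "vm_admin_owner_or_vm_admin_network_owner": "rule:admin_or_vm_admin_network_owner or rule:admin_or_vm_admin_owner",
    "context_is_advsvc": "role:advsvc",  # assumption, see lead-in
    "delete_port": "rule:vm_admin_owner_or_vm_admin_network_owner or rule:context_is_advsvc",
}


def tokenize(rule):
    """Split a rule into tokens, peeling structural parentheses off word edges.

    The parentheses inside a %(...)s substitution are never at a word edge,
    so "(tenant_id:%(tenant_id)s" yields "(" and "tenant_id:%(tenant_id)s".
    """
    tokens = []
    for word in rule.split():
        while word.startswith("("):
            tokens.append("(")
            word = word[1:]
        trailing = 0
        while word.endswith(")"):
            trailing += 1
            word = word[:-1]
        if word:
            tokens.append(word)
        tokens.extend([")"] * trailing)
    return tokens


def check(token, policy, creds, target):
    """Evaluate one atomic check against the caller's creds and the target."""
    kind, _, value = token.partition(":")
    if kind == "rule":
        return enforce(value, policy, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: tenant_id:%(network:tenant_id)s compares the caller's
    # tenant_id with the target attribute named inside %(...)s.
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:
        return target.get(m.group(1)) == creds.get(kind)
    return creds.get(kind) == value


class _Parser:
    """Recursive-descent evaluator: 'or' binds weaker than 'and'."""

    def __init__(self, tokens, policy, creds, target):
        self.tokens, self.pos = tokens, 0
        self.policy, self.creds, self.target = policy, creds, target

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def next(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self.peek() == "or":
            self.next()
            rhs = self.parse_and()  # always parse, so position advances
            result = result or rhs
        return result

    def parse_and(self):
        result = self.parse_atom()
        while self.peek() == "and":
            self.next()
            rhs = self.parse_atom()
            result = result and rhs
        return result

    def parse_atom(self):
        tok = self.next()
        if tok == "(":
            result = self.parse_or()
            if self.next() != ")":
                raise ValueError("unbalanced parentheses")
            return result
        return check(tok, self.policy, self.creds, self.target)


def enforce(rule_name, policy, creds, target):
    """Return True if creds may perform rule_name on target under policy."""
    parser = _Parser(tokenize(policy[rule_name]), policy, creds, target)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in rule %r" % rule_name)
    return bool(result)


# Constructed scenario: the port belongs to the user's tenant and sits on a
# network owned by that same tenant, exactly as after an instance boot.
TENANT = "tenant-a"
PORT = {"tenant_id": TENANT, "network:tenant_id": TENANT}


def can_delete_port(roles, tenant_id=TENANT, port=PORT):
    """Would a delete_port call with these creds pass neutron's policy?"""
    creds = {"tenant_id": tenant_id, "roles": list(roles)}
    return enforce("delete_port", POLICY, creds, port)


if __name__ == "__main__":
    for roles in ([], ["member"], ["VMAdmin"], ["admin"], ["advsvc"]):
        print("roles=%-12s delete_port allowed: %s" % (roles, can_delete_port(roles)))
```

Running it shows the asymmetry the bug describes: the port is created under admin credentials, but a plain tenant user (no VMAdmin role) is denied "delete_port" on instance delete, so the port stays behind. Only callers holding VMAdmin, admin or the advsvc role pass the check.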