  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-57

Implement "Boot a VM with an unaddressed port" blueprint


    • Epic
    • Resolution: Done-Errata
    • Minor
    • rhos-18.0.0
    • rhos-18.0.0
    • openstack-nova
    • None
    • Implement "Boot a VM with an unaddressed port" blueprint
    • 1
    • False
    • False
    • Committed
    • No Docs Impact
    • OSP-14490 - Large scale scheduling
    • openstack-nova-27.1.1-18.0.20230930093334.a869ab1.el9ost
    • Committed
    • Committed
    • 0% To Do, 0% In Progress, 100% Done
    • .Create a neutron port without an IP address if the port requires only L2 network connectivity

      You can now create an instance with a `non-deferred` port that has no fixed IP address if the network back end has L2 connectivity.

      In previous releases of RHOSP, all neutron ports were required to have an IP address. The IP address assignment could be immediate (default) or deferred for L3 routed networks.
      In RHOSO 18.0, that requirement has been removed. You can now create a neutron port without an IP address if the port requires only L2 network connectivity.

      To use this feature, set `ip_allocation = 'none'` on the neutron port before passing it to nova to use when creating a VM instance or attaching the port to an existing instance.
    • Enhancement
    • Done
    • Proposed

      Description of problem:

      Instances are unable to be created using a port without a fixed-ip at the moment (e.g. instances running NFV application using IP not directly managed by RHOSP).

      from [1]
      ~~~
      by design nova has required all ports to have ip address before the vm is scheduled until very recently.
      in fact supporting addressless ports was rejected several times.
      ~~~

      A patch for said use case[2] was rejected in the past.
      However we can still see another blueprint[3] being "Pending Approval".

      I can see a security concern mentioned in private comments on BZ1669350
      and from [4] as well
      ~~~
      because of the absence of strong firewalling, the network to which
      the port is attached is insecure, as the attached VM can spoof any
      other VM on the network. For security reasons, we should only
      permit unaddressed ports to be created by the tenant on tenant-owned
      networks, or by the administrator on shared networks [...]
      ~~~

      Version-Release number of selected component (if applicable):
      17+ (as RFE period for 16.x is over)

      How reproducible:
      N/A

      Steps to Reproduce:
      N/A

      Actual results:

      Unable to create VM with ip-less port

      Expected results:

      Being able to create VM with ip-less port

      Additional info:

      As we can see in [1] and [5], there is an actual need for such a feature in environments dealing with NFV applications.

      As we are able to actually create a similar end result, with the following workaround
      ~~~
      $ openstack port create --no-fixed-ip --no-security-group --disable-port-security <port-name> --network <network-id>
      $ openstack server create [...] <server-name>
      $ openstack server add port <server-name> <port-name>
      ~~~
      it would be nice if we could avoid those extra steps, and work on the nova side, to allow the instance to be created with a port without a fixed ip.

      The business reason behind it is that in environments where NFV VM life cycle is done through THT, the lack of such a feature[3] is a show stopper.
      Because of that, let me push for bp [3] once more, as some time has passed since BZ1669350 comment #4.

      [1] https://bugzilla.redhat.com/show_bug.cgi?id=1669350#c4
      [2] https://review.opendev.org/#/c/97715/
      [3] https://blueprints.launchpad.net/nova/+spec/boot-vm-with-unaddressed-port
      [4] https://review.opendev.org/c/openstack/neutron-specs/+/97715/6/specs/juno/nfv-unaddressed-interfaces.rst#83
      [5] https://bugzilla.redhat.com/show_bug.cgi?id=1559716
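
An added example (not part of the issue, and not nova or neutron code): a Python audit that applies the rule quoted from the spec review [4] to a port inventory, flagging unaddressed ports on shared networks that are not owned by an admin project, or on a network owned by another project. The ports and networks are constructed sample data; field names follow Neutron API port and network attributes, while `admin_projects` and using `project_id` as a stand-in for the creator are assumptions.

```python
# Constructed sample inventory, shaped like Neutron API network and port objects.
NETWORKS = [
    {"id": "net-tenant-a", "project_id": "proj-a", "shared": False},
    {"id": "net-shared", "project_id": "proj-admin", "shared": True},
]

def _port(pid, net, proj, alloc, ips, psec):
    return {"id": pid, "network_id": net, "project_id": proj,
            "ip_allocation": alloc, "fixed_ips": ips,
            "port_security_enabled": psec}

PORTS = [
    _port("port-1", "net-tenant-a", "proj-a", "immediate",
          [{"ip_address": "10.0.0.5"}], True),                 # addressed
    _port("port-2", "net-tenant-a", "proj-a", "none", [], False),   # own network
    _port("port-3", "net-shared", "proj-b", "none", [], False),     # tenant on shared
    _port("port-4", "net-shared", "proj-admin", "none", [], False), # admin on shared
    _port("port-5", "net-shared", "proj-b", "deferred", [], True),  # address pending
]

def is_unaddressed(port):
    # Assumption: a deferred port is expected to receive an address at binding
    # time, so only ports that will stay without a fixed IP are in scope.
    return not port.get("fixed_ips") and port.get("ip_allocation") != "deferred"

def audit_unaddressed_ports(ports, networks, admin_projects):
    """Return (port_id, reason) for unaddressed ports outside the quoted rule."""
    nets = {n["id"]: n for n in networks}
    findings = []
    for port in ports:
        if not is_unaddressed(port):
            continue
        net = nets.get(port["network_id"])
        if net is None:
            findings.append((port["id"], "network missing from inventory"))
            continue
        owner = port["project_id"]  # assumption: owner approximates creator
        if net["shared"]:
            allowed = owner in admin_projects
            reason = "unaddressed port on shared network, owner is not admin"
        else:
            allowed = owner == net["project_id"]
            reason = "unaddressed port on a network owned by another project"
        if not allowed:
            if not port.get("port_security_enabled", True):
                reason += " (port security disabled)"
            findings.append((port["id"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit_unaddressed_ports(PORTS, NETWORKS, {"proj-admin"}):
        print(*finding, sep=": ")
```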

              sbauza@redhat.com Sylvain Bauza
              jira-bugzilla-migration RH Bugzilla Integration
              rhos-dfg-compute