nova policy override (by quqi99)

Author: Zhang Hua, published 2023-05-19
Copyright notice: this article may be freely reproduced; when reproducing it, please credit the original source and author with a hyperlink and keep this copyright notice.

Problem

ExternalNetworkAttachForbidden is thrown when a non-admin user attaches an instance to an external network that is not shared.

Reproduce the problem

./xxx.sh -s focal --name ovn --num-compute 1 --ovn --use-stable-charms --run
./configure

openstack domain create aaa_domain
openstack project create myproject --domain aaa_domain
openstack user create --project myproject --domain aaa_domain --password password user1
openstack role add --user user1 --project myproject --user-domain aaa_domain Member
openstack role assignment list --project myproject --name
export OS_REGION_NAME=RegionOne
export OS_AUTH_URL=https://10.5.0.52:5000/v3
export OS_PROJECT_DOMAIN_NAME=aaa_domain
export OS_USERNAME=user1
export OS_AUTH_TYPE=password
export OS_USER_DOMAIN_NAME=aaa_domain
export OS_PROJECT_NAME=myproject
export OS_PASSWORD=password
export OS_IDENTITY_API_VERSION=3

openstack network set --external private
$ openstack network show private |grep -E 'share|exter'
| router:external | External |
| shared | False |

juju config nova-cloud-controller use-policyd-override=false
openstack server create --wait --image jammy --flavor m1.small --key-name testkey --nic net-id=$(openstack network show private -cid -fvalue) i1

$ openstack server show i1 |grep fault
| fault | {'code': 500, 'created': '2023-05-17T05:58:50Z', 'message': 'Build of instance 9f7bbcaf-6f9f-481b-bfc3-1096b44b4dea aborted: Failed to allocate the network(s), not rescheduling.'} |

$ juju ssh nova-compute/0 -- grep -r 'ExternalNetworkAttachForbidden' /var/log/nova/ |tail -n1
Connection to 10.5.3.103 closed.
/var/log/nova/nova-compute.log:2023-05-17 05:58:49.684 12137 ERROR nova.compute.manager [instance: 9f7bbcaf-6f9f-481b-bfc3-1096b44b4dea] nova.exception.ExternalNetworkAttachForbidden: It is not allowed to create an interface on external network fc56660e-8595-44af-a7a8-36c79c1d199a

Using a policy override to fix it

Note that the rules "project_admin_api" and "project_member_api" have been deprecated since Ussuri (see https://github.com/openstack/nova/blob/dfda0c0482acf579452742860cec2bdd64ac616a/nova/policies/base.py#L23), so the override below uses "system_admin_or_owner" instead.

juju config nova-cloud-controller use-policyd-override=false
cat <<EOF > /tmp/patched-override-file.yaml
"network:attach_external_network": "rule:system_admin_or_owner"
EOF
zip data.zip /tmp/patched-override-file.yaml
juju attach-resource nova-cloud-controller policyd-override=data.zip
juju config nova-cloud-controller use-policyd-override=true
juju list-resources nova-cloud-controller
juju debug-log --replay --no-tail --include nova-cloud-controller |grep 'policy.d overrides installed'

# on each n-c-c, verify the change
oslopolicy-policy-generator --namespace nova --output /tmp/policy.yaml
cat /tmp/policy.yaml |grep attach_external_network
#juju run -a nova-cloud-controller "oslopolicy-policy-generator --namespace nova --output /dev/stdout | grep attach_external_network"
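The verification step above only greps the generator output by eye. The following is an added example, not code from the original post, that automates the two checks a reviewer of such an override would want: that the override file does not reference a rule alias deprecated since Ussuri, and that the effective policy dumped by `oslopolicy-policy-generator` actually reflects the override. It assumes the generator output is made of `"target": "rule"` lines plus `#` comments (the shape shown on the page); the "before/after" dumps and the `os_compute_api:servers:index` filler rule are constructed sample data.

```python
import json

# Rule aliases the post notes as deprecated since Ussuri (nova/policies/base.py).
DEPRECATED_RULES = {"rule:project_admin_api", "rule:project_member_api"}

# The override from the post (patched-override-file.yaml).
OVERRIDE = '"network:attach_external_network": "rule:system_admin_or_owner"\n'

# Constructed: an override written against a pre-Ussuri alias.
LEGACY_OVERRIDE = '"network:attach_external_network": "rule:project_admin_api"\n'

# Constructed excerpts of what `oslopolicy-policy-generator --namespace nova`
# prints before and after the override is installed. Only the
# attach_external_network line matters; the servers:index line is filler.
GENERATED_BEFORE = """\
# Attach an unshared external network to an instance (constructed comment)
"network:attach_external_network": "rule:context_is_admin"
"os_compute_api:servers:index": "rule:project_member_api"
"""
GENERATED_AFTER = """\
"network:attach_external_network": "rule:system_admin_or_owner"
"os_compute_api:servers:index": "rule:project_member_api"
"""


def parse_policy_lines(text):
    """Parse `"target": "rule"` lines, the format shared by the override file
    and the generator output. Blank lines and # comments are skipped; each
    remaining line is a single JSON object member, so wrap it in braces."""
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        policy.update(json.loads("{" + line.rstrip(",") + "}"))
    return policy


def lint_override(override_text):
    """Return (target, rule) pairs whose rule is a deprecated alias, so the
    override is not attached referencing a rule name nova no longer defines."""
    return [(target, rule)
            for target, rule in parse_policy_lines(override_text).items()
            if rule in DEPRECATED_RULES]


def override_applied(generated_text, override_text):
    """Compare the effective policy dump against the override. Returns
    target -> effective rule for every target that did NOT take the override
    (empty dict means the override is fully in effect on this n-c-c unit)."""
    generated = parse_policy_lines(generated_text)
    override = parse_policy_lines(override_text)
    return {target: generated.get(target)
            for target, rule in override.items()
            if generated.get(target) != rule}


if __name__ == "__main__":
    print("deprecated aliases in legacy override:", lint_override(LEGACY_OVERRIDE))
    print("not yet applied (before):", override_applied(GENERATED_BEFORE, OVERRIDE))
    print("not yet applied (after):", override_applied(GENERATED_AFTER, OVERRIDE))
```

In practice you would feed `override_applied` the real output of `oslopolicy-policy-generator --namespace nova --output /dev/stdout` from each nova-cloud-controller unit, which catches the case where `juju debug-log` reports the overrides as installed on one unit but not on another.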

Alternatively, if you do not want every member of every project to be able to use this non-shared external network, you can solve it with RBAC instead:

openstack network rbac create --type network --action access_as_shared --target-project <project-id-want-to-share> <network-id>



Reposted from blog.csdn.net/quqi99/article/details/130766274