kuryr-kubernetes

neutron-vif requires admin rights

Bug #1808506 reported by Luis Tomas Bolivar on 2018-12-14

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	kuryr-kubernetes	In Progress	Medium	Antoni Segura Puimedon

Bug Description

The default neutron/policy.json does not allow normal tenant to specify host_id when creating the ports, nor retrieving the binding details:

"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",

"create_port:binding:host_id": "rule:admin_only"

This makes that, under a normal tenant, kuryr-controller will fail (at least) in the next actions:
https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/drivers/neutron_vif.py#L133-L134

https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/drivers/neutron_vif.py#L114

https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/drivers/vif_pool.py#L415

https://github.com/openstack/kuryr-kubernetes/blob/master/kuryr_kubernetes/controller/drivers/vif_pool.py#L418

Revision history for this message

Luis Tomas Bolivar (ltomasbo) wrote on 2018-12-14:

As an example of the error, when using the multi-pool driver, upon a kuryr-controller restart, trying to recover the precreated neutron ports will fail with:
2018-12-13 16:31:53.328 1 ERROR oslo_service.service [-] Error starting thread.: TypeError: sequence item 0: expected string, NoneType found
2018-12-13 16:31:53.328 1 ERROR oslo_service.service Traceback (most recent call last):
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/oslo_service/service.py", line 796, in run_service
2018-12-13 16:31:53.328 1 ERROR oslo_service.service service.start()
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/service.py", line 112, in start
2018-12-13 16:31:53.328 1 ERROR oslo_service.service self.pool_driver.sync_pools()
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/vif_pool.py", line 855, in sync_pools
2018-12-13 16:31:53.328 1 ERROR oslo_service.service vif_drv.sync_pools()
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 328, in inner
2018-12-13 16:31:53.328 1 ERROR oslo_service.service return f(*args, **kwargs)
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 328, in inner
2018-12-13 16:31:53.328 1 ERROR oslo_service.service return f(*args, **kwargs)
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/vif_pool.py", line 299, in sync_pools
2018-12-13 16:31:53.328 1 ERROR oslo_service.service self._recover_precreated_ports()
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/vif_pool.py", line 416, in _recover_precreated_ports
2018-12-13 16:31:53.328 1 ERROR oslo_service.service vif = ovu.neutron_to_osvif_vif(vif_plugin, port, subnet)
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/os_vif_util.py", line 347, in neutron_to_osvif_vif
2018-12-13 16:31:53.328 1 ERROR oslo_service.service name=vif_translator, invoke_on_load=False)
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/stevedore/driver.py", line 61, in __init__
2018-12-13 16:31:53.328 1 ERROR oslo_service.service warn_on_missing_entrypoint=warn_on_missing_entrypoint
2018-12-13 16:31:53.328 1 ERROR oslo_service.service File "/usr/lib/python2.7/site-packages/stevedore/named.py", line 88, in __init__
2018-12-13 16:31:53.328 1 ERROR oslo_service.service ', '.join(self._missing_names))
2018-12-13 16:31:53.328 1 ERROR oslo_service.service TypeError: sequence item 0: expected string, NoneType found
2018-12-13 16:31:53.328 1 ERROR oslo_service.service

As an example of the error, when using the multi-pool driver, upon a kuryr-controller restart, trying to recover the precreated neutron ports will fail with:
2018-12-13 16:31:53.328 1 ERROR oslo_service.service [-] Error starting thread.: TypeError: sequence item 0: expected string, NoneType found
2018-12-13 16:31:53.328 1 ERROR oslo_service.service Traceback (most recent call last):
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/oslo_service/service.py", line 796, in run_service
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     service.start()
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/service.py", line 112, in start
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     self.pool_driver.sync_pools()
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/vif_pool.py", line 855, in sync_pools
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     vif_drv.sync_pools()
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 328, in inner
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     return f(*args, **kwargs)
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py", line 328, in inner
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     return f(*args, **kwargs)
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/vif_pool.py", line 299, in sync_pools
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     self._recover_precreated_ports()
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/controller/drivers/vif_pool.py", line 416, in _recover_precreated_ports
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     vif = ovu.neutron_to_osvif_vif(vif_plugin, port, subnet)
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/kuryr_kubernetes/os_vif_util.py", line 347, in neutron_to_osvif_vif
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     name=vif_translator, invoke_on_load=False)
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/stevedore/driver.py", line 61, in __init__
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     warn_on_missing_entrypoint=warn_on_missing_entrypoint
2018-12-13 16:31:53.328 1 ERROR oslo_service.service   File "/usr/lib/python2.7/site-packages/stevedore/named.py", line 88, in __init__
2018-12-13 16:31:53.328 1 ERROR oslo_service.service     ', '.join(self._missing_names))
2018-12-13 16:31:53.328 1 ERROR oslo_service.service TypeError: sequence item 0: expected string, NoneType found
2018-12-13 16:31:53.328 1 ERROR oslo_service.service

Changed in kuryr-kubernetes:
assignee:	nobody → Luis Tomas Bolivar (ltomasbo)

Antoni Segura Puimedon (celebdor) on 2018-12-14

Changed in kuryr-kubernetes:
importance:	Undecided → High
importance:	High → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-17: Related fix proposed to kuryr-kubernetes (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/625655

OpenStack Infra (hudson-openstack) on 2018-12-18

Changed in kuryr-kubernetes:
assignee:	Luis Tomas Bolivar (ltomasbo) → Antoni Segura Puimedon (celebdor)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-18: Related fix merged to kuryr-kubernetes (master)

Reviewed: https://review.openstack.org/625655
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=040bea51d5695227b340676685eaf3eaece5f4d2
Submitter: Zuul
Branch: master

commit 040bea51d5695227b340676685eaf3eaece5f4d2
Author: Luis Tomas Bolivar <email address hidden>
Date: Mon Dec 17 17:38:44 2018 +0100

Ensure pools support don't break due to neutron-vif

    This patch ensures multi-pool support is not broken by the fact
    that neutron-vif requires admin rights to fully operate. In case
    kuryr is running without admin rights, the neutron-vif related ports
    will be removed instead of trying to put them back onto the pool, as
    there is no access to the needed information to recover them.

Related-Bug: 1808506
Change-Id: I6eba3bddf4649b4f817dfd7b8463144c4ad69789

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.