Instances cannot be booted using name of a non-public, but accessible, flavor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-novaclient | Fix Released | Medium | Daniel Berrange |
Bug Description
Set up credentials to allow access to Nova as an administrator account
[root@localhost ] # . keystonerc_admin
[root@localhost ~(keystone_admin)]#
Now create a new flavor but mark it as non-public
[root@localhost ~(keystone_admin)] # nova flavor-create --is-public False astrochicken 21 2048 20 1
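+----+--------------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name         | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+--------------+-----------+------+-----------+------+-------+-------------+-----------+
| 21 | astrochicken | 2048      | 20   | 0         |      | 1     | 1.0         | False     |
+----+--------------+-----------+------+-----------+------+-------+-------------+-----------+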
Then try to boot an instance using this flavour, specified by name
[root@localhost ~(keystone_admin)] # nova boot --flavor astrochicken vmm
ERROR: No flavor with a name or ID of 'astrochicken' exists.
This is clearly bogus as we just created the flavor successfully. Booting the instance succeeds when specifying the flavor ID instead of its name. So whatever resolves flavor names is failing for the non-public flavor, even when the user has permission to see the non-public flavor.
It is also noted that the flavour does not appear in the listing by default
[root@localhost ~(keystone_admin)]# nova flavor-list
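+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 1  | m1.tiny   | 512       | 1    | 0         |      | 1     | 1.0         | True      |
| 2  | m1.small  | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
| 3  | m1.medium | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
| 4  | m1.large  | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
| 5  | m1.xlarge | 16384     | 160  | 0         |      | 8     | 1.0         | True      |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+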
[root@localhost ~(keystone_admin)]# nova flavor-list --all
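+----+--------------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name         | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+--------------+-----------+------+-----------+------+-------+-------------+-----------+
| 1  | m1.tiny      | 512       | 1    | 0         |      | 1     | 1.0         | True      |
| 2  | m1.small     | 2048      | 20   | 0         |      | 1     | 1.0         | True      |
| 21 | astrochicken | 2048      | 20   | 0         |      | 1     | 1.0         | False     |
| 3  | m1.medium    | 4096      | 40   | 0         |      | 2     | 1.0         | True      |
| 4  | m1.large     | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
| 5  | m1.xlarge    | 16384     | 160  | 0         |      | 8     | 1.0         | True      |
+----+--------------+-----------+------+-----------+------+-------+-------------+-----------+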
Changed in python-novaclient: status: Confirmed → In Progress
Changed in python-novaclient: milestone: none → 2.18.0
Changed in python-novaclient: status: Fix Committed → Fix Released
The problem turns out to be on the client side.
In novaclient/v1_1/flavors.py the FlavorManager.list method defaults to is_public=True, which means that it will only ever resolve flavours which are marked public, even if the user has permission to access non-public flavours.
If we change this to is_public=None, then the server side will do the right thing - privileged users will be shown all images they can access and unprivileged users will still be restricted to just public images.
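The following is an added example, not code from novaclient or Nova: a simplified model of the lookup path described in the comment above, showing why resolution by ID works while resolution by name fails under a client-side `is_public=True` default, and that passing `None` leaves the access decision to the server. All function names and the sample data are hypothetical, and the `is_admin` flag is an assumed stand-in for "caller may see non-public flavors".

```python
# Simplified model of the behaviour described above; not novaclient or Nova code.
# All names here (FLAVORS, server_list, resolve_flavor, ...) are hypothetical.

class NotFound(Exception):
    pass

# Constructed sample data mirroring part of the listing in the bug description.
FLAVORS = [
    {"id": "1", "name": "m1.tiny", "is_public": True},
    {"id": "2", "name": "m1.small", "is_public": True},
    {"id": "21", "name": "astrochicken", "is_public": False},
]

def server_list(is_admin, is_public=None):
    """Server-side listing: the server decides what the caller may see."""
    visible = [f for f in FLAVORS if f["is_public"] or is_admin]
    if is_public is None:  # no client filter: return everything visible
        return visible
    return [f for f in visible if f["is_public"] == is_public]

def server_get(is_admin, flavor_id):
    """Direct lookup by ID; no is_public filter is involved."""
    for f in server_list(is_admin):
        if f["id"] == flavor_id:
            return f
    raise NotFound(flavor_id)

def resolve_flavor(is_admin, name_or_id, list_default):
    """Client-side resolution: try the ID first, then search the listing by name."""
    try:
        return server_get(is_admin, name_or_id)
    except NotFound:
        pass
    # The filter passed here is the client's default, not an access decision.
    for f in server_list(is_admin, is_public=list_default):
        if f["name"] == name_or_id:
            return f
    raise NotFound("No flavor with a name or ID of %r exists." % name_or_id)

def can_resolve(is_admin, name_or_id, list_default):
    """True if the client can turn name_or_id into a flavor."""
    try:
        resolve_flavor(is_admin, name_or_id, list_default)
        return True
    except NotFound:
        return False
```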