Murano can now properly attach VMs to shared networks
When spawning VMs attached to pre-existing networks, Murano used to generate a Heat template with a fixed_ips property for Neutron ports. This can cause a policy violation if the target network is not owned by the deploying tenant (i.e. the network is shared by some other project).

This has been addressed: the ExistingNeutronNetwork class no longer generates the fixed_ips property of the port if the target network is not owned by the current project.

Change-Id: I0c60a522f4223fdc47f87b950da1a0822a8cbdbe
Closes-bug: #1644797
parent d76f236547
commit 247c4bdfb9
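As an added example that is not part of this commit or of Murano's code, the following Python models the behaviour the commit message describes: the generated OS::Neutron::Port resource carries fixed_ips only when the deploying project owns the network, and a simplified stand-in for Neutron's default create_port policy (an assumption of this example, not Neutron's policy engine) shows why pinning a subnet on a shared network owned by another project fails. The network records, subnet ids and project ids are constructed for the example.

```python
# Added example, not Murano's or Neutron's code: emits the Heat port
# resource with fixed_ips only on networks the deploying project owns, and
# models (as a simplifying assumption) the Neutron create_port policy that
# rejects fixed_ips on another project's shared network.

# Constructed sample Neutron network records, trimmed to the fields used
# here; ids and project names are made up for the example.
NETWORKS = [
    {"id": "net-own", "tenant_id": "proj-a", "shared": False,
     "subnets": ["subnet-own"]},
    {"id": "net-shared", "tenant_id": "proj-b", "shared": True,
     "subnets": ["subnet-shared-1", "subnet-shared-2"]},
]


def find_network(network_id):
    """Look a network up by id in the constructed list (stands in for a
    Neutron GET /v2.0/networks call)."""
    for net in NETWORKS:
        if net["id"] == network_id:
            return net
    raise KeyError("unknown network %s" % network_id)


def port_resource(port_name, network_id, subnet_id, project_id):
    """Build an OS::Neutron::Port resource the way the fix describes.

    fixed_ips pins the port to subnet_id only when project_id owns the
    network; on a network owned by another project (shared or not) the
    property is omitted and Neutron chooses the subnet itself.
    """
    net = find_network(network_id)
    props = {"network_id": network_id, "replacement_policy": "AUTO"}
    if subnet_id is not None and net["tenant_id"] == project_id:
        props["fixed_ips"] = [{"subnet_id": subnet_id}]
    return {port_name: {"type": "OS::Neutron::Port", "properties": props}}


def neutron_allows_create_port(props, project_id, is_admin=False):
    """Simplified model (an assumption of this example, not Neutron's policy
    engine) of the default create_port rules: a port may be created on a
    network the caller owns or that is shared, but naming fixed_ips on it
    additionally requires admin rights or ownership of the network."""
    net = find_network(props["network_id"])
    visible = is_admin or net["shared"] or net["tenant_id"] == project_id
    if not visible:
        return False
    if "fixed_ips" in props:
        return is_admin or net["tenant_id"] == project_id
    return True


def deploy_port(port_name, network_id, subnet_id, project_id):
    """Generate the resource and check it against the modelled policy;
    returns (resource, allowed)."""
    resource = port_resource(port_name, network_id, subnet_id, project_id)
    allowed = neutron_allows_create_port(
        resource[port_name]["properties"], project_id)
    return resource, allowed


if __name__ == "__main__":
    # Before the fix fixed_ips was always emitted, so the net-shared case
    # would have been rejected; with the ownership check it is allowed.
    for net_id, subnet in (("net-own", "subnet-own"),
                           ("net-shared", "subnet-shared-1")):
        res, ok = deploy_port("port", net_id, subnet, "proj-a")
        print(net_id, res["port"]["properties"],
              "allowed" if ok else "rejected")
```

The "before" behaviour is reproduced by handing `neutron_allows_create_port` a properties dict that always contains `fixed_ips`; the ownership check in `port_resource` is what turns the shared-network case from rejected into allowed, at the cost of leaving subnet selection to Neutron on that network.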
@ -51,13 +51,20 @@ Methods:
properties:
network_id: $networkData.netId
replacement_policy: AUTO
fixed_ips:
- subnet_id: $networkData.subnetId
outputs:
$aapPortName+'-virtualIp':
value:
get_attr: [$aapPortName, fixed_ips, 0, ip_address]
description: format('SharedIP Address of SharedIp group {0}', id($))
- If: $networkData.subnetId
Then:
- $t:
resources:
$aapPortName:
properties:
fixed_ips:
- subnet_id: $networkData.subnetId
- $template: $template.mergeWith($t)
- $region.stack.updateTemplate($template)
- If: $.assignFloatingIp
Then:
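Review bot: the guard `- If: $networkData.subnetId` moves the whole decision about pinning the port to a subnet onto whoever fills `$networkData.subnetId`; nothing in this hunk looks at network ownership, so a caller that still passes a subnet id for a network owned by another project brings the policy violation from the commit message straight back. A one-line comment above the `If` stating that `subnetId` is null for networks the environment owner does not own (the contract this relies on) would make that explicit. Two smaller points: the output `get_attr: [$aapPortName, fixed_ips, 0, ip_address]` still reads entry 0 of `fixed_ips`, which now means "whatever subnet Neutron picked" on a multi-subnet shared network and deserves a note in the description; and `$t` is terse next to `$template`, something like `$subnetPatch` would read better.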
@ -65,10 +65,18 @@ Workflow:
$.network_id = $this._internalNetworkId).first().name
- If: $._internalSubnetworkId = null
Then:
$._internalSubnetworkId: $._getSubnetworks().where(
($.name = $this.internalSubnetworkName or
$.id = $this.internalSubnetworkName) and
$.network_id = $this._internalNetworkId).first().id
# Specify subnetwork id only if the network is owned by the
# environment owner tenant (otherwise we may not be allowed to create
# a port to that specific subnet)
- $net: $this._getNetworks().where($.id = $this._internalNetworkId).first()
- If: $net.tenant_id = std:Project.getEnvironmentOwner().id
Then:
- $._internalSubnetworkId: $._getSubnetworks().where(
($.name = $this.internalSubnetworkName or
$.id = $this.internalSubnetworkName) and
$.network_id = $this._internalNetworkId).first().id
Else:
- $._internalSubnetworkId: null
- If: $.externalNetworkName = null and $._internalNetworkId != null
Then:
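Review bot: dropping the `- If: $._internalSubnetworkId = null` guard turns this from a one-time lazy lookup into an unconditional reassignment on every call, and the new `Else:` branch resets an already resolved `_internalSubnetworkId` to null. If that field is meant to be initialized once, as the old guard implied, keep the `= null` check around the new `$net` lookup and ownership test. The `$net.tenant_id = std:Project.getEnvironmentOwner().id` check also silently discards a user-supplied `internalSubnetworkName` when the network belongs to another project; the comment should say so rather than only "we may not be allowed", and naming the Neutron policy rule in play (the default `create_port:fixed_ips` rule, which is owner-or-admin) would make the reason concrete for the next reader. Minor: `$this._getNetworks().where(...).first()` raises on an empty result, so a network id that no longer resolves fails here with a YAQL error rather than a readable message.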
@ -59,10 +59,18 @@ Methods:
type: 'OS::Neutron::Port'
properties:
network: $netRef
fixed_ips:
- subnet: $subnetRef
replacement_policy: AUTO
- If: $subnetRef
Then:
- $template:
resources:
$portName:
properties:
fixed_ips:
- subnet: $subnetRef
- $patchTemplate: $patchTemplate.mergeWith($template)
- If: bool($securityGroupName) and $securityGroupsEnabled
Then:
- $template:
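Review bot: this hunk writes `fixed_ips: - subnet: $subnetRef` while the first hunk writes `- subnet_id: $networkData.subnetId`; `OS::Neutron::Port` accepts both, but `subnet_id` is the older spelling and two patches for the same fix should agree, so use `subnet` in both. As in the first hunk, `- If: $subnetRef` only avoids the policy violation when the resolver hands over a literal null for networks owned by another project (the `_internalSubnetworkId: null` branch above does that); a Heat intrinsic such as a `get_param` map is always truthy, so a comment stating that `$subnetRef` is null rather than an unresolved reference in that case would document the contract. The `$template` variable is also reused by the `If: bool($securityGroupName) and $securityGroupsEnabled` block that follows; that is harmless since each is merged into `$patchTemplate` before the next assignment, but a distinct name for the subnet patch would make that ordering obvious.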
@ -0,0 +1,10 @@
---
issues:
- If a VM being a part of some shared-ip group is attached to the network
which is not owned by the current tenant (shared network) a policy
violation may occur thus failing the deployment.
fixes:
- Murano no longer specifies fixed-ip parameter for ports when creating VMs
attached to networks owned and shared by other tenants. Specifying this
parameter for non-owned networks could cause violation of neutron policies.
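Review bot: in a reno note the `issues:` section lists known issues that remain in the release, so the `issues:` entry here publishes the very problem this commit fixes as an outstanding one. Fold that description into the `fixes:` entry (or a `prelude:`) and drop `issues:`. The `fixes:` text should also say "the `fixed_ips` property" rather than "fixed-ip parameter", matching the Heat property name the templates use, and citing the bug from the commit message (#1644797) would link the note to the tracker.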