Murano can now properly attach VMs to shared networks
When spawning VMs attached to pre-existing networks murano used to generate a Heat template with a fixed_ips property for Neutron ports. This can cause a policy violation if the target network is not owned by the deploying tenant (i.e. the network is shared by some other project). This has been addressed: ExistingNeutronNetwork class no longer generates the fixed_ips property of the port if the target network is not owned by a current project.

Change-Id: I0c60a522f4223fdc47f87b950da1a0822a8cbdbe
Closes-bug: #1644797
This commit is contained in:
parent
d76f236547
commit
247c4bdfb9
|
@ -51,13 +51,20 @@ Methods:
|
||||||
properties:
|
properties:
|
||||||
network_id: $networkData.netId
|
network_id: $networkData.netId
|
||||||
replacement_policy: AUTO
|
replacement_policy: AUTO
|
||||||
fixed_ips:
|
|
||||||
- subnet_id: $networkData.subnetId
|
|
||||||
outputs:
|
outputs:
|
||||||
$aapPortName+'-virtualIp':
|
$aapPortName+'-virtualIp':
|
||||||
value:
|
value:
|
||||||
get_attr: [$aapPortName, fixed_ips, 0, ip_address]
|
get_attr: [$aapPortName, fixed_ips, 0, ip_address]
|
||||||
description: format('SharedIP Address of SharedIp group {0}', id($))
|
description: format('SharedIP Address of SharedIp group {0}', id($))
|
||||||
|
- If: $networkData.subnetId
|
||||||
|
Then:
|
||||||
|
- $t:
|
||||||
|
resources:
|
||||||
|
$aapPortName:
|
||||||
|
properties:
|
||||||
|
fixed_ips:
|
||||||
|
- subnet_id: $networkData.subnetId
|
||||||
|
- $template: $template.mergeWith($t)
|
||||||
- $region.stack.updateTemplate($template)
|
- $region.stack.updateTemplate($template)
|
||||||
- If: $.assignFloatingIp
|
- If: $.assignFloatingIp
|
||||||
Then:
|
Then:
|
||||||
|
|
|
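Review bot: the `$aapPortName+'-virtualIp'` output still does `get_attr: [$aapPortName, fixed_ips, 0, ip_address]` unconditionally, while `fixed_ips` is now only set inside `If: $networkData.subnetId`. For a network the tenant does not own Neutron will still auto-allocate an address from one of the network's subnets, so the output normally resolves, but on a shared network with no subnet the port has an empty `fixed_ips` list and the stack output lookup fails; worth a comment next to the output, or guarding the output with the same condition. Merging the conditional `$t` into `$template` before `$region.stack.updateTemplate($template)` is the right order.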
@ -65,10 +65,18 @@ Workflow:
|
||||||
$.network_id = $this._internalNetworkId).first().name
|
$.network_id = $this._internalNetworkId).first().name
|
||||||
- If: $._internalSubnetworkId = null
|
- If: $._internalSubnetworkId = null
|
||||||
Then:
|
Then:
|
||||||
$._internalSubnetworkId: $._getSubnetworks().where(
|
# Specify subnetwork id only if the network is owned by the
|
||||||
($.name = $this.internalSubnetworkName or
|
# environment owner tenant (otherwise we may not be allowed to create
|
||||||
$.id = $this.internalSubnetworkName) and
|
# a port to that specific subnet)
|
||||||
$.network_id = $this._internalNetworkId).first().id
|
- $net: $this._getNetworks().where($.id = $this._internalNetworkId).first()
|
||||||
|
- If: $net.tenant_id = std:Project.getEnvironmentOwner().id
|
||||||
|
Then:
|
||||||
|
- $._internalSubnetworkId: $._getSubnetworks().where(
|
||||||
|
($.name = $this.internalSubnetworkName or
|
||||||
|
$.id = $this.internalSubnetworkName) and
|
||||||
|
$.network_id = $this._internalNetworkId).first().id
|
||||||
|
Else:
|
||||||
|
- $._internalSubnetworkId: null
|
||||||
|
|
||||||
- If: $.externalNetworkName = null and $._internalNetworkId != null
|
- If: $.externalNetworkName = null and $._internalNetworkId != null
|
||||||
Then:
|
Then:
|
||||||
|
|
|
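Review bot: the `Else: - $._internalSubnetworkId: null` branch is a no-op, since this whole block is guarded by `- If: $._internalSubnetworkId = null` a few lines above (the value is already null when we get here); either drop it or comment that it is intentionally defensive. The ownership test `$net.tenant_id = std:Project.getEnvironmentOwner().id` compares against the environment owner's project rather than the network the user typed, which is the correct boundary for the Neutron port policy; the new comment should say that `tenant_id` here is the owning project of the shared network as reported by Neutron, so a later reader does not "fix" it to the current user's project. Also note that `$this._getNetworks().where(...).first()` throws if the network is not visible at all, which matches the existing `.first().name` lookup above, so no new failure mode is introduced.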
@ -59,10 +59,18 @@ Methods:
|
||||||
type: 'OS::Neutron::Port'
|
type: 'OS::Neutron::Port'
|
||||||
properties:
|
properties:
|
||||||
network: $netRef
|
network: $netRef
|
||||||
fixed_ips:
|
|
||||||
- subnet: $subnetRef
|
|
||||||
replacement_policy: AUTO
|
replacement_policy: AUTO
|
||||||
|
|
||||||
|
- If: $subnetRef
|
||||||
|
Then:
|
||||||
|
- $template:
|
||||||
|
resources:
|
||||||
|
$portName:
|
||||||
|
properties:
|
||||||
|
fixed_ips:
|
||||||
|
- subnet: $subnetRef
|
||||||
|
- $patchTemplate: $patchTemplate.mergeWith($template)
|
||||||
|
|
||||||
- If: bool($securityGroupName) and $securityGroupsEnabled
|
- If: bool($securityGroupName) and $securityGroupsEnabled
|
||||||
Then:
|
Then:
|
||||||
- $template:
|
- $template:
|
||||||
|
|
|
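Review bot: `- If: $subnetRef` makes the `fixed_ips` decision depend entirely on whether the caller passed a null subnet reference; this hunk does not show where `$subnetRef` is nulled for non-owned networks, so the reviewer should confirm it is fed from the `_internalSubnetworkId` ownership logic and not from a user-supplied value, otherwise the policy-violation path is still reachable. Minor: the conditional template is named `$template` and then `$template:` is reassigned again in the `If: bool($securityGroupName) and $securityGroupsEnabled` block right below; the sibling method in this change uses `$t` for the temporary fragment and `$template.mergeWith($t)`, and using the same naming here (`$t`, `$patchTemplate.mergeWith($t)`) would avoid confusing the two.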
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
issues:
|
||||||
|
- If a VM being a part of some shared-ip group is attached to the network
|
||||||
|
which is not owned by the current tenant (shared network) a policy
|
||||||
|
violation may occur thus failing the deployment.
|
||||||
|
|
||||||
|
fixes:
|
||||||
|
- Murano no longer specifies fixed-ip parameter for ports when creating VMs
|
||||||
|
attached to networks owned and shared by other tenants. Specifying this
|
||||||
|
parameter for non-owned networks could cause violation of neutron policies.
|
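Review bot: the `issues` entry describes only the shared-ip group symptom, while the `fixes` entry (and the commit message) say `fixed_ips` is no longer generated for any port on a non-owned network, so the note should state the general case in `issues` as well, e.g. "If a VM is attached to a network which is not owned by the current tenant (shared network), a Neutron policy violation may occur and fail the deployment." Also prefer the actual property name: "Murano no longer specifies the fixed_ips property for ports ..." instead of "fixed-ip parameter".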