Bug 1559716

Summary: [RFE] Enable Instance boot with unaddressed port
Product: Red Hat OpenStack
Reporter: Sandeep Yadav <sandyada>
Component: openstack-nova
Assignee: OSP DFG:Compute <osp-dfg-compute>
Status: CLOSED WONTFIX
QA Contact: OSP DFG:Compute <osp-dfg-compute>
Severity: medium
Priority: medium
Version: 12.0 (Pike)
CC: dasmith, egallen, eglynn, jhakimra, kchamart, lmiccini, lyarwood, mbooth, sandyada, sbauza, sgordon, srevivo, vromanso
Keywords: FutureFeature, Triaged
Last Closed: 2020-09-29 09:33:39 UTC
Type: Bug

Comment 2 Matthew Booth 2018-04-13 11:58:52 UTC
This restriction was introduced in fixing this bug:

https://bugs.launchpad.net/nova/+bug/1252410

Looks like a fix was proposed here:

https://review.openstack.org/#/c/59578/

From reading the review history this had excellent traction, but the author walked away from it.

Comment 3 Matthew Booth 2018-04-13 12:40:57 UTC
Upstream master still applies the default security group:

https://github.com/openstack/nova/blob/00cfb0b45432bccadfb3775ccfbe2214a440a2f1/nova/compute/api.py#L1062

Comment 4 Matthew Booth 2018-04-13 12:55:31 UTC
A TL;DR of Aaron's abandoned patch:

At boot time, if a network doesn't have port_security_enabled and the only security group is 'default', remove the default security group.

The approach variously had +2 from Joe Gordon, Matt Dietz, and Jay Pipes. Aaron seemed to abandon with only outstanding nits from Matt Riedemann. AFAICT there were no design objections. My take is that the approach is probably sound and ideally it should have landed at the time. The patch would require a rewrite rather than a backport at this stage, but the approach can still be applied to the current code.

Comment 5 Matthew Booth 2018-04-13 13:22:43 UTC
This looks interesting: https://review.openstack.org/#/c/533249/

TL;DR: Neutron ports can be tagged with ip_allocation='none'. Don't fail for those ports.

I don't understand why it doesn't hit the default security group problem, though. Also doesn't seem to have any traction yet, but it's much newer.

Comment 6 Matthew Booth 2018-04-13 14:16:16 UTC
Opinion from team discussion was that this is probably a reasonable request, but we should run it past Matt Riedemann upstream.