Bug 1566535

Summary:	It is possible to delete neutron ports that attached to instances
Product:	Red Hat OpenStack	Reporter:	Eran Kuris <ekuris>
Component:	openstack-neutron	Assignee:	Assaf Muller <amuller>
Status:	CLOSED WONTFIX	QA Contact:	Toni Freger <tfreger>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	13.0 (Queens)	CC:	amuller, chrisw, nyechiel, srevivo
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-04-15 21:23:39 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Eran Kuris 2018-04-12 13:29:48 UTC

Description of problem:
When neutron port is attached to the instance I expected that it could not be possible to delete this port unless the instance is shut down.

As you can see it is possible to delete neutron port that  attached to instances even when the instance is active.

Same as we cant delete floating IP port that attached to VM , we should not allow to delete active neutron port that attached to active vm.

(overcloud) [root@controller-0 ~]# openstack server list
+--------------------------------------+-------------+--------+----------+----------+---------+
| ID                                   | Name        | Status | Networks | Image    | Flavor  |
+--------------------------------------+-------------+--------+----------+----------+---------+
| 8d7bad01-579f-4737-9db1-5454a1690077 | VM_net-64-2 | ACTIVE |          | cirros35 | m1.nano |
| 8731edb1-d792-4d7b-bd3b-bf64e6f94052 | VM_net-64-1 | ACTIVE |          | cirros35 | m1.nano |
+--------------------------------------+-------------+--------+----------+----------+---------+
(overcloud) [root@controller-0 ~]# openstack port list
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------+--------+
| ID                                   | Name | MAC Address       | Fixed IP Addresses                                                        | Status |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------+--------+
| 40339056-b966-425f-8d1a-387456c54be5 |      | fa:16:3e:3c:76:c7 | ip_address='10.0.0.218', subnet_id='007cddaa-c960-4671-9322-23b605510434' | DOWN   |
| 4d41c791-45ba-4456-bc54-3b900c704dbf |      | fa:16:3e:cb:79:95 | ip_address='10.0.0.216', subnet_id='007cddaa-c960-4671-9322-23b605510434' | N/A    |
| 9adb74a6-5907-4dc2-8ad0-300f21374b2b |      | fa:16:3e:39:85:26 | ip_address='10.0.2.1', subnet_id='a5c6d49c-54ac-490b-a3d8-27e13e988226'   | DOWN   |
| ce09abbc-9acb-40da-8d29-b399aae862d1 |      | fa:16:3e:5b:8c:19 | ip_address='10.0.1.1', subnet_id='dfcd9b4f-3922-4b1a-bc05-f8bdca946513'   | DOWN   |
| eecc49d3-1149-4adf-b8ee-e8bf49fb5aea |      | fa:16:3e:14:d4:b8 | ip_address='10.0.0.210', subnet_id='007cddaa-c960-4671-9322-23b605510434' | N/A    |


Version-Release number of selected component (if applicable):
(overcloud) [root@controller-0 ~]# cat /etc/yum.repos.d/latest-installed 
13   -p 2018-04-03.3
(overcloud) [root@controller-0 ~]# rpm -qa | grep neutron
python-neutron-12.0.1-0.20180327195360.68b8980.el7ost.noarch
python2-neutron-lib-1.13.0-1.el7ost.noarch
puppet-neutron-12.3.1-0.20180319183812.fa94be9.el7ost.noarch
openstack-neutron-metering-agent-12.0.1-0.20180327195360.68b8980.el7ost.noarch
openstack-neutron-common-12.0.1-0.20180327195360.68b8980.el7ost.noarch
openstack-neutron-ml2-12.0.1-0.20180327195360.68b8980.el7ost.noarch
openstack-neutron-12.0.1-0.20180327195360.68b8980.el7ost.noarch
openstack-neutron-l2gw-agent-12.0.2-0.20180302213951.b064078.el7ost.noarch
openstack-neutron-openvswitch-12.0.1-0.20180327195360.68b8980.el7ost.noarch
openstack-neutron-lbaas-ui-4.0.1-0.20180326210834.a2c502e.el7ost.noarch
python2-neutronclient-6.7.0-1.el7ost.noarch
python-neutron-lbaas-12.0.1-0.20180316160204.f2cdc91.el7ost.noarch
openstack-neutron-linuxbridge-12.0.1-0.20180327195360.68b8980.el7ost.noarch
openstack-neutron-lbaas-12.0.1-0.20180316160204.f2cdc91.el7ost.noarch
openstack-neutron-sriov-nic-agent-12.0.1-0.20180327195360.68b8980.el7ost.noarch

(overcloud) [root@controller-0 ~]# rpm -qa | grep ovn 
openvswitch-ovn-central-2.9.0-15.el7fdp.x86_64
openvswitch-ovn-common-2.9.0-15.el7fdp.x86_64
python-networking-ovn-4.0.1-0.20180315174741.a57c70e.el7ost.noarch
openvswitch-ovn-host-2.9.0-15.el7fdp.x86_64
openstack-nova-novncproxy-17.0.2-0.20180323024604.0390d5f.el7ost.noarch
novnc-0.6.1-1.el7ost.noarch
python-networking-ovn-metadata-agent-4.0.1-0.20180315174741.a57c70e.el7ost.noarch
puppet-ovn-12.3.1-0.20180221062110.4b16f7c.el7ost.noarch
(overcloud) [root@controller-0 ~]# rpm -qa | grep openvs
openvswitch-ovn-central-2.9.0-15.el7fdp.x86_64
openvswitch-ovn-common-2.9.0-15.el7fdp.x86_64
openvswitch-2.9.0-15.el7fdp.x86_64
python-openvswitch-2.9.0-15.el7fdp.noarch
openvswitch-ovn-host-2.9.0-15.el7fdp.x86_64
openstack-neutron-openvswitch-12.0.1-0.20180327195360.68b8980.el7ost.noarch


How reproducible:
100%


Steps to Reproduce:
1.create network & subnet
2.boot vm 
3.delete the neutron port that created for this vm
4. check the port list the vm port was deleted.


Actual results:


Expected results:


Additional info:

Comment 1 Assaf Muller 2018-04-15 21:23:39 UTC

This has been true ever since the first release of Neutron. The issue is that an instance and its port are cross project (Nova/Neutron) resources, and we don't do cross project validations. I'm not aware of any such examples. The reason why we can do a validation on floating IPs and ports is that both resources are managed by the same OpenStack project.

If you can think of a precedent of cross-project validations we could take a look.