juju bug (?) when allocating floating ips to machines

Patrizio Bassi patrizio.bassi at gmail.com
Thu Jul 27 13:04:59 UTC 2017

Hi all

i'm using juju (i didn't upgrade to 2.2 yet, that's why i didn't
open a bug on launchpad) with openstack as cloud provider.

When i use as credentials an Admin user (but a specific tenant) i have
issues with floating ip assignment: the admin user can see all the floating
ips in the openstack region.
So, if another tenant allocates an IP without assigning to a VM (so,
unused) juju tries to use it and attach to the VM it just deployed.


user test1 is Admin and has primary project "tenant-one"
user test2 is member of project "tenant-two"

credentials given to juju are test1, test1_password, tenant-one and

# source novarc_test1

# neutron floatingip-list
| id                                   | fixed_ip_address |
floating_ip_address | port_id                              |
| 03d1a8e8-fd55-4d6e-ab7e-b62061ea6206 |     |
  | b6ac7caf-0c6e-4d81-b055-ecb8b4bdeebd |
| 2b4e48ba-aad6-4d78-aff6-88b912f89bf5 |     |
   | 17f69b3b-97d0-4cec-8208-e4d2ac2f1034 |
| 3144b683-2cf5-43cf-bddd-b06cb5662430 |                  |
  |                                      |
| 55145d85-58ea-4f15-8a0c-96a719c0fa8d |     |
   | 6eeaa12b-0971-496c-bd38-89e9b9d71818 |

the third line shows and ip address assigned to tenant-two by test2.

User test1 has admin role so he has permission to see the ip.
Using a command like "neutron floatingip-show
correctly shows the project_id uuid related to tenant-two and not

juju model is configured with
use-default-secgroup          model       true
use-floating-ip               model       true

When trying to deploy any application juju spawns a VM, but it never ends
and logs:

Unable to associate floating IP to fixed IP for
instance 3d95283c-69f2-4cf1-8980-99462a5904a2.

Removing the unused floating ip address or using a member-only (not admin
user) bypass the problem: juju will allocate a new ip and associate with
the new VM.

I didn't try but i do think that if an user is member of two different
tenants it may try to mis-use the addresses and mess with them, failing to

Desiderata: juju should check if the allocated ip address is in the same
tenant view of the given credentials.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/juju/attachments/20170727/29e41ff8/attachment.html>

More information about the Juju mailing list