Openfga — project operators can't view or use networks?

Recently, operators of projects can’t seem to view or edit networks they should be able to. It looks like the network-project relations are missing?

Even when I create the OVN networks with “project” set, the operators of projects still do not have access.

This appears to be a regression, or a change in behavior at least, since the users in the shared project used to be able to access the networks defined in restrictions.networks.access in that shared project.

Can you show incus project show NAME of the project in question as well as incus network list --project NAME, both from an admin user?

This is the shared project I was putting users on:

[moonpie@osiris .ssh]$ incus project show layer8
config:
  features.images: "true"
  features.networks: "false"
  features.networks.zones: "false"
  features.profiles: "true"
  features.storage.buckets: "true"
  features.storage.volumes: "true"
  limits.disk: 400GiB
  restricted: "true"
  restricted.networks.access: internal0
  restricted.snapshots: allow
description: Layer 8
name: layer8
used_by:
- /1.0/instances/usernameredacted-OpenStack?project=layer8
- /1.0/instances/usernameredacted-container?project=layer8
- /1.0/instances/usernameredacted-Instance?project=layer8
- /1.0/instances/usernameredacted-container?project=layer8
- /1.0/instances/usernameredacted-container?project=layer8
- /1.0/instances/moonpie-container?project=layer8
- /1.0/images/7e6e9c024b93fccf70657d03f7afa819a91e8ce50434ce171386990df9e95535?project=layer8
- /1.0/profiles/default?project=layer8
[moonpie@osiris .ssh]$ incus network list --project layer8
+-----------+--------+---------+----------------+---------------------------+-------------+---------+---------+
|   NAME    |  TYPE  | MANAGED |      IPV4      |           IPV6            | DESCRIPTION | USED BY |  STATE  |
+-----------+--------+---------+----------------+---------------------------+-------------+---------+---------+
| internal0 | bridge | YES     | 10.230.28.1/24 | fd42:9c6d:a864:7762::1/64 |             | 11      | CREATED |
+-----------+--------+---------+----------------+---------------------------+-------------+---------+---------+

These are the individual personal projects I was attempting to create by syncing IDP users to Incus and openfga:

[moonpie@osiris .ssh]$ incus project show moonpiedumplings
config:
  features.images: "false"
  features.networks: "false"
  limits.cpu: "4"
  limits.memory: 8GiB
  restricted: "true"
  restricted.backups: block
  restricted.containers.nesting: allow
  restricted.networks.access: internal0, moonpiedumplings-vlab, moonpiedumplings-cloudnet
  restricted.snapshots: allow
description: User specific project
name: moonpiedumplings
used_by: []
[moonpie@osiris .ssh]$ incus network list --project moonpiedumplings
+---------------------------+--------+---------+-----------------+---------------------------+-----------------------------------------+---------+---------+
|           NAME            |  TYPE  | MANAGED |      IPV4       |           IPV6            |               DESCRIPTION               | USED BY |  STATE  |
+---------------------------+--------+---------+-----------------+---------------------------+-----------------------------------------+---------+---------+
| internal0                 | bridge | YES     | 10.230.28.1/24  | fd42:9c6d:a864:7762::1/64 |                                         | 11      | CREATED |
+---------------------------+--------+---------+-----------------+---------------------------+-----------------------------------------+---------+---------+
| moonpiedumplings-cloudnet | ovn    | YES     | 10.37.155.1/24  | fd42:af92:fdc8:2522::1/64 | Personal network for moonpiedumplings   | 0       | CREATED |
+---------------------------+--------+---------+-----------------+---------------------------+-----------------------------------------+---------+---------+
| moonpiedumplings-vlab     | ovn    | YES     | 192.168.40.1/24 | none                      | Non routed network for moonpiedumplings | 0       | CREATED |
+---------------------------+--------+---------+-----------------+---------------------------+-----------------------------------------+---------+---------+

Although right now, the moonpiedumplings-* networks have their project set as default. But that still wouldn’t explain why the shared project stopped working for everybody.

[moonpie@osiris .ssh]$ incus network show moonpiedumplings-cloudnet
config:
  bridge.mtu: "1500"
  ipv4.address: 10.37.155.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:af92:fdc8:2522::1/64
  ipv6.nat: "true"
  network: forovn0
  security.acls: default
  volatile.network.ipv4.address: 10.83.142.7
  volatile.network.ipv6.address: fd42:b55f:d877:83a2:1266:6aff:feb3:935b
description: Personal network for moonpiedumplings
name: moonpiedumplings-cloudnet
type: ovn
used_by: []
managed: true
status: Created
locations:
- none
project: default

Wait, I realize a problem. The layer8 project has a default profile, which is used to give virtual machines access to the networks.

But the users could never view the networks normally. And then my custom projects have no profiles/separate profiles.

Ah. The custom projects can’t view the default profile because it’s in the default project which they don’t have access to.

Okay, I am having trouble creating OVN networks inside a project. I create them with project: username but they show up as project: default after I create them.

Okay, I see where I screwed up. I have to have networks set as isolated in project settings. And then I have to specify which network names are acceptable uplinks. And then users can create and manage their own OVN networks.

Ah, I see. I need to stop using restricted.networks.access, and instead set restricted.networks.uplink to enable OVN networks to be able to use uplinks.

And then I need to set features.networks: true to isolate the project networks. Then users can create and manage their own OVN networks inside of a project.
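The settings the thread converges on (features.networks enabled for the project, an uplink allow-list instead of restricted.networks.access) can be checked mechanically against the output of incus project show. The script below is an added example, not Incus code and not the poster's: it parses that output with a small hand-rolled reader, flags the combination seen in the layer8 project above, and prints the incus project set/unset commands that move to the isolated-network setup. It assumes the documented spelling of the allow-list key, restricted.networks.uplinks (plural), and uses forovn0, the uplink named in the network show output above, only as a sample uplink name.

```python
"""Checker for the Incus project settings discussed in the thread.

Added example, not Incus code and not the poster's. It parses the text that
`incus project show NAME` prints and flags the combination that left project
members unable to create their own OVN networks, emitting the `incus project
set/unset` commands for the isolated-network setup the thread ends on.
Assumptions: the documented key spelling is `restricted.networks.uplinks`
(plural); `forovn0` (the uplink named in the thread's network show output) is
used only as a sample uplink name.
"""

# Constructed sample: a trimmed copy of the layer8 project output from the thread.
SAMPLE_PROJECT_SHOW = """\
config:
  features.images: "true"
  features.networks: "false"
  features.profiles: "true"
  restricted: "true"
  restricted.networks.access: internal0
  restricted.snapshots: allow
description: Layer 8
name: layer8
used_by:
- /1.0/profiles/default?project=layer8
"""


def parse_project_show(text: str) -> dict:
    """Parse the flat YAML printed by `incus project show` without PyYAML.

    Top-level scalars become keys of the result; the `config:` mapping becomes
    result["config"]. List items (`- ...` lines under used_by) are skipped and
    surrounding double quotes are stripped from values.
    """
    result = {"config": {}}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("-"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        if indent == 0:
            if value == "":
                section = key  # start of a nested mapping such as config:
            else:
                section = None
                result[key] = value
        elif section == "config":
            result["config"][key] = value
    return result


def check_network_settings(project: dict, uplink: str = "forovn0") -> list:
    """Return (finding, remediation command) pairs.

    The three checks mirror the thread's conclusion: features.networks must be
    "true" for the project to own its networks, a restricted project needs
    restricted.networks.uplinks to name the permitted OVN uplinks, and
    restricted.networks.access is the setting to stop relying on.
    """
    cfg = project["config"]
    name = project.get("name", "<project>")
    findings = []

    # Docs default features.networks to false when the key is absent.
    if cfg.get("features.networks", "false") != "true":
        findings.append((
            'features.networks is not "true": the project shares the default '
            "project's networks, so an OVN network created with --project here "
            'is stored in project "default"',
            f"incus project set {name} features.networks=true",
        ))

    if cfg.get("restricted") == "true" and not cfg.get("restricted.networks.uplinks"):
        findings.append((
            "restricted project without restricted.networks.uplinks: no network "
            "is permitted as an OVN uplink, so members cannot create OVN networks",
            f"incus project set {name} restricted.networks.uplinks={uplink}",
        ))

    if "restricted.networks.access" in cfg:
        findings.append((
            "restricted.networks.access limits which networks members may use; "
            "the thread's fix is to drop it in favour of the uplink allow-list",
            f"incus project unset {name} restricted.networks.access",
        ))
    return findings


if __name__ == "__main__":
    for finding, command in check_network_settings(parse_project_show(SAMPLE_PROJECT_SHOW)):
        print(f"- {finding}\n    fix: {command}")
```

Run it with the real output piped in (replace the constructed sample with sys.stdin.read()) to get the remediation commands for any project; on the layer8 sample it reports all three findings, and a config with features.networks "true", restricted.networks.uplinks set and no restricted.networks.access reports none.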