
Forbidden: It is not allowed to create an interface on external network

asked 2014-05-12 02:27:59 -0500

agenge

updated 2014-05-12 03:11:29 -0500

Hi, all!

I encountered the following error when creating an instance this time:

Forbidden: It is not allowed to create an interface on external network(HTTP 403)

In normal use this afternoon, I just re-created the external network admin, and demo-related networks. I really cannot find the root cause of the problem. How do I solve this problem?

/var/log/apache2/error.log:

[Mon May 12 07:14:54 2014] [error] Unauthorized: It is not allowed to create an interface on external network 4fcaf61c-f927-448a-92db-1686dfa7bb83 (HTTP 403) (Request-ID: req-a8dac3ed-50fb-44c4-9418-42d9413b5a41)
[Mon May 12 07:14:54 2014] [error] Traceback (most recent call last):
[Mon May 12 07:14:54 2014] [error]   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/project/instances/workflows/create_instance.py", line 752, in handle
[Mon May 12 07:14:54 2014] [error]     disk_config=context['disk_config'])
[Mon May 12 07:14:54 2014] [error]   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/nova.py", line 503, in server_create
[Mon May 12 07:14:54 2014] [error]     disk_config=disk_config), request)
[Mon May 12 07:14:54 2014] [error]   File "/usr/local/lib/python2.7/dist-packages/novaclient/v1_1/servers.py", line 871, in create
[Mon May 12 07:14:54 2014] [error]     **boot_kwargs)
[Mon May 12 07:14:54 2014] [error]   File "/usr/local/lib/python2.7/dist-packages/novaclient/v1_1/servers.py", line 534, in _boot
[Mon May 12 07:14:54 2014] [error]     return_raw=return_raw, **kwargs)
[Mon May 12 07:14:54 2014] [error]   File "/usr/local/lib/python2.7/dist-packages/novaclient/base.py", line 152, in _create
[Mon May 12 07:14:54 2014] [error]     _resp, body = self.api.client.post(url, body=body)
[Mon May 12 07:14:54 2014] [error]   File "/usr/local/lib/python2.7/dist-packages/novaclient/client.py", line 286, in post
[Mon May 12 07:14:54 2014] [error]     return self._cs_request(url, 'POST', **kwargs)
[Mon May 12 07:14:54 2014] [error]   File "/usr/local/lib/python2.7/dist-packages/novaclient/client.py", line 260, in _cs_request
[Mon May 12 07:14:54 2014] [error]     **kwargs)
[Mon May 12 07:14:54 2014] [error]   File "/usr/local/lib/python2.7/dist-packages/novaclient/client.py", line 242, in _time_request
[Mon May 12 07:14:54 2014] [error]     resp, body = self.request(url, method, **kwargs)
[Mon May 12 07:14:54 2014] [error]   File "/usr/local/lib/python2.7/dist-packages/novaclient/client.py", line 236, in request
[Mon May 12 07:14:54 2014] [error]     raise exceptions.from_response(resp, body, url, method)
[Mon May 12 07:14:54 2014] [error] Forbidden: It is not allowed to create an interface on external network 4fcaf61c-f927-448a-92db-1686dfa7bb83 (HTTP 403) (Request-ID: req-a8dac3ed-50fb-44c4-9418-42d9413b5a41)

And in the /etc/neutron/neutron file, nova_admin_tenant_id is correct.

Version: OpenStack Icehouse
OS: Ubuntu 12.04 LTS

Thanks!


Comments

So the issue comes up when you try to create an instance on your demo network that is attached through a router to your external network? Do I understand it correctly?

Could you retry with debug and verbose mode on in your neutron conf files?

Antonio G. ( 2014-05-12 03:16:21 -0500 )

yes.

DEBUG logs:

2014-05-13 11:10:14.835 2106 DEBUG nova.network.neutronv2.api [req-bd75bee8-7e0f-4200-b8fb-5b33940b33cb aaed4f5e5534494e8505979bbf784af4 59a5695a4a7b4d38a69487dec8f8105f] validate_networks() for [(u'6bde7035-220b-4cdd-a68d-209854295f81', None, None), (u'4fcaf61c-f927-448a-92db-1686dfa7bb83', None, None)] validate_networks /usr/lib/python2.7/dist-packages/nova/network/neutronv2/api.py:596
2014-05-13 11:10:14.836 2106 DEBUG neutronclient.client [-] REQ: curl -i http://op-i-controll:9696/v2.0/networks.json?id=6bde7035-220b-4cdd-a68d-209854295f81&id=4fcaf61c-f927-448a-92db-1686dfa7bb83 -X GET -H "X-Auth-Token: 214a17a474b763f54763768d17a6628c" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" http_log_req /usr/local/lib/python2.7/dist-packages/neutronclient/common/utils.py:173
2014-05-13 11:10:14.850 2106 DEBUG neutronclient.client [-] RESP:{'status': '200', 'content-length': '525', 'content-location': 'http://op-i-controll:9696/v2.0/networks.json?id=6bde7035-220b-4cdd-a68d-209854295f81&id=4fcaf61c-f927-448a-92db-1686dfa7bb83', 'date': 'Tue, 13 May 2014 03:10:14 GMT', 'content-type': 'application/json; charset=UTF-8', 'x-openstack-request-id': 'req-6f24a71b-3f44-4e03-b3f7-69732d97a477'} {"networks": [{"status": "ACTIVE", "subnets": ["8ec298d6-c603-47da-9c8b-9ef75e9c05dd"], "name": "ext-net", "router:external": true, "tenant_id": "96ad80f9166442138a1834797eeb1fe3 ...

agenge ( 2014-05-12 22:26:40 -0500 )

I have the same issue on CentOS. As "demo", I cannot create an instance with "ext-net". I am following the default Icehouse installation guide, http://docs.openstack.org/icehouse/install-guide/install/yum/content/neutron_initial-tenant-network.html

2014-05-13 00:19:02.705 1874 INFO neutron.wsgi [-] (1874) accepted ('172.20.4.11', 41558)

2014-05-13 00:19:02.706 1874 DEBUG keystoneclient.middleware.auth_token [-] Authenticating user token __call__ /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:602
2014-05-13 00:19:02.706 1874 DEBUG keystoneclient.middleware.auth_token [-] Removing headers from request environment: X-Identity-Status,X-Domain-Id,X-Domain-Name,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-User-Id,X-User-Name,X-User-Domain-Id,X-User-Domain-Name,X-Roles,X-Service-Catalog,X-User,X-Tenant-Id,X-Tenant-Name,X-Tenant,X-Role _remove_auth_headers /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:661
2014-05-13 00:19:02.708 1874 DEBUG keystoneclient.middleware.auth_token [-] Returning cached token _cache_get /usr/lib/python2.6/site-packages/keystoneclient/middleware/auth_token.py:1010 ...

ask_icehouse ( 2014-05-12 23:14:27 -0500 )

more log at http://paste.openstack.org/show/80162/

ask_icehouse ( 2014-05-12 23:31:50 -0500 )

2 answers


answered 2014-06-13 03:19:52 -0500

The only way this error appears is when you try to boot an instance on an external shared network without having the admin role and router:external being set to True. Here is a piece of the code that throws the error:

nova/network/neutronv2/api.py:

    if not context.is_admin:
        for net in nets:
            # [comments]
            if net.get('router:external'):
                raise exception.ExternalNetworkAttachForbidden(
                    network_uuid=net['id'])

Make sure you are logged in as admin and/or you have the admin role on the tenant where you try to create a new instance, or check the router:external parameter on the network.

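The check quoted in the answer above, applied to a network list like the one in the DEBUG log, as an added example (not part of the original answer and not nova's own code). The `shared` flags, the demo-net entry, and the function names `forbidden_attachments` and `attachable_networks` are assumptions made for illustration.

```python
import json

# Constructed sample shaped like the Neutron /v2.0/networks response in the
# DEBUG log above. The "shared" flags and the demo-net entry are assumptions.
EXT_NET = "4fcaf61c-f927-448a-92db-1686dfa7bb83"
DEMO_NET = "6bde7035-220b-4cdd-a68d-209854295f81"
DEMO_TENANT = "59a5695a4a7b4d38a69487dec8f8105f"
SAMPLE_RESPONSE = json.dumps({"networks": [
    {"id": EXT_NET, "name": "ext-net", "router:external": True,
     "shared": True, "tenant_id": "96ad80f9166442138a1834797eeb1fe3"},
    {"id": DEMO_NET, "name": "demo-net", "router:external": False,
     "shared": False, "tenant_id": DEMO_TENANT},
]})
NETWORKS = json.loads(SAMPLE_RESPONSE)["networks"]


def forbidden_attachments(requested_ids, networks, is_admin):
    """Requested network ids that the quoted check would reject with HTTP 403."""
    if is_admin:
        return []  # the check only applies when context.is_admin is false
    by_id = {net["id"]: net for net in networks}
    # Unknown ids are not flagged; this only models the external-network check.
    return [nid for nid in requested_ids
            if by_id.get(nid, {}).get("router:external")]


def attachable_networks(networks, tenant_id, is_admin):
    """Network ids that can be offered to this user as --nic net-id values."""
    if is_admin:
        return [net["id"] for net in networks]
    # Non-admins: only networks they can see (own or shared) that are not external.
    return [net["id"] for net in networks
            if (net.get("shared") or net.get("tenant_id") == tenant_id)
            and not net.get("router:external")]


if __name__ == "__main__":
    requested = [DEMO_NET, EXT_NET]  # same pair as in the validate_networks() log
    print("rejected:", forbidden_attachments(requested, NETWORKS, False))
    print("offer:", attachable_networks(NETWORKS, DEMO_TENANT, False))
```

Requesting both networks as a non-admin, as in the logged `validate_networks()` call, flags only the ext-net id; leaving it out of the request avoids the 403.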

answered 2014-06-06 10:28:37 -0500

anant

updated 2014-06-06 10:31:24 -0500

I faced this issue, and I think there is some problem with external network assignment. If you are following the Icehouse install guide, you would have created a private tenant network. If not, then you must create a private network by following that. I have specified that private network's net-id in the --nic option of the nova boot command.

$ nova boot --flavor flavourName --nic net-id=netUuid --key-name keyName --image imageName instanceName


Comments

--nic net-id=netUuid did the trick. I gave demo-net-id and it worked for me. Thanks

Hari ( 2014-07-22 23:31:08 -0500 )

anant - of course if this is going to be used by public paying users, they can't log in to a shell and execute that command, so in that case how else can we set up flavor this --nic assignment so that our end users don't have to (a) figure out through failing that it needs to be done and (b) it does it automatically?

ethode ( 2015-04-02 21:55:24 -0500 )


Stats

Asked: 2014-05-12 02:27:59 -0500

Seen: 5,222 times

Last updated: Jun 13 '14