[openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum

Ian Wells ijw.ubuntu at cack.org.uk
Tue Jun 2 07:32:35 UTC 2015


The fix should work fine.  It is technically a workaround for the way
checksums work in virtualised systems, and the unfortunate fact that some
DHCP clients check checksums on packets where the hardware has checksum
offload enabled.  (This doesn't work due to an optimisation in the way QEMU
treats packet checksums.  You'll see the problem if your machine is running
the VM on the same host as its DHCP server and the VM has a vulnerable
client.)

I haven't tried it myself but I have confidence in it and would recommend a
backport.
-- 
Ian.

On 1 June 2015 at 21:32, Kevin Benton <blak111 at gmail.com> wrote:

> I would propose a back-port of it and then continue the discussion on the
> patch. I don't see any major blockers for back-porting it.
>
> On Mon, Jun 1, 2015 at 7:01 PM, Tidwell, Ryan <ryan.tidwell at hp.com> wrote:
>
>> Not seeing this on Kilo, we're seeing this on Juno builds (that's
>> expected).  I'm interested in a Juno backport, but mainly wanted to be see
>> if others had confidence in the fix.  The discussion in the bug report also
>> seemed to indicate there were other alternative solutions others might be
>> looking into that didn't involve an iptables rule.
>>
>> -Ryan
>>
>> -----Original Message-----
>> From: Mark McClain [mailto:mark at mcclain.xyz]
>> Sent: Monday, June 01, 2015 6:47 PM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [Neutron] virtual machine can not get DHCP
>> lease due packet has no checksum
>>
>>
>> > On Jun 1, 2015, at 7:26 PM, Tidwell, Ryan <ryan.tidwell at hp.com> wrote:
>> >
>> > I see a fix for https://bugs.launchpad.net/neutron/+bug/1244589 merged
>> during Kilo.  I'm wondering if we think we have identified a root cause and
>> have merged an appropriate long-term fix, or if
>> https://review.openstack.org/148718 was merged just so there's at least
>> a fix available while we investigate other alternatives.  Does anyone have
>> an update to provide?
>> >
>> > -Ryan
>>
>> The fix works in environments we’ve tested in.  Are you still seeing
>> problems?
>>
>> mark
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
>
> --
> Kevin Benton
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150602/7e428c57/attachment.html>


More information about the OpenStack-dev mailing list