[openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
Miguel Ángel Ajo
majopela at redhat.com
Tue Jun 2 08:10:14 UTC 2015
The backport seems reasonable IMO.
Is this tested in a multihost environment?.
I ask, because given the Ian explanation (which probably I got wrong), the issue is in the
NET->NIC->VM path while the patch fixes the path in the network node (this is ran in the
dhcp agent). dhcp->NIC->NET.
Best,
Miguel Ángel Ajo
On Tuesday, 2 de June de 2015 at 9:32, Ian Wells wrote:
> The fix should work fine. It is technically a workaround for the way checksums work in virtualised systems, and the unfortunate fact that some DHCP clients check checksums on packets where the hardware has checksum offload enabled. (This doesn't work due to an optimisation in the way QEMU treats packet checksums. You'll see the problem if your machine is running the VM on the same host as its DHCP server and the VM has a vulnerable client.)
>
> I haven't tried it myself but I have confidence in it and would recommend a backport.
> --
> Ian.
>
> On 1 June 2015 at 21:32, Kevin Benton <blak111 at gmail.com (mailto:blak111 at gmail.com)> wrote:
> > I would propose a back-port of it and then continue the discussion on the patch. I don't see any major blockers for back-porting it.
> >
> > On Mon, Jun 1, 2015 at 7:01 PM, Tidwell, Ryan <ryan.tidwell at hp.com (mailto:ryan.tidwell at hp.com)> wrote:
> > > Not seeing this on Kilo, we're seeing this on Juno builds (that's expected). I'm interested in a Juno backport, but mainly wanted to be see if others had confidence in the fix. The discussion in the bug report also seemed to indicate there were other alternative solutions others might be looking into that didn't involve an iptables rule.
> > >
> > > -Ryan
> > >
> > > -----Original Message-----
> > > From: Mark McClain [mailto:mark at mcclain.xyz]
> > > Sent: Monday, June 01, 2015 6:47 PM
> > > To: OpenStack Development Mailing List (not for usage questions)
> > > Subject: Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
> > >
> > >
> > > > On Jun 1, 2015, at 7:26 PM, Tidwell, Ryan <ryan.tidwell at hp.com (mailto:ryan.tidwell at hp.com)> wrote:
> > > >
> > > > I see a fix for https://bugs.launchpad.net/neutron/+bug/1244589 merged during Kilo. I'm wondering if we think we have identified a root cause and have merged an appropriate long-term fix, or if https://review.openstack.org/148718 was merged just so there's at least a fix available while we investigate other alternatives. Does anyone have an update to provide?
> > > >
> > > > -Ryan
> > >
> > > The fix works in environments we’ve tested in. Are you still seeing problems?
> > >
> > > mark
> > > __________________________________________________________________________
> > > OpenStack Development Mailing List (not for usage questions)
> > > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe (http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe)
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> > > __________________________________________________________________________
> > > OpenStack Development Mailing List (not for usage questions)
> > > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe (http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe)
> > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> >
> >
> > --
> > Kevin Benton
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe (http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe)
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe (mailto:OpenStack-dev-request at lists.openstack.org?subject:unsubscribe)
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150602/675812b1/attachment.html>
More information about the OpenStack-dev
mailing list