From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Fri, 01 May 2015 19:31:49 +0000
Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change I364b23784f001dd1da0c1e148c34789fffd873aa

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/149467

Log:
commit a18d7f79620653af22c189072f72d6824e07774b
Author: Ian Cordasco
Date:   Thu Jan 22 21:10:51 2015 -0600

    Add HTTPS verification to glance-replicator

    blueprint migrate-replicator-to-requests

    SecurityImpact

    Change-Id: I364b23784f001dd1da0c1e148c34789fffd873aa


From: fungi at yuggoth.org (Jeremy Stanley)
Date: Mon, 04 May 2015 14:23:26 -0000
Subject: [Openstack-security] [Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens
References: <20150319111325.13509.80712.malonedeb@wampee.canonical.com>
Message-ID: <20150504142326.16614.20023.malone@gac.canonical.com>

I agree, precedent is for this to be documented as current behavior with known workarounds.

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1434034

Title:
  Disabling users & groups may not invalidate previously-issued tokens

Status in OpenStack Identity (Keystone): In Progress
Status in Keystone juno series: In Progress
Status in OpenStack Security Advisories: Won't Fix
Status in OpenStack Security Notes: Confirmed

Bug description:
  Even if the user is disabled, the last token can still be used and is validated.

  0. user foo is enabled
  1. get token (a)
  2. user foo is disabled
  3. foo can still use any API with token (a)

  That's all. This issue is not about the cache process.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1434034/+subscriptions


From: thierry.carrez+lp at gmail.com (Thierry Carrez)
Date: Mon, 04 May 2015 14:23:44 -0000
Subject: [Openstack-security] [Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens
References: <20150319111325.13509.80712.malonedeb@wampee.canonical.com>
Message-ID: <20150504142344.16346.90046.malone@gac.canonical.com>

Agreed, let's go the OSSN route

** Changed in: ossa
       Status: Confirmed => Won't Fix

** Changed in: ossn
       Status: New => Confirmed

-- 
https://bugs.launchpad.net/bugs/1434034

Title:
  Disabling users & groups may not invalidate previously-issued tokens

Status in OpenStack Identity (Keystone): In Progress
Status in Keystone juno series: In Progress
Status in OpenStack Security Advisories: Won't Fix
Status in OpenStack Security Notes: Confirmed


From: fungi at yuggoth.org (Jeremy Stanley)
Date: Tue, 05 May 2015 14:49:20 -0000
Subject: [Openstack-security] [Bug 1447673] Re: session ID reusable?
References: <20150423154006.13687.43783.malonedeb@wampee.canonical.com>
Message-ID: <20150505144920.29216.69540.malone@wampee.canonical.com>

Based on discussion above, I've switched this report to public, marked it as potential security hardening in case someone decides to work on it in the future, and set the security advisory task to won't fix, indicating it's not a report for which the vulnerability management team will be issuing one. This is either category B2, D or E in our incident reporting taxonomy, most probably E.

http://security.openstack.org/vmt-process.html#incident-report-taxonomy

** Information type changed from Private Security to Public Security

** Information type changed from Public Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
https://bugs.launchpad.net/bugs/1447673

Title:
  session ID reusable?

Status in OpenStack Identity (Keystone): Incomplete
Status in OpenStack Security Advisories: Won't Fix

Bug description:
  This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
  Reported via private E-mail from Anass ANNOUR:

  I had tested to replay the session ID and the token to a local environment between two distinct IPs, and it worked perfectly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1447673/+subscriptions


From: 1299039 at bugs.launchpad.net (Dolph Mathews)
Date: Tue, 05 May 2015 15:03:34 -0000
Subject: [Openstack-security] [Bug 1299039] Re: Token Scoping
References: <20140328144343.5612.44045.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150505150334.29256.89512.malone@wampee.canonical.com>

Implemented as part of: https://blueprints.launchpad.net/keystone/+spec/rescoping

** Changed in: keystone
    Milestone: None => 2015.1.0

** Changed in: keystone
       Status: Triaged => Fix Released

** Changed in: keystone
     Assignee: Priti Desai (priti-desai) => Adam Young (ayoung)

-- 
https://bugs.launchpad.net/bugs/1299039

Title:
  Token Scoping

Status in OpenStack Identity (Keystone): Fix Released

Bug description:
  In the Havana stable release, for both V2.0 and V3, a scoped token can be used to get another scoped or un-scoped token. This can be exploited by anyone who has gained access to a scoped token. For example:

  1. userA is related to two projects: Project1, Project2
  2. userA creates tokenA scoped by Project1
  3. userA shares tokenA with a third party (malicious).
  4. The third party can now make a token creation call to create a new tokenB scoped under projectB using tokenA.

  Although we know that a bearer token has an all-or-nothing property, scoping the token can limit the exposure. A scoped token should not be allowed to create another scoped token.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1299039/+subscriptions


From: fungi at yuggoth.org (Jeremy Stanley)
Date: Tue, 05 May 2015 17:22:01 -0000
Subject: [Openstack-security] [Bug 1451931] Re: ironic password config not marked as secret
References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com>
Message-ID: <20150505172201.16544.21137.malone@gac.canonical.com>

In the past, the VMT has not considered info leaks in debug logs to warrant an advisory. Reclassifying as security hardening.

** Information type changed from Public Security to Public

** Tags added: security

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Won't Fix

-- 
https://bugs.launchpad.net/bugs/1451931

Title:
  ironic password config not marked as secret

Status in OpenStack Compute (Nova): Triaged
Status in OpenStack Security Advisories: Won't Fix

Bug description:
  The ironic config options for the password and auth token are not marked as secret, so the values will get logged during startup in debug mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1451931/+subscriptions


From: dstanek at dstanek.com (David Stanek)
Date: Tue, 05 May 2015 19:36:40 -0000
Subject: [Openstack-security] [Bug 1440958] Re: loosen validation on matching trusted dashboard
References: <20150407024927.26193.80349.malonedeb@gac.canonical.com>
Message-ID: <20150505193640.15713.99811.malone@chaenomeles.canonical.com>

In theory, relaxing the exact match makes us vulnerable to an attack if this functionality is used with a dashboard that allows unvalidated redirects.
Could a user spoof this by setting the dashboard URL to something like http://dashboard/redirect?url=http://hacked_site ? And if they can, what could they steal?

-- 
https://bugs.launchpad.net/bugs/1440958

Title:
  loosen validation on matching trusted dashboard

Status in OpenStack Identity (Keystone): Fix Committed

Bug description:
  In the current implementation for verifying where the SSO request came from, the host is grabbed from the 'origin' query parameter and compared to the list of 'trusted_dashboards' in the config file.

      origin = context['query_string'].get('origin')
      host = urllib.parse.unquote_plus(origin)
      if host in CONF.federation.trusted_dashboard:
          ...

  https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L278-L287

  This works, but unless the entry is marked perfectly in the config file, it won't match. We should loosen the validation that is performed, and maybe even use the HTTP Referer instead (and no longer require the 'origin' parameter from horizon). We should be able to decompose the Referer to figure out the scheme + hostname + path, and use that hostname to check against the trusted dashboards.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1440958/+subscriptions


From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Wed, 06 May 2015 01:45:21 +0000
Subject: [Openstack-security] [openstack/neutron] SecurityImpact review request change I3c66e92cbe8883dcad843ad243388def3a96dbe5

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/157097

Log:
commit 1a4ed3014d95bac505903d71d4f0f1c2ccfa572c
Author: Juergen Brendel
Date:   Thu Feb 26 13:51:04 2015 +1300

    ARP spoofing patch: Data structures for rules.
    ARP cache poisoning is not actually prevented by the firewall driver 'iptables_firewall'. We are adding the use of the ebtables command - with a corresponding ebtables driver - in order to create Ethernet frame filtering rules, which prevent the sending of ARP cache poisoning frames.

    The complete patch is broken into smaller patch sets for easier review. This patch set includes some classes for the maintenance of ebtables chains and rules.

    Note: This commit is based greatly on an original, now abandoned patch, presented for review here: https://review.openstack.org/#/c/70067/

    Full spec can be found here: https://review.openstack.org/#/c/129090/

    SecurityImpact

    Change-Id: I3c66e92cbe8883dcad843ad243388def3a96dbe5
    Implements: blueprint arp-spoof-patch-ebtables
    Related-Bug: 1274034
    Co-Authored-By: jbrendel


From: 1446406 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 01 May 2015 00:10:58 -0000
Subject: [Openstack-security] [Bug 1446406] Fix proposed to barbican (master)
References: <20150420223742.32593.66588.malonedeb@gac.canonical.com>
Message-ID: <20150501001058.14558.95628.malone@chaenomeles.canonical.com>

Fix proposed to branch: master
Review: https://review.openstack.org/179301

-- 
https://bugs.launchpad.net/bugs/1446406

Title:
  Insecure signing_dir configuration in barbican-api-paste.ini

Status in OpenStack Key Management (Barbican): Fix Committed
Status in Barbican kilo series: Fix Released

Bug description:
  It appears that Barbican sets signing_dir to "/tmp/barbican/cache" in etc/barbican/barbican-api-paste.ini (Reference: https://github.com/openstack/barbican/blob/master/etc/barbican/barbican-api-paste.ini#L42)

  A Nova bug from 2013 (https://bugs.launchpad.net/nova/+bug/1174608) mentions that they had the same basic issue, and it's a security issue because:

    "This means that if an attacker populated the /tmp/keystone-signing-nova with the appropriate files for signature verification they could potentially issue forged tokens which would be validated by the middleware. As:
    - The directory location is deterministic. (default for glance, nova)
    - *If the directory already exists it is reused*"

  This Nova bug was issued CVE-2013-2030: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2030

  This was originally reported to Barbican devs by the user "zigo" in the #openstack-barbican channel on Freenode:

    2015-03-23 16:59:15 zigo_  I just saw in barbican-api-paste.ini a "signing_dir" directive. This is a security issue which you guys need to fix.
    2015-03-23 16:59:28 zigo_  The signing_dir directive should never be set to /tmp like this.
    2015-03-23 16:59:33 zigo_  Best is to simply remove the directive.
    2015-03-23 16:59:57 zigo_  I can find the announce for the nova security patch that happened a few years ago if you don't just trust my words… :)

  zigo's suggested fix was to remove the directive.
  It appears Cinder has taken this approach for their project (https://bugs.launchpad.net/cinder/+bug/1185098)

To manage notifications about this bug go to:
https://bugs.launchpad.net/barbican/+bug/1446406/+subscriptions


From: 1447673 at bugs.launchpad.net (Guang Yee)
Date: Tue, 05 May 2015 14:49:37 -0000
Subject: [Openstack-security] [Bug 1447673] Re: session ID reusable?
References: <20150423154006.13687.43783.malonedeb@wampee.canonical.com>
Message-ID: <20150505144938.29816.98054.malone@wampee.canonical.com>

Read the fantastical OpenStack Security Guide :)

http://docs.openstack.org/security-guide/content/

-- 
https://bugs.launchpad.net/bugs/1447673

Title:
  session ID reusable?

Status in OpenStack Identity (Keystone): Incomplete
Status in OpenStack Security Advisories: Won't Fix
From: 1447673 at bugs.launchpad.net (Dolph Mathews)
Date: Tue, 05 May 2015 15:25:24 -0000
Subject: [Openstack-security] [Bug 1447673] Re: session ID reusable?
References: <20150423154006.13687.43783.malonedeb@wampee.canonical.com>
Message-ID: <20150505152524.28815.79655.malone@soybean.canonical.com>

Z! poor architecture / design, with (some) security implications, e.g., strengthening opportunities

-- 
https://bugs.launchpad.net/bugs/1447673

Title:
  session ID reusable?

Status in OpenStack Identity (Keystone): Incomplete
Status in OpenStack Security Advisories: Won't Fix
From: 1451931 at bugs.launchpad.net (Robert Clark)
Date: Tue, 05 May 2015 17:33:33 -0000
Subject: [Openstack-security] [Bug 1451931] Re: ironic password config not marked as secret
References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com>
Message-ID: <20150505173333.15945.32718.launchpad@gac.canonical.com>

** Also affects: ossn
   Importance: Undecided
       Status: New

-- 
https://bugs.launchpad.net/bugs/1451931

Title:
  ironic password config not marked as secret

Status in OpenStack Compute (Nova): Triaged
Status in OpenStack Security Advisories: Won't Fix
Status in OpenStack Security Notes: New


From: 1451931 at bugs.launchpad.net (OpenStack Infra)
Date: Tue, 05 May 2015 18:13:21 -0000
Subject: [Openstack-security] [Bug 1451931] Re: ironic password config not marked as secret
References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com>
Message-ID: <20150505181322.15680.74136.launchpad@chaenomeles.canonical.com>

** Changed in: nova
       Status: Triaged => In Progress

-- 
https://bugs.launchpad.net/bugs/1451931

Title:
  ironic password config not marked as secret

Status in OpenStack Compute (Nova): In Progress
Status in OpenStack Security Advisories: Won't Fix
Status in OpenStack Security Notes: New


From: 1440958 at bugs.launchpad.net (Lin Hua Cheng)
Date: Tue, 05 May 2015 21:52:34 -0000
Subject: [Openstack-security] [Bug 1440958] Re: loosen validation on matching trusted dashboard
References: <20150407024927.26193.80349.malonedeb@gac.canonical.com>
Message-ID: <20150505215234.29118.13458.malone@wampee.canonical.com>

if horizon (django) redirects to http://hacked_site after login, it would just perform a simple redirect [1] to the hacked site. Horizon stores the session information of the login user in the cookie, but the cookie will be scoped to the domain of horizon. So the bad site it redirected to will not be able to access any of the session information.

[1] https://github.com/django/django/blob/master/django/contrib/auth/views.py#L47-L53

-- 
https://bugs.launchpad.net/bugs/1440958

Title:
  loosen validation on matching trusted dashboard

Status in OpenStack Identity (Keystone): Fix Committed


From: marek.denis at cern.ch (Marek Denis)
Date: Tue, 05 May 2015 22:14:24 -0000
Subject: [Openstack-security] [Bug 1440958] Re: loosen validation on matching trusted dashboard
References: <20150407024927.26193.80349.malonedeb@gac.canonical.com>
Message-ID: <20150505221424.15967.45583.malone@chaenomeles.canonical.com>

If the problem is that it's hard to add redirect urls in keystone config, I think we should improve error msgs and logging msgs (even though they seemed to specify what was the input, so it should be easy to sketch up a script that compares values with ones from keystone.conf) instead of loosening restrictions on those checks.

-- 
https://bugs.launchpad.net/bugs/1440958

Title:
  loosen validation on matching trusted dashboard

Status in OpenStack Identity (Keystone): Fix Committed


From: 1442787 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 06 May 2015 07:25:52 -0000
Subject: [Openstack-security] [Bug 1442787] Re: Mapping openstack_user attribute in k2k assertions with different domains
References: <20150410195742.13839.10394.malonedeb@wampee.canonical.com>
Message-ID: <20150506072552.14427.95023.malone@chaenomeles.canonical.com>

Reviewed:  https://review.openstack.org/172562
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ae2d7075ff58e426e324e2eac57c852ffd4bc804
Submitter: Jenkins
Branch:    master

commit ae2d7075ff58e426e324e2eac57c852ffd4bc804
Author: Rodrigo Duarte Sousa
Date:   Fri Apr 10 17:27:12 2015 -0300

    Add openstack_user_domain to assertion

    Currently, a keystone IdP does not provide the domain of the user when generating SAML assertions. Since it is possible to have two users with the same username but in different domains, this patch adds an additional attribute called "openstack_user_domain" in the assertion to identify the domain of the user.

    Closes-Bug: 1442787
    bp assertion-extra-attributes

    Change-Id: I65d5c02c0a21f4d4c1b54f8aa56e27950d20badd

** Changed in: keystone
       Status: In Progress => Fix Committed

-- 
https://bugs.launchpad.net/bugs/1442787

Title:
  Mapping openstack_user attribute in k2k assertions with different domains

Status in OpenStack Identity (Keystone): Fix Committed

Bug description:
  We can have two users with the same username in different domains. So if we have a "User A" in "Domain X" and a "User A" in "Domain Y", there is no way to differentiate which "User A" is being used in a SAML assertion generated by this IdP (we have only the openstack_user attribute in the SAML assertion).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1442787/+subscriptions


From: 1440958 at bugs.launchpad.net (Lin Hua Cheng)
Date: Tue, 05 May 2015 22:38:00 -0000
Subject: [Openstack-security] [Bug 1440958] Re: loosen validation on matching trusted dashboard
References: <20150407024927.26193.80349.malonedeb@gac.canonical.com>
Message-ID: <20150505223800.16412.34645.malone@gac.canonical.com>

after discussing in IRC it was decided to just revert the patch to loosen the validation, and then improve the logging to make it easier to resolve the issue when validation fails on the trusted_dashboard.

-- 
https://bugs.launchpad.net/bugs/1440958

Title:
  loosen validation on matching trusted dashboard

Status in OpenStack Identity (Keystone): Fix Committed


From: fungi at yuggoth.org (Jeremy Stanley)
Date: Wed, 06 May 2015 12:14:57 -0000
Subject: [Openstack-security] [Bug 1450798] Re: Multiple command injection vulns in schema_diff tool
References: <20150501135051.16168.63595.malonedeb@gac.canonical.com>
Message-ID: <20150506121457.29359.33185.malone@soybean.canonical.com>

Based on the above discussion, I'm reclassifying this as "E: not a vulnerability" (http://security.openstack.org/vmt-process.html#incident-report-taxonomy) but have tagged it "security" since it might present a strengthening opportunity (albeit a very minimal one).

** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
https://bugs.launchpad.net/bugs/1450798

Title:
  Multiple command injection vulns in schema_diff tool

Status in OpenStack Compute (Nova): New
Status in OpenStack Security Advisories: Won't Fix

Bug description:
  These lines in the latest Nova (as of May 1, 2015) are vulnerable to command injection:

  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L86
  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L103
  https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L117

  In this case (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L86), if a malicious filename such as "; rm -rf /etc" is provided, the /etc directory will be removed with the privileges of the user running this script.

  In this case (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L103), if either a malicious name or filename are provided, the command will be executed with the privileges of the running user.

  In this case (https://github.com/openstack/nova/blob/master/tools/db/schema_diff.py#L117), if either a malicious name or filename are provided, the command will be executed with the privileges of the running user.

  I'm not familiar enough with the usage of this module to know all of the places these inputs can come from, but presumably it can be used in automation, potentially with elevated privileges. I'm sure the idea of this script is to allow certain functionality, not unrestricted commands. The way this has been developed allows unrestricted command execution by tampering with any of the above mentioned inputs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1450798/+subscriptions


From: 1334926 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 06 May 2015 21:49:08 -0000
Subject: [Openstack-security] [Bug 1334926] Related fix proposed to neutron (master)
References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com>
Message-ID: <20150506214908.29180.6728.malone@wampee.canonical.com>

Related fix proposed to branch: master
Review: https://review.openstack.org/180765

-- 
https://bugs.launchpad.net/bugs/1334926

Title:
  floatingip still working once connected even after it is dissociated

Status in OpenStack Neutron (virtual network service): Fix Released
Status in neutron icehouse series: Fix Released
Status in OpenStack Security Notes: Fix Released

Bug description:
  After we create an SSH connection to a VM via its floating ip, even though we have removed the floating ip association, we can still access the VM via that connection. Namely, SSH is not disconnected when the floating ip is not valid.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1334926/+subscriptions


From: 1442787 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 07 May 2015 14:12:33 -0000
Subject: [Openstack-security] [Bug 1442787] Fix proposed to keystone (stable/kilo)
References: <20150410195742.13839.10394.malonedeb@wampee.canonical.com>
Message-ID: <20150507141233.29425.3812.malone@soybean.canonical.com>

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/181007

-- 
https://bugs.launchpad.net/bugs/1442787

Title:
  Mapping openstack_user attribute in k2k assertions with different domains

Status in OpenStack Identity (Keystone): Fix Committed

Bug description:
  We can have two users with the same username in different domains. So if
  we have a "User A" in "Domain X" and a "User A" in "Domain Y", there is
  no way to differentiate which "User A" is being used in a SAML assertion
  generated by this IdP (we have only the openstack_user attribute in the
  SAML assertion).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1442787/+subscriptions

From 1451931 at bugs.launchpad.net Thu May 7 18:40:23 2015
From: 1451931 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 07 May 2015 18:40:23 -0000
Subject: [Openstack-security] [Bug 1451931] Re: ironic password config not marked as secret
References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com>
Message-ID: <20150507184024.14688.15952.malone@chaenomeles.canonical.com>

Reviewed: https://review.openstack.org/179857
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=63aa353c676a094fbf02e799115a884c70a48002
Submitter: Jenkins
Branch: master

commit 63aa353c676a094fbf02e799115a884c70a48002
Author: Joe Gordon
Date: Mon May 4 11:19:33 2015 -0700

    Mark ironic credential config as secret

    Mark ironic credentials as secret so we don't log the values.

    Detected with bandit while testing out: I3026b81317f0a6322acfc94784899a7453af586f

    Change-Id: Icfd13b3294a9fa0881a5ab01f50864ebcbce393e
    Closes-Bug: #1451931

** Changed in: nova
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1451931

Title:
  ironic password config not marked as secret

Status in OpenStack Compute (Nova): Fix Committed
Status in OpenStack Security Advisories: Won't Fix
Status in OpenStack Security Notes: New

Bug description:
  The ironic config options for the password and auth token are not marked
  as secret, so the values will get logged during startup in debug mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1451931/+subscriptions

From gerrit2 at review.openstack.org Thu May 7 20:23:53 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Thu, 07 May 2015 20:23:53 +0000
Subject: [Openstack-security] [openstack/neutron] SecurityImpact review request change I3c66e92cbe8883dcad843ad243388def3a96dbe5
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/157097

Log:
commit f77c17ef9993ea8c545dc044ad2ac013a28dbc22
Author: Juergen Brendel
Date: Thu Feb 26 13:51:04 2015 +1300

    ARP spoofing patch: Data structures for rules.

    ARP cache poisoning is not actually prevented by the firewall driver
    'iptables_firewall'. We are adding the use of the ebtables command -
    with a corresponding ebtables-driver - in order to create Ethernet
    frame filtering rules, which prevent the sending of ARP cache
    poisoning frames.

    The complete patch is broken into smaller patch sets for easier
    review. This patch set here includes some classes for the maintenance
    of ebtables chains and rules.
    Note: This commit is based greatly on an original, now abandoned
    patch, presented for review here: https://review.openstack.org/#/c/70067/

    Full spec can be found here: https://review.openstack.org/#/c/129090/

    SecurityImpact
    Change-Id: I3c66e92cbe8883dcad843ad243388def3a96dbe5
    Implements: blueprint arp-spoof-patch-ebtables
    Related-Bug: 1274034
    Co-Authored-By: jbrendel

From sbauza at free.fr Thu May 7 19:38:24 2015
From: sbauza at free.fr (Sylvain Bauza)
Date: Thu, 07 May 2015 19:38:24 -0000
Subject: [Openstack-security] [Bug 1450454] Re: RFE: allow admin to upload SSH keypair on behalf of an user
References: <20150430121604.16608.68030.malonedeb@gac.canonical.com>
Message-ID: <20150507193826.16484.7599.launchpad@gac.canonical.com>

** Changed in: nova
   Importance: Undecided => Wishlist

** Summary changed:

- RFE: allow admin to upload SSH keypair on behalf of an user
+ Allow admin to upload SSH keypair on behalf of an user

** Tags added: api security

** Tags removed: security

** Tags added: low-hanging-fruit

** Changed in: nova
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/1450454

Title:
  Allow admin to upload SSH keypair on behalf of an user

Status in OpenStack Compute (Nova): Confirmed

Bug description:
  I am setting up OpenStack instance configuration in an Ansible manifest,
  so in case of a failure I can rebuild the instance. We have a lot of
  users and we have central storage of their ssh keys. I can upload the
  SSH keys in the early hours of an OpenStack instance by:

    nova --os-username USER1 --os-password USER1_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1

  However, this requires that we track the password we initially set, and
  I could not do that once the user changes his password (and I do not
  know the password).
  I can then do:

    nova --os-username ADMIN --os-password ADMIN_PASSWORD --os-tenant-name FOO keypair-add --pub-key user1.pub user1

  but then user1 does not see this keypair and is unable to manage his
  own key.

  It would be nice if an admin user could upload and delete an ssh key on
  behalf of a user, i.e. the admin uploads an ssh key for the user and
  that user can see/delete that ssh key. This way, when a user alters his
  ssh key in the central repository, we can sync it to OpenStack. It will
  tighten security because we would not need to track users' initial
  passwords separately, and lower the need for human assistance when
  reprovisioning the whole OpenStack infrastructure.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1450454/+subscriptions

From gerrit2 at review.openstack.org Fri May 8 13:06:37 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Fri, 08 May 2015 13:06:37 +0000
Subject: [Openstack-security] [openstack/keystone] SecurityImpact review request change I03b9c5c64f4bd8bca78dfc83199ef17d9a7ea5b7
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/177686

Log:
commit 0e7f63c13c4d326709ccd3912d7037c675a16ad2
Author: abhishekkekane
Date: Tue Oct 21 04:10:57 2014 -0700

    Eventlet green threads not released back to pool

    Presently, the wsgi server allows persistent connections, hence even
    after the response is sent to the client, it doesn't close the client
    socket connection. Because of this problem, the green thread is not
    released back to the pool.

    In order to close the client socket connection explicitly after the
    response is sent and read successfully by the client, you simply have
    to set keepalive to False when you create a wsgi server.

    Add a parameter to take advantage of the new(ish) eventlet socket
    timeout behaviour.
    Allows closing idle client connections after a period of time, eg:

      $ time nc localhost 8776
      real    1m0.063s

    Setting 'client_socket_timeout = 0' means do not timeout.

    DocImpact:
    Added wsgi_keep_alive option (default=True).
    Added client_socket_timeout option (default=900).

    SecurityImpact

    Conflicts:
        keystone/common/config.py
        keystone/common/environment/eventlet_server.py

    NOTE: This is not a 1:1 cherry-pick because the 'eventlet_server'
    config group is not present in juno.

    Closes-Bug: #1361360
    Change-Id: I03b9c5c64f4bd8bca78dfc83199ef17d9a7ea5b7
    (cherry picked from commit 3b08644eb9cf4c5aca51a36250ae93105c17f6c4)

From gerrit2 at review.openstack.org Fri May 8 21:16:34 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Fri, 08 May 2015 21:16:34 +0000
Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Idbe37922c5f944e3d567ce16913ce5d87af41fef
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/141485

Log:
commit 57949d7052a77735393deb406f618a8fc3223a63
Author: Daniel Genin
Date: Thu Feb 5 09:28:16 2015 -0500

    libvirt: Disconnect dm-crypt on instance suspend/stop

    Strengthens protection provided by the ephemeral storage encryption
    feature by disconnecting the dm-crypt device, which provides access
    to the unencrypted disk, when an encrypted instance is suspended or
    stopped.
    Implements: blueprint stop-dmcrypt-on-suspend
    SecurityImpact
    Change-Id: Idbe37922c5f944e3d567ce16913ce5d87af41fef

From kevin.carter at rackspace.com Fri May 8 19:09:27 2015
From: kevin.carter at rackspace.com (Kevin Carter)
Date: Fri, 08 May 2015 19:09:27 -0000
Subject: [Openstack-security] [Bug 1404862] Re: Horizon SSL configuration vulnerable
References: <20141222115556.21788.73486.malonedeb@gac.canonical.com>
Message-ID: <20150508190929.15466.5371.launchpad@chaenomeles.canonical.com>

** Changed in: openstack-ansible
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1404862

Title:
  Horizon SSL configuration vulnerable

Status in Ansible playbooks for deploying OpenStack: Fix Released
Status in openstack-ansible icehouse series: Fix Released
Status in openstack-ansible juno series: Fix Released

Bug description:
  Currently the Apache configuration for Horizon is very simple and
  therefore vulnerable to various forms of SSL and TLS attack vectors.
  The Qualys SSL test on the default setup results in a C grading. In
  order to ensure that best practices are implemented and anyone using
  os-ansible-deployment has a secure-by-default setup, this needs to be
  addressed.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1404862/+subscriptions

From kevin.carter at rackspace.com Fri May 8 21:05:17 2015
From: kevin.carter at rackspace.com (Kevin Carter)
Date: Fri, 08 May 2015 21:05:17 -0000
Subject: [Openstack-security] [Bug 1412393] Re: mariadb repo unnecessarily configured in all containers
References: <20150119110012.23998.45109.malonedeb@gac.canonical.com>
Message-ID: <20150508210519.15818.90795.launchpad@chaenomeles.canonical.com>

** Changed in: openstack-ansible/trunk
       Status: Fix Committed => Invalid

** Changed in: openstack-ansible/juno
       Status: Triaged => Confirmed

** Changed in: openstack-ansible/icehouse
       Status: Triaged => Confirmed

https://bugs.launchpad.net/bugs/1412393

Title:
  mariadb repo unnecessarily configured in all containers

Status in Ansible playbooks for deploying OpenStack: Invalid
Status in openstack-ansible icehouse series: Confirmed
Status in openstack-ansible juno series: Confirmed
Status in openstack-ansible trunk series: Invalid

Bug description:
  The mariadb repo is unnecessarily configured on every host and in every
  container. The repo should only be configured for containers and hosts
  that require access to the database.

  In order to provide a more secure-by-default installation, the
  /root/.my.cnf client configuration should only be placed where
  necessary. The utility container is likely to be the only location that
  requires it, as all DB access by services is done through explicit
  configuration with a restricted DB user. Another set of containers it
  should perhaps be placed into would be the galera containers themselves.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1412393/+subscriptions

From gerrit2 at review.openstack.org Mon May 11 05:01:26 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Mon, 11 May 2015 05:01:26 +0000
Subject: [Openstack-security] [openstack/barbican-specs] SecurityImpact review request change Iccdfca4f309c50b7507f0a0992bec561045784f0
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/178926

Log:
commit 27ae14e479a0238b61bdfc2db6c43275868fb3f2
Author: jfwood
Date: Wed Apr 29 23:32:50 2015 -0500

    Add Crypto/HSM MKEK Rotation Support

    Currently Barbican has no means to migrate secrets encrypted with a
    crypto/HSM-style plugin to a new master key encryption key (MKEK) and
    its associated wrapped project KEKs. This blueprint proposes adding a
    new Barbican service process that supports completing the rotation of
    secrets to a new master key encryption key (MKEK) and a new wrapped
    project KEK.

    Note that unlike the similarly-named blueprint at
    https://blueprints.launchpad.net/barbican/+spec/add-crypto-mkek-rotation-support-lightweight
    this blueprint does call for re-encrypting secrets *and* wrapped
    project KEKs, so the other blueprint is a 'lightweight' alternative
    to this one.

    This process would be started after deployers, out of band:
    (1) generate new MKEK and HMAC signing keys with a binding to new
        labels, and then
    (2) replicate these keys to other HSMs that may be in the high
        availability (HA) group, and then
    (3) update Barbican's config file to reference these new labels, and
        finally
    (4) restart the Barbican nodes.

    The proposed process would then migrate secrets from encryption via
    the old keys to encryption via the new ones.

    Change-Id: Iccdfca4f309c50b7507f0a0992bec561045784f0
    Implements: blueprint add-crypto-mkek-rotation-support
    SecurityImpact: Rotates and migrates secrets to new KEKs.
    DocImpact: Add information on running KEK migration process.

From gerrit2 at review.openstack.org Mon May 11 12:59:22 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Mon, 11 May 2015 12:59:22 +0000
Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Idbe37922c5f944e3d567ce16913ce5d87af41fef
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/141485

Log:
commit dc5a9641e36ca1697616dcaddad53f47e146a5d2
Author: Daniel Genin
Date: Thu Feb 5 09:28:16 2015 -0500

    libvirt: Disconnect dm-crypt on instance suspend/stop

    Strengthens protection provided by the ephemeral storage encryption
    feature by disconnecting the dm-crypt device, which provides access
    to the unencrypted disk, when an encrypted instance is suspended or
    stopped.

    Implements: blueprint stop-dmcrypt-on-suspend
    SecurityImpact
    Change-Id: Idbe37922c5f944e3d567ce16913ce5d87af41fef

From gerrit2 at review.openstack.org Tue May 12 12:00:21 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Tue, 12 May 2015 12:00:21 +0000
Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Idbe37922c5f944e3d567ce16913ce5d87af41fef
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/141485

Log:
commit 6ec77410c065336c0251d92214cd01ecf68a0e44
Author: Daniel Genin
Date: Thu Feb 5 09:28:16 2015 -0500

    libvirt: Disconnect dm-crypt on instance suspend/stop

    Strengthens protection provided by the ephemeral storage encryption
    feature by disconnecting the dm-crypt device, which provides access
    to the unencrypted disk, when an encrypted instance is suspended or
    stopped.
    Implements: blueprint stop-dmcrypt-on-suspend
    SecurityImpact
    Change-Id: Idbe37922c5f944e3d567ce16913ce5d87af41fef

From gerrit2 at review.openstack.org Wed May 13 00:59:18 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Wed, 13 May 2015 00:59:18 +0000
Subject: [Openstack-security] [openstack/keystone-specs] SecurityImpact review request change I633c50b17c733dfec229f482e5f752ff7a7686aa
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/182513

Log:
commit abb24b6a7baa1d2be62b7fc8d6b05e764d31e642
Author: chioleong
Date: Tue May 12 17:52:42 2015 -0700

    Light-weight Keystone to Keystone Federation

    Spec for light-weight keystone to keystone federation.

    SecurityImpact
    bp lightweight-k2k-federation
    Change-Id: I633c50b17c733dfec229f482e5f752ff7a7686aa

From 1274034 at bugs.launchpad.net Wed May 13 07:33:55 2015
From: 1274034 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 13 May 2015 07:33:55 -0000
Subject: [Openstack-security] [Bug 1274034] Related fix merged to neutron (master)
References: <20140129101504.12361.90017.malonedeb@gac.canonical.com>
Message-ID: <20150513073355.23561.16692.malone@soybean.canonical.com>

Reviewed: https://review.openstack.org/157097
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f77c17ef9993ea8c545dc044ad2ac013a28dbc22
Submitter: Jenkins
Branch: master

commit f77c17ef9993ea8c545dc044ad2ac013a28dbc22
Author: Juergen Brendel
Date: Thu Feb 26 13:51:04 2015 +1300

    ARP spoofing patch: Data structures for rules.

    ARP cache poisoning is not actually prevented by the firewall driver
    'iptables_firewall'. We are adding the use of the ebtables command -
    with a corresponding ebtables-driver - in order to create Ethernet
    frame filtering rules, which prevent the sending of ARP cache
    poisoning frames.

    The complete patch is broken into smaller patch sets for easier
    review.
    This patch set here includes some classes for the maintenance of
    ebtables chains and rules.

    Note: This commit is based greatly on an original, now abandoned
    patch, presented for review here: https://review.openstack.org/#/c/70067/

    Full spec can be found here: https://review.openstack.org/#/c/129090/

    SecurityImpact
    Change-Id: I3c66e92cbe8883dcad843ad243388def3a96dbe5
    Implements: blueprint arp-spoof-patch-ebtables
    Related-Bug: 1274034
    Co-Authored-By: jbrendel

https://bugs.launchpad.net/bugs/1274034

Title:
  Neutron firewall anti-spoofing does not prevent ARP poisoning

Status in OpenStack Neutron (virtual network service): In Progress
Status in OpenStack Security Advisories: Invalid
Status in OpenStack Security Notes: Fix Released

Bug description:
  The neutron firewall driver 'iptables_firewall' does not prevent ARP
  cache poisoning.

  When anti-spoofing rules are handled by Nova, a list of rules was added
  through the libvirt network filter feature:
  - no-mac-spoofing
  - no-ip-spoofing
  - no-arp-spoofing
  - nova-no-nd-reflection
  - allow-dhcp-server

  Actually, the neutron firewall driver 'iptables_firewall' handles only
  MAC and IP anti-spoofing rules.

  This is a security vulnerability, especially on shared networks.

  Reproduce an ARP cache poisoning and man in the middle:
  - Create a private network/subnet 10.0.0.0/24
  - Start 2 VMs attached to that private network (VM1: IP 10.0.0.3,
    VM2: 10.0.0.4)
  - Log on VM1 and install ettercap [1]
  - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
  - Log on VM2 too (with VNC/spice console) and ping google.fr
    => ping is ok
  - Go back on VM1, and see VM2's ping to google.fr going to VM1 instead
    of being sent directly to the network gateway, and being forwarded by
    VM1 to the gw.
    The ICMP capture looks something like this [2]
  - Go back to VM2 and check the ARP table => the MAC address associated
    to the GW is the MAC address of VM1

  [1] http://ettercap.github.io/ettercap/
  [2] http://paste.openstack.org/show/62112/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions

From 1118066 at bugs.launchpad.net Wed May 13 17:20:00 2015
From: 1118066 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 13 May 2015 17:20:00 -0000
Subject: [Openstack-security] [Bug 1118066] Change abandoned on nova (master)
References: <20130207064604.19234.83660.malonedeb@gac.canonical.com>
Message-ID: <20150513172000.23698.70295.malone@soybean.canonical.com>

Change abandoned by Joe Gordon (joe.gordon0 at gmail.com) on branch: master
Review: https://review.openstack.org/143934
Reason: This review is > 4 weeks without comment and currently blocked by
a core reviewer with a -2. We are abandoning this for now. Feel free to
reactivate the review by pressing the restore button and contacting the
reviewer with the -2 on this review to ensure you address their concerns.

https://bugs.launchpad.net/bugs/1118066

Title:
  Nova should confirm quota requests against Keystone

Status in OpenStack Compute (Nova): Confirmed

Bug description:
  The os-quota-sets API should check requests for
  /v2/:tenant/os-quota-sets/ against Keystone to ensure that :tenant does
  exist. POST requests to a non-existent tenant should fail with a 400
  error code. GET requests to a non-existent tenant may fail with a 400
  error code. Current behavior is to return 200 with the default quotas.
  A slightly incompatible change would be to return a 302 redirect to
  /v2/:tenant/os-quota-sets/defaults in this case.
  Edit (2014-01-22)

  Original Description
  --------------------
  GET /v2/:tenant/os-quota-sets/:this_tenant_does_not_exist returns 200
  with the default quotas. Moreover,
  POST /v2/:tenant/os-quota-sets/:this_tenant_does_not_exist with updated
  quotas succeeds and that metadata is saved!

  I'm not sure if this is a bug or not. I cannot find any documentation
  on this interface.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1118066/+subscriptions

From 1369627 at bugs.launchpad.net Wed May 13 17:20:53 2015
From: 1369627 at bugs.launchpad.net (OpenStack Infra)
Date: Wed, 13 May 2015 17:20:53 -0000
Subject: [Openstack-security] [Bug 1369627] Change abandoned on nova (master)
References: <20140915153310.17745.11485.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150513172053.21216.10033.malone@wampee.canonical.com>

Change abandoned by Joe Gordon (joe.gordon0 at gmail.com) on branch: master
Review: https://review.openstack.org/123073
Reason: This review is > 4 weeks without comment, and failed Jenkins the
last time it was checked. We are abandoning this for now. Feel free to
reactivate the review by pressing the restore button and leaving a
'recheck' comment to get fresh test results.

https://bugs.launchpad.net/bugs/1369627

Title:
  libvirt disk.config will have issues when booting two with different config drive values

Status in OpenStack Compute (Nova): Fix Released
Status in OpenStack Security Advisories: Won't Fix

Bug description:
  Currently, in the image creating code for Juno we have

    if configdrive.required_by(instance):
        LOG.info(_LI('Using config drive'), instance=instance)
        image_type = self._get_configdrive_image_type()
        backend = image('disk.config', image_type)
        backend.cache(fetch_func=self._create_configdrive,
                      filename='disk.config' + suffix,
                      instance=instance,
                      admin_pass=admin_pass,
                      files=files,
                      network_info=network_info)

  The important thing to notice here is that we have
  "filename='disk.config' + suffix". This means that the filename for the
  config drive in the cache directory will be simply 'disk.config'
  followed by any potential suffix (e.g. '.rescue'). This name is not
  unique to the instance whose config drive we are creating. Therefore,
  when we go to boot another instance with a different config drive, the
  cache function will detect the old config drive, and decide it doesn't
  need to create the new config drive with the appropriate config for the
  new instance.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1369627/+subscriptions

From 1274034 at bugs.launchpad.net Wed May 13 22:40:05 2015
From: 1274034 at bugs.launchpad.net (Tomoko Inoue)
Date: Wed, 13 May 2015 22:40:05 -0000
Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning
References: <20140129101504.12361.90017.malonedeb@gac.canonical.com>
Message-ID: <20150513224006.26576.90580.launchpad@gac.canonical.com>

** Tags added: juno-backport-potential kilo-backport-potential

https://bugs.launchpad.net/bugs/1274034

Title:
  Neutron firewall anti-spoofing does not prevent ARP poisoning

Status in OpenStack Neutron (virtual network service): In Progress
Status in OpenStack Security Advisories: Invalid
Status in OpenStack Security Notes: Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions

From gerrit2 at review.openstack.org Wed May 13 23:53:14 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Wed, 13 May 2015 23:53:14 +0000
Subject: [Openstack-security] [openstack/neutron] SecurityImpact review request change Ic115eeb59cbacdafb85296d435322ea8b8cc99d6
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/157634

Log:
commit d23e1d8d6d45df6fcf4ab10699bb9340dc76b83a
Author: Juergen Brendel
Date: Thu May 14 11:51:36 2015 +1200

    ARP spoofing patch: Ebtables manager

    ARP cache poisoning is not actually prevented by the firewall driver
    'iptables_firewall'. We are adding the use of the ebtables command -
    with a corresponding ebtables-driver - in order to create Ethernet
    frame filtering rules, which prevent the sending of ARP cache
    poisoning frames.

    The complete patch is broken into smaller patch sets for easier
    review. This patch set here includes the ebtables manager class.
    Note: This commit is based greatly on an original, now abandoned
    patch, presented for review here: https://review.openstack.org/#/c/70067/

    Full spec can be found here: https://review.openstack.org/#/c/129090/

    SecurityImpact
    Change-Id: Ic115eeb59cbacdafb85296d435322ea8b8cc99d6
    Implements: blueprint arp-spoof-patch-ebtables
    Related-Bug: 1274034
    Co-Authored-By: jbrendel

From 1274034 at bugs.launchpad.net Thu May 14 01:05:26 2015
From: 1274034 at bugs.launchpad.net (Cedric Brandily)
Date: Thu, 14 May 2015 01:05:26 -0000
Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning
References: <20140129101504.12361.90017.malonedeb@gac.canonical.com>
Message-ID: <20150514010526.21672.59856.malone@wampee.canonical.com>

neutron kilo and juno do not depend on ebtables and their dependencies
are frozen ... so the backport is not possible.

** Tags removed: havana-backport-potential icehouse-backport-potential juno-backport-potential kilo-backport-potential

https://bugs.launchpad.net/bugs/1274034

Title:
  Neutron firewall anti-spoofing does not prevent ARP poisoning

Status in OpenStack Neutron (virtual network service): In Progress
Status in OpenStack Security Advisories: Invalid
Status in OpenStack Security Notes: Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions

From gerrit2 at review.openstack.org Thu May 14 03:34:27 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Thu, 14 May 2015 03:34:27 +0000
Subject: [Openstack-security] [openstack/neutron] SecurityImpact review request change Ic115eeb59cbacdafb85296d435322ea8b8cc99d6
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/157634

Log:
commit 8884958fe9dc7611d0a6b0fe1d1766055f53aa97
Author: Juergen Brendel
Date: Thu May 14 11:51:36 2015 +1200

    ARP spoofing patch: Ebtables manager

    ARP cache poisoning is not actually prevented by the firewall driver
    'iptables_firewall'. We are adding the use of the ebtables command -
    with a corresponding ebtables-driver - in order to create Ethernet
    frame filtering rules, which prevent the sending of ARP cache
    poisoning frames.

    The complete patch is broken into smaller patch sets for easier
    review. This patch set here includes the ebtables manager class.
    Note: This commit is based greatly on an original, now abandoned
    patch, presented for review here: https://review.openstack.org/#/c/70067/

    Full spec can be found here: https://review.openstack.org/#/c/129090/

    SecurityImpact
    Change-Id: Ic115eeb59cbacdafb85296d435322ea8b8cc99d6
    Implements: blueprint arp-spoof-patch-ebtables
    Related-Bug: 1274034
    Co-Authored-By: jbrendel

From 1434545 at bugs.launchpad.net Thu May 14 21:08:28 2015
From: 1434545 at bugs.launchpad.net (Anna Shen)
Date: Thu, 14 May 2015 21:08:28 -0000
Subject: [Openstack-security] [Bug 1434545] Re: Several command injection vulnerabilities in guestagent/pkg
References: <20150320131103.23017.37206.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150514210829.26084.25926.launchpad@gac.canonical.com>

** Changed in: trove
     Assignee: (unassigned) => Anna Shen (ruiyuan-shen)

https://bugs.launchpad.net/bugs/1434545

Title:
  Several command injection vulnerabilities in guestagent/pkg

Status in OpenStack Security Advisories: Won't Fix
Status in Openstack Database (Trove): Triaged

Bug description:
  At several places in the file guestagent/pkg.py, there are shell
  injection vulnerabilities:

  https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L209

  In this line, the cmd_list is being built parameterized, but then it is
  just combined into one big string and called directly on a shell through
  the command getstatusoutput, which does a popen. If the package name is
  set maliciously, the command will execute arbitrary code with the
  privilege of the trove process.

  The same is true on this line,
  https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L258,
  where a package named something like "abc; rm -rf /etc" will cause all
  files in /etc which Trove has permissions for to be deleted.
Again, on this line: https://github.com/openstack/trove/blob/master/trove/guestagent/pkg.py#L371 , a malicious package name will cause arbitrary code injection with the privileges of the Trove process. I'm not nearly familiar enough with the Trove code and uses to know all the ways that package names for this code can be set, but these commands should be parameterized. Finally, os.popen is a deprecated function. The subprocess module should be used instead. To manage notifications about this bug go to: https://bugs.launchpad.net/ossa/+bug/1434545/+subscriptions From 1274034 at bugs.launchpad.net Fri May 15 12:35:04 2015 From: 1274034 at bugs.launchpad.net (George Shuklin) Date: Fri, 15 May 2015 12:35:04 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150515123504.21497.64829.malone@chaenomeles.canonical.com> But this is a security issue, isn't it? -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. 
Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From fungi at yuggoth.org Fri May 15 13:28:29 2015 From: fungi at yuggoth.org (Jeremy Stanley) Date: Fri, 15 May 2015 13:28:29 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150515132829.23463.36584.malone@soybean.canonical.com> It _may_ be a security issue in your environment if you haven't mitigated it through other means already. That Neutron didn't do if for you in earlier releases doesn't mean it's a vulnerability in Neutron however, just that it was not a problem Neutron's anti-spoofing rules were originally designed to solve (much in the same way that a you wouldn't consider a helmet flawed just because it fails to protect your knees). As previously discussed Neutron developers and the OpenStack Vulnerability Management Team have chosen not to consider a lack of Nova Network feature parity in Neutron a security vulnerability, just an incomplete design which could stand to be improved. 
-- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. 
The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Fri May 15 13:45:24 2015 From: 1274034 at bugs.launchpad.net (George Shuklin) Date: Fri, 15 May 2015 13:45:24 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150515134524.23698.57418.malone@soybean.canonical.com> I consider broken antispoofing as a serious flaw, because it allows to interrupt activity of innocent tenants by malicious activity of the unprivileged tenant. If you insist that it is 'not a security issue, just imperfect design', ok, ok. But don't get upset if this bug will be used by competitors to demonstrate how neglected security issues are in Openstack. Two versions of Openstack had been released with known security bug And after bugfix was finally released it was not ported to currently supported versions. Nice work! -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. 
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Fri May 15 14:17:26 2015 From: 1274034 at bugs.launchpad.net (Cedric Brandily) Date: Fri, 15 May 2015 14:17:26 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150515141726.21801.1169.malone@chaenomeles.canonical.com> That's why Kevin Benton provides a partial correction for OVS agent in kilo (https://review.openstack.org/171003) ... this one can be backported. 
But it's not a security bug (https://bugs.launchpad.net/neutron/+bug/1274034/comments/9) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. 
The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Mon May 18 07:20:25 2015 From: 1274034 at bugs.launchpad.net (Kris Lindgren) Date: Mon, 18 May 2015 07:20:25 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150518072025.21880.61962.malone@wampee.canonical.com> I completely agree with Geroge on this. You have a use case when neutron fails to correctly isolate on multi-tenants networks. This "incomplete feature" set was never called in documentation as a possible trade off. So if nothing you have an known issue that causes neutron not provide appropriate isolation under specific configurations, in a trivially to reproduce manner. This would lead to things that would be at a minimum considered bugs and most likely vulnerabilities. Without a patch this "incomplete feature" allows trivial man in the middle attacks, taking vm's offline of any tenant at will, taking over the metadata id, from there one could easily change/spoof peoples metadata including changing it to add credentials/users for other tenants vm's. This could also lead to someone breaking vm provisioning (metadata/userdata) scripts for other tenants. One could also trivially takeover the gateway for flat networked tenants allowing a vm to see all the routed traffic on that network. If one also managed to spin up a vm on the shared public network that peoples "correctly isolated" private l2 routers attach to one could also takeover traffic/floating ip destined to routers that neutron should be handling. 
I have seen on the mailing list people wanting to support both private and shared networks so this is a completely plausible configuration. Re: comment #9. Comment #8 specifically talks about back porting this change to latest stable --- which would be kilo/juno - no? and previous comments dealt more about handling this issue in the open as opposed to behind closed doors (IE only the security team and people involved in the fix can see the bug). Kevin Bentons patch only works on OVS. Last time I checked ml2 supported more than just OVS. Where this patch fixes it no mater the switch technology being used. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. 
Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Mon May 18 08:45:45 2015 From: 1274034 at bugs.launchpad.net (Kris Lindgren) Date: Mon, 18 May 2015 08:45:45 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150518084546.22112.72551.malone@chaenomeles.canonical.com> Re: just that it was not a problem Neutron's anti-spoofing rules were originally designed to solve (much in the same way that a you wouldn't consider a helmet flawed just because it fails to protect your knees). 
Considering this commit when allowed address pairs were added/refactored and the name previous name of this function: https://github.com/openstack/neutron/commit/b67b20832a5bfccd1bbf8d1e63ebcd7061856881 Or if thats not good enough - the original commit that added security group rules to begin with: https://github.com/openstack/neutron/commit/f14af5dc755706c7297a96fa504acdfe15ac1957#diff-65b266f9e013df37c4934f0b1007897cR168 The original function of that code piece was specifically called out to do ARP SPOOFING filtering/prevention. It's just that the person who originally did it probably didn't realize that you cant correctly filter arp via iptables. So lets call a spade a spade here. Its not an "imperfect design", its not an "incomplete design", it not that "neutron or quantum didn't try to filter or have features to prevent arp spoofing/cache poisoning. Its a bug going back since security groups were implemented in neutron(actually quantum). This got masked by a few code refactors when allowed address pairs was added, but the intent to do arp filter since the "dawn of time" is clearly there. So I would say based upon the code and the intent with the applied rules, this is more of the case of complaining because the helmet that you were wearing (that you were told is specifically suppose to protect you in the event of something bad) failed to protect your head and the kneepads that you were also wearing also failed to protect you knees. Lets do the right thing here. Backport the fix to the stable versions. Admit that the protections we thought we original added 2+ years ago failed to actually do what we thought they did. And move on with bigger and better problems. Jeremy you even said in post #6 that if neutron documentation or config options says it specifically implements code to do the filter that it would be a vulnerability. Well the original code says it was suppose to filter ARP spoofing, it doesn't. 
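An added illustration (editor's example, not Neutron code and not from any message in this thread) of the check that "filtering ARP" at the Ethernet layer means: an ARP frame leaving a VM port is accepted only if its sender MAC/IP is the port's fixed address or one of its allowed address pairs. The port MACs, the gateway IP and the frames are constructed; the IPs follow the bug's 10.0.0.0/24 reproduction.

```python
import socket
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class Port:
    """What Neutron knows about one VM port: its MAC, its fixed IPs and any
    allowed-address-pairs, given here as (mac, ip) tuples."""
    mac: str
    fixed_ips: set
    allowed_address_pairs: list = field(default_factory=list)

    def allowed_macs(self):
        return {self.mac} | {mac for mac, _ip in self.allowed_address_pairs}

    def permits(self, mac, ip):
        """True if (mac, ip) may appear as an ARP sender on this port."""
        if mac == self.mac and ip in self.fixed_ips:
            return True
        return (mac, ip) in self.allowed_address_pairs


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test input: a broadcast Ethernet II frame carrying an
    IPv4/Ethernet ARP packet. Ethernet source and ARP sender MAC are separate
    parameters so that a mismatch between them can be exercised."""
    eth = struct.pack("!6s6sH", _mac("ff:ff:ff:ff:ff:ff"), _mac(eth_src),
                      ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac(sender_mac), socket.inet_aton(sender_ip),
                      _mac(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Fields of an IPv4-over-Ethernet ARP frame, or None for anything else
    (non-ARP frames are the business of the IP/MAC anti-spoofing rules)."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": src.hex(":"), "opcode": opcode,
            "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_ip": socket.inet_ntoa(tpa)}


def check_arp(port, frame):
    """Is an ARP frame leaving `port` consistent with the addresses assigned
    to it? Returns (verdict, reason). This is the decision an Ethernet-level
    rule set (ebtables, OVS flows) expresses; iptables never sees ARP."""
    arp = parse_arp(frame)
    if arp is None:
        return ("ACCEPT", "not ARP; handled by the IP/MAC anti-spoofing rules")
    if arp["eth_src"] not in port.allowed_macs():
        return ("DROP", "Ethernet source MAC not allowed on port")
    if arp["sender_mac"] != arp["eth_src"]:
        return ("DROP", "ARP sender MAC differs from Ethernet source MAC")
    # RFC 5227 address probes carry sender IP 0.0.0.0 in a request; this
    # example lets them through, a real rule set must decide that explicitly.
    if arp["opcode"] == ARP_REQUEST and arp["sender_ip"] == "0.0.0.0":
        return ("ACCEPT", "ARP probe")
    if not port.permits(arp["sender_mac"], arp["sender_ip"]):
        return ("DROP", "ARP sender IP %s not allowed on port" % arp["sender_ip"])
    return ("ACCEPT", "sender address is allowed on port")


# Constructed addresses (assumptions, not values from the thread).
VM1 = Port(mac="fa:16:3e:00:00:03", fixed_ips={"10.0.0.3"})
VM2_MAC, VM2_IP = "fa:16:3e:00:00:04", "10.0.0.4"
GATEWAY_IP = "10.0.0.1"


def scenario():
    """Three frames from VM1's port: a legitimate reply for its own IP, a
    reply claiming the gateway IP (the poisoning frame in the bug report),
    and that same frame once the gateway IP sits in VM1's allowed address
    pairs, which shows how far that extension widens the check."""
    legit = build_arp(VM1.mac, ARP_REPLY, VM1.mac, "10.0.0.3", VM2_MAC, VM2_IP)
    poison = build_arp(VM1.mac, ARP_REPLY, VM1.mac, GATEWAY_IP, VM2_MAC, VM2_IP)
    widened = Port(mac=VM1.mac, fixed_ips={"10.0.0.3"},
                   allowed_address_pairs=[(VM1.mac, GATEWAY_IP)])
    return {"legit": check_arp(VM1, legit)[0],
            "poison": check_arp(VM1, poison)[0],
            "poison_with_allowed_pair": check_arp(widened, poison)[0]}
```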
-- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. 
The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From fungi at yuggoth.org Mon May 18 16:40:46 2015 From: fungi at yuggoth.org (Jeremy Stanley) Date: Mon, 18 May 2015 16:40:46 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150518164046.23826.72815.malone@gac.canonical.com> I sympathize with the frustration some people have expressed over this situation--I'm not thrilled with it either. Unfortunately the currently proposed patches risk introducing behavior changes in already released versions of Neutron. To those who are interested in seeing fixes for this applied to stable release branches, please provide a suitable alternative implementation. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. 
Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Mon May 18 17:09:29 2015 From: 1274034 at bugs.launchpad.net (Darragh O'Reilly) Date: Mon, 18 May 2015 17:09:29 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150518170929.30407.46718.malone@chaenomeles.canonical.com> Maybe I'm not understanding something, but I'm not convinced that the man-in-the-middle attack as described in the bug report is actually possible. How can VM1 forward the packets that come back from google.fr onto VM2? They will have the source ip of google.fr, so the anti-IP- address spoofing should drop them. I will test ... -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. 
https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. 
The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Mon May 18 17:30:32 2015 From: 1274034 at bugs.launchpad.net (George Shuklin) Date: Mon, 18 May 2015 17:30:32 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150518173032.24580.56596.malone@soybean.canonical.com> Formally: There is a security hole in Openstack and it will not be closed for the nearest half of the year and will not applied to existing supporting installation. I do not understand why fix to _SECURITY_ bug is rejected because it will change behaviour? Obviously it will change behaviour, it will break ability for malicious user to break multitenancy in Openstack. Please, care about malicious hackers, please do not port security fixes to the existing versions! Otherwise they would find that Openstack is no longer vulnerable. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. 
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Mon May 18 19:09:03 2015 From: 1274034 at bugs.launchpad.net (George Shuklin) Date: Mon, 18 May 2015 19:09:03 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150518190904.24842.81385.malone@soybean.canonical.com> Darragh O'Reilly, they can not use fake address (I've tested this), but they can announce it rendering any host in the network disabled. Or they can announce fake IP and listen for any non-stream protocols (f.e. UDP). They still will not be able to retransmit it to original or reply, but can intercept any unidirectional UDP (f.e. 
pieces of voice conversations in RTP, or even, pieces of TCP (with cookies! yum!)). Legitimate host will ask to retransmit them, but malicious VM will receive one copy of data. If it will do this sporadically for short time (like once in 10s) it will not disturb work of the legitimate host significantly (sometimes TCP will be really slow or stuck, but recover eventually), but still allows interception of pieces of traffic. I think this is a clear vulnerability in neutron without any 'but you can try to mitigate this' (HOW?). -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. 
The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Mon May 18 21:13:48 2015 From: 1274034 at bugs.launchpad.net (Darragh O'Reilly) Date: Mon, 18 May 2015 21:13:48 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150518211348.24333.71607.malone@gac.canonical.com> George - I was pointing out that the bug report at the top of this page is suspect. I have just tried, and I cannot recreate what it says, as the existing anti-spoofing rules do indeed prevent forwarding. Only after turning off anti-spoofing with iptable -F does the attack work as the bug claims. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. 
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VMs attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
- Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead of being sent directly to the network gateway, and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2]
- Go back to VM2 and check the ARP table => the MAC address associated with the GW is the MAC address of VM1

[1] http://ettercap.github.io/ettercap/
[2] http://paste.openstack.org/show/62112/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions

From 1274034 at bugs.launchpad.net Wed May 20 07:18:32 2015
From: 1274034 at bugs.launchpad.net (Kris Lindgren)
Date: Wed, 20 May 2015 07:18:32 -0000
Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poiso
References: <20140129101504.12361.90017.malonedeb@gac.canonical.com>
Message-ID: <20150520071832.24304.58548.malone@gac.canonical.com>

So for man in the middle, while I have not fully POC'd this, the following does/should work:

1.) Spin up a vm on a shared network with other tenants
2.) arping for the gateway with your own mac or that of another vm.
3.) Add default gateway to your vm or another vm
4.) update the allowed ip address via allowed-address-pairs extension (which is enabled by default and is permitted by the default rules) to add the default gateway to your vm or another vm. Allowed address pairs does zero bounds checking on ip's that you want to allow on a vm. Also, until https://github.com/openstack/neutron/commit/927399c011409b7d152b7670b896f15eee7d0db3 is backported, it is also a security issue, since by default anyone was allowed to hit the allowed address pairs extension. Also this allows you to directly spoof other people's mac/ips and allow this traffic through the anti-spoofing rules.
5.) Profit. At this point you are garping for the default gateway and you have a vm that will allow traffic to pass.

Without allowed-address-pairs one would be limited to bringing down an entire subnet/guest and/or seeing half of the network connectivity. Is a DoS also considered a security vulnerability?

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1274034

Title: Neutron firewall anti-spoofing does not prevent ARP poisoning

Status in OpenStack Neutron (virtual network service): In Progress
Status in OpenStack Security Advisories: Invalid
Status in OpenStack Security Notes: Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions

From 1440958 at bugs.launchpad.net Thu May 21 19:35:23 2015
From: 1440958 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 21 May 2015 19:35:23 -0000
Subject: [Openstack-security] [Bug 1440958] Fix merged to keystone (master)
References: <20150407024927.26193.80349.malonedeb@gac.canonical.com>
Message-ID: <20150521193523.29080.75133.malone@wampee.canonical.com>

Reviewed: https://review.openstack.org/180343
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b48c820e3015a0d6264df6a0a87bf1a3dbea61c4
Submitter: Jenkins
Branch: master

commit b48c820e3015a0d6264df6a0a87bf1a3dbea61c4
Author: Lin Hua Cheng
Date: Tue May 5 22:33:24 2015 +0000

    Revert "Loosen validation on matching trusted dashboard"

    Loosening the validation introduces a security hole for unvalidated redirect. For example:
    redirect_url=http://dashboard/sso?next=http://hacksite

    This reverts commit fb6920e5fe1fef2fa32afe602d2bf93f18d48a3f.

    Change-Id: I7e85b2b879f4c66c3664e8610d3ddbb999a5ac75
    Closes-Bug: #1440958

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1440958

Title: loosen validation on matching trusted dashboard

Status in OpenStack Identity (Keystone): Fix Committed

Bug description:
In the current implementation for verifying where the SSO request came from, the host is grabbed from the 'origin' query parameter, and compared to the list of 'trusted_dashboards' in the config file.

    origin = context['query_string'].get('origin')
    host = urllib.parse.unquote_plus(origin)
    if host in CONF.federation.trusted_dashboard:
        ...

https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L278-L287

This works, but unless the entry is marked perfectly in the config file, it won't match. We should loosen the validation that is performed, and maybe even use the HTTP Referer instead (and no longer require the 'origin' parameter from horizon). We should be able to decompose the Referer to figure out the scheme + hostname + path, and use that hostname to check against the trusted dashboards.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1440958/+subscriptions

From 1427228 at bugs.launchpad.net Fri May 22 17:02:03 2015
From: 1427228 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 22 May 2015 17:02:03 -0000
Subject: [Openstack-security] [Bug 1427228] Fix proposed to neutron (neutron-pecan)
References: <20150302135536.21027.11405.malonedeb@soybean.canonical.com>
Message-ID: <20150522170204.5789.12980.malone@gac.canonical.com>

Fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1427228

Title: Allow to run neutron-ns-metadata-proxy as nobody

Status in OpenStack Neutron (virtual network service): Fix Released

Bug description:
Currently neutron-ns-metadata-proxy runs with neutron user/group permissions on the l3-agent, but we should allow running it with fewer permissions, as the neutron user is allowed to run neutron-rootwrap. We should restrict neutron-ns-metadata-proxy permissions as much as possible, as it's reachable from VMs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1427228/+subscriptions

From 1274034 at bugs.launchpad.net Fri May 22 17:03:42 2015
From: 1274034 at bugs.launchpad.net (OpenStack Infra)
Date: Fri, 22 May 2015 17:03:42 -0000
Subject: [Openstack-security] [Bug 1274034] Related fix proposed to neutron (neutron-pecan)
References: <20140129101504.12361.90017.malonedeb@gac.canonical.com>
Message-ID: <20150522170342.20017.57350.malone@soybean.canonical.com>

Related fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1274034

Title: Neutron firewall anti-spoofing does not prevent ARP poisoning

Status in OpenStack Neutron (virtual network service): In Progress
Status in OpenStack Security Advisories: Invalid
Status in OpenStack Security Notes: Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions

From gerrit2 at review.openstack.org Mon May 25 02:29:49 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Mon, 25 May 2015 02:29:49 +0000
Subject: [Openstack-security] [openstack/neutron] SecurityImpact review request change Ic115eeb59cbacdafb85296d435322ea8b8cc99d6
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/157634

Log:
commit ebcb9d9ee52536245c8be3e74981994e5143eb50
Author: Juergen Brendel
Date: Thu May 14 11:51:36 2015 +1200

    ARP spoofing patch: Ebtables manager

    ARP cache poisoning is not actually prevented by the firewall driver 'iptables_firewall'. We are adding the use of the ebtables command - with a corresponding ebtables-driver - in order to create Ethernet frame filtering rules, which prevent the sending of ARP cache poisoning frames.

    The complete patch is broken into smaller patch sets for easier review. This patch set here includes the ebtables manager class.
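The gap the patch description above refers to, shown in an added example that is my own model and not code from the patch, from Neutron or from anyone in this thread: an iptables-style anti-spoofing check only ever sees IPv4 packets, so the ARP reply ettercap sends in the bug's reproduction passes it untouched, while an ebtables-style check on the ARP sender fields drops it. The third scenario is Kris Lindgren's point from the thread: once the gateway address has been added to the port's allowed-address-pairs, both checks accept the poisoned reply and the spoofed IP traffic. The MAC addresses, the frame builders, the Port class and the 'ACCEPT'/'DROP' verdict names are assumptions; the frames are constructed inline.

```python
import struct
from dataclasses import dataclass, field

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


def mac_bytes(mac):
    return bytes(int(o, 16) for o in mac.split(':'))


def mac_str(raw):
    return ':'.join('%02x' % b for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split('.'))


def ip_str(raw):
    return '.'.join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample: Ethernet header + ARP reply (opcode 2), as ettercap emits."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack('!H', ETH_P_ARP)
    arp = struct.pack('!HHBBH', 1, ETH_P_IP, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def build_ipv4(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed sample: Ethernet header + minimal IPv4 header, no payload."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack('!H', ETH_P_IP)
    ipv4 = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20, 0, 0, 64, 1, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ipv4


def parse_frame(frame):
    """L2 source plus the L3 source the frame *claims* (ARP sender fields or IPv4 src)."""
    ethertype = struct.unpack('!H', frame[12:14])[0]
    info = {'eth_src': mac_str(frame[6:12]), 'ethertype': ethertype}
    if ethertype == ETH_P_ARP:
        info['arp_sha'] = mac_str(frame[22:28])   # sender hardware address
        info['arp_spa'] = ip_str(frame[28:32])    # sender protocol address
    elif ethertype == ETH_P_IP:
        info['ip_src'] = ip_str(frame[26:30])
    return info


@dataclass
class Port:
    mac: str
    fixed_ips: list
    allowed_address_pairs: list = field(default_factory=list)   # (ip, mac or None)

    def allowed(self):
        """(ip, mac) pairs this port may legitimately claim as its source."""
        pairs = {(ip, self.mac) for ip in self.fixed_ips}
        pairs |= {(ip, mac or self.mac) for ip, mac in self.allowed_address_pairs}
        return pairs


def iptables_antispoof(port, frame):
    """Model of the MAC/IP anti-spoofing the iptables driver enforces: only IP packets
    reach iptables, so an ARP frame is never evaluated here."""
    info = parse_frame(frame)
    if info['ethertype'] != ETH_P_IP:
        return 'ACCEPT'
    return 'ACCEPT' if (info['ip_src'], info['eth_src']) in port.allowed() else 'DROP'


def ebtables_arp_antispoof(port, frame):
    """Model of the L2 check the ebtables patch adds: ARP sender fields must belong to the port."""
    info = parse_frame(frame)
    if info['ethertype'] != ETH_P_ARP:
        return 'ACCEPT'
    return 'ACCEPT' if (info['arp_spa'], info['arp_sha']) in port.allowed() else 'DROP'


def egress_verdict(port, frame, arp_protection):
    if iptables_antispoof(port, frame) == 'DROP':
        return 'DROP'
    if arp_protection and ebtables_arp_antispoof(port, frame) == 'DROP':
        return 'DROP'
    return 'ACCEPT'


def scenario(arp_protection, gateway_in_allowed_pairs):
    """VM1 (10.0.0.3) tries to poison VM2 (10.0.0.4) with '10.0.0.1 is-at VM1'."""
    vm1 = Port(mac='fa:16:3e:00:00:03', fixed_ips=['10.0.0.3'])   # hypothetical MACs
    vm2_mac = 'fa:16:3e:00:00:04'
    if gateway_in_allowed_pairs:
        vm1.allowed_address_pairs.append(('10.0.0.1', None))       # the allowed-address-pairs step
    frames = {
        'legit_arp': build_arp_reply(vm1.mac, '10.0.0.3', vm2_mac, '10.0.0.4'),
        'poison_arp': build_arp_reply(vm1.mac, '10.0.0.1', vm2_mac, '10.0.0.4'),
        'spoofed_ip': build_ipv4(vm1.mac, vm2_mac, '10.0.0.1', '10.0.0.4'),
    }
    return {name: egress_verdict(vm1, f, arp_protection) for name, f in frames.items()}


if __name__ == '__main__':
    print('iptables only          :', scenario(False, False))
    print('with ARP filtering     :', scenario(True, False))
    print('ARP filtering + AAP gw :', scenario(True, True))
```

The verdict table is the whole point: the poisoned reply is only stopped by a rule that looks inside the ARP payload, and any mechanism that lets a tenant extend a port's allowed (ip, mac) set re-opens the hole regardless of which filter is in front of it.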
    Note: This commit is based greatly on an original, now abandoned patch, presented for review here: https://review.openstack.org/#/c/70067/

    Full spec can be found here: https://review.openstack.org/#/c/129090/

    SecurityImpact
    Change-Id: Ic115eeb59cbacdafb85296d435322ea8b8cc99d6
    Implements: blueprint arp-spoof-patch-ebtables
    Related-Bug: 1274034
    Co-Authored-By: jbrendel

From gerrit2 at review.openstack.org Wed May 27 10:58:57 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Wed, 27 May 2015 10:58:57 +0000
Subject: [Openstack-security] [openstack/neutron] SecurityImpact review request change Ic115eeb59cbacdafb85296d435322ea8b8cc99d6
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/157634

Log:
commit 037073465efb2eb0b0872f9de9b9e5216e7ef0c7
Author: Juergen Brendel
Date: Thu May 14 11:51:36 2015 +1200

    ARP spoofing patch: Ebtables manager

    ARP cache poisoning is not actually prevented by the firewall driver 'iptables_firewall'. We are adding the use of the ebtables command - with a corresponding ebtables-driver - in order to create Ethernet frame filtering rules, which prevent the sending of ARP cache poisoning frames.

    The complete patch is broken into smaller patch sets for easier review. This patch set here includes the ebtables manager class.
    Note: This commit is based greatly on an original, now abandoned patch, presented for review here: https://review.openstack.org/#/c/70067/

    Full spec can be found here: https://review.openstack.org/#/c/129090/

    SecurityImpact
    Change-Id: Ic115eeb59cbacdafb85296d435322ea8b8cc99d6
    Implements: blueprint arp-spoof-patch-ebtables
    Related-Bug: 1274034
    Co-Authored-By: jbrendel

From 1361360 at bugs.launchpad.net Thu May 28 13:36:58 2015
From: 1361360 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 28 May 2015 13:36:58 -0000
Subject: [Openstack-security] [Bug 1361360] Re: Eventlet green threads not released back to the pool leading to choking of new requests
References: <20140825203231.13086.48412.malonedeb@wampee.canonical.com>
Message-ID: <20150528133658.2234.28981.malone@chaenomeles.canonical.com>

Reviewed: https://review.openstack.org/177670
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=67cda0ccae04471340bcada099d945d90979e64d
Submitter: Jenkins
Branch: stable/kilo

commit 67cda0ccae04471340bcada099d945d90979e64d
Author: abhishekkekane
Date: Tue Oct 21 04:10:57 2014 -0700

    Eventlet green threads not released back to pool

    Presently, the wsgi server allows persistent connections, hence even after the response is sent to the client, it doesn't close the client socket connection. Because of this problem, the green thread is not released back to the pool.

    In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server.

    Add a parameter to take advantage of the new(ish) eventlet socket timeout behaviour. Allows closing idle client connections after a period of time, eg:

        $ time nc localhost 8776
        real 1m0.063s

    Setting 'client_socket_timeout = 0' means do not timeout.

    DocImpact: Added wsgi_keep_alive option (default=True). Added client_socket_timeout option (default=900).
    SecurityImpact
    Closes-Bug: #1361360
    Change-Id: I03b9c5c64f4bd8bca78dfc83199ef17d9a7ea5b7
    (cherry picked from commit 3b08644eb9cf4c5aca51a36250ae93105c17f6c4)

** Tags added: in-stable-kilo

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1361360

Title: Eventlet green threads not released back to the pool leading to choking of new requests

Status in Cinder: Fix Released
Status in Cinder icehouse series: Fix Released
Status in Cinder juno series: Fix Released
Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released
Status in Glance icehouse series: In Progress
Status in Orchestration API (Heat): In Progress
Status in OpenStack Identity (Keystone): Fix Committed
Status in Keystone icehouse series: Confirmed
Status in Keystone juno series: Fix Committed
Status in OpenStack Neutron (virtual network service): Fix Released
Status in neutron icehouse series: Fix Released
Status in neutron juno series: Fix Committed
Status in OpenStack Compute (Nova): Fix Released
Status in OpenStack Compute (nova) icehouse series: In Progress
Status in OpenStack Security Advisories: Won't Fix
Status in OpenStack Data Processing (Sahara): Confirmed

Bug description:
Currently reproduced on Juno milestone 2, but this issue should be reproducible in all releases since its inception.

It is possible to choke OpenStack API controller services using the wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service, for example the nova api service, the eventlet library creates a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned back to the pool until the client socket connection is closed.
This way, any malicious user can send many API requests to the API controller node and determine the wsgi pool size configured for the given service, then send that many requests to the service and, after receiving the response, wait there indefinitely doing nothing, disrupting services for other tenants. Even when service providers have enabled the rate limiting feature, it is possible to choke the API services with a group (many tenants) attack.

The following program illustrates choking of nova-api services (but this problem is omnipresent in all other OpenStack API Services using wsgi+eventlet).

Note: I have explicitly set the wsgi_default_pool_size default value to 10 in order to reproduce this problem in nova/wsgi.py. After you run the below program, you should try to invoke the API.

============================================================================================
import time
import requests
from multiprocessing import Process


def request(number):
    # Port is important here
    path = 'http://127.0.0.1:8774/servers'
    try:
        response = requests.get(path)
        print("RESPONSE %s-%d" % (response.status_code, number))
        # During this sleep time, check if the client socket connection is
        # released or not on the API controller node.
        time.sleep(1000)
        print("Thread %d complete" % number)
    except requests.exceptions.RequestException as ex:
        print("Exception occurred %d-%s" % (number, str(ex)))


if __name__ == '__main__':
    processes = []
    for number in range(40):
        p = Process(target=request, args=(number,))
        p.start()
        processes.append(p)
    for p in processes:
        p.join()
================================================================================================

Presently, the wsgi server allows persistent connections if you configure keepalive to True, which is the default. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server.
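An added example, not part of the bug report and not OpenStack or eventlet code, that reproduces the choke offline and checks both remedies named in the report and in the keystone commit above: a server whose fixed thread pool stands in for eventlet's green pool, "attacker" clients that read one response and then sit idle on the open socket, and a probe that reports whether a fresh request still gets answered. Disabling keepalive releases the worker right after the response; a client socket idle timeout (the client_socket_timeout idea) releases it once the held connection goes quiet. The server class, the pool size, the timeouts and the request bytes are all assumptions constructed for the demonstration.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

REQUEST = b"GET /servers HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"   # constructed sample request


def serve_connection(conn, keepalive, idle_timeout):
    """Worker: answer requests on one client socket.

    With keepalive the worker loops back into recv() after responding and is
    only released when the client closes or idle_timeout expires; idle_timeout
    None means wait forever, which is the pre-fix behaviour the bug describes.
    """
    conn.settimeout(idle_timeout)
    try:
        while True:
            if not conn.recv(4096):           # b'' means the client closed
                break
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: "
                         + (b"keep-alive" if keepalive else b"close") + b"\r\n\r\nok")
            if not keepalive:
                break
    except OSError:                           # idle timeout or reset: release the worker
        pass
    finally:
        conn.close()


class PooledServer:
    """Hypothetical stand-in for an eventlet wsgi server with a fixed-size pool."""

    def __init__(self, pool_size, keepalive=True, idle_timeout=None):
        self.keepalive, self.idle_timeout = keepalive, idle_timeout
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        self.pool = ThreadPoolExecutor(max_workers=pool_size)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                   # listening socket closed
                return
            # Like a full GreenPool, a full executor makes new connections wait, not fail.
            self.pool.submit(serve_connection, conn, self.keepalive, self.idle_timeout)

    def close(self):
        self.sock.close()
        self.pool.shutdown(wait=False)


def hold_connection(port):
    """Attacker client: one request, read the reply, then keep the socket open and go idle."""
    s = socket.create_connection(("127.0.0.1", port), timeout=2)
    s.sendall(REQUEST)
    s.recv(4096)
    return s


def probe(port, timeout=0.5):
    """Legitimate client: True if a fresh request is answered within timeout seconds."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(REQUEST)
            return s.recv(4096).startswith(b"HTTP/1.1 200")
    except OSError:
        return False


def demo(keepalive, idle_timeout, pool_size=4):
    """Occupy the whole pool with idle connections; return (answered while they are
    held, answered again after idle_timeout has had time to fire)."""
    srv = PooledServer(pool_size, keepalive, idle_timeout)
    held = [hold_connection(srv.port) for _ in range(pool_size)]
    while_held = probe(srv.port)
    if idle_timeout:
        time.sleep(idle_timeout * 2)
    later = probe(srv.port)
    for s in held:
        s.close()
    srv.close()
    return while_held, later


if __name__ == "__main__":
    print("keepalive, no timeout  :", demo(True, None))    # choked until the attacker hangs up
    print("keepalive disabled     :", demo(False, None))   # never choked
    print("keepalive, 1.5s timeout:", demo(True, 1.5))     # choked, then recovers on its own
```

Note that the idle timeout only helps if it is shorter than the attacker's patience and the pool is sized for the expected number of concurrently idle keep-alive clients; the report's caveat about legitimate clients that assume persistent connections applies to the keepalive=False setting just as it does to a short timeout.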
Additional information:

By default eventlet passes "Connection: keepalive" if keepalive is set to True when a response is sent to the client. But it doesn't have the capability to set the timeout and max parameters, for example:

    Keep-Alive: timeout=10, max=5

Note: After we have disabled keepalive in all the OpenStack API services using the wsgi library, it might impact all existing applications built with the assumption that OpenStack API services use persistent connections. They might need to modify their applications if reconnection logic is not in place, and they might also experience slower performance, as the http connection will need to be re-established for every request.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1361360/+subscriptions

From 1414532 at bugs.launchpad.net Thu May 28 20:41:53 2015
From: 1414532 at bugs.launchpad.net (OpenStack Infra)
Date: Thu, 28 May 2015 20:41:53 -0000
Subject: [Openstack-security] [Bug 1414532] Re: asserts used in cache.py
References: <20150126041237.12665.35620.malonedeb@soybean.canonical.com>
Message-ID: <20150528204153.26005.53016.malone@soybean.canonical.com>

Reviewed: https://review.openstack.org/175043
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=29b282aa2428893bc227a4497b672214dd0412b8
Submitter: Jenkins
Branch: stable/juno

commit 29b282aa2428893bc227a4497b672214dd0412b8
Author: Geetika Batra
Date: Tue Feb 24 04:32:51 2015 +0530

    Replace assert statements with proper control-flow

    When python is run with -O, assert statements are optimized away. Replacing them with proper control-flow statements (e.g., if, else, elif) prevents the matcher from returning an invalid match.
    Closes-bug: #1414532
    Co-Authored-By: Ian Cordasco
    Change-Id: I60b42d5a5d71602be7adc321406ea87dfcf93f46
    (cherry picked from commit 6b92b537822539497bc0194fe753fe218d1c70f1)

** Tags added: in-stable-juno

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1414532

Title: asserts used in cache.py

Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released
Status in OpenStack Security Advisories: Won't Fix
Status in OpenStack Security Notes: Fix Released

Bug description:
The asserts in the snippet below check at #2 to see if the HTTP method matches the HTTP methods actually specified in the patterns at #1.

/opt/stack/glance/glance/api/middleware/cache.py

    PATTERNS = {  # <--- #1
        ('v1', 'GET'): re.compile(r'^/v1/images/([^\/]+)$'),
        ('v1', 'DELETE'): re.compile(r'^/v1/images/([^\/]+)$'),
        ('v2', 'GET'): re.compile(r'^/v2/images/([^\/]+)/file$'),
        ('v2', 'DELETE'): re.compile(r'^/v2/images/([^\/]+)$')
    }

    ...

    @staticmethod
    def _match_request(request):
        """Determine the version of the url and extract the image id

        :returns tuple of version and image id if the url is a cacheable,
                 otherwise None
        """
        for ((version, method), pattern) in PATTERNS.items():
            match = pattern.match(request.path_info)
            try:
                assert request.method == method  # <--- #2
                image_id = match.group(1)
                # Ensure the image id we got looks like an image id to filter
                # out a URI like /images/detail. See LP Bug #879136
                assert image_id != 'detail'
            except (AttributeError, AssertionError):
                continue
            else:
                return (version, method, image_id)

As stated in the Python documentation, assert statements will not be evaluated when the Python code is compiled with optimization flags. This means that these checks will not be properly executed and one can in that case call a specific method with a completely different HTTP verb. This can result in security issues.
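An added example, mine rather than glance's code, that makes the -O effect visible without restarting the interpreter: the matcher quoted above (reduced to a plain function taking the method and path as arguments) and the control-flow version the fix replaced it with are both compiled from source with compile(..., optimize=1), which strips assert statements the same way python -O / PYTHONOPTIMIZE=1 does, and are then queried with the same method/path pairs. The function names, the two-argument signature and the sample paths are assumptions.

```python
import re

# The glance cache middleware matcher as quoted in the bug report, trimmed to a
# plain function (request.method / request.path_info become two arguments), plus
# the control-flow version the fix introduced. Both live in a source string so
# they can be compiled with and without optimisation below.
MATCHER_SRC = r'''
import re

PATTERNS = {
    ('v1', 'GET'): re.compile(r'^/v1/images/([^\/]+)$'),
    ('v1', 'DELETE'): re.compile(r'^/v1/images/([^\/]+)$'),
    ('v2', 'GET'): re.compile(r'^/v2/images/([^\/]+)/file$'),
    ('v2', 'DELETE'): re.compile(r'^/v2/images/([^\/]+)$'),
}

def match_request_with_asserts(method, path_info):
    # Vulnerable: the method check and the 'detail' check are assert statements.
    for (version, verb), pattern in PATTERNS.items():
        match = pattern.match(path_info)
        try:
            assert method == verb
            image_id = match.group(1)
            assert image_id != 'detail'
        except (AttributeError, AssertionError):
            continue
        else:
            return (version, verb, image_id)
    return None

def match_request_fixed(method, path_info):
    # Hardened: ordinary control flow, which -O leaves alone.
    for (version, verb), pattern in PATTERNS.items():
        if method != verb:
            continue
        match = pattern.match(path_info)
        if match is None or match.group(1) == 'detail':
            continue
        return (version, verb, match.group(1))
    return None
'''


def load_matchers(optimize):
    """Compile MATCHER_SRC as the interpreter would at the given optimisation
    level: optimize=1 is what `python -O` / PYTHONOPTIMIZE=1 applies, and it
    removes every assert statement from the resulting bytecode."""
    namespace = {}
    code = compile(MATCHER_SRC, '<cache.py>', 'exec', optimize=optimize)
    exec(code, namespace)
    return namespace['match_request_with_asserts'], namespace['match_request_fixed']


def classify(optimize, method, path_info):
    """Verdict of the assert-based matcher at a given optimisation level."""
    with_asserts, _ = load_matchers(optimize)
    return with_asserts(method, path_info)


def classify_fixed(optimize, method, path_info):
    """Verdict of the control-flow matcher at a given optimisation level."""
    _, fixed = load_matchers(optimize)
    return fixed(method, path_info)


if __name__ == '__main__':
    for opt in (0, 1):
        print('optimize=%d  GET /v2/images/abc    ->' % opt, classify(opt, 'GET', '/v2/images/abc'))
        print('optimize=%d  DELETE /v1/images/abc ->' % opt, classify(opt, 'DELETE', '/v1/images/abc'))
        print('optimize=%d  GET /v1/images/detail ->' % opt, classify(opt, 'GET', '/v1/images/detail'))
```

With the asserts stripped, a GET on /v2/images/<id> is classified as the DELETE pattern, a DELETE on /v1/images/<id> is reported back as GET (the first pattern that matches the path wins), and the /images/detail exclusion disappears; the control-flow version gives the same answers at both optimisation levels.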
For example, think of having some filtering in place in front of the glance API to maybe allow only certain API queries to come from certain IP addresses. For example: 'the HTTP verb DELETE may only be executed from this IP range'. An attacker can now specify a completely different HTTP verb such as GET, make sure he still matches the regular expressions at #1, and then bypass the firewall. It's a bit of a hypothetical scenario, but in general one should never ever do error checking with assert statements. This should only be done for things which can never realistically fail, and that is simply not an assumption one can hold when it comes to untrusted input from the network.

For more information see
https://docs.python.org/2/reference/simple_stmts.html#the-assert-statement
and
https://docs.python.org/2/using/cmdline.html#envvar-PYTHONOPTIMIZE

This seems to be related to https://bugs.launchpad.net/cinder/+bug/1199354 but it's not fixed, and maybe it should even be a security issue, hence why I reported it again and tagged it as a security vulnerability. I am not familiar enough with the code base to make that call.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1414532/+subscriptions

From pawel.koniszewski at intel.com Fri May 29 07:53:39 2015
From: pawel.koniszewski at intel.com (Pawel Koniszewski)
Date: Fri, 29 May 2015 07:53:39 -0000
Subject: [Openstack-security] [Bug 1419577] Re: when live-migrate failed, lun-id couldn't be rollback in havana
References: <20150209012956.20741.53343.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150529075340.7862.33284.launchpad@gac.canonical.com>

** Tags removed: live-migration
** Tags added: live-migrate

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1419577

Title: when live-migrate failed, lun-id couldn't be rollback in havana

Status in OpenStack Compute (Nova): Confirmed
Status in OpenStack Security Advisories: Won't Fix

Bug description:
Hi, guys

When live-migrate failed with an error, the lun-id of the connection_info column in Nova's block_device_mapping table couldn't be rolled back, and the failed VM can have others' volumes.

My test environment is the following:
Openstack Version : Havana ( 2013.2.3)
Compute Node OS : 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Compute Node multipath : multipath-tools 0.4.9-3ubuntu7.2

Test steps:
1) create 2 Compute nodes (host#1 and host#2)
2) create 1 VM on host#1 (vm01)
3) create 1 cinder volume (vol01)
4) attach 1 volume to vm01 (/dev/vdb)
5) live-migrate vm01 from host#1 to host#2
6) live-migrate success
     - please check the mapper by using the multipath command on host#1 (# multipath -ll), then you can find the mapper is not deleted, and the status of the devices is "failed faulty"
     - please check the lun-id of vol01
7) Again, live-migrate vm01 from host#2 to host#1 (vm01 was migrated to host#2 at step 4)
8) live-migrate fail
     - please check the mapper on host#1
     - please check the lun-id of vol01, then you can find the lun has "two" igroups
     - please check the connection_info column in Nova's block_device_mapping table, then you can find the lun-id couldn't be rolled back

This bug is a critical security issue because the failed VM can have others' volumes, and every backend storage of cinder-volume can have the same problem because this is a bug of live-migration's rollback process.
I suggest the below methods to solve the issue:
1) when live-migrate is complete, nova should delete the mapper devices at the origin host
2) when live-migrate has failed, nova should roll back the lun-id in the connection_info column
3) when live-migrate has failed, cinder should delete the mapping between the lun and the host (Netapp : igroup, EMC : storage_group ...)
4) when volume-attach is requested, the cinder volume drivers of vendors should make the lun-id random to reduce the probability of mis-mapping

Please check this bug. Thank you.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1419577/+subscriptions

From nik.komawar at gmail.com Fri May 29 14:39:44 2015
From: nik.komawar at gmail.com (nikhil komawar)
Date: Fri, 29 May 2015 14:39:44 -0000
Subject: [Openstack-security] [Bug 1414532] Re: asserts used in cache.py
References: <20150126041237.12665.35620.malonedeb@soybean.canonical.com>
Message-ID: <20150529143945.25519.20177.launchpad@soybean.canonical.com>

** Also affects: glance/juno
   Importance: Undecided
       Status: New

** Changed in: glance/juno
       Status: New => Fix Committed

** Changed in: glance/juno
   Importance: Undecided => Low

** Changed in: glance/juno
     Assignee: (unassigned) => Ian Cordasco (icordasc)

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1414532

Title: asserts used in cache.py

Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released
Status in Glance juno series: Fix Committed
Status in OpenStack Security Advisories: Won't Fix
Status in OpenStack Security Notes: Fix Released

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1414532/+subscriptions

From gerrit2 at review.openstack.org Fri May 22 17:05:50 2015
From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org)
Date: Fri, 22 May 2015 17:05:50 -0000
Subject: [Openstack-security] [openstack/neutron] SecurityImpact review request change I3ac12f10f733e85c2352052e9d29b853e0799842
Message-ID:

Hi, I'd like you to take a look at this patch for potential SecurityImpact.

https://review.openstack.org/185072

Log:
commit 84fb6660a337e5e1f515b600ac8c22c6fdf82ec9
Author: Anand Shanmugam
Date: Thu May 21 02:03:33 2015 -0700

    Adding loadbalancerv2 device owner constant to neutron constants

    The neutron constants don't have the constant for device owner lbaasv2. This fix adds the constant. This is needed for the bug 1430394 as we need to check the device owner when the port is to be deleted.

    Partial-Bug: #1430394
    Change-Id: I222a9f44c5ed6c879feb2fb9e04047ae8f2c7745

commit 6c1cb05302f369b3105cea73cb86a00018ada6be
Author: Cyril Roelandt
Date: Wed May 20 15:09:13 2015 +0200

    Python 3: use six.string_types instead of basestring

    In Python 3, there is no "basestring". In Python 3, "six.string_types" is "basestring", and "str" in Python 3.
    Change-Id: Ic22e932cbf3c4b75cd424f4b41428da869f197cf
    Blueprint: neutron-python3

commit 86d5944fcc2f44aac7cd786ea429f942fc5cb66e
Author: Sripriya
Date: Wed May 20 17:24:16 2015 -0700

    Fix minor errors in the Vyatta L3 Plugin:
    update management_network to management_network_id in vrouter.ini
    Fix copyright header to refer to Brocade in vrouter_neutron_plugin.py
    Fix neutron.service_plugins brocade_vyatta_l3 entry in setup.cfg

    Change-Id: Ib9eb4a825454d99607deca61ceeb7acb43a9b248
    Closes-Bug: #1457235

commit 29ea6436070762d38d17d9a34968bed8651b7c4b
Author: Ihar Hrachyshka
Date: Wed May 20 23:17:19 2015 +0200

    Remove middleware oslo-incubator module

    The module was used during Kilo cycle to provide backwards compatibility for users that upgrade to the release without updating their api-paste.ini. We have issued the deprecation warning for a cycle now, so we should be ok to just drop the compatibility layer.

    Note that the change may require a notion in release notes to make sure everyone is notified, even if they don't look through their logs.

    DocImpact
    Change-Id: I41693f4613b5a69a01a33e54f90e82177f42e1af

commit 12889f70e1ae547598f4c663e9da5b9bb03e347e
Author: Kevin Benton
Date: Fri May 15 19:44:16 2015 -0700

    Match order of iptables arguments to iptables-save

    The way we were forming our iptables rules was not matching the output of iptables-save. This caused the logic that preserves counters to miss many of the rules.

    This patch corrects the order for the comments and the allowed address pairs to match the output order of iptables-save.

    Closes-Bug: #1456823
    Change-Id: I34c2249d0865485578767865c82414e1d813d563

commit fdf7107dece3c9ac891750c6752ccaf8d8403101
Author: Gary Kotton
Date: Fri May 15 08:12:54 2015 -0700

    VMware NSXV: update configuration file

    Update the configuration file to show the variables for configuring the Edge username and password. This is very useful for administrators when they wish to debug issues.
    Change-Id: I7340b3b408a6edaf9b4b307909631e628befe921

commit 5836bbca83845fd78200c083465601d2558cdac2
Author: Adrien Vergé
Date: Tue May 19 11:05:27 2015 +0200

    Python 3: Use six.moves.range

    The function `xrange` was renamed to `range` in Python 3.

    * Remove `xrange` occurrences so that Python 3 tests can pass. Use `six.moves.range` instead to get the right function in both cases.
    * Generalize the use of the efficient `range` (ex-`xrange`) in critical sections (when iterating over large lists).
    * Simplify code.
    * Add a hacking check to prevent future usage of `xrange`.

    Change-Id: I080acaaa1d4753619fbbb76dddba6d946d84e73f
    Partially implements: blueprint neutron-python3

commit a52ce62845c899407879e8afbac611fa78eac769
Author: Eugene Nikanorov
Date: Thu Mar 19 04:59:48 2015 +0400

    Use convenience method from db api to create nested transaction

    Instead of dealing with conditional nesting, use the method that creates a nested transaction if possible.

    Change-Id: Icb1fbd5d35dcbecce54426b9ef1e1be18b706d8b

commit d89ee0b995259216cf4fdef6ad1afe315e3f549f
Author: Salvatore Orlando
Date: Mon May 18 14:51:05 2015 -0700

    Remove an unused Context class

    This class in neutron.tests.unit.plugins.opencontrail.test_contrail.plugin is not used anywhere and has no future development purpose.

    Change-Id: Ibf149c5392b97f2aa33ccfc97c8ad6377f34bfee

commit bf71868ba809587b72da68b8cd4c248cf33990a1
Author: Assaf Muller
Date: Fri May 15 17:58:13 2015 -0400

    Optimize IptablesManager._find_last_entry

    As it turns out, calling .strip() thousands of times can be expensive. I'll defer to security groups and iptables experts to try and find ways to call the method less often, cache the results, or any other clever trick.

    Moving strip to the return statement speeds up the method by more than x2.
Change-Id: I7522c6db50c76274bef93e0f0ea6a78d508b7fbe
Related-Bug: #1455675

commit 274713450c4f4cc1f5c466e153b72c9764dd96c9
Author: Angus Lees
Date: Tue Apr 21 11:04:33 2015 +1000

Take Daemon stdin/stdout/stderr args as file objects

Previously Daemon constructor took stdin/stdout/stderr as paths (defaulting to '/dev/null') and opened them as regular files. This greatly limits the type of filehandles supported (no pipes, for example), and doesn't allow simple things like reusing existing fds.

This change switches to accepting file objects rather than strings, and uses a sentinel value to represent the previous "open /dev/null" default behaviour.

Change-Id: I51b36ce912194abd89ed46fad9943802f271444a

commit c7cffb66824f18b8bd04c588aae9a0ad6494f2e8
Author: Jeremy Stanley
Date: Thu May 14 21:38:20 2015 +0000

Replace ci.o.o links with docs.o.o/infra

The http://ci.openstack.org/ documentation site has been deprecated, replaced by redirects to corresponding paths within http://docs.openstack.org/infra/ where other Project Infrastructure documentation already resides.

Change-Id: I5b7d2d6699084cce38a4d1a84ebfc42f8a53624e

commit 750ae6979d920007dc87701cb69db82d72f99fd7
Author: Jakub Libosvar
Date: Tue May 5 14:32:21 2015 +0200

Refactor initialize() of sriov mech driver

This patch rewrites checking correctness of supported_pci_vendor_devs config value from C-style to Python-style. Patch also adds some tests for wrong values passed.

Change-Id: I90855d665ab8d42c4dd26b91d2e8b63feef122f4

commit ce95331c6b7f811d6e12f6c0e7ca7a5e5ed8e140
Author: Assaf Muller
Date: Wed Apr 29 13:23:57 2015 -0400

Centralized register_OVS_agent in tests

This will allow the helper to be used for new DVR and l2pop unit tests.
Change-Id: Iabf2e94c2b2d91f68fe016695fc56831c1aa13e1

commit 6deed4363b6765093d0f3731f40c428810940f9b
Author: Oleg Bondarev
Date: Thu May 14 15:03:54 2015 +0300

Don't pass namespace name in disable_isolated_metadata_proxy

It's not always possible/convenient to get namespace name when need to disable some process (like metadata process for stale router, see related bug). Since namespace name is not required for process manager to disable process we can remove this parameter from disable_isolated_metadata_proxy()

Change-Id: I0e0da01d9640aa9920f41989804fc6f320c1c1eb
Related-Bug: #1455042

commit d4a39439727055fed2cc0661f1ba02c73fd523dc
Author: Moshe Levi
Date: Wed Apr 22 14:17:28 2015 +0300

Add client id option support to dhcp agent

According to the dnsmasq man client id option should be written to dhcp-hostsfile and not to the dhcp-optsfile. Also this patch updates the dhcp_release command to take into account the client id when releasing old leases.

Closes-Bug: #1447105
Change-Id: I6f11b12040ad4e00ae871be45edda3b52b4ee0da

commit f3f2e59ae76ab2a52ee448bf53722be5503f0d43
Author: ankitagrawal
Date: Thu May 14 02:06:39 2015 -0700

Remove use of contextlib.nested

Removed use of contextlib.nested call from codebase, as it has been deprecated since Python 2.7. There are also known issues with contextlib.nested that were addressed by the native support for multiple "with" variables. For instance, if the first object is created but the second one throws an exception, the first object's __exit__ is never called. For more information see https://docs.python.org/2/library/contextlib.html#contextlib.nested

contextlib.nested is also not compatible with Python 3.

Multi-patch set for easier chunks. This one addresses the neutron/tests/unit/agent/test_securitygroups_rpc.py tests.

Line continuation markers (e.g. '\') had to be used or syntax errors were thrown.
While using parentheses is the preferred way for multiple line statements, in case of long with statements backslashes are acceptable.

Partial-Bug: 1428424
Change-Id: Ia66b98423b14fc7d1bbf6d8a673a49f798d328fa

commit c003b450b34dcbb2e67b3ffb573cf68f23eb213f
Author: shihanzhang
Date: Mon May 11 17:22:40 2015 +0800

Allow updating port 'binding:host_id' be None

With ml2 plugin, it should allow updating port 'binding:host_id' to be None directly; there is already a bug in nova #1441419.

Change-Id: I93e4c513e40a7cf5740dde6c658e2470788d716a
Closes-Bug: #1453715

commit 251f551a5fe8fe05cdc8c9b9cfad357245b39bb9
Author: Ryan Tidwell
Date: Mon May 4 15:56:41 2015 -0700

Block subnet create when a network hosts subnets allocated from different pools

This change will ensure that all subnets with the same ip_version on a given network have been allocated from the same subnet pool or no pool. This provides cleaner subnet overlap detection.

Change-Id: I3c7366c69b10c202c0511126fbee6b3aac36759e
Closes-Bug: #1451559

commit 0933f26b2c9772c457bb259cff7c8f648d29f620
Author: Assaf Muller
Date: Wed May 13 13:39:20 2015 -0400

Fix neutron tests

Tox updated to a new major version and changed some substitute variables.

Change-Id: Ifd00abed7bf0a68d4d46d12230118022fa2292ef

commit c262695a31d698b75ee7e49328c324a045c365f5
Author: Henry Gessau
Date: Tue Mar 31 10:54:51 2015 -0400

Allow unit tests to be run independently

Add various initializations and imports so that unit tests can be run independently.
This change fixes the following test cases which could not be run independently, that is running any individual unit test case by going in to the py27 venv and running "unit2 neutron.tests.unit.module.Class.test_case":

neutron.tests.unit.plugins.ml2.drivers.arista.test_mechanism_arista.*
neutron.tests.unit.plugins.ml2.drivers.cisco.apic.*
neutron.tests.unit.plugins.ml2.test_rpc.RpcCallbacksTestCase.*
neutron.tests.unit.services.l3_router.test_l3_apic.*
neutron.tests.unit.agent.dhcp.test_agent.TestDhcpAgentEventHandler.*

(Note that these issues are not seen when running tox because the initializations occur when all test modules are imported for test discovery.)

Closes-bug: 1438463
Closes-bug: 1454640
Change-Id: I681caa66b51ce9a7bfbee5dfc43d534ba0d51947

commit d2703d81f086a9c3f7bb822046794668dde8ea6b
Author: Angus Lees
Date: Tue Apr 21 11:00:04 2015 +1000

SystemExit is ok for child processes

DietTestCase catches SystemExit while running tests, interprets it as a test failure, and then carries on with the next test (without exiting). This greatly upsets forked child python processes, which may call exit() legitimately, and expect that to result in process exit.

This change re-raises the SystemExit if the current process ID is not the original pid.

Change-Id: Ia39a350b562b2856b5588cd73826afb3d072554f

commit 276028cca26af573c14938255e40c58358eabd4a
Author: Robert Collins
Date: Wed May 13 07:49:15 2015 +1200

Update build hooks.

The pbr setup_hook has not been needed for a while, so remove it. The neutron hook has been broken for a while: it places a setup_requires build dependency on everything in neutron/__init__.py, which is non-empty, but setup_requires is handled by easy install so we try very hard to avoid it. Instead, we can use environment markers to selectively include the win32 dependencies without requiring that neutron be importable during setup.py execution.
This is unusual in OpenStack and will eventually be moved to a regular requirements.txt dependency with the same marker - once we've finished the integration work to make markers work properly in requirements.txt.

Change-Id: Icdc403a3ccf06daeccf2a907a7bfeafd8dbbb5dd

commit 8d4cbb3911a4c5b38ef998b0425eab1994b3bc2d
Author: Carl Baldwin
Date: Tue Apr 21 21:36:33 2015 +0000

Append @randtoken to L3 agent namespaces in full stack tests

Change-Id: Ib180a5836f653385ec2877c50fbca6f850eff351
Closes-Bug: #1446261

commit 39af7fb15ef5abe9402d80da207c2c43ca905d23
Author: shihanzhang
Date: Fri May 8 08:51:19 2015 +0800

setup port filters when sg rules change

When security group rules change, the l2 agents which have the ports in this security group should reload iptables; this bug was introduced by patch#118274.

Closes-bug: #1452718
Change-Id: Idb1577128be5d8812024467f599166bc131d57ea

commit 54fc39308277d4aedc3e399286714d719ecacfbb
Author: Ihar Hrachyshka
Date: Fri Apr 10 11:29:56 2015 +0200

tests: don't allow oslo.config to autodiscover config files

oslo.config makes attempts to autodiscover configuration files using find_config_files() helper. If e.g. /etc/neutron/neutron.conf exists, and is not readable, the following test failure can be experienced:

oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/neutron/neutron.conf

Unit tests must not rely on any external state of the system and run successfully no matter whether neutron is actually installed on the system, or not.

Closes-Bug: #1442543
Change-Id: Ic90d8c40b2072fdda152703b84081719936b5f4e

commit 3488559abaaffe28b0831689288938261a458adc
Author: Moshe Levi
Date: Sat May 9 18:53:59 2015 +0300

mlnx MD: mlnx_direct removal

mlnx_direct is deprecated from Juno release. sriov-nic-switch with macvtap port is the replacement for it. This patch removes the mlnx_direct from mlnx MD and from the supported vif_types.
Closes-Bug: #1453410
Change-Id: I7ee528dc04cdafa27455d5f8fd18c04c858466d8

commit f3eef3c0edc8968ce9c839c723e39e5959583b22
Author: YAMAMOTO Takashi
Date: Mon Feb 23 13:37:47 2015 +0900

l2pop UT: Reduce code duplication in migration tests

Change-Id: Id5c2a849c242932ecfc243daef1d83f1892cbb0a

commit 922dae45d0a223f9256bdff1faa65d469cbc9275
Author: Robert Kukura
Date: Wed Apr 1 17:11:59 2015 -0400

Add unit tests for ML2 DVR port binding and fix PortContext inconsistencies

Extends the existing ML2 port binding unit tests to cover the distributed port bindings used for DVR. Within the test mechanism driver, bindings are tracked per-host, and additional assertions are added.

Fixes issues with PortContext attributes that were exposed by these new tests. Adds new vif_type, original_vif_type, vif_details, and original_vif_details PortContext attributes, similar to the existing host, original_host, status, and original_status attributes, to reflect host-specific details of distributed (or normal) port bindings. Also fixes original_host and original_status to return None when in the context of an operation other than an update, and fixes original_host to reflect the specific host being bound for a distributed port.

Closes-bug: 1453943
Closes-bug: 1453955
Change-Id: I467db0d48e4b82fdaad8d851e294e639a84a8160

commit ccc2fa44c53217c2b5c9a8ff5756571240749d4b
Author: Carl Baldwin
Date: Mon May 11 12:58:34 2015 -0600

Make it clear the rfe tag is lower-case

This tripped me up, I tried adding RFE to my bug and was denied. It seems the tag was added with lower-case letters. This is fine with me as it is consistent with most, if not all, other tags in the project. If it stays lower-case, we should at least make the quoted tag in the policy document lower-case.
Change-Id: I9c72a2db2a168b56b1137839f5bfc1d2068d9f0c

commit 05daedff691a78c9a7d21d082f048ecc63a42476
Author: Jakub Libosvar
Date: Mon May 11 16:05:03 2015 +0200

Remove H305 from tox.ini pep8 ignore list

H305 is about grouping imports. It seems like we meet the requirement. I don't think there is a reason to keep it.

Change-Id: Ia2ddd467288c3c3aad39aed98eefb532b0e1d280

commit 8db41f04d54526104920f3a160203ecf7ef453b0
Author: Cyril Roelandt
Date: Thu May 7 13:00:38 2015 +0000

Allow users to run 'tox -epy34'

With this commit, it is possible to successfully run 'tox -epy34', even though only a small amount of tests will actually be run. This is a required step in making Neutron compatible with Python 3, as described in the 'Porting to Python 3' specification.

This commit:
- fixes some broken imports, while making sure they still work with Python 3;
- updates a call to gettext.install;
- adds a py34 target in tox.ini.

Change-Id: I91cc7a992d05ea85f7004d1c5a45a1c02cbf1c85
Blueprint: neutron-python3

commit a6b6e5597f32dfb0d92dc168d91e83d6daafe227
Author: Salvatore Orlando
Date: Fri May 8 17:03:55 2015 -0700

Deprecate quota_items, register resources upon REST initialization

Register 'core' resources when the respective rest controllers are instantiated, rather than at module load time. Since in this way there will not be any need to iterate over quota_items, the option is being deprecated.

This patch does not supply unit tests as the already-existing routine for registering a resource from quota_items is being deprecated as well (and was not covered by any unit test beforehand).

DocImpact
Change-Id: Icdb744adfd86d38363239a454ccf04f3c6b9c158
Closes-Bug: #1453322

commit 89489d2720c80c3465e36dad566aa835215fb92e
Author: sridhargaddam
Date: Tue Apr 14 08:03:49 2015 +0000

Support BP:ipv6-router in Neutron HA Router

blueprint ipv6-router (ChangeID:Iaefa95f788053ded9fc9c7ff6845c3030c6fd6df), supports an IPv6 Router where the router gateway port has no subnet.
The BP implements the following. If an external network (without any subnet) is attached to the Neutron router, it reads the ipv6_gateway config parameter (LLA of upstream router) from l3_agent.ini file and adds a default route that points to this LLA. If the ipv6_gateway config value is not configured, it would configure the gateway interface to accept router advts from upstream router to build the default route.

For an HA router, we would have to configure keepalived to perform this operation. This patch extends the functionality to an HA router.

Implements: blueprint ipv6-router
Change-Id: I26dc5ce9e46c74423358aa8a9559bc6c7cbdf85e

commit dcc9840684de11835625730aeca10aeaf416929b
Author: Eugene Nikanorov
Date: Sat May 9 22:56:44 2015 +0400

Catch ObjectDeletedError and skip port or subnet removal

When network is deleted service ports are deleted in the scope of delete_network. Service ports could also be deleted by other entities such as DHCP agent releasing dhcp port. That could rarely lead to a race condition when port object used in _delete_ports helper is already deleted causing ObjectDeletedError exception. Need to handle it and prevent object deletion in that case.

Change-Id: I531251d3211545c82a5bb7a471b7915da9b763b7
Closes-Bug: #1454408

commit 1d9fd2aec00cb85034e5a23cc1beac33c74e0110
Author: Eugene Nikanorov
Date: Mon May 11 01:34:35 2015 +0400

Randomize tunnel id query to avoid contention

When networks are created rapidly, neutron-servers compete for segmentation ids which creates too much contention and may lead to inability to choose available id in hardcoded amount of attempts (11). Randomize tunnel id selection so that condition is not hit.
Change-Id: I7068f90fe4927e6e693f8a62cb704213b2da2920
Related-Bug: #1382064
Closes-Bug: #1454434

commit c9284827eeec90a253157286214bc1d17771db24
Author: Henry Gessau
Date: Mon Apr 20 14:50:50 2015 -0400

Remove skip of service-type management API test

Advanced services split is complete so remove the skip for the service-type management API test. (Yes, there is only one placeholder test. More tests need to be developed.)

Also remove the obsolete 'JSON' suffix from the test class.

Closes-bug: 1400370
Change-Id: I5b4b8a67b24595568ea13bc400c1f5fce6d40f28

commit 62ccf394c21eed132277b87b2428632efb07f1b0
Author: OpenStack Proposal Bot
Date: Sun May 10 06:15:11 2015 +0000

Imported Translations from Transifex

For more information about this automatic import see: https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: I879a3f7c7b0e970c91ef23b118f09ade99ceffc2

commit e833d33db199b6e8ca9f1877b2fd7914f376b433
Author: Kevin Benton
Date: Sat May 2 05:08:26 2015 -0700

Add capability to wait for IPv6 address in ip_lib

When an IPv6 address is added to an interface, it goes into a tentative state for a couple of seconds for duplicate address detection. During this time, use of the address will fail. This is an issue for functional tests where they may add an address to an interface and then immediately run a ping and expect success.

This patch adds a new wait_until_address_ready function to ip_lib that will poll the interface every 200 ms until the status transitions off of tentative or until a time limit is exceeded. If the time limit is exceeded, it will raise an exception.

It also adds unit tests and updates a functional test to make use of the new feature.

Change-Id: I2fa51e3f55847f7b5062bec0c1c666f5c11364d5

commit 9c857dab6289047a272a4519479903c92a84dc4c
Author: Sukhdev Kapur
Date: Fri May 8 17:19:58 2015 -0700

remove router interface on Arista L3 plugin fails

The failure is because of mismatch of the parameters to _validate_interface_info().
This patch removes this code as it can be inherited from upstream.

Change-Id: I5a92c6d05876e9ab5201e8fac018433eeb5c89e4
Closes-Bug: #1453323

commit 801dedebbfc7ff4ae6421c793a1154ca0d169e6c
Author: Assaf Muller
Date: Fri May 1 13:29:26 2015 -0400

Extenuate register_dhcp_agent code duplication in tests

Non-obvious changes:
* Change helpers.register_agent to use a slimmed down version of a plugin that knows how to register an agent. This allows the helper to be used with tests that do not register a core plugin.

Change-Id: Iefb1af676af6a984b01cdc1e9050541dffb5951a

commit 11cefbe5a38113cf8d782d3f0a9f52e2003d1c36
Author: sridhargaddam
Date: Fri Apr 17 19:09:06 2015 +0000

Fix typos related to IPv6 use-cases

Change-Id: I8ede289ded70d2820a39c13a4cbfdaae570f699c

commit 6b4d006344e38dcbbc0048b17ca41af16e13e5a2
Author: Sergey Belous
Date: Thu Jan 15 18:19:51 2015 +0300

Refactor checks for device existence

The code calling driver.plug() shouldn't check for the device existence, it's a duplicate and it's an expensive call. Move check for device existence to base LinuxInterfaceDriver.plug() to remove code duplication. Make plug_new() abstract instead.

Change-Id: Id118a64012ad10b197ba681ce5f1b2742eb135b4
Closes-Bug: 1348703

commit 9fd685a322107c2523f58d3653828118d67641a2
Author: OpenStack Proposal Bot
Date: Thu May 7 23:32:27 2015 +0000

Updated from global requirements

Change-Id: Iecf009725214efa30e42f62d14e4ef920d6ce4a1

commit 3a1175b88a436eecf00b8f04e5cc9f5cbce3ee06
Author: Kevin Benton
Date: Sat May 2 23:10:52 2015 -0700

Check for missing network in _bind_devices

_bind_devices was making the assumption that the ports it was operating on had local VLAN map entries for their network. This wasn't the case when a network was deleted right before _bind_ports was called because the VLAN was reclaimed. This patch just checks to see if the network ID has an entry in the map. If not, it skips the port.
The port will be handled on the next scan_ports iteration when the agent will discover that the port is no longer defined on the plugin and it will be placed in the DEAD vlan.

Change-Id: Ica51d727aceb41848fec0f4edbd16916365941ee
Closes-Bug: #1452903

commit f1b4dfd52bd37ff613b0f8c9156386b6032295b2
Author: Yushiro FURUKAWA
Date: Tue Apr 7 10:56:55 2015 +0900

Add missed actions into policy.json

This patch adds following actions into policy.json.
1. v2.0/fw/firewall_policies/{firewall_policy_id}/insert_rule
2. v2.0/fw/firewall_policies/{firewall_policy_id}/remove_rule

Closes-Bug: #1439383
Change-Id: I8051a97852f0f1f21bf266c16a477a5e2fd32062

commit 47dd65cf986d712e9c6ca5dcf4420dfc44900b66
Author: Dane LeBlanc
Date: Tue Apr 14 09:18:18 2015 -0400

Reuse caller's session in ML2 DB methods

This patch changes the get_port_from_device_mac() and get_sg_ids_grouped_by_port() methods in ML2 db.py module so that they do not create a new database session (via get_session()), but instead reuse the session associated with the caller's context.

In order to make the session that is associated with the caller's context available to these ML2 DB methods, the get_ports_from_devices plugin API in securitygroups_rps_base.py needs to be modified so that the context can be passed down to the ML2 plugin. (A similar change is made to the get_port_from_device plugin API for consistency.)

Change-Id: I3f990895887e156de929bd7ac3732df114dd4a4b
Closes-Bug: 1441205

commit f77c17ef9993ea8c545dc044ad2ac013a28dbc22
Author: Juergen Brendel
Date: Thu Feb 26 13:51:04 2015 +1300

ARP spoofing patch: Data structures for rules.

ARP cache poisoning is not actually prevented by the firewall driver 'iptables_firewall'. We are adding the use of the ebtables command - with a corresponding ebtables-driver - in order to create Ethernet frame filtering rules, which prevent the sending of ARP cache poisoning frames.

The complete patch is broken into smaller patch sets for easier review.
This patch set here includes some classes for the maintenance of ebtable chains and rules.

Note: This commit is based greatly on an original, now abandoned patch, presented for review here: https://review.openstack.org/#/c/70067/

Full spec can be found here: https://review.openstack.org/#/c/129090/

SecurityImpact
Change-Id: I3c66e92cbe8883dcad843ad243388def3a96dbe5
Implements: blueprint arp-spoof-patch-ebtables
Related-Bug: 1274034
Co-Authored-By: jbrendel

commit 1bfd86e1ef7148370798aa99c868d7f931fcbf78
Author: Andrew Boik
Date: Wed Mar 25 16:05:41 2015 -0400

Limit router gw ports' stateful fixed IPs to one per address family

Validate a router's gateway port during a router update by ensuring it has no more than one v4 fixed IP and one v6 (statefully-assigned) fixed IP. Note that there is no limit on v6 addresses from SLAAC and DHCPv6-stateless subnets as they are automatically allocated.

Change-Id: I6a328048b99af39ab9497fd9f265d1a9b95b7148
Closes-Bug: 1438819
Partially-implements: blueprint multiple-ipv6-prefixes

commit 1612b2ad8d3f964f035ec49426c832d95e845477
Author: Kobi Samoray
Date: Sun Apr 19 12:25:33 2015 +0300

VMWare NSXv: Metadata for distributed router

Metadata support for NSXv distributed routers is provided via DHCP Edge appliances. In order to avoid conflicts between distributed routers and DHCP Edges which map different networks with same CIDRs, we create a 1:1 mapping between a distributed router and a DHCP Edge.

This patch contains the data model for the above, while the implementation is in vmware-nsx repository.

Change-Id: I324403f7d5df4861193840e05bedf7a473aea655

commit cf84ec4c10461bef6dd57b9645cb902e0c16584f
Author: Cedric Brandily
Date: Thu Oct 23 17:49:46 2014 +0200

Allow to define enable_snat default value

Currently neutron resets enable_snat attribute to True when enable_snat is not provided in router external_gateway_info.
But in some deployments (private/enterprise clouds) such behavior is not the expected default one as snat/nat/floating-ips is not used (at least by default).

This change defines the option enable_snat_by_default which allows deployers to set enable_snat default value when neutron resets it. The option default value is True for backward compatibility.

DocImpact
APIImpact
Closes-Bug: #1388858
Change-Id: I455a552230ec89fe907a087c1de8c8144b5d086e

commit 3e085ec97c4a8d77398e70c0db78ae0849dda841
Author: Kyle Mestery
Date: Wed May 6 14:50:57 2015 +0000

Update the specs process for Liberty

This adds explicit wording around the fact we will not use a deadline for specs submission during Liberty. It also adds wording around the new requirement for a less heavy-weight template to be filled in when submitting a spec.

Change-Id: Id54550fb4314117db8fcfea90dd0627899e80c74

commit dd9129d42cf280458301d5101a131c4c5c12abdf
Author: Matthew Thode
Date: Wed May 6 14:39:20 2015 -0500

changes log level to debug for help calls

Calling help typically causes the program being called to exit non-zero. This causes the command to be logged as an error even though it should not be. By setting 'log_fail_as_error=False' we log to debug. This helps clean up logs.

Change-Id: I13f9488b9bc524bb85047e9b2dcf4e8a76bd6c11
Closes-Bug: 1452425

commit 4cd1600b2548b3d15cdbc9dcc368c375d2f7fee9
Author: ankitagrawal
Date: Wed Mar 25 05:40:45 2015 -0700

Remove use of contextlib.nested

Removed use of contextlib.nested call from codebase, as it has been deprecated since Python 2.7. There are also known issues with contextlib.nested that were addressed by the native support for multiple "with" variables. For instance, if the first object is created but the second one throws an exception, the first object's __exit__ is never called. For more information see https://docs.python.org/2/library/contextlib.html#contextlib.nested

contextlib.nested is also not compatible with Python 3.
This is the first patch in a series for removing use of contextlib.nested. Added hacking check to catch if any new instances are added to the codebase.

Line continuation markers (e.g. '\') had to be used or syntax errors were thrown. While using parentheses is the preferred way for multiple line statements, in case of long with statements backslashes are acceptable.

Partial-Bug: 1428424
Change-Id: I171fbdb89892a3d4548bf2ca52f4a7dd9ef8dccb

commit d7cb612b451edbcf35049a92a42e0583086e6fda
Author: Jakub Libosvar
Date: Wed May 6 13:13:37 2015 +0200

Fix fetching prevent_arp_spoofing from cfg in neutron-sanity-check

Change-Id: I0e2ae9fb7236db3aadfc8969bd0adc1d28ea1fc7
Closes-bug: 1452241

commit a5a4ebfe5aa62c6b5f2925b9833919cd946ff488
Author: Gary Kotton
Date: Thu Apr 30 06:40:58 2015 -0700

VMware: add in router types for NSXv

The configuration file was updated to include the configuration variable for the tenant_router_types.

Change-Id: Id6d544f0d11bad3fa2fe33781a14c299f4043aff

commit 087eb159a61bcd3eb49860a23cb6ee7d12311d41
Author: Ann Kamyshnikova
Date: Thu Apr 30 15:42:06 2015 +0300

Add test for security groups

Add test that default security group name can not be updated.

Change-Id: Iff0a920122be8e19a1e1d92db33519f372a8b9b2

commit bd5373b670cdd7f21f8a1ece98fde6be9fda71ab
Author: yangxurong
Date: Tue Aug 26 15:15:40 2014 +0800

Use iptables zone to separate different ip_conntrack

ip_conntrack causes security group rule failures when packets share the same 5-tuple. Use iptables zone option to separate different conntrack zone. Currently this patch only works for OVS agent.
Co-authored-by: shihanzhang
Change-Id: I90b4d2485e3e491f496dfb7bdee03d57f393be35
Partial-Bug: #1359523

commit 8978516e49a246fb490dad9a2a4e34f1e98afea5
Author: OpenStack Proposal Bot
Date: Tue May 5 00:07:15 2015 +0000

Updated from global requirements

Change-Id: Ic51f5b4e157bcc097bd42eb5607dd8223d01952d

commit a4ada8e0a980a40384c5c0fcd43b872469dcded7
Author: Paul Michali
Date: Tue Apr 21 16:12:38 2015 -0400

Enhance configure_for_func_testing.sh for *aaS use

Modify the script so that it can be used by the *aaS functional tests. This is done by allowing callers, namely other *aaS repos, to override information, like the project name and virtual environment used (for example, VPNaaS has two functional jobs with different virtual env).

Change-Id: I450273036e938a4acc9a7bc1dc193a9c207b2d58
Closes-Bug: #1446807

commit 26ef84f51ec34c20f43b3b75da3d0aa407fc3305
Author: Brian Haley
Date: Tue Apr 14 17:37:55 2015 -0400

Add IP version support to all ip_lib code

Added an ip_version argument to IpNeighCommand.show() and IpRouteCommand.pullup_route() to match other code in the file.

Change-Id: Ifdf2abc5a77f551223bad061a1abdc88695fa5f1

commit 22c9e5421fbf7c9cdb3f919a84d4b51a30609f82
Author: OpenStack Proposal Bot
Date: Mon May 4 06:08:30 2015 +0000

Imported Translations from Transifex

For more information about this automatic import see: https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: I676a4c8fc05330990be3b8bfe3f123fcd897b12f

commit 26284228dfc3c5f121f869dd6b2d2a492afaf659
Author: Kevin Benton
Date: Fri Apr 17 05:10:26 2015 -0700

Get all interfaces for get_snat_sync_interfaces

The get_snat_sync_interfaces method was being called for each router individually during a sync, which resulted in a new query to the database. This patch eliminates that waste by querying for the snat interfaces for all of the routers in the list at once.
Change-Id: I1e44a0cf15a70632e8b62ac89ce807a7a457747d
Partial-Bug: #1445412

commit dbe7ba1868f35af0142f78c70693ed69e6f42ca3
Author: YAMAMOTO Takashi
Date: Tue Apr 28 12:37:22 2015 +0900

OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention

The flow rules to match on ARP headers for spoofing prevention fail to install when an IPv6 address is used. These should be skipped since the ARP spoofing prevention doesn't apply to IPv6.

Co-authored-by: Kevin Benton
Closes-Bug: #1449363
Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde

commit 25795cbde864e249921c24561bea0e89a7024fea
Author: sridhargaddam
Date: Wed Apr 15 15:07:45 2015 +0000

Remove un-used keys in keepalived tests

Change-Id: Ie1069f5ee6c7c28da67260656c4a0753b930624a

commit 9e0993b6adbc23b31e0c88cdb7404416a144420d
Author: Salvatore Orlando
Date: Fri May 1 16:32:23 2015 -0700

Deprecate config-based Quota Driver

This patch displays a deprecation warning every time the quota driver neutron.quota.ConfDriver is loaded. The driver will be removed in the "M" cycle.

Change-Id: Ifb799755bce50bb089f8df020286fd2e95c80a68
Closes-Bug: #1430523

commit d544e6daeea6447f217b5663dbb1f7976224ea2e
Author: Salvatore Orlando
Date: Fri May 1 15:35:03 2015 -0700

Clarify stackforge/vmware-nsx is for VMware NSX suite

To avoid confusion with networking-vsphere.

Change-Id: I5e787ba9d7aab75ff568baf5f5b9a6c37bf24d08

commit cc291499490cbd0f21f34310c96bfa76d4d2a2a1
Author: OpenStack Proposal Bot
Date: Fri May 1 20:18:50 2015 +0000

Updated from global requirements

Change-Id: I42cf4af2058c08e8e805c323a5d0b7075947c031

commit 74fd34eef8892efd8ef8a3c992e2d9e59d9b0959
Author: Matt Riedemann
Date: Fri May 1 08:04:00 2015 -0700

l3 agent: fix grammar in router info not found warning

This offends my delicate sensibilities...
Change-Id: I4d00747093da6c39d5dc73272efd5acbcaa3684d

commit 723162501a5e2e5f202af9d95a1b946e3d43cf96
Author: Eugene Nikanorov
Date: Wed Apr 22 19:45:57 2015 +0400

Finally let L3 and DHCP agents cleanup namespaces by default

There has been a problem with iproute package that resulted in errors when deleting the namespaces, so deleting was turned off by default. According to tests with iproute version 3.12.0 there is no such issue so the option could be safely turned on by default.

DocImpact
Related-Bug: #1052535
Related-Bug: #1402739
Change-Id: I4c831f98fb2462382ef0f9216e265555186b965a

commit 661dea6b5e1861e56bfccc8ebe1ae637a70b3cbd
Author: Salvatore Orlando
Date: Wed Apr 29 16:07:27 2015 -0700

Context: is_admin==True implies is_advsvc=True

With this change, if the is_admin parameter is set to True when creating a context, the is_advsvc property is set to True as well, without executing a pointless check with policy engine.

Closes-Bug: #1450244
Change-Id: I0a21a82692665599260d07c00c55df18fc926eb5

commit 9a3d3764c509290999c3dee67d808ad5a433d8c7
Author: Ann Kamyshnikova
Date: Thu Apr 30 14:09:59 2015 +0300

Add some tests for floating ips

* Associate floating ip to port that has already another floating ip
* Associate floating ip with port from another tenant

Change-Id: I8da074e94526c21d4d6a6a7910052cda809a1338

commit b760fdf6640aedfcf480dd80913f4cf64bfcc51d
Author: Russell Bryant
Date: Tue Apr 21 11:53:08 2015 -0400

Add notes about official sub-projects.

There was recently a thread on openstack-dev titled "A big tent home for Neutron backend code." The thread began here:

http://lists.openstack.org/pipermail/openstack-dev/2015-April/062310.html

and has roughly ended up here:

http://lists.openstack.org/pipermail/openstack-dev/2015-April/062853.html

This patch is an attempt to reflect the end of that thread with updates to docs. Any further discussion should just continue on openstack-dev to avoid forking the discussion between openstack-dev and gerrit.
Change-Id: I48dbe8ac69e60fbfd5e5082844004aaf9fdce539

commit b65b1e6645a48174703591f0f8bec8d79d294d9b
Author: Romil Gupta
Date: Thu Apr 30 01:37:34 2015 -0700

Updated ovsvapp_agent.ini in neutron

We have added the vxlan support for OVSvApp l2 Agent.

References:
https://review.openstack.org/#/c/168866/
https://review.openstack.org/#/c/175148/
https://review.openstack.org/#/c/177616/

Change-Id: I8061a1280b765e71aa682711c55c469f8425dac6

commit e1fd7a8c5d1dd683603a75244f5baf273d018fc7
Author: Jakub Libosvar
Date: Wed Apr 29 12:04:03 2015 +0200

Don't use iterator in search for tunnel type

Changing dictionary size while using iterator causes RuntimeError. This can happen in local vlan mapping under certain program flows. This patch changes iteritems() to values() that returns list and thus prevents failure if local vlan mapping changes during creating tunnels.

Change-Id: I8a858d5c53e85f83a582f34205f9afa214cb4d58
Closes-Bug: 1449944

commit 3543d8858691c1a709127e25fc0838e054bd34ef
Author: rossella
Date: Thu Apr 23 22:57:18 2015 +0000

Remove is_active property from SimpleInterfaceMonitor

is_active property from SimpleInterfaceMonitor shadows the method is_active inherited from AsyncProcess. The property checks that ovsdb monitor is running and that it received some data. When ovsdb monitor starts it always receives data, since it processes the interfaces present on the machine, so the flag data_received will always be set to true right after SimpleInterfaceMonitor starts. Considering that, is_active can be removed and the method is_active inherited from AsyncProcess can be used instead.
Change-Id: I05faeddd061ab45af51c044a10462c3a57593d4d

commit fc1608a6a1430253174ca3760e38ab96230bc6ef
Author: OpenStack Proposal Bot
Date: Wed Apr 29 19:18:14 2015 +0000

Updated from global requirements

Change-Id: Icec7a7d00ebdd07673cfdb49a46faa4c73d3908a

commit 350e2d1ee8a1e300d5ef182be152db77b65bd44c
Author: Assaf Muller
Date: Tue Apr 28 11:44:16 2015 -0400

Disembowel register_l3_agent code duplication in tests

Change-Id: I32fe50ce0904ff439c615d9860782d76e94c48c3

commit 9b7beb0e29d1de3e7cc787a3c0e20d24ccb0427c
Author: Sam Betts
Date: Wed Apr 29 16:15:35 2015 +0100

Ensure mocks for lla allocator _write in test_agent

The test test_create_dvr_fip_interfaces_for_restart_l3agent_case was causing a file fip-linklocal-networks to be created when the tests are run; this patch ensures that the correct part of the LinkLocalAllocator is patched to prevent this in the test case.

Change-Id: Ifd0cae56324364b281a9279047b26a182b77905a
Closes-Bug: 1450090

commit 3e4e932a4d9dbfac908cf03c221b350e645d8b17
Author: Kevin Benton
Date: Mon Mar 30 11:29:44 2015 -0700

Fix _device_to_port_id for non-tap devices

This adjusts the _device_to_port_id function in ML2 to recognize other interfaces that belong to Neutron under different name prefixes. Adds unit tests to achieve full coverage of the _device_to_port_id method.

Closes-Bug: #1443710
Change-Id: I80284ee67e5876cf5689e49e1592ca1351ae5fa1

commit 4d638cfcf6564e8e155de131c98000d0d10a7e22
Author: OpenStack Proposal Bot
Date: Wed Apr 29 06:14:13 2015 +0000

Imported Translations from Transifex

For more information about this automatic import see: https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: I35b81a59fe9d273742cdebf7ee3d47c23e2f5b9a

commit 6dac1d6a4b882e51102caeacd9ed8d960c22c84d
Author: Gal Sagie
Date: Wed Apr 29 07:49:16 2015 +0300

Rename delete_gateway method name

Fix last comments from bug #1435012. Some comments were left out and the patch is already merged. This patch addresses these comments.
Rename method and remove an unneeded comment.

Change-Id: Ie087edf1fee7136eddf75ce01d4b640211445bfa

commit 5281e52512fc5b9b1017cf5c5da40cc92a7fe775
Author: Doug Hellmann
Date: Tue Apr 28 22:08:39 2015 +0000

Drop use of 'oslo' namespace package

The Oslo libraries have moved all of their code out of the 'oslo' namespace package into per-library packages. The namespace package was retained during kilo for backwards compatibility, but will be removed by the liberty-2 milestone. This change removes the use of the namespace package, replacing it with the new package names.

The patches in the libraries will be put on hold until application patches have landed, or L2, whichever comes first. At that point, new versions of the libraries without namespace packages will be released as a major version update. Please merge this patch, or an equivalent, before L2 to avoid problems with those library releases.

Blueprint: remove-namespace-packages
https://blueprints.launchpad.net/oslo-incubator/+spec/remove-namespace-packages

Change-Id: If8a132de65ba1e57ea93f98daac66816a3cefaa8

commit 7759db3fe9396e4385fdfc01c0d86c1ce33e294f
Author: Brian Haley
Date: Tue Apr 28 16:07:47 2015 -0400

Remove 'IP' from device exception message

Message should match others of this type elsewhere, and isn't IP-specific.

Cleanup from https://review.openstack.org/#/c/168806/

Change-Id: I4cd3eb86e078f069b871b3cd08b66024682f92a6

commit dd05b8b8290e9310b77518dcf439bb1793a716a0
Author: lijianlj
Date: Thu Jan 29 14:41:20 2015 +0800

Add icmpv6 to sg_supported_protocols

Support using icmpv6 (protocol num 58) in the protocol option when creating a security group rule. At this time, port_range_min/port_range_max represent icmpv6 type/code, and you can use only port_range_min to specify just one type.
e.g.:
neutron security-group-rule-create --direction ingress \
    --ethertype ipv6 --protocol icmpv6 --port-range-min 134 SECURITY_GROUP

ApiImpact
DocImpact
Partial-Bug: #1427973
Change-Id: Ide4f7476cdb8a4f04f72983917ce7dbfc7be90a5

commit f6845986446601b92082c811f4181016ef0fefc8
Author: Gal Sagie
Date: Mon Mar 30 10:40:36 2015 +0300

Suppress exception when trying to remove non existing device in SNAT redirect

The L3 service plugin first calls remove_router_interface from the L2 OVS agent, which deletes this port from OVS, and then the service plugin calls to remove the router interface from the L3 agent. Catch the exception thrown on the delete gateway; if it is due to the device not existing, ignore the exception.

Closes-Bug: #1435012
Change-Id: Ieeaa01e7c0393f5200d1a8d2bbbc16befe7699a2

commit a5e54338770fc074e01fa88dbf909ee1af1b66b2
Author: Henry Gessau
Date: Mon Apr 27 09:59:21 2015 -0400

Run radvd as root

During the refactoring of external process management radvd lost its root privileges.

Closes-bug: 1448813
Change-Id: I84883fe81684afafac9b024282a03f447c8f825a

commit 99de7cdf700218a54fa6fc2e194cca3ccb35abd4
Author: sridhargaddam
Date: Mon Apr 20 10:29:54 2015 +0000

Support multiple IPv6 prefixes on internal router ports for an HA Router

As part of BP multiple IPv6 prefixes, we can have multiple IPv6 prefixes on router internal ports. Patch I7d4e8194815e626f1cfa267f77a3f2475fdfa3d1 adds the necessary support for a legacy router. For an HA router, instead of configuring the addresses on the router internal ports we should be updating the keepalived config file and let keepalived configure the addresses depending on the state of the router.

Following are the observations with the current code for an HA router.

1. IPv6 addresses are configured on the router internal ports (i.e., qr-xxx) irrespective of the state of the router. As the same IP is configured on multiple ports you will notice dadfailed status on the ports.
2.
Keepalived configuration is not updated with the new IPv6 addresses.

This patch addresses the above issues for an HA Router.

Closes-Bug: #1446161
Partially-implements: blueprint multiple-ipv6-prefixes
Change-Id: Icb9a0e4e6e5deafbdc0135ce7e6b100b1725df66

commit c27310638bff452f54086cf027c442ad2a62e65f
Author: Xu Han Peng
Date: Thu Apr 9 01:46:36 2015 -0400

Not creating HA router when not enough l3 agents

Currently an HA router can be successfully created even when there are not enough active l3 agents. Current code only checks existing l3 agents but does not check if the agent is already down. This patch fixes this problem by checking only active l3 agents when getting the number of agents for scheduling an HA router.

Closes-Bug: 1420117
Change-Id: I6c1d108db1a7c93b61c0dd0b1ffee319a411b17a

commit 682c0fdcc2faad07e82968a7a7739f2dedd7173f
Author: Kevin Benton
Date: Fri Apr 17 04:54:41 2015 -0700

Eliminate extra queries used to retrieve gw_ports

The _get_sync_routers method was calling get_routers and then getting the gateway ports from the db in a separate get_ports call. This extra call is unnecessary since there is already an SQL relationship directly between the router and its gw_port.

This patch eliminates all of the additional gw_port retrieval logic by replacing the get_routers call with a _get_collection call to make use of the gw_port object already present on each router object.

Change-Id: I478bfef8b0273b343aa72bcd6787a486eba4f006
Partial-Bug: #1445412

commit a80924dc3e648984873833399350ba4817f1eaa9
Author: Kevin Benton
Date: Fri Apr 17 04:09:48 2015 -0700

Don't update port with host id of None

In the L3 RPC code, if the host for a port is not present, it ends up calling update_port with the host_id set to None. This does not update the host id at all because it's treated as an unset attribute, which leads to the same thing happening on the next iteration. These pointless update calls are expensive because they involve a semaphore and calls to mechanism drivers.
This patch adjusts the logic to only send a port update if it actually has a host to ensure is on the port.

Change-Id: Ic55496dd2ba3abcef0a2de9fc8699c391b79fa51
Partial-Bug: #1445412

commit 51c53ea40a30e0fcfbe9e4184f63fe4c1887ed6f
Author: lzklibj
Date: Sat Mar 21 09:58:15 2015 -0700

fix l3-agent restart with last runtime fip for dvr

In a DVR enabled environment, after we associate a floating IP to a VM, when we restart the L3-agent on the same compute node, the L3-agent will fail to create rtr_fip_subnet for router_info. The previous floating IP can still work, but new floating IPs associated to VMs related to the same router on this L3-agent will fail to configure and not work. This patch will fix this.

The method create_dvr_fip_interfaces in dvr_router.py will invoke fip_ns.create_rtr_2_fip_link, and the latter will create rtr_fip_subnet; consider that VMs related to the same router will share the same rtr_fip_subnet, so processing here should run only once for those VMs, once rtr_fip_subnet is created.

Current code will check dist_fip_count then decide whether to invoke fip_ns.create_rtr_2_fip_link or not. dist_fip_count should be zero if a router's related VMs have never been associated with any floating IPs before. But if a router has floating IPs associated to its related VMs, after it is restarted, dist_fip_count will be non-zero, and this is the point this patch tries to fix. And for the case where rtr_fip_subnet has been created, both dist_fip_count and is_first will be false, and fip_ns.create_rtr_2_fip_link will no longer need to be invoked.

Change-Id: I3786eab86755a403991728ccb72d03f159ff8b63
Closes-Bug: 1434824

commit 0399bf5c8b65175d0d308a5d4a1541161cbfad7d
Author: rajeev
Date: Wed Feb 25 13:45:11 2015 -0500

Refactoring to adhere to coding convention

By convention, internal properties of the DvrRouter class are initialized to None in the constructor.
This patch initializes the fip_ns property to None in order to adhere to those guidelines.

Change-Id: Ic135102a4c9372fcbbdba261f906b594e247d451

commit 4be5c2f6dc635e1139e268b078ba3c28c3bcefb6
Author: Kevin Benton
Date: Fri Apr 17 04:51:26 2015 -0700

Replace unnecessary call to get_sync_routers

Replaces a call to get_sync_routers with a single-column router DB query in a method that doesn't use any of the gateway information get_sync_routers spends extra time populating.

Change-Id: I35eae975209316aad6b2c97c909dce385729864d
Partial-Bug: #1445412

commit 521e036a45eeb26c72e66aae2dab1a3b383bccc5
Author: Eugene Nikanorov
Date: Sat Apr 25 00:50:25 2015 +0400

Move test_get_user_allocation*returns_none test to a proper class

Move it out of NeutronDbPluginV2TestCase so there is no test duplication.

Change-Id: Ib01f2d651c1b0a48062656bd1f66c52481a86ad6
Closes-Bug: #1448268

commit 954b553439964b7258568c1b71d9fdfd1f5a91cb
Author: Cedric Brandily
Date: Thu Mar 5 21:43:09 2015 +0000

Replace BaseLinuxTestCase by BaseSudoTestCase

BaseLinuxTestCase provides 2 methods which are used once/three time(s); this change inlines these methods, removes BaseLinuxTestCase and replaces it by BaseSudoTestCase.

Change-Id: I2b60abf55193f535fc7d7637bcb2f15c6a372a87

commit e78a49c86cc00cb92bc143dc6d72747c9d875297
Author: Cedric Brandily
Date: Fri Apr 24 21:20:40 2015 +0200

Remove RecursivePermDirFixture useless cleanup

This change removes a useless cleanup in RecursivePermDirFixture: previously RecursivePermDirFixture reverted permission changes on directories, but the cleanup is useless as directories are provided by TempDir.

Change-Id: I76c8dbefe3b42ec34a50fb164b9cbc25f4ac4245

commit d0d7030ce78cf3fb182a8d824b3770ab0f124d7a
Author: Carl Baldwin
Date: Mon Apr 20 22:15:46 2015 +0000

Utilities for building/parsing netns names to facilitate testing

Creating these utilities allows functional tests to mock them out more easily in order to change the namespace identification and cleanup behavior.
Change-Id: I76cb2dc43a0ca4a7ea27c2ea71b27068b92154ce
Related-Bug: #1446261

commit e6bd3ed9c86ff493b7087c99797bfd3fb473c3a7
Author: armando-migliaccio
Date: Fri Apr 24 09:27:40 2015 -0700

Fix MismatchError due to nondeterministic order for list of controllers

The list of controllers returned by the ovsdb server can be in any order, therefore we can't assert likes for likes. Assert the sorted lists instead.

Change-Id: Ice3bb8cc0b3da70f8c9aae50d8cdae2b474ff49b
Closes-bug: #1448202

commit 697c934933c9d5edcb2d9392a7626f2676d67ed7
Author: Kevin Benton
Date: Fri Apr 24 06:52:21 2015 -0700

Add missing interface to populate subnets method

Change Ib46f685d72eb61ecbaa2869e28fb173cd6d49552 introduced an optimization to defer the lookup of interface subnet info until all of the router interfaces were collected. However, it didn't add the DVR SNAT interface to the list of interfaces to populate subnet info, so it broke DVR.

This patch corrects the behavior by adding the DVR SNAT interface to the list of ports that need subnet info populated.

Change-Id: I32054ff00bf6992c5dedd21735b6d2afd15c5fb3

commit 88510ef1b153fc548fc5bccc24e116a0882e66a8
Author: Elena Ezhova
Date: Tue Apr 7 14:54:45 2015 +0300

Refactor socket ssl wrapping

Move socket wrapping into a separate method in order to separate its logic from other actions done in _get_socket. Now, ssl wrapping is applied to the socket returned by the _get_socket method. Additionally, checks for ssl config options are now performed during init and not each time wrap_socket is called.

Added unit tests.

Related-Bug: #1276694
Change-Id: I706517ae351a7a681623ec91c9657a2f61cd2679

commit db9ac7e0110a0c2ef1b65213317ee8b7f1053ddc
Author: Kevin Benton
Date: Fri Apr 24 00:35:31 2015 -0700

Don't resync on DHCP agent setup failure

There are various cases where the DHCP agent will try to create a DHCP port for a network and there will be a failure. This has primarily been caused by a lack of available IP addresses in the allocation pool.
Trying to fix all availability corner cases on the server side will be very difficult due to race conditions between multiple ports being created, the dhcp_agents_per_network parameter, etc.

This patch just stops the resync attempt on the agent side if a failure is caused by an IP address generation problem. Future updates to the subnet will cause another attempt, so if the tenant does fix the issue they will get DHCP service.

Change-Id: I0896730126d6dca13fe9284b4d812cfb081b6218
Closes-Bug: #1447883

commit 8a4540acac511cacb0d4f5680ce285e913f7ff50
Author: Cedric Brandily
Date: Sun Mar 1 23:05:36 2015 +0000

Replace BaseIPVethTestCase by FakeMachine

This change removes the BaseIPVethTestCase class and moves the Pinger class to allow its use from a fake machine.

Change-Id: I0636f11a327e9535828e7b52e60195e52831a0b2

commit 6b6384d15ea84518238d4f34106022bef8fa85a2
Author: OpenStack Proposal Bot
Date: Fri Apr 24 06:13:56 2015 +0000

Imported Translations from Transifex

For more information about this automatic import see: https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: Ib7e961af3fe219179b3c6847f8fec785ad040351

commit 27c8ad5108208afcae8494d5bb2827edb858545e
Author: Aaron Rosen
Date: Wed Mar 4 13:34:26 2015 -0800

Allow plugin to specify router_id

It is useful to allow the backend to specify the uuid that we want neutron to use. We currently do this same thing for networks. This patch enables the same behavior for routers as well.

Change-Id: If675dfd2997217886976301270ef5f773ffa7a13

commit 9274c590a78444e9157afd4d41bff566b26c9323
Author: sridhargaddam
Date: Mon Dec 8 16:11:38 2014 +0000

Neutron to Drop Router Advts from VM ports

As part of the Spoofing filter chain, Neutron drops all the outbound traffic where MAC/IP does not match the IP address assigned to the VM ports (inc' allowed_address_pairs). Along with this, we also drop traffic associated to a dhcp[v6] server (i.e., do not allow a VM to run a dhcp[v6] server).
Currently we do not have any rules to drop Router Advts from VM ports. This can create issues in the network as other devices in the network may not have any protection for this kind of stuff. Even if we allow RAs from the VM ports, because of the Anti-Spoofing rules that are applied, a VM cannot act as an IPv6 router (i.e., it cannot forward IPv6 traffic). So there is no point in allowing Router Advts from VMs assuming that it would be useful in Service VM use-cases. In order to properly implement an IPv6 router as a Service VM, one needs to use the port_security_extension [1] which allows us to disable security group rules/anti-spoofing filters on the VM ports.

[1] https://review.openstack.org/#/c/99873/22/specs/kilo/ml2-ovs-portsecurity.rst

This patch disables Router Advts from VM ports.

Closes-Bug: #1372882
Change-Id: I8db5d6dbe60bf04f4e3754a886c6aa8a97a16bab

commit e2d5be1cb3094ffbfc979aa04262f3dbc43f38ec
Author: Assaf Muller
Date: Thu Apr 23 13:43:29 2015 -0400

Fix L3 agent functional tests random failures

The test_ha_router_failover tests were not being unmocked. This is because the same object was being mocked twice, but unmocked once. The mock.patch.stopall call in the tests base class was rewinding the value of the object from the second mock to the first mock. Follow up tests in the same worker were using namespace names defined via the first mock in the failover test.

Closes-Bug: #1446261
Change-Id: I8f24b8bb3a6a501dbe210c2cc67c47fa4b76257c

commit dd995ca711f642eba9a40ee7c75e48b497dab5a2
Author: Assaf Muller
Date: Wed Apr 22 12:04:42 2015 -0400

Mock report_state during L3 agent functional tests

Less spam, yay!
Change-Id: I0a6162057f968511b200713359afdc54b107fc39

commit 4625c45a30ffe09fbd29c16337e64e264de75bd8
Author: Salvatore Orlando
Date: Fri Apr 17 16:59:42 2015 -0700

Remove backward compatibility for check_is_admin

This routine in policy.py used to have a backward compatibility check to ensure proper behaviour even when the policy.json file did not have a specific 'context_is_admin' policy.

However, this backward compatibility check does not work. It appears indeed that it has been broken for several release cycles; it is also possible that actually it never worked. When the 'context_is_admin' policy is not in the policy.json file the enforcer simply ends up evaluating whatever is the default policy configured there.

Therefore this patch:
- Removes the backward compatibility check, since it does not work
- Fails, for safety, check_is_admin if 'context_is_admin' policy is not specified
- Fixes check_is_advsvc in the same way (the backward compatibility check never made any sense for this function)
- Fixes unit tests adding appropriate tests for check_is_admin and check_is_advsvc

Change-Id: Ia47e5781d86a3f21b9d837c9ac70a62ac435d20b
Closes-Bug: #1445690

commit aa769e7065075df06d98c676de0bbff742cdc92a
Author: Kevin Benton
Date: Tue Apr 21 04:28:27 2015 -0700

Add weak reference test for callback manager

Adds a unit test to make sure the callback manager can have weakly referenced functions as callbacks.

Change-Id: Ic811e8fe63bcde2d89cdb39f9a641cde1ebd9ddb

commit 2f9b0ce940099bcc82d2940b99bdc387db22d6fc
Author: sridhargaddam
Date: Wed Apr 8 10:57:19 2015 +0000

Spawn RADVD only in the master HA router

Currently radvd is spawned in all the HA routers irrespective of the state of the router. This approach has the following issues.

1. While processing the internal router ports (i.e., qr-xxx), ha_router removes the LLA of the interface and adds it as a VIP to Keepalived conf.
Radvd daemon is spawned after this operation in the router namespace (if the port is associated with any IPv6 subnets). Radvd notices that the qr-xxx interface does not have the LLA, so does not transmit any Router Advts. In this state, VMs fail to acquire IPv6 addresses because of the missing RAs. Radvd does not recover even after keepalived configures the LLA of the interface. The only solution is to restart/reload the radvd daemon. Currently keepalived-state-change monitor does not do any radvd related operations when a state transition happens. So we end up in this state forever.

2. For all the routers in Backup state, the qr-xxx interface does not have an LLA as it is managed by keepalived and configured only on the Master HA router. In such agents syslog is flooded with the messages [1] and this can cause loss of other useful info.

[1] - resetting ipv6-allrouters membership on qr-2e373555-97

This patch implements the following.

1. If the router is already in the Master state, we configure the LLA as a VIP in keepalived conf but do not delete the LLA of the internal interface.
2. We spawn radvd only if the router is in the Master State.
3. Keepalived-state-change monitor takes care of enabling/disabling radvd upon state transitions.

Closes-Bug: #1440699
Change-Id: I351c71d058170265bbb8b56e1f7a3430bd8828d5

commit 0c1f96ad5a6606c1205bd50ea944c3a383892cde
Author: watanabe.isao
Date: Wed Apr 15 15:48:08 2015 +0900

Restrict subnet create/update to avoid DHCP resync

As we know, IPs in a subnet CIDR are used for
1) Broadcast port
2) Gateway port
3) DHCP port if enable_dhcp is True, or updated to True
4) Others go into allocation_pools

Above 1) to 3) are created by default, which means if the CIDR doesn't have that many IPs, subnet create/update will cause a DHCP resync.

This fix adds some restrictions for the issue:
A) On subnet create, if enable_dhcp is True, /31 and /32 cidrs are forbidden for IPv4 subnets while /127 and /128 cidrs are forbidden for IPv6 subnets.
B) On subnet update, if enable_dhcp is changing to True and there are no more IPs in allocation_pools, the request should be denied.

Change-Id: I2e4a4d5841b9ad908f02b7d0795cba07596c023d
Co-authored-by: Andrew Boik
Closes-Bug: #1443798

commit d72572729152e709c5f7ebae2896d5f66748b59b
Author: watanabe.isao
Date: Thu Apr 2 10:54:56 2015 +0900

Make sure OVS restarts when Exception occurred

This fix lets flows in br-tun automatically recover from an Exception, which is the ideal situation. Simply improving a missed flag will make sure OVS restarts properly after we have walked out of the Exception loop.

Change-Id: Id0ac9399ec39fef19ce71566670ed245c681192e
Closes-Bug: #1439472

commit 8959032dfb195ba3836e50fbccecbfedb9164038
Author: armando-migliaccio
Date: Tue Apr 21 16:47:09 2015 -0700

Remove dependency on weak reference for registry callbacks

The use of weakref was introduced as a preventive measure to avoid potential OOM kills, however that limited our ability to employ certain functions as callbacks, such as object methods (see [1] for an example). Since the adoption of the callback registry, it has been observed that callbacks are generally long lived (for the entire duration of the process they belong to), therefore this limitation appears to be too restrictive at this point in time.

Some might argue that it's better safe than sorry, but until we have some evidence of actual OOM kills, it's probably best to take the bolder action of removing the adoption of weak references and deal with the potential fallout, should it happen.

[1] https://review.openstack.org/#/c/175179/

Change-Id: Idcd0286fc4235af82901c8a17ea45bc758b62b37

commit ec408ac379108eee26d87a8d9834180db11877e0
Author: Salvatore Orlando
Date: Wed Apr 22 13:27:53 2015 -0700

Ensure metadata network works with DVR

As DVR routers use a different type of interface, this patch amends the DHCP agent code ensuring that a metadata proxy is spawned when the metadata network feature is enabled on the DHCP agent.
Change-Id: Id7f2e891c0753620a604cf6160c6b592db1aa284
Closes-Bug: #1447344

commit 16db327c8d65a13fb18538b537fdc631c256ce59
Author: Assaf Muller
Date: Wed Apr 22 12:12:47 2015 -0400

Change callbacks logging from INFO to DEBUG

This is an internal implementation detail; would admins care if internal events are being fired off successfully? What actionable information does this present?

Change-Id: I81418c1ff529b5a8ffe60513d91f51d134a45f26

commit fc6484357c266d7e6111afd0003a6ff3daec9022
Author: Assaf Muller
Date: Mon Apr 20 11:53:41 2015 -0400

Fix DVR functional tests resources leak

Change-Id: I882bd9127a61de7e016abfca53d22b01cbf57835
Closes-Bug: #1446288

commit 35acb27da0a762184129d97d43a7b93c9daddf91
Author: Brent Eagles
Date: Tue Feb 17 13:45:25 2015 -0330

Refactor RESOURCE_ATTRIBUTE_MAP cleanup

This patch adds an AttributeMapMemento class that can be used for restoring the RESOURCE_ATTRIBUTE_MAP on test tear down. Tests containing their own cleanup code have been modified to use it instead.

Change-Id: I7ce5182bdfb8f541741a327feada63a29ddac2ae

commit 3b537033206a6321fe0f8300ce284ef518ac348c
Author: Robert Li
Date: Tue Apr 21 15:58:00 2015 -0400

remove metadata_proxy_local filters for rootwrap

With the dependent patch Iade8b5b09bb53018485c85f8372fb94dbc2ad2da, /usr/local/bin is added to exec_dirs in rootwrap.conf. Therefore, these filters are no longer needed for the devstack use case.

Depends-On: Iade8b5b09bb53018485c85f8372fb94dbc2ad2da
Change-Id: I98bff3cc679dfe19315f2b9b028ff48e4296e0de

commit 0109578a8ec07f743f7e2b654007e17f145ea20f
Author: Eugene Nikanorov
Date: Sat Apr 18 15:31:44 2015 +0400

Fix incorrect query for user ip allocations

Previously the query was fetching an IPAllocation object incorrectly, relying on the fact that it has a port attribute that should be join-loaded when it really is not.
Incorrect query produced by previous code:

SELECT ipallocations.port_id AS ipallocations_port_id,
       ipallocations.ip_address AS ipallocations_ip_address,
       ipallocations.subnet_id AS ipallocations_subnet_id,
       ipallocations.network_id AS ipallocations_network_id
FROM ipallocations, ports
WHERE ipallocations.subnet_id = :subnet_id_1
  AND ports.device_owner NOT IN (:device_owner_1)

The query then may have produced results that don't satisfy the condition intended by the code.

Query produced by the fixed code:

SELECT ipallocations.port_id AS ipallocations_port_id,
       ipallocations.ip_address AS ipallocations_ip_address,
       ipallocations.subnet_id AS ipallocations_subnet_id,
       ipallocations.network_id AS ipallocations_network_id
FROM ipallocations JOIN ports ON ports.id = ipallocations.port_id
WHERE ipallocations.subnet_id = :subnet_id_1
  AND ports.device_owner NOT IN (:device_owner_1)

Change-Id: I34682df784e30e3ce49ee48c690f8b799ad58149
Closes-Bug: #1357055

commit 7743e571cd15ec50a35a34dc3cc668702c54393d
Author: Eugene Nikanorov
Date: Wed Apr 22 04:14:42 2015 +0400

OOP naming cleanup in l3_dvr_db

Start protected method names with underscore.

Closes-Bug: #1446911
Change-Id: Iddf4f467118e40eb5b4bfe18bde00aa9d34b2ec4

commit 2414834ffeb8ba7ce2401236d01c88702fec5a14
Author: Édouard Thuleau
Date: Tue Feb 10 13:43:34 2015 +1300

ARP spoofing patch: Low level ebtables integration

ARP cache poisoning is not actually prevented by the firewall driver 'iptables_firewall'. We are adding the use of the ebtables command - with a corresponding ebtables-driver - in order to create Ethernet frame filtering rules, which prevent the sending of ARP cache poisoning frames.

The complete patch is broken into a set of smaller patches for easier review. This patch here is the first of the series and includes the low-level ebtables integration, unit and functional tests.
Note: This commit is based greatly on an original, now abandoned patch, presented for review here: https://review.openstack.org/#/c/70067/

Full spec can be found here: https://review.openstack.org/#/c/129090/

SecurityImpact
Change-Id: I9ef57a86b1a1c1fa4ba1a034c920f23cb40072c0
Implements: blueprint arp-spoof-patch-ebtables
Related-Bug: 1274034
Co-Authored-By: jbrendel

commit 4000b18275112a0c9e3aa055fbaea634ac89a382
Author: Maru Newby
Date: Fri Apr 17 23:49:09 2015 +0000

Fix test discovery for api and functional paths

The use of the builtin unittest test loader was silently dropping tests that couldn't be imported. This change also drops the retargetable path from discovery in the api path due to a previously-masked configuration problem, and fixes an invalid import in a functional testing fixture module.

Fullstack tests are also disabled temporarily pending a fix for #1446261.

Change-Id: Ie44e45c117bd864538e7919dfcf499091fde7752
Related-Bug: #1440834
Related-Bug: #1443480
Closes-Bug: #1446405

commit 927399c011409b7d152b7670b896f15eee7d0db3
Author: Kevin Benton
Date: Tue Apr 21 02:01:39 2015 -0700

Block allowed address pairs on other tenants' net

Don't allow tenants to use the allowed address pairs extension when they are attaching a port to a network that does not belong to them. This is done because allowed address pairs can allow things like ARP spoofing and all tenants attached to a shared network might not implicitly trust each other.

Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5
Closes-Bug: #1447242

commit 3b74095a935f6d2027e6bf04cc4aa21f8a1b46f2
Author: Ihar Hrachyshka
Date: Mon Apr 20 17:06:38 2015 +0200

tests: confirm that _output_hosts_file does not log too often

I3ad7864eeb2f959549ed356a1e34fa18804395cc didn't include any regression unit tests to validate that the method won't ever log too often again, reintroducing a performance drop in later patches.
It didn't play well with stable backports of the fix, where context was lost when doing the backport, which left the bug unfixed in stable/juno even though the patch was merged there [1].

The patch adds an explicit note in the code that suggests not to add new log messages inside the loop to avoid regression, and a unit test was added to capture it.

Once the test is merged in master, it will be proposed for stable/juno inclusion, with additional changes that would fix the regression again.

Related-Bug: #1414218
Change-Id: I5d43021932d6a994638c348eda277dd8337cf041

commit 46a842136e93ce21936cbf28950b6f0d358c3359
Author: Henry Gessau
Date: Tue Apr 21 11:35:10 2015 -0400

Fix super cleanUp for fullstack ProcessFixture

This fixes a problem where the fullstack neutron-server process would sometimes not be stopped after tests completed.

Change-Id: Iadf9f47fc22b39144cfc6163330ca60fefc8b464

commit 868e67b480b08cc815d802cf950547c6b5ac0153
Author: armando-migliaccio
Date: Thu Apr 16 12:45:32 2015 -0700

Add security groups events

ML2 mech drivers have no direct exposure to security groups, and they can only infer them from the associated network/ports. This is problematic as agentless ML2 mech drivers have no way of intercepting securitygroups events and propagating the information to their backend, or more generally, reacting to them.

This patch leverages the callback registry to dispatch such events so that interested ML2 mech drivers (or any interested party like service plugins) can be notified and react accordingly.

This patch addresses create/update/delete of security groups and create/delete of security group rules. Other events may be added over time, if need be.

This patch is only about emitting the events. The actual subscription and implementation of the event handlers will have to take place where deemed appropriate.
Closes-bug: #1444112
Change-Id: Ifa1d7ee9c967576f824f1129dd68e6e3abd48f5c

commit 615102520c0df3952347c3e176b60c0ddc97040b
Author: Ryan Tidwell
Date: Tue Apr 14 15:53:02 2015 -0700

Block subnet create with mismatched IP versions

Change-Id: Ic0a3baf0e956505999d2473ae85ebac90e0970cd
Closes-Bug: 1444146

commit d3f13320be51afd8e4fa384602eee88b6e0438a5
Author: Jakub Libosvar
Date: Tue Apr 21 16:44:58 2015 +0200

Remove neutron.tests.common.agents package

It seems like the agents package content was removed by commit 01a7ba19cf6661b1aef7d08fb748bb2470caf28f but the package itself was left in the tree.

Change-Id: I651f8010aa7c4af59ce403b099db7bc064364133

commit 9701bd479529ccc243e48fdb944c284d2921c376
Author: Kevin Benton
Date: Fri Apr 17 04:46:11 2015 -0700

L3 DB: Defer port DB subnet lookups

_populate_subnets_for_ports was being called multiple times for different interface types during the get_routers process. This patch eliminates those extra queries by deferring the subnet information population until after all of the interfaces have been looked up.

Includes a function rename as well to indicate that a function is only used internally.

Change-Id: Ib46f685d72eb61ecbaa2869e28fb173cd6d49552
Partial-bug: #1445412

commit 6cf92011143eb55adda180ffac91886566fc7826
Author: Darragh O'Reilly
Date: Thu Apr 16 18:21:03 2015 +0000

lb-agent: ensure tap mtu is the same as physical device

On compute-nodes, Nova creates the bridge with the tap before the physical is in the bridge. This causes the tap to have the default 1500 MTU, which may be different to what is on the physical. With this patch the linuxbridge agent ensures that the MTU on the tap device is the same as what is on the physical device.
    Change-Id: Id1a4f662ec33ca0333c15eb210366bc850d0d54c
    Closes-Bug: 1443607

commit f85de393c469d1e649a1c1e5ee1b683246442351
Author: Kevin Benton
Date:   Mon Apr 20 22:26:22 2015 -0700

    Only update MTU in update code for MTU

    The ML2 create_network_db was re-passing in the entire network with extensions like vlan_transparency present that was causing issues in the base update function it was calling. This corrects the behavior by having it only update the MTU, which is the only thing it was intending to update in the first place.

    Change-Id: I723c5c138e0830de98f6024c7635ec65065e9346
    Closes-Bug: #1446784

commit 0cde6752f86d84541c8c10a39bb1c8b0d65e5482
Author: YAMAMOTO Takashi
Date:   Tue Apr 21 14:07:08 2015 +0900

    Revive BaseLinuxTestCase._create_namespace

    It was removed by commit 7f7343b1afc0b1b953e5c36a753397a6d37316cb but still has a few users.

    Closes-Bug: #1446465
    Change-Id: I2914700f17ae38a775735906931f0f616c13c602

commit 649599457e29b58ad0aec9ace990e0a2b59b05d0
Author: Kevin Benton
Date:   Fri Apr 17 03:53:45 2015 -0700

    Defer creation of router JSON in get_routers RPC

    The get_routers method in the l3 RPC code has a log.debug statement that formats all of the router data as indented JSON. This method can be expensive if there are hundreds of routers being synced and it happens even if debugging is disabled since the function call result is the parameter to the debug statement.

    This patch adds and leverages a small helper class that takes a callable and its args and defers calling it until the __str__ method is called on it when it's actually trying to be rendered to a string.

    Change-Id: I2bfceb286ce30f2a3595381b62bdc6dd71ed8483
    Partial-Bug: #1445412

commit d36940b720616ec6607c62eca50023eb00bdae01
Author: YAMAMOTO Takashi
Date:   Thu Apr 16 13:39:55 2015 +0900

    ovs_lib: Fix a race between get_port_tag_dict and port removal

    get_port_tag_dict() gets a list of ports using get_port_name_list() and then queries the db again for ports in the list.
    It fails if some of the ports disappeared in between. This change fixes it by ignoring "not exist" errors in the later query.

    Closes-Bug: #1444797
    Change-Id: Ic54b644bb1d72a4664b70f124863d17805c26fff

commit ccd30a8cab6b91259cfb09b16a8fbbf69747cdf4
Author: Cedric Brandily
Date:   Wed Oct 22 14:03:13 2014 +0200

    Correct inconsistent enable_snat management

    Neutron resets enable_snat attribute when external_gateway_info is cleared but not when external_gateway_info is only updated which implies the following sets of actions have different behaviors:

        neutron router-gateway-set router1 pub1 --disable-snat
        neutron router-gateway-set router1 pub2

    enable_snat is False after the last command

        neutron router-gateway-set router1 pub1 --disable-snat
        neutron router-gateway-clear router1
        neutron router-gateway-set router1 pub2

    enable_snat is True after the 2nd command resets the gateway AND enable_snat.

    This change proposes to always reset the attribute enable_snat when enable_snat is not provided in external_gateway_info on POST/PUT for consistency.

    APIImpact
    Change-Id: Ibab289936c55b1cf9614b44a4f18f54c959ee9e8
    Closes-Bug: #1384146

commit bde4f6f767d3da4c3eca15390ea45a934f2ff398
Author: Aaron Rosen
Date:   Mon Apr 20 12:45:12 2015 -0700

    _create_subnet_from_implicit_pool assumes external network extension

    network.external is only present if one is using the external_net_db mixin. This patch just adds a check to see if network has the attribute external to avoid an AttributeError.
    Closes-bug: 1441793
    Change-Id: Ic003879b557a8c7ab52268a95d08d6d710618438

commit d9e3352f9a7df6e7bc571ca1696a1ef4ca716654
Author: Assaf Muller
Date:   Mon Apr 20 15:15:34 2015 -0400

    Log caught exceptions while deleting a router

    Change-Id: I2c270f1eebf4f3c0d2cecdef457efc626e503975
    Closes-Bug: #1446349

commit 7f7343b1afc0b1b953e5c36a753397a6d37316cb
Author: Cedric Brandily
Date:   Sun Mar 1 22:08:58 2015 +0000

    Define FakeMachine helper for functional/fullstack tests

    The change defines the FakeMachine fixture/helper which emulates a machine through a namespace with:
    * a port bound to a bridge,
    * an ip on the port,
    * a gateway (if requested).

    The FakeMachine class can be used to emulate:
    * a VM for testing network features (ex: metadata service),
    * an external machine for testing "external" network features (ex: routing/natting),
    * a server for low level tests of network features (ex: iptables).

    The change also defines PeerMachines fixture/helper to create some fake machines bound to a bridge.

    Change-Id: I4fde1a03badd9adfd14b9124b5602331b69dda9d

commit ba05644bc888d23e571386bbaa6ae8c7597c8c98
Author: Ihar Hrachyshka
Date:   Mon Mar 30 18:41:28 2015 +0200

    Replace custom method call logger with oslo.log helper

    oslo.log now provides a logging helper that is similar to the custom neutron helper (actually, the helper in oslo.log started from neutron version). Now switching to library implementation.

    Deprecated neutron.common.log.log

    Change-Id: I85d5fc570950ff18cfdb8db20ad20b166e195299

commit e214b56da9205be7ba927142cc92e4f69ad09b01
Author: Assaf Muller
Date:   Mon Mar 2 11:29:51 2015 -0500

    Simplify keepalived.virtual_routes

    keepalived.virtual_routes previously held one list of virtual routes of different kinds, and the HA router class manipulated that list directly. The list held both the default gateway virtual route, and any extra routes.
    This means that when adding extra routes for example, the HA router would first have to remove all routes that are not default gateway routes, then add the extra routes received via RPC. This is messy because:
    a) It's needlessly complicated
    b) It's fragile
    c) There's zero separation of concerns (HA router should not know how keepalived maintains its list of virtual routes)
    d) It requires changes to the management of the default gateway and virtual routes just to add another type of extra routes

    This patch solves these issues by separating the persistency of virtual routes according to their role.

    Co-Authored-By: gong yong sheng
    Related-Bug: 1414640
    Change-Id: I1406b1876c3a47b110818686b42e5f2f688154fa

commit 4791746f416164f45223332a0be1b257aeeeaa9a
Author: YAMAMOTO Takashi
Date:   Mon Feb 23 13:23:53 2015 +0900

    l2pop UT: Simplify migration tests

    "port2" is created but not used in the tests.

    Change-Id: Ib27d32063a2b5cecc707a6aece4e604cbfecefa7

commit a6af531339c870bdc330f3343c91dce3e6757c3e
Author: YAMAMOTO Takashi
Date:   Wed Apr 8 17:29:10 2015 +0900

    l2pop UT: Expire cached db objects before reusing a session

    Partial-Bug: #1441488
    Change-Id: Ic22ae49d99b52e9f650ea0ed638842e7c91831af

commit 35fbe1c884f7e91a27506ec782c6d379b804f4f9
Author: Terry Wilson
Date:   Fri Apr 17 16:13:09 2015 -0500

    Correct typo for matching non-dict ovsdb rows

    As can be seen just above, the correct operator for the equality test is '=' and not '=='. This match isn't currently being used in the neutron code, but will be used by the OVN driver. The previous code would also raise NotImplemented when there was no match.
    Change-Id: I17ac85d1ad68d3e207225db300f65c0df1f6e1ad

commit c65d3ab6ad4589e6e4a6b488d2eb5d1e4cfee138
Author: Swaminathan Vasudevan
Date:   Tue Apr 14 21:34:33 2015 -0700

    Fixes race condition and boosts the scheduling performance

    This patch fixes a race-condition that occurs when the scheduler tries to check for dvr serviceable ports before it schedules a router when a subnet is associated with a router. Sometimes the dhcp port creation is delayed and so the router is not scheduled to the l3-agent.

    Also it boosts the scheduling performance on dvr-snat node for scheduling a router.

    This patch will provide a work around to fix this race condition and to boost the scheduling performance by scheduling a router on a dvr-snat when dhcp is enabled on the provided subnet, instead of checking all the available ports on the subnet.

    Closes-Bug: #1442494
    Change-Id: I089fefdd8535bdc9ed90b3230438ab0bfb6aab4f

commit 9b53b82ce7dad551ebc0f02ff667d5345fb7e139
Author: mathieu-rohon
Date:   Sat Mar 7 13:30:49 2015 +0100

    ML2: Change port status only when it's bound to the host

    Currently, nothing prevents the port status from being changed to BUILD state when get_device_details() is sent by a host that doesn't own the port. In some cases the port might stay in BUILD state. This could happen during a live-migration, or for multi-hosted ports such as HA ports.

    This commit allows the port status modification only if the port is bound to the host that is asking for it.

    Closes-Bug: #1439857
    Closes-Bug: #1438040
    Closes-Bug: #1416933
    Change-Id: I9b3673f453abbafaaa4f78542fcfebe8dc93f2bb

commit 3310c3c3d4c05c0d13f32f08f978ba4813e2a39a
Author: Kevin Benton
Date:   Fri Apr 17 04:28:58 2015 -0700

    Remove double queries in l3 DB get methods

    Two frequently called functions were querying the routerport table and the corresponding ports just to get the port ID. Then they were calling get_ports again with those port IDs, resulting in two queries to the port table when there should have only been one.
    This eliminates the second call to get_ports since all of the necessary data has been retrieved from the port table.

    Change-Id: I806e9c380b7de048fe084b2baf4b6f92ab0edf6b
    Partial-Bug: #1445412

commit 6c6d3c9cca17a788a31526bb652dcdfc7bb54326
Author: Kevin Benton
Date:   Fri Apr 17 04:18:56 2015 -0700

    Strip unnecessary overrides in extraroute_db mixin

    The extra route DB mixin seemed to be overriding the get_router and get_routers method for no reason. They both just called the super version of themselves with the same arguments. This patch just pulls those functions out.

    Found in tracebacks while working on a related bug.

    Change-Id: Ifd1a0676073e91104db3a13df6fe1eb2189f20f5
    Related-bug: #1445412

commit 10b17a884452736a6b214bcb7705b955192a1748
Author: Kevin Benton
Date:   Fri Apr 17 03:36:50 2015 -0700

    Set loading strategy to joined for Routerport/Port

    The RouterPort model has a relationship to the ports model which is frequently relied on to get the port IDs of interfaces attached to a router. However, this defaults the loading strategy to 'select', which meant a new query was being emitted for every interface to the ports table just to get the ID.

    This patch adjusts the relationship to be 'joined' by default so one query will fetch the related ports.

    Another option would have been not to use the port object at all since the ID is all that the callers were usually interested in. However, they would end up using the ID to do a port lookup, which is being optimized away in another patch anyway so the full port object from the relationship will end up getting used.

    Change-Id: Id1ae35f845f7367d5f1f065c6fa637da7b980a2b
    Partial-Bug: #1445412

commit 05a9f16257c2953bf40d11ca2a2f9651ba4e86b2
Author: armando-migliaccio
Date:   Thu Apr 16 17:37:51 2015 -0700

    Avoid double-hopping deletes for security group rules

    There is no need to get and delete; we can delete with one bullet. This will most likely have quite a decent performance benefit overall.
    The patch preserves the existing logic of raising an error on the missing element; a test was added to spur up the coverage.

    Related-bug: #1444112
    Change-Id: Iaef77bd3f7775ed91d374838fb5488d925b4062c

commit a38b5df5cd3c47672705aad4c30e789ae11ec958
Author: Kevin Benton
Date:   Mon Mar 30 23:52:56 2015 -0700

    Set IPset hash type to 'net' instead of 'ip'

    The previous hash type was 'ip' and this caused a major issue with the allowed address pairs extension since it results in CIDRs being passed to ipset. When the hash type is 'ip', a CIDR is completely enumerated into all of its addresses so 10.100.0.0/16 results in ~65k entries. This meant a single allowed_address_pairs entry could easily exhaust an entire set.

    This patch changes the hash type to 'net', which is designed to handle a CIDR as a single entry.

    This patch also changes the names of the ipsets because creating an ipset with different parameters will cause an error and our ipset manager code isn't robust enough to handle that at this time. There is another ongoing patch to fix that but it won't be ready in time.[1]

    The related bug was closed by increasing the set limit, which did alleviate the problem. However, this change would also address the issue because the gate tests run an allowed address pairs extension test with the CIDR mentioned above.

    1. I59e2e1c090cb95ee1bd14dbb53b6ff2c5e2713fd

    Related-Bug: #1439817
    Closes-Bug: #1444397
    Change-Id: I8177699b157cd3eac46e2f481f47b5d966c49b07

commit decdf03c61f303fcfc82fe601beb4096d3305536
Author: Salvatore Orlando
Date:   Thu Apr 16 11:57:37 2015 -0700

    Quota model: use HasTenantId mixin

    This change simply changes the Quota model class to obtain the tenant_id from the mixin class. As the attribute in the mixin is identical to that in the model there is no need for a migration.

    This patch also removes a reference to quota classes in the docstring, as Neutron does not implement those. It is good to be careful when copying and pasting code.
    Change-Id: Idab15d5ef2ddd2b830a7dcde46990506064535f7
    Closes-Bug: #1445169

commit dd2f87ae3fabaf4c1b46cd1dba0fe035c17e767e
Author: armando-migliaccio
Date:   Wed Apr 15 17:35:13 2015 -0700

    Clarify the init logic for the ML2 plugin

    This patch cleans up the init logic for the plugin so that we better separate the tasks required for establishing the integration with DHCP and RPC layers.

    In other words: some bikeshedding whilst dealing with bug #1444112

    Change-Id: I68710ad002b0e1b5bff40baa5de343b0bd7ecea6

commit 400ac8c27c2f8408aea9d11b7ea369aead52997d
Author: armando-migliaccio
Date:   Wed Apr 15 17:35:13 2015 -0700

    Deal with TODO related to Security Groups RPC API's classes

    Change-Id: Ifb70a118cef48c3c4cd313e22e907aa47bc51ad0

commit 43b5630aaf1d5f665aaddb8d5f4d26efc24c2889
Author: Henry Gessau
Date:   Thu Apr 16 13:38:46 2015 -0400

    Add Kilo release milestone

    Change-Id: Id7d969c92b7c757b766760681357ac13c8079ca3

commit 1c25a4fe448ccd7f8f1059c3ca46e787116a311c
Author: AKamyshnikova
Date:   Thu Apr 16 16:25:42 2015 +0300

    Add some more comments to models/frozen.py

    Some people got confused and tried to add new models in models/frozen.py. To prevent this, add some more information in comments in this file.

    Change-Id: Iaa52ae2a826609f94e1aa81d815ae7c082bf9204

commit ae7ab01c76c8579288096e6c6e5567e4147d78cd
Author: nfedotov
Date:   Thu Mar 19 17:45:53 2015 +0300

    Two api tests for 'firewall insertion mode' feature

    Some time ago the feature called 'fwaas insertion mode' was merged. It allows associating a firewall with routers.
    The patchset adds two api tests:
    * Create firewall associated with a router, add another router to the firewall, remove old one
    * Create firewall associated with a router, try to create new firewall on the same router

    Change-Id: I7c4d41189056ff6da47bc1173d3479183e58a173

commit 9e7f484adc199b424bb9a5390c8cf3ced0f77278
Author: Terry Wilson
Date:   Thu Mar 19 12:43:21 2015 -0500

    OVS_LIB API addition - change bridge controller connection-mode

    Add an API to change controller connection mode to 'out-of-band', a feature which might be useful for many projects using Openflow controller with OVS

    Change-Id: If93f6858f4eed05f5f1d9bdb1667838d80c490cd
    Closes-Bug: #1433208

commit da8a9a0021edfdb6f5b299462f4c3ceb09059370
Author: OpenStack Proposal Bot
Date:   Thu Apr 16 06:13:44 2015 +0000

    Imported Translations from Transifex

    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure

    Change-Id: I700d3463e560d09e61f9d709b60f64b91feaa735

commit 3bbf473b49457c4afbfc23fd9f59be8aa08a257d
Author: armando-migliaccio
Date:   Wed Apr 15 18:20:51 2015 -0700

    Drop the ovs_lib compat layer as per TODO note

    Breakage documented in [1]

    [1] https://wiki.openstack.org/wiki/Neutron/LibraryAPIBreakage

    Change-Id: I41820faf8ef7fd00cf864da6f1a63ccb79c25fd8

commit bd1044ba0e9d7d0f4752c891ac340b115f0019c4
Author: Dane LeBlanc
Date:   Thu Apr 9 10:32:33 2015 -0400

    IPv6 SLAAC subnet create should update ports on net

    If ports are first created on a network, and then an IPv6 SLAAC or DHCPv6-stateless subnet is created on that network, then the ports created prior to the subnet create are not getting automatically updated (associated) with addresses for the SLAAC/DHCPv6-stateless subnet, as required.
    Change-Id: I88d04a13ce5b8ed4c88eac734e589e8a90e986a0
    Closes-Bug: 1427474
    Closes-Bug: 1441382
    Closes-Bug: 1440183

commit e20a279b28f572a6ef2a5dee6cd38b973ff98248
Author: Oleg Bondarev
Date:   Fri Apr 10 12:03:09 2015 +0300

    Use 'port' instead of 'ports' to reference port from IPAllocation

    'ports' is just confusing as IPAllocation can be associated with only one port.

    Closes-Bug: #1442527
    Change-Id: I36bfa65956f54e4b290bb7568499a47eca7c126f

commit ae0107f95664a3430131228600446cd7269e03ad
Author: Gal Sagie
Date:   Wed Apr 15 09:26:54 2015 +0300

    Enhance OVSDB Transaction timeout configuration

    OVSDB Transaction currently takes the timeout parameter from a context object that is assumed to have a vsctl_timeout attribute. This doesn't fit well for other users of this class (like OVN). This fix configures the transaction timeout in a more common way.

    Change-Id: I51bb8d8fdc6d061d44af828818aaf62e187795fd
    Closes-Bug: #1444277

commit 26b4e57858ef83ef9343f053c2835a95f6e6c860
Author: Aman Kumar
Date:   Fri Jan 23 01:34:00 2015 -0800

    Added config variable for External Network type in ML2

    Description:
    With the ML2 Plugin, every network created has segments with provider:network_types being tenant_network_types. When applied to external networks, the types that could be in tenant_network_types parameter (like vxlan or gre) are not appropriate.

    Implementation:
    Added new config variable 'external_network_type' in ml2_conf.ini which contains the default network type for external networks when no provider attributes are specified, by default it is None.

    It also includes small code re-factoring/renaming of import statement.

    DocImpact
    Closes-Bug: #1328991
    Co-Authored-By: Romil Gupta
    Change-Id: Idbbe6bced73cfedbe0f8e7abba35f87589b1a004

commit a44a3789741528524106186d1382e96f62d6c376
Author: armando-migliaccio
Date:   Tue Apr 14 14:40:13 2015 -0700

    Update decomp progress chart

    This patch updates the progress chart, now that the first cycle after the decomp started.
    For the fully decomposed plugins/drivers and for known projects that integrate with Neutron, this patch proposes a new summary table that provides a go-to reference for everything Neutron related.

    Related-blueprint: core-vendor-decomposition
    Change-Id: Ib79a7b6d1401f1d9241621ae03cf6692685e12b1

commit 8be4e4d5fc052655f7a968fc5016c84aca48758e
Author: Li Ma
Date:   Sun Apr 12 22:29:56 2015 -0700

    Provide details for configuring multiple DHCP agents

    The help text is not that good for operation. This fix adds more information about the option 'dhcp_agents_per_network'.

    Change-Id: I955c1e9989a9c65b0ffdbbdca9113c795ec72fe6
    Closes-Bug: #1370934

commit 2c3b0763bade1b9765cd83bbfe9ee6002770b6e0
Author: Assaf Muller
Date:   Fri Mar 27 19:31:51 2015 -0400

    Stop running L3 functional tests with both OVSDB interfaces

    Running the L3 functional tests with both OVSDB interfaces doubles the run time and may discourage developers from running them frequently during development. Since the OVSDB interfaces are tested explicitly, I don't think the trade off is worth it here. The L3 functional tests use OVS in a *really* trivial way and won't catch any issues that the explicit tests won't.

    Added an OVSInterfaceDriverTestCase plug functional test that runs with both OVS interfaces to make it harder to introduce regressions.

    Related-Bug: #1442272
    Change-Id: I387db347fe34f8497069ddf768624bccb9d1de8b

commit cc904070cc19a050002805bb6809d778677c17fb
Author: armando-migliaccio
Date:   Tue Apr 14 14:41:45 2015 -0700

    Fix formatting errors in TESTING.rst

    There were a few errors that went undetected.

    TESTING.rst:266: SEVERE: Title level inconsistent:
    TESTING.rst:67: ERROR: Unknown target name: "test".
    TESTING.rst:74: ERROR: Unknown target name: "test".
    Change-Id: Iad225e95c23b7460d228ba5447f4a361aa68d5dc

commit 76fa87e12eb69c962dd85a3399d3dbce0c5a3271
Author: Kevin Benton
Date:   Mon Mar 30 11:49:40 2015 -0700

    Pass correct port ID back to RPC caller

    The previous response to get_device_details calls was returning whatever the caller requested as the port_id in the response. This was only correct in the case where the port_id was used directly. In cases where device names were passed in, there was no way to retrieve the full port ID.

    This corrects that behavior by using the port ID from the database and adds tests to ensure the behavior remains correct.

    Closes-Bug: #1443714
    Change-Id: Ibfc7b6659a29e892dfe6e83bd9340feb40e920dd

commit 40a1f410ff45ce129c08da0cd071020c7ea338af
Author: Brian Haley
Date:   Thu Apr 9 17:48:40 2015 -0400

    Fix intermittent ipset_manager test failure

    Change ipset_manager _refresh_set() to make a copy of the list of IPs when creating a set, instead of using a reference, else any change to the set could update the caller's data.

    Also made the IpsetManagerTestCase classes always pass maxelem and hashsize to the parent class.

    Change-Id: I45fc716ab0952b80363b0c7dabae29cda05604dc
    Closes-bug: #1442377

commit 391c1b8cc1fc6f024232bef65bb5deb77357f294
Author: Dane LeBlanc
Date:   Tue Apr 14 11:05:40 2015 -0400

    Fix mock return settings in test_full_uuids_skip_port_id_lookup

    In the test_full_uuids_skip_port_id_lookup test in test_security_group.py, there are a couple of problems with how a mock return value is being set for a database query.

    The first problem is that in this line:

        fmock = sess_mock.query.return_value.outerjoin.return_value.filter

    there is a '.return_value' missing between 'sess_mock' and 'query'.

    The second problem is that in this line:

        fmock.return_value.all.return_value = []

    the 'all.return_value' should not be used.
    For reference, the query for which this mock return value is being set is in the get_sg_ids_grouped_by_port() method in ML2's db.py:

        query = session.query(models_v2.Port,
                              sg_db.SecurityGroupPortBinding.security_group_id)
        query = query.outerjoin(sg_db.SecurityGroupPortBinding,
                                models_v2.Port.id == sg_binding_port)
        query = query.filter(or_(*or_criteria))

    This patch fixes the problems mentioned above so that the query above returns an empty list for the test_full_uuids_skip_port_id_lookup test.

    Change-Id: I2cec2c27fcdc82557c91205d202a6ac79987e92a
    Closes-Bug: 1444009

commit 304d68d9741fd15c14263d978e5b0bae43cde58e
Author: John Schwarz
Date:   Tue Oct 14 14:12:35 2014 +0300

    Add full-stack test

    Currently, the full-stack framework has only one test which only uses the neutron-server. This patch adds an actual test which makes sure that once a router is created, an actual namespace is created for it.

    Since this test requires 3 processes (neutron-server, l3-agent, ovs-agent), existing full-stack code is modified to add more streamlined support for such code.

    Partially-Implements: blueprint integration-tests
    Change-Id: Id5a8852d38543590b90e4bbed261a7a458071a9a

commit 833ce26860c93bc8efb446a247c916d638a040ef
Author: John Schwarz
Date:   Thu Apr 2 18:17:03 2015 +0300

    create_resource should return maximum length str

    Previously, get_rand_name(max_length, prefix) returned a randomized suffix integer which was concatenated to the end of the given prefix. Effectively, the suffix was any decimal number between 1 and 0x7fffffff, so multiple calls to the function could return strings with different lengths. This is unexpected since running an already randomized name into the same function shouldn't return a different string.

    The suggested solution is to actually fill all the space needed until the string is 'max_length' in size.
    Also, a check is added to create_resource to make sure that it only generates a new port name if the input prefix is less than the maximum device name and if the prefix is long enough, don't generate a random port suffix.

    Change-Id: I0d5a20c676f627bce2a377e3c451043150ca734c

commit 2797efc39faca97039714d3ffb6520634bf65b74
Author: Sudipta Biswas
Date:   Wed Mar 18 23:35:57 2015 +0530

    Add clock sync error detection on agent registration

    For the server to determine if an agent is alive or not, it depends on the agent's clock being mostly in sync with the server clock. The neutron-server may reject and return the request if there's a timestamp difference between the two nodes. Currently there's no good way to detect this condition from the agent code.

    This fix will improve the error handling logic by writing an appropriate log in the neutron server's log file for an early detection of the problem.

    Change-Id: If884f90c4b1786cfc63d3e2ff2d66f92122258c2
    Closes-Bug: #1432582

commit a22c6bdc8286e96454d6c8652a7ee5f832ce0952
Author: Assaf Muller
Date:   Wed Apr 8 19:13:14 2015 -0400

    Log RPC initialization in L3 service plugin and ML2

    Under certain conditions the messaging server may be up but not responding. In this case the Neutron server will fail to start silently, making it pretty hard to track down the issue without looking through a lot of code and adding a bunch of random logging.

    Change-Id: I6a562476f2789386a020db7b21b9349c4c58c30c

commit 594353722ccba27d19c693c2f77905758e46223a
Author: Angela Smith
Date:   Thu Apr 9 16:55:35 2015 -0400

    Add block name to switch config options for MLX plug-ins.

    In the INI files, the switch_names option uses a dynamic value to determine the block names for the switch options. In order to create proper config option reference docs, there needs to be an example block name for the switch options.
    Change-Id: Ic5bf6de02ba1b7d1bc90ee29a5a0570fb45b9956
    Closes-Bug: #1442357

commit 791d57922b00857e3f8bb753bff9499f3c4e1ab9
Author: Numan Siddique
Date:   Mon Apr 13 20:52:33 2015 +0530

    Fix the ImportErrors in l3 and dhcp scheduler functional tests

    Change-Id: I5b8746d37173869f78a9c23834f10d630d2a36cd
    Closes-bug: #1443480

commit db4764587ce882766d53291983bd427d422e790f
Author: Ihar Hrachyshka
Date:   Mon Apr 13 15:21:46 2015 +0200

    Removed jsonrpclib dependency

    It was used by the Arista ML2 driver that is now decomposed from the tree. The dependency is also one of those blocking our python 3 story [1].

    [1]: https://caniusepython3.com/check/ba7f2a23-8a1b-4ec9-9d85-08c7d3b05230

    Change-Id: I4de422da14e382ece49987da498d2d7f424e89b4

commit 77df532e10fac3cc18d1c4c6e505af8778ab5854
Author: Gal Sagie
Date:   Mon Apr 13 09:41:17 2015 +0300

    Additions to TESTING.rst

    Small addition on how to run pep8 tests only for latest patch set.

    Change-Id: I07fa2c633d17acd1284ccd726a99a46414100ba3

commit 1642bca4d9c4fee15129f74d93300c1eab1afd29
Author: Eugene Nikanorov
Date:   Thu Apr 9 01:16:18 2015 +0300

    Handle race condition on subnet-delete

    This fix targets a quite rare case of race condition between port creation and subnet deletion. This usually happens during API tests that do things quickly. DHCP port is being created after delete_subnet checks for DHCP ports, but before it checks for IPAllocations on subnet.

    The solution is to apply retrying logic, which is really necessary as we can't fetch new IPAllocations with the same query and within the active transaction in mysql because of REPEATABLE READ transaction isolation.

    Change-Id: Ib9da018e654cdee3b64aa38de90f171c92ee28ee
    Closes-Bug: 1357055

commit 7f406805d93298d0e65d340c2a06ba0d2dd6ff76
Author: Romil Gupta
Date:   Mon Mar 23 08:05:41 2015 -0700

    Move values for network_type to plugins.common.constants.py

    It is quite confusing to have values for network type in common.constants.py instead of having them in plugins.common.constants.py.
    Currently, the plugins/common/constants.py consists of network_type constants like VLAN, VXLAN, GRE etc. but values for network type like ranges are defined in common.constants.py which is not good; it is better to have both things at the same place. This patch set addresses the same.

    Moved out a few methods which are predominantly used in plugins from common.utils.py to plugins.common.utils.py.

    Removed constants which were used in neutron-fwaas from plugins.common.constants.py: https://review.openstack.org/#/c/168709/

    Closes-Bug: #1441043
    Change-Id: Iecfb15c541ed5d3cce95ba48f072af7fa60ac6f1

commit aa7567e8bb4fef17f6fc1d496ac6b75f10039063
Author: Gal Sagie
Date:   Mon Apr 6 16:11:23 2015 +0300

    allow OVSDB connection schema to be configurable

    Add the schema name as a parameter to the OVSDB IDL connection. That way other users can use this with other schemas

    Change-Id: I55ab5ae4f3f937d236eee773f9717b5090c18557
    Closes-Bug: #1441180

commit 596a8c4c2c7588d4085f72fd5994b2d1cc8aab9e
Author: Gal Sagie
Date:   Mon Apr 6 08:36:01 2015 +0300

    Add OVSDB connection as a parameter to the transaction

    This adds the ovsdb connection as a parameter to the transaction in the IDL implementation. This allows other users to use this with a different connection

    Change-Id: Iedc0a836c1fc11c88de275c6714e9657b40292df
    Closes-Bug: #1440638

commit 2c0ac297494cd72029fe277a2a508140745d13ad
Author: YAMAMOTO Takashi
Date:   Mon Apr 13 14:52:33 2015 +0900

    l3_rpc: Fix a comment typo

    Change-Id: Ibd6a9928b84567ac6ad93077d26072d4de560a95

commit 8791f8e86dad5779d62e8d9e87d42af156b18829
Author: Terry Wilson
Date:   Tue Mar 24 22:16:38 2015 -0500

    Fix native OVSDB db_get handling for UUID columns

    The OVS IDL python library returns Row objects for uuid-containing columns. Ensure that db_get returns UUID strings in this case.
    Closes-Bug: #1438751
    Change-Id: Ia842a04fcad86329825d75db57680c7f23bed350

commit c72559f32dc7cabcd5614ae07e0da2e2248c2785
Author: Brian Haley
Date:   Fri Apr 10 15:51:43 2015 -0400

    Move iptables and ipset config registration into modules

    Do not do this on a per-object basis, but instead in the module.

    Change-Id: Ib1cc604c7c0135ca62a6194d8e20a3c29d3c5ed6
    Closes-bug: #1441163

commit fd162a82776d64af9abc5595d1b8d2473dfce8f2
Author: Ihar Hrachyshka
Date:   Mon Mar 30 14:35:15 2015 +0200

    Kill hostname validation for subnet:dns_nameservers

    DNS servers that are hostnames seem like a bad idea. They are also not supported by base_db_plugin_v2 [1] anyway, so there is no big reason to pass them thru API validation only to receive InvalidInput later inside plugin code.

    [1]: http://git.openstack.org/cgit/openstack/neutron/tree/neutron/db/db_base_plugin_v2.py#n1049

    Change-Id: I2db00fe266fe0748d0e6327fbad22fa16b751da8
    Related-Bug: #1396932

commit 61aa4a57b17594bb0412f870f361a8a35ec07b62
Author: Swaminathan Vasudevan
Date:   Wed Mar 11 12:03:42 2015 -0700

    Adds DVR functional test for multi-external networks

    This patch adds DVR functional test for multiple external networks related to FIP namespace. This test validates that FIP namespaces are created based on the external networks associated with the router.

    Change-Id: I0f8cd352e83f8c2f04bf420a8b0dd6407de6b5ce

commit 52cd81934b6a64bda80a140446d8895413789221
Author: Ihar Hrachyshka
Date:   Sat Feb 28 13:48:18 2015 +0100

    context: reuse base oslo.context class for to_dict()

    It is needed to conform to expectations of consumers that rely on oslo.context behaviour (f.e. oslo.log that relies [1] on user_identity field being set for context objects).
    [1]: https://github.com/openstack/oslo.log/blob/master/oslo_log/_options.py#L99

    Closes-Bug: #1433687
    Change-Id: I95e803b96e6e3e5b8c12298dc6327b974330c639

commit 2749fd41f066dd51116c2a18198f79aa3c640156
Author: Maru Newby
Date:   Fri Apr 10 16:01:52 2015 +0000

    Fix routerid constraint migration

    The migration to add a fk constraint to the routerl3agentbindings table could fail if orphaned records existed. This change ensures that binding records are properly sanitized before constraint addition is attempted.

    Change-Id: Iace190916c9c0b9be75ddd43c4ca86480f8e017f
    Closes-Bug: #1442683

commit 476f146ce20c87e93211248eb0d0cc4d8f199f58
Author: Ihar Hrachyshka
Date:   Fri Apr 10 17:30:30 2015 +0200

    Synced versionutils from oslo-incubator

    This is needed to get access to versionutils.deprecated.LIBERTY symbol.

    Change-Id: Ifda59f762fd61437088750c988f03b782045f455

commit b3334eca0ae9f9c64ccd646035e69081f669e3e4
Author: Ihar Hrachyshka
Date:   Fri Apr 10 15:07:33 2015 +0200

    Removed ml2_conf_odl.ini config file

    The file is already packaged into the decomposed networking-odl repo [1].

    [1]: https://git.openstack.org/cgit/stackforge/networking-odl/tree/etc/neutron/plugins/ml2/ml2_conf_odl.ini

    Closes-Bug: #1442615
    Change-Id: Ic280454190aab4e3b881cde15a882808b652861e

commit edbade486102a219810137d1c6b916e87475d477
Author: Stephen Ma
Date:   Tue Feb 24 23:31:33 2015 +0000

    Router is not unscheduled when the last port is deleted

    When checking for ports that are still in use on a DVR router, the L3 agent scheduler makes the assumption that a port's network must be owned by the same tenant. This isn't always true as the admin could have created a shared network that other tenants may use. The result of this assumption is that the router associated with the shared network may not be unscheduled from a VM host when the last VM (created by a non-admin tenant) using the shared network is deleted from the compute node.

    The owner of a VM may not own all the ports of a shared network.
Other tenants may have VMs using the same shared network running on the same compute node. Also the VM owner may not own the router ports. In order to check whether a router can be unscheduled from a node has to be run with admin context so all the ports associated with router are returned from database queries. This patch fixes this problem by using the admin context to make the queries needed for the DVR scheduler to make the correct unschedule decision. Change-Id: I45477713d7ce16f2451fa6fbe04c610388b06867 Closes-bug: #1424096 commit f4c17f529f1d83c44118927fc019257840b5f356 Author: Assaf Muller Date: Thu Apr 9 13:06:07 2015 -0400 Remove L3 report_state logging None of the agents log this information, and the reason is that it's not useful. Any errors are logged, successful state reports don't give actionable information as you can see that the agent is up in neutron agent-list anyway. Change-Id: I109373129808984d34abdf6780b8cda8ca8982be commit 81098620c298394e1a98127ceeba7f297db2d906 Author: Maru Newby Date: Thu Apr 9 17:00:57 2015 +0000 Double functional testing timeout to 180s The increase in ovs testing is resulting in job failure due to timeouts in test_killed_monitor_respawns. Giving the test more time to complete should reduce the failure rate. Change-Id: I2ba9b1eb388bfbbebbd6b0f3edb6d5a5ae0bfead Closes-Bug: #1442272 commit ff9c92c712be07f9fa39832debc2af7ee239515b Author: John Perkins Date: Wed Apr 8 12:24:03 2015 -0500 Non-json body on POST 500's If the body of a POST request is not json, we get crashes. This can happen when middleware sends along unexpected data. 
Closes-bug #1441879
Change-Id: Ifac59476e4785b86bca6e2a54759f4271629a193

commit dc31fecdd978a8c56d33bc0f1672e680e273111d
Author: Gal Sagie
Date: Thu Apr 9 18:57:52 2015 +0300

OVSDB python binding should use row.delete() to remove rows

The OVS python IDL recognizes a delete event when delete() is called on the row; this should be used to remove rows from the db.

Change-Id: I50c94a4f089659d78f8881653cd55d4ef069cdc1
Closes-Bug: #1442217

commit e4095758868f6debdddb5a7cd65f8c0a244bee66
Author: John Schwarz
Date: Thu Apr 9 18:41:06 2015 +0300

Revert connection option post full-stack tests

The full-stack framework overrides the database connection string before every test is started, but after the test it doesn't revert the string back to what it was originally. Since after the test the database is deleted, the string is not actually valid once the test has finished, and this conflicts with tests which are run on the same job (specifically the retargetable tests - see associated bug). The proposed patch saves the original connection string and reverts it after the test finishes.

Change-Id: I96c01483009084cbc2b81588a1283e84e6bcb4c4
Closes-bug: #1440797

commit d9251d6e35ac87b755b63aa58bb32da20496dfba
Author: Elena Ezhova
Date: Tue Apr 7 14:55:50 2015 +0300

Handle SIGHUP in dhcp and l3 agents

All launchers implemented in common.service require each service to implement a reset method because it is called in case a process receives a SIGHUP. This change adds the reset method to the neutron.service.Service class which is used to start dhcp and l3 agents. Now dhcp and l3 agents don't die on receiving SIGHUP and support reloading policy_path and logging options in config.

Partial-Bug: #1276694
Change-Id: I96010e44928a665bea546865b2c81bde4ed0adf2

commit f92d22d91b8a29a0088c69a1cf4940c822d38847
Author: Elena Ezhova
Date: Thu Mar 26 15:33:36 2015 +0300

Sync service from oslo-incubator

This sync includes changes that are required to fix handling of SIGHUP in Neutron. The following changes and bugfixes are included:

d24b658 Revert "Optimization of waiting subprocesses in ProcessLauncher"
593005b ProcessLauncher: reload config file in parent process on SIGHUP
f29e865 Store ProcessLauncher signal handlers on class level
bf92010 Optimization of waiting subprocesses in ProcessLauncher

Change-Id: If0aab4e8978422346f6ba4c9e6272cdaf39db6cb
Closes-Bug: #1433142
Related-Bug: #1276694

commit 7e95f878d9d5af968f970f20c3258436ab276e2a
Author: OpenStack Proposal Bot
Date: Thu Apr 9 06:58:54 2015 +0000

Imported Translations from Transifex

For more information about this automatic import see: https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: Idf9c9beac35ee67d21986a172eb74b3ca6e93b54

commit d5aa1831ac95c16fcee6ec0bb8f0bf07afbe384c
Author: Eugene Nikanorov
Date: Wed Apr 8 02:23:22 2015 +0400

Add logging to dangling port to ml2 delete_subnet

This is useful when troubleshooting test failures. Also, in db_base_plugin_v2, log only port_id instead of the full allocation object.

Change-Id: I3d77318aee70836de125687a7f6c0f495d545f21
Related-Bug: #1357055

commit 29dd67ff754eba3064549886c0906a83500d1879
Author: Eugene Nikanorov
Date: Wed Apr 8 00:15:43 2015 +0400

Avoid synchronizing session when deleting networkdhcpagentbinding

Synchronizing the session on delete leads to traces in neutron-server logs when such a binding is deleted concurrently. Also, catch and ignore ObjectDeletedError while iterating over bindings; that is possible since the code is not within a transaction.

Change-Id: I7a2c9a8a59ce313c7d242230eeb5da69986bfbd4
Closes-Bug: #1424593

commit 1e06631d947a25589981b04acb221b2e4870dc2c
Author: armando-migliaccio
Date: Wed Apr 8 12:50:19 2015 -0700

Update L3 Agent Scheduler API tests

Changes [1,2] recently merged in tempest. Change [2] in particular is required if we run the API tests with DVR enabled, because now the binding logic has been altered by [3]. This patch ensures that should that happen, the API job doesn't fail.

[1] https://review.openstack.org/#/c/169895/
[2] https://review.openstack.org/#/c/165246/
[3] https://review.openstack.org/#/c/154289/

Change-Id: Iead1b90030098139090ae6ad4b77f50068817083

commit 0107bdd5f03e3d0fef6be88b8b586f735f610522
Author: armando-migliaccio
Date: Wed Apr 8 10:57:13 2015 -0700

Revert "IPv6 SLAAC subnet create should update ports on net"

This reverts commit 81f4469b620ec221f53d3ffb4d00b90896dc5ce1.

Change-Id: I63a392fccda29ceff3e91c0a4de741d263bd0e8e
Related-bug: #1441382
Related-bug: #1440183

commit 3d1277555e183a81b56c2ea2dc01342d8333afdd
Author: Edgar Magana
Date: Mon Apr 6 22:57:06 2015 -0700

Add missing config parameters in neutron.conf

Include all missing configuration parameters already integrated in Neutron code.

Change-Id: Iefa344a2f9ec2c74f6314e7c783ff3b213d76ea3
Closes-bug: #1438329

commit 809e434d2da99cb3e1a778be9838b1175e785e76
Author: Pritesh Kothari
Date: Wed Mar 25 11:34:05 2015 -0700

Moving VLAN Transparency support from core to extension

* Moving VLAN Transparency support from core to extension
* Remove the older unit tests and add new corresponding ones

DocImpact
Closes-Bug: #1434667
Change-Id: Ic551475ed7b64aad9627a57abb0df41acc19bfc1

commit aeb5efe3fbeae82a2d65f6bb68710d14156c58bf
Author: Dane LeBlanc
Date: Sat Apr 4 18:50:36 2015 -0400

Re-use context session in ML2 DB get_port_binding_host

This patch modifies the ML2 DB get_port_binding_host method so that it reuses the existing context session to do the database query rather than creating a new database session. Note that there are other methods in ML2 DB that do not re-use the caller's session (get_port_from_device_mac() and get_sg_ids_grouped_by_port()). These will be modified using a separate bug (https://bugs.launchpad.net/neutron/+bug/1441205).
Change-Id: I8aafb0a70f40f9306ccc366e5db6860c92c48cce
Closes-Bug: #1440183

commit e8603512c4e7aa976ad29dfaf609505267b8c870
Author: Andrew Boik
Date: Fri Mar 27 16:21:29 2015 -0400

Consider all address scopes in init_l3

Currently init_l3 retrieves the list of global addresses from the kernel on a specific device in a network namespace. If any of the addresses are not in the ip_cidrs argument to init_l3, they will be deleted. The problem with only listing global addresses is that if a site-local or link-local address is added during a subnet-create, and the user wishes to later delete the address, init_l3 will never consider that address for deletion. To fix this, init_l3 should not limit its scope when listing addresses on an interface. It should, however, ignore the default IPv6 link-local address assigned by the operating system as this address is not known to Neutron and should not be deleted.

Change-Id: I3d7a3e318e32acae3836c51e4e2e95ae756e645b
Closes-Bug: #1437499

commit 14addb4f0ddd3288cf29849bc86d9c717d7374ff
Author: Sanjeev Rampal
Date: Mon Apr 6 17:19:37 2015 -0700

Improves the description string for the config parameter metadata_workers.

Change-Id: I98d05ce52d7cd6c3631bfe1928509fda21d16b48
Closes-Bug: 1421892

commit 31631e82bbf974c50fb913dafe0ad86e2c0e6a8b
Author: armando-migliaccio
Date: Tue Apr 7 15:37:59 2015 -0700

Fix intermittent UT failures in test_utils

Change eba4c2941ee introduced these tests. However they are not that useful as they simply mimic the code, without really ensuring that the behavior is expected, so they provide negative value ([1]); plus, they fail randomly. This patch removes them in favor of a more useful functional check.

[1] http://googletesting.blogspot.com/2015/01/testing-on-toilet-change-detector-tests.html

Closes-bug: #1441347
Change-Id: I8a321995295deef7f6d30be303486be491e2771f

commit 23351390d87c3541e9df05164201024be0a3d42f
Author: Eugene Nikanorov
Date: Thu Mar 26 06:17:59 2015 +0400

OOP cleanup: start protected method names with underscore

This slightly improves readability of the l3_schedulers module.

Change-Id: I362143939b513bb3b2a02e7472efa26e8c83cb96
Closes-Bug: #1436922

commit 3e83a26e665c43372f3639ba892198fa052fb2b2
Author: Maru Newby
Date: Tue Mar 24 19:45:46 2015 +0000

Enhance TESTING.rst

Add detail about api testing and provide better visual separation between the different types of testing. The current testing guidelines are mainly about running tests, and this change does little to fix that. The intention is to add detail about writing tests in subsequent changes.

Change-Id: I39d0439c91e5c6edb1d48d4da310443c99fb6d9e

commit e37dcd4c76e3ab61c585b116c34d32382c592b9f
Author: Maru Newby
Date: Tue Apr 7 15:00:25 2015 +0000

Remove check for bash usage

Arbitrarily restricting ourselves from using bash because developers on platforms like netbsd don't want to install bash from ports doesn't make sense. Any non-trivial shell script is likely to use features like arrays or string manipulation that are poorly supported (if at all) by sh, and the continued bumping of the number of expected bash scripts is an indication that the check is not serving its purpose anyway. Along with removing the check, all shebang references to /bin/bash have been replaced with /usr/bin/env bash in an attempt to be more compatible across different hosts.

Change-Id: Ief72dc380cc88af38959c330897e2c127e33c332
Closes-Bug: #1440824

commit 760fe6a8fabc921e75367b5f02bab4fc326b8115
Author: Ed Bak
Date: Mon Feb 9 23:13:18 2015 +0000

Return from check_ports_exist_on_l3agent if no subnet found

The call to get_subnet_ids_on_router can return an empty list. If the subnet_ids list is empty, the subsequent call to get the ports on a subnet returns all ports. If this occurs when doing a remove_router_interface, the performance of remove_router_interface degrades significantly. This change returns immediately from check_ports_exist_on_l3agents if no subnet is found. A new unit test has been added to cover the specific case of returning immediately without calling get_ports when a remove_router_interface operation is performed.

Change-Id: I247d3bae152ab4f8ab7e00bd24d878eb08dca1ba
Closes-Bug: #1420032
Depends-On: I15bbf16fd4378c6431e9da8942d0968e7a012a91

commit 1c1dbf5676bcd934fbe8a8053641fcad6d37f075
Author: Thierry Carrez
Date: Tue Apr 7 15:50:46 2015 +0200

Open Liberty development

Bump pre-version in setup.cfg to formally open Liberty development. The Kilo release branch will be cut from the previous commit.

Change-Id: I9ca77808093741f6c52e49f3041e90c3cc7a74b6

commit 3c35b40b20b8245350968d0a78de03aacba0cc33
Author: YAMAMOTO Takashi
Date: Wed Mar 25 14:07:58 2015 +0900

Remove duplicated l3 router scheduler test cases

Turn L3SchedulerTestCase into a mixin to reduce the number of duplicated test cases. There's no reason to run them in both L3SchedulerTestCase and L3ChanceSchedulerTestCase.

Closes-Bug: #1436164
Change-Id: Iee33f77fa2f9b9e20bb9c3fc4fb11a38de14bca5

commit fed9c30b984fa69a048bc1672362e40c2fe0ad6c
Author: Assaf Muller
Date: Mon Apr 6 23:56:15 2015 -0400

Remove tests from HA routers test framework

The framework class should not contain tests. Running the module was running an additional 9 tests that should not have been run.

Change-Id: Iabc6367e8bfda18e395d1a19809b07507200003d

commit 78d3b40899b81dd2ecfadcc8547c8eabc6849e53
Author: YAMAMOTO Takashi
Date: Wed Mar 18 13:27:15 2015 +0900

linuxbridge UT: Fix a regression of the recent ip_lib change

A recently merged change, I07d1d297f07857d216649cccf717896574aac301, changed IPWrapper.get_devices to use /sys instead of executing the ip command.
Unfortunately it broke linuxbridge unit tests, which seem to assume that mocking utils.execute is enough in some places. This commit fixes the regression.

Closes-Bug: #1433417
Related-Bug: #1374663
Change-Id: I9570abe703b438a3fc358f747e25d023934d1ffd

commit e585c822e38919451beeb95406c521b09b18e9fc
Author: Swaminathan Vasudevan
Date: Thu Apr 2 17:25:39 2015 -0700

Fix dynamic arp populate error for dvr routers

A recent refactor of the L3 Agent has introduced this problem. When we create a VM after we attach an interface to a router, or when we add an interface with an existing VM to a router, in both cases the arp entries for the dvr serviced ports are not getting populated in the Router Namespace.

Closes-Bug: #1438969
Change-Id: I4a82e2435d176f3d9336d7f0dab9726c063840b9
Co-authored-by: Armando Migliaccio

commit 21bef562c23d96fe41daeedeb43c0bb2d1c53ed0
Author: Maru Newby
Date: Mon Apr 6 21:53:39 2015 +0000

Reorganize plugin test modules

This change moves plugin test modules to conform to the new rules on unit test tree structure (see TESTING.rst). Vendor plugin paths continue to be ignored, and unit test modules that test features instead of modules are also ignored pending their removal to the functional test tree.

Change-Id: I482c377ca72ffd58692ad84bd9692356513e4c98
Closes-Bug: #1440834

commit 5bdcacad62ba468de1bd339cad44428c2374d973
Author: Maru Newby
Date: Mon Apr 6 21:51:23 2015 +0000

Merge open source plugin test code modules

The unit test reorg is about moving files around so a test module is clearly associated with the code module it targets, but the test modules in this change needed to be manually merged because they both targeted the same module.

Change-Id: I80f4b97fadd318896e7fa4e7e7e939f924127b2a
Partial-Bug: #1440834

commit 1105782e3914f601b8f4be64939816b1afe8fb54
Author: Maru Newby
Date: Sat Apr 4 00:22:05 2015 +0000

Reorganize unit test tree

This change ensures that the structure of the unit test tree matches that of the code tree to make it obvious where to find tests for a given module. A check is added to the pep8 job to protect against regressions. The plugin test paths are relocated to neutron/tests/unit/plugins but are otherwise ignored for now.

Change-Id: If307593259139171be21a71c58e3a34bf148cc7f
Partial-Bug: #1440834

commit b5b919a7a3569ccb93c3d7d523c1edfaeddb7cb9
Author: Brian Haley
Date: Thu Apr 2 21:11:06 2015 -0400

Add ipset element and hashsize tunables

Recently, these messages have been noticed in tempest logs, as well as reported by downstream users' syslog:

Set IPv4915d358d-2c5b-43b5-9862 is full, maxelem 65536 reached

So the default of 64K is not sufficient. This change adds two config options to control both the number of elements as well as the hashsize, since they should be tuned together for best performance. Slightly different formats were required for 'ipset create' and 'ipset restore'. The default values for these are now set to 131072 (maxelem) and 2048 (hashsize), which is an increase over their typical default values of 65536/1024 (respectively), in order to fix the errors seen in the tempest tests.

DocImpact
Change-Id: Ic0b5b38a840e737dc6be938230f4052974c8620f
Closes-bug: #1439817

commit 80bea7a38670620934faafd5f583fe6164b9f9b3
Author: Cedric Brandily
Date: Tue Mar 17 15:20:07 2015 +0000

Allow metadata proxy running with nobody user/group

Currently the metadata proxy cannot run with the nobody user/group, as the metadata proxy requires connecting to metadata_proxy_socket when queried. This change allows running the metadata proxy with the nobody user/group by allowing the metadata_proxy_socket mode to be chosen with the new option metadata_proxy_socket_mode (4 choices), in order to adapt socket permissions to the metadata proxy user/group. This change also refactors where options are defined to enable the metadata_proxy_user/group options in the metadata agent.

In practice:

* if metadata_proxy_user is the agent effective user or root, then:
  * metadata proxy is allowed to use rootwrap (unsecure)
  * set metadata_proxy_socket_mode = user (0o644)
* else if metadata_proxy_group is the agent effective group, then:
  * metadata proxy is not allowed to use rootwrap (secure)
  * set metadata_proxy_socket_mode = group (0o664)
  * set metadata_proxy_log_watch = false
* else:
  * metadata proxy has lowest permissions (securest) but the metadata proxy socket can be opened by everyone
  * set metadata_proxy_socket_mode = all (0o666)
  * set metadata_proxy_log_watch = false

An alternative is to set metadata_proxy_socket_mode = deduce, in which case the metadata agent uses the previous rules to choose the correct mode.

DocImpact
Closes-Bug: #1427228
Change-Id: I235a0cc4f0cbd55ae4ec1570daf2ebbb6a72441d

commit b7ac8501a0a4753be09b37525ec1665bafacdd8b
Author: Maru Newby
Date: Mon Apr 6 16:28:00 2015 +0000

Skip example retargetable functional test

The example retargetable test that previously ran as part of the functional suite is now skipped due to the fullstack example's db fixture usage causing the test to fail if the fullstack example runs first on the same worker.

Change-Id: I0a34f9ba04c53a4291698be819070c66009c8b4a
Related-Bug: #1440797

commit 980e54713776584f2b810d136a369ce5a73b3a7f
Author: Maru Newby
Date: Fri Apr 3 23:42:31 2015 +0000

Prepare for unit test reorg

The unit test reorg is about moving files around so a test module is clearly associated with the code module it targets, but the test modules in this change needed to be manually merged because they both targeted the same module.
test_api_v2 is also updated to use the path of neutron/tests/base.py as the root of the path to test implementations of extensions.

Change-Id: I432b84339e51c26ef0aa26d44e29b5a3311626ad
Implements: bp/reorganize-unit-test-tree

commit 3108d2dece0501dbb661e2f5a4bb530a199f9fde
Author: Maru Newby
Date: Fri Apr 3 17:26:33 2015 +0000

Remove orphaned nuage unit test module

Change I6d02df85c7a2c307ad11442d0afdd50c64210af4 implemented the plugin decomp for nuage but one of the unit tests was missed.

Change-Id: I37e1b3f6645b5f7730218d5ef08ca28f72b91883

commit 39a3c8aff262b6b8a1257b84ac2832d4d813b68a
Author: zengfagao
Date: Thu Apr 2 09:44:53 2015 -0700

Add API tests for subnet-create with subnetpool

With subnetpool, we can create a subnet from a subnetpool. The user can specify CIDR or prefixlen for subnet allocation. If neither is specified, the CIDR will be chosen from the pool using the default-prefixlen of the pool.

Change-Id: I2c4d81496e10826bed83a977ff0398f781d16c33
Partially-Implements: blueprint subnet-allocation

commit 9bca9ca84b76cc5bba03e9c0ff42bceaf5d2b028
Author: Paul Michali
Date: Wed Apr 1 13:47:43 2015 -0400

Refactoring cleanup for L3 agent callbacks

This commit completes the refactoring of the L3 agent callback mechanism. The goal here is to also use the neutron/callbacks/ mechanism for L3 agent notifications, instead of having two mechanisms. [1] modified the L3 agent to send notifications for router create, update, and delete events, using the neutron/callbacks/ mechanism. [2] modified VPN to use this new mechanism, instead of the L3EventObservers mechanism. Note: [3] modified the FW repo to no longer depend on the L3EventObserver and related objects (it doesn't currently use the event notifications). This commit removes the notifications for the L3EventObservers mechanism, removes the related modules and tests, and adds in tests to verify that the new notifications are called for the different events. Once [1] and [2] are upstreamed, this commit can proceed.

Refs:
[1] https://review.openstack.org/#/c/164466/
[2] https://review.openstack.org/#/c/165226/
[3] https://review.openstack.org/#/c/167275/

Change-Id: I7c4b4ea5f9fb19abb812665cdae5fb70c84fe3ec
Depends-On: If5040a827a6903cc7cb5e59cdb7fb95f61b13d47
Closes-Bug: #1433552

commit 30c2e203d9cba559d7533ab5dbd5b45e5445e06d
Author: OpenStack Proposal Bot
Date: Fri Apr 3 06:13:58 2015 +0000

Imported Translations from Transifex

For more information about this automatic import see: https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: I7ce3288f62fdd9ffae81c47f3bc1a359833839e4

commit 54c05b500ac3ffad98cb480dc5bfd04bdcf91229
Author: Andrew Boik
Date: Mon Mar 23 11:21:11 2015 -0400

Support multiple IPv6 prefixes on internal router ports

(Patch set #3 for the multiple-ipv6-prefixes blueprint)

Provides support for adding multiple IPv6 subnets to an internal router port. The limitation of one IPv4 subnet per internal router port remains, though a port may contain one IPv4 subnet with any number of IPv6 subnets. This changes the behavior of both the router-interface-add and router-interface-delete APIs.

When router-interface-add is called with an IPv6 subnet, the subnet will be added to an existing internal port on the router with the same network ID if the existing port already has one or more IPv6 subnets. Otherwise, a new port will be created on the router for that subnet. When calling router-interface-add with a port (one that has already been created using the port-create command), that port will be added to the router if it meets the following conditions:

1. The port has no more than one IPv4 subnet.
2. If the port has any IPv6 subnets, it must not have the same network ID as an existing port on the router if the existing port has any IPv6 subnets.

If the router-interface-delete command is called with a subnet, that subnet will be removed from the router port to which it belongs. If the subnet is the last subnet on a port, the port itself will be deleted from the router. If the router-interface-delete command is called with a port, that port will be deleted from the router.

This change also allows the RADVD configuration to support advertising multiple prefixes on a single router interface.

DocImpact
Change-Id: I7d4e8194815e626f1cfa267f77a3f2475fdfa3d1
Closes-Bug: #1439824
Partially-implements: blueprint multiple-ipv6-prefixes

commit 6c4091418eec5f40bd2fe0c264b1d7d2b70894da
Author: Maru Newby
Date: Fri Apr 3 01:10:07 2015 +0000

Fix functional test using local timeout value

The ovsdb monitor test was using a timeout of 60s for monitor start. This change sets the timeout to the global timeout value if it is greater (it's 90s currently).

Closes-bug: #1439914
Change-Id: I95ee3d7dfdb5f010347a9d8db1b2bf610c0289d1

commit f93007952e40a7ae7cb2d4f3588059acf42ea209
Author: shihanzhang
Date: Tue Mar 31 16:14:12 2015 +0800

Add index for port

This patch will speed up SELECTs on Port with filters by 'network_id + device_owner' and 'network_id + mac_address'.

Closes-bug: #1421089
Change-Id: Ied90b6304df971a6049871f65df3e1aaee624647

commit d82366fe015c6be91d12f3b94fb65f9a03189109
Author: Hong Hui Xiao
Date: Thu Apr 2 08:24:35 2015 -0700

Always run dnsmasq as root

Regarding https://review.openstack.org/#/c/145829/

The old code of DnsMasq will always get root_helper from neutron.agent.dhcp.agent. However, the new code will only set run_as_root when a namespace is used. That will cause a permission error when namespaces are disabled and dnsmasq needs to be started.

Change-Id: Ib00d6e54dba44dbbbec158b9e0518e6e42baceec
Closes-Bug: #1428007

commit 692de8fa522f8da644bb8fc1d06c16403689f06c
Author: Tim Swanson
Date: Tue Mar 31 12:13:16 2015 -0400

Move network MTU from core REST API to extension API

The network MTU was added to the core REST API via https://review.openstack.org/#/c/154921. This commit reverts that change and adds the network MTU to the extension API.
Change-Id: I7a7d679f471ced3230f230684d5ae9789bcca305
Closes-bug: 1434671

commit 593b64dee4c0923fc85d6656e29a2beb27f27b17
Author: Paul Michali
Date: Thu Mar 26 08:01:58 2015 -0400

Refactoring of L3 agent notifications for router

The goal of this refactoring is to reduce duplication by replacing the L3EventObservers mechanism (a specific mechanism for L3 agent notifications) with the CallbacksManager mechanism (a more general mechanism currently in use), so that there is one method used. This is the first part of refactoring the L3 agent so that it uses the new neutron.callbacks mechanism. To do this, duplicate calls will be made for notifications related to the router, only using the new callback mechanism.

This commit does two things. First, it puts in place the notifiers for the new callback mechanism. Second, it updates the metadata proxy agent (which is in the same repo) to use the new callback mechanism. Later commits will update other repos from the old to the new callback mechanism, and then remove the old callback mechanism once it is no longer used.

Change-Id: If134947957fd671aa99a0b2d2b37f7ec65e37766
Partial-Bug: #1433552

commit 0616171a8c493731a85dacde3e10838e5a0053ec
Author: Assaf Muller
Date: Thu Apr 2 10:59:00 2015 -0400

Fix docstring for l3_dvr_db.dvr_vmarp_table_update

Change-Id: I783b0357833cda0e5143581284be720e5d4f3a97

commit 2041ead12d1bf4c2b03fd980fd2a6ce5f653dcfb
Author: Sudipta Biswas
Date: Thu Apr 2 15:06:35 2015 +0530

Treat all negative quota values as -1

Currently if the quota_port, quota_network, quota_subnet values in neutron.conf are set to a negative value not equal to -1, neutron reports the values as is to consumers like Nova. Nova treats -1 as the infinite quota indicator and doesn't expect neutron to return any other non-negative value. The fix allows the flexibility of having any negative number for the quota parameters in the neutron.conf file and allows the nova boot to succeed subsequently. The fix would report any negative value as -1 for port, subnet and network.

Change-Id: Ib9a7136b0bfd01bdf04a5d0937854590029b1010
Closes-Bug: 1438738
Co-Authored-By: Salvatore Orlando

commit ce2ae2fbe53ba9b019dfb6838264fca0b5b98042
Author: abhishek60014726
Date: Wed Mar 25 05:50:29 2015 -0700

Router test enhancements

Add test to attach two routers to the same network
- Create a network
- Create a subnet
- Create two ports for the same network
- Create two routers
- Add router interface with the port_id for two routers by using respective port_ids
- Verify the port device_id with that of router_id
- Verify the port network id with that of the created network

Change-Id: Id9de0edf687319b6e20804daee347b41d8b840a2

commit da12e748d129c6ba38173d0b7a20f7b140bddbd6
Author: YAMAMOTO Takashi
Date: Thu Apr 2 13:57:52 2015 +0900

ovs_neutron_agent: Remove a redundant assignment of ovs_status

Change-Id: I8ed572aa48ccc226137f65514c58ca5c3ba77870

commit 0d98dcc673631265d35d06dee3fe78a51b3be2f7
Author: armando-migliaccio
Date: Wed Apr 1 17:52:01 2015 -0700

Move orphaned api test - deux

According to changes [1,2], the API tests' new home is under neutron/tests/api. Change 92d2054f8a slipped through the cracks. It seems also that wrong imports lead to tests being silently dropped (i.e. not executed). This patch rectifies the issue.

[1] https://review.openstack.org/#/c/169850/
[2] https://review.openstack.org/#/c/167320/

Change-Id: I64be376d7cff9512bd027720116dc039831e7955

commit 81f4469b620ec221f53d3ffb4d00b90896dc5ce1
Author: Dane LeBlanc
Date: Mon Mar 2 22:03:10 2015 -0500

IPv6 SLAAC subnet create should update ports on net

If ports are first created on a network, and then an IPv6 SLAAC or DHCPv6-stateless subnet is created on that network, then the ports created prior to the subnet create are not getting automatically updated (associated) with addresses for the SLAAC/DHCPv6-stateless subnet, as required.

Change-Id: I5901db6655c045c0e78c7cb7fc51ce8c9a9e1933
Closes-Bug: 1427474

commit 1e3cb4ee504b6e1e135cc7a97e2146f13361fe9e
Author: armando-migliaccio
Date: Tue Mar 24 11:30:08 2015 -0700

Add API tests for Neutron DVR extension

This patch adds a number of positive and negative tests for the DVR functionality implemented by Neutron.

Generated using:
./tools/copy_api_tests_from_tempest.sh [path to tempest working directory]

Change-Id: Ia300b736250249ba54bd8fefa1307e6898f71652

commit c5ae4145bc9c92de75f1408b19d0f04fac122178
Author: Cedric Brandily
Date: Wed Apr 1 22:43:13 2015 +0200

Add missing neutron/tests/unit/agent/common/__init__.py

The neutron/tests/unit/agent/common directory defines tests but is not a valid python2 package: __init__.py is missing.

Change-Id: Ida0055b64c23c4af3f4cdce2a777b19418451f33

commit fbc22784149cd6b3ca6d8161e360d3d7c10d94ac
Author: Cedric Brandily
Date: Tue Mar 3 22:26:52 2015 +0000

Allow metadata proxy to log with nobody user/group

Currently the metadata proxy cannot run with the nobody user/group, as the metadata proxy (like other services) uses the WatchedFileHandler handler to log to a file, which does not support a permissions drop (the process must be able to r/w after the permissions drop to "watch" the file). This change allows log watch to be enabled/disabled in metadata proxies with the new option metadata_proxy_log_watch. It should be disabled when metadata_proxy_user/group is not allowed to read/write the metadata proxy log files. The option default value is deduced from metadata_proxy_user:

* True if metadata_proxy_user is the agent effective user id/name,
* False otherwise.

When log watch is disabled and logrotate is enabled on metadata proxy logging files, the 'copytruncate' logrotate option must be used, otherwise metadata proxy logs will be lost after the first log rotation.
DocImpact Change-Id: I40a7bd82a2c60d9198312fdb52e3010c60db3511 Partial-Bug: #1427228 commit eff8af9a22f8b045048b3ad491cf6ea3309110d2 Author: Maru Newby Date: Wed Apr 1 17:30:55 2015 +0000 Move orphaned api test A recent change added a new api test to the old location that is no longer used for discovery. This change moves it to neutron/tests/api/admin to ensure that it can be discovered and run. Change-Id: Ifcada8f9b2178b3159151b0d1953fd841d82ffa6 commit 342859455690fed57adc9296c457f1bd7a7a93a2 Author: Carl Baldwin Date: Thu Mar 26 18:10:10 2015 +0000 Implement default subnet pool configuration settings The default_ipv6_subnet_pool option was added [1] as an integration point between prefix delegation work and subnet allocation work. This patch completes the integration with subnet allocation. This addresses the use case where a deployer wants all ipv6 addresses to come -- by default -- from a globally routable pool of ipv6 addresses. In a deployment with this option set, an API user can still access the old behavior by passing None explicitly as subnetpool_id when creating a subnet. This patch also adds the default_ipv4_subnet_pool for completeness. [1] https://review.openstack.org/#/c/166973 Change-Id: I301189b5cd31d7c5fa4a40fa3e04f8e6ac77592b Partially-Implements: blueprint subnet-allocation commit 748420518c2d9ffdf85ba3f78797326f5c8ec54f Author: Cedric Brandily Date: Fri Feb 27 14:08:23 2015 +0000 Define bridge/port fixtures for OVS/LinuxBridge/Veth backends This change defines for OVS, LinuxBridge and veth[1] bridge and port fixture classes in order to handle bridge and port setUp/cleanUp. It allows to simplify BaseOVSLinuxTestCase[2] and remove BaseBridgeTestCase[2]. 
[1] veth backend simulates a bridge with a veth [2] in neutron.tests.functional.agent.linux.base Change-Id: If34c9a8fb6fa584fb1e30173ec619d1aac9701f9 commit 650bd4a3f964e7cb36f27ffc181b664639744f98 Author: Kyle Mestery Date: Fri Mar 13 14:54:37 2015 +0000 Update core reviewer responsibilities This patch more clearly lays out who can merge code into the plethora of Neutron repositories. It also clarifies a few things with the existing text in places. Change-Id: I2628dad7ba2bbc0b63dd9ed716db6221a5b30b2d commit a8c7db5b9d9bba44660de3c7a64295f9f318b63a Author: Assaf Muller Date: Wed Apr 1 09:38:21 2015 -0400 Remove "Arguments dropped when creating context" logging This log was previously reduced from warning to debug. Cinder removed it entirely in: https://bugs.launchpad.net/cinder/+bug/1329156 The root cause is this: Agent heartbeats use an admin context. The context is serialized with its to_dict method, which exposes 'tenant' and 'project_name' (These are properties of the class that are calculated from other attributes). In the controller, this dict is used to initialize a ContextBase, which does not accept tenant and project_name as arguments, de facto sending those values as key word arguments. We can either handle 'tenant' and 'project_name' specially, fix it any other way, or drop the logging entirely. Is this logging ever useful? Change-Id: Ifd51b62bae7b96de44f04836015d2ed939bcb650 Closes-Bug: #1255441 commit a1b8a770c1f78d346fc33ddadbe5746d5ecdcee8 Author: sridhargaddam Date: Wed Apr 1 12:01:03 2015 +0000 Some cleanup in L3 HA code This patch addresses the following. 1. removes the un-used variables. 2. process_monitor (argument to KeepalivedManager) is changed to a non-default parameter as its used in spawn, disable methods. 
Change-Id: I8b130b21965ed3387e994818be947eb95d73a423 commit d313e668ba03a5438ce2c266bbb236303d5b3227 Author: Assaf Muller Date: Thu Feb 19 20:34:17 2015 -0500 Fix reference to non-existent setup_dvr_flows_on_integ_tun_br Found via the pylint no-member check. Co-authored-by: Kevin Benton Closes-Bug: #1423775 Change-Id: Id4104fa783aa8c34917df6d16ff1290882f93af5 commit eb79e5fe53e61af11033a5b824052d052ee755a9 Author: Henry Gessau Date: Thu Mar 26 22:54:21 2015 -0400 Modify a different agent in test_update_agent_description API test_update_agent_description modifies an agent's description, and test_list_agent assumes the first agent is never modified. We make sure that an agent other than the first one is modified. Closes-bug: 1437124 Change-Id: I7593e2896ab7ef8a14ad35005314382e65e805cb commit 57a445d6c8deab47a9e8615ca7a99da3654fb3de Author: Maru Newby Date: Tue Mar 24 16:21:57 2015 +0000 Move API tests to neutron.test.api To make api test development simpler, move the tests to neutron.tests.api. The neutron.tests.tempest subtree will remain while work continues to transition the required functionality to tempest-lib. Change-Id: Ie90671fbfe2f633e851da82728e152482133fd87 commit 2fa1fc4bb1a324e3878c68a74ca7bdb4bd545db1 Author: Ryan Tidwell Date: Mon Mar 16 11:02:13 2015 -0700 Simple subnetpool allocation quotas Enables enforcement of allocation quotas on subnet pools. The quota is pool-wide, with the value of allocation_quota applied to every tenant who uses the pool. allocation_quota must be non-negative, and is an optional attribute. If not supplied, no quotas are enforced. Quotas are measured in prefix space allocated. For IPv4 subnet pools, the quota is measured in units of /32, i.e. each tenant can allocate up to X /32's from the pool. For IPv6 subnet pools, the quota is measured in units of /64, i.e. each tenant can allocate up to X /64's from the pool. For backward-compatibility, allocation quotas are not applied to the implicit (AKA null) pool. 
Standard subnet quotas will continue to be applied to all requests. ApiImpact Partially-Implements: blueprint subnet-allocation Change-Id: I7e4641f47790414c693c7cc9b7a44b1889087801 commit fb8ea72240700573e97a70597418453374fbd02f Author: Ryan Tidwell Date: Thu Feb 19 15:29:08 2015 -0800 Subnet allocation from a subnet pool Contains API changes, model changes, and logic required to enable a subnet to be allocated from a subnet pool. Users can request a subnet allocation by supplying subnetpool_id and optionally prefixlen or cidr. If cidr is specified, an attempt is made to allocate the given CIDR from the pool. If prefixlen is specified, an attempt is made to allocate any CIDR with the given prefix length from the pool. If neither is specified, a CIDR is chosen from the pool using the default prefix length for the pool. ApiImpact Partially-Implements: blueprint subnet-allocation Change-Id: I59a221f4f434718fb77bd132dbbe1ff50fce4b0c commit 5723970e5fd9fcb44f791881bef56cabf514a857 Author: Maru Newby Date: Tue Mar 24 01:30:11 2015 +0000 Simplify retargetable test framework The retargetable testing prototype previously relied on each test case defining the 'scenarios' attribute used to parameterize testing with testscenarios. Anticipating the requirement to retrofit the imported tempest api test cases, this change moves scenario definition to a base class since scenarios are common across all api tests. This change also sets the retargetable test to skip when invoked against rest. Tempest uses class-level setup for auth and this needs to be broken out into fixtures before the retargetable testing will work again. Change-Id: I70eb21db9b983d45e9bcc7ea90e36f202d3e3e45 commit 749886eb6b065a93dfad7fe7ed930cb77fe37b94 Author: Kevin Benton Date: Tue Mar 31 11:20:18 2015 -0700 Increase max attempts to 2 for pings on ARP tests If the server under test is under heavy load, the requirement of the very first ping passing may be too strict. 
This patch increases the max attempts to 2 for the ARP spoofing tests to give time for the OVS flow changes to take effect. Change-Id: Ib70790da23861a8ed9c77f9c11aaf8fa41bf581c Closes-Bug: #1443916 commit 03be14a569d240865dabff8b4c30385abf1dbe62 Author: Kevin Benton Date: Tue Mar 31 08:53:56 2015 -0700 Revert "Add ipset element and hashsize tunables" This reverts commit b5b919a7a3569ccb93c3d7d523c1edfaeddb7cb9. The current ipset manager code isn't robust enough to handle ipsets that already exist with different parameters. This reverts the ability to change the parameters so we don't break upgrades to Kilo. Change-Id: I538714df52424f0502cb75daea310517d1142c42 Closes-Bug: #1444201 commit 92d2054f8a19cc1a759a8d9707e76c58b3b492d3 Author: zengfagao Date: Wed Mar 25 07:28:25 2015 -0700 Add API tests for subnetpool allocation Add subnetpool creating, listing, updating and deleting via REST API. Change-Id: I0be397e6739a651ce1562137f9b03d0ca8739697 Depends-on: I88c6b15aab258069758f1a9423d6616ceb4a33c4 Partially-Implements: blueprint subnet-allocation commit e7e2609fae70dbffa0ddbf37c7804587e216648c Author: Kevin Benton Date: Mon Mar 30 20:29:51 2015 -0700 Handle no ofport in get_vif_port_to_ofport_map Newly added ports to OVSDB might not yet have an ofport number assigned to them. This causes the return from the DB query to return a list instead of a port number. This patch handles that by attempting to convert each result into an integer and then catching the exception and continuing through the iteration to ignore uninitialized ports like these. It also adds a unit test based on data from a failure observed in the gate. 
Change-Id: I5c1bc8363cc7b07a03df12e3ccd49a09b1907ad2 Closes-Bug: #1444269 commit fa3a3401c1788dcffae64d93966c56cf963e7e28 Author: YAMAMOTO Takashi Date: Tue Mar 31 11:00:14 2015 +0900 Update .coveragerc after the removal of Cisco Nexus monolithic plugin Related-Bug: #1350387 Change-Id: I3b8cb6412f1f13141a82515ab131e373b5a0628d commit 5154d974fdce4625710d3b4f360d45568678eb2f Author: Itsuro Oda Date: Wed Feb 25 13:34:04 2015 +0900 Make floatingip reachable from the same network The problem is that if one tries to communicate from a tenant network to floatingip which attached to a port on the same network, the communication fails. This problem is a regression caused by [1]. [1] https://review.openstack.org/131905/ Before [1] SNAT rule is as follows: -s %(internal_cidr)s -j SNAT --to-source ... (for each internal interface) After [1] SNAT rule is as follows: -o %(interface_name)s -j SNAT --to-source ... (for an external interface) The new rule was considered a super-set of the packets going out to the external interface compared to the old rules. This is true but there is a lack of consideration. Note that the packet is 'going out to external interface' OR 'DNATed' at this point since the rule: ! -o %(interface_name)s -m conntrack ! --ctstate DNAT -j ACCEPT was applied already. So we should consider the following three cases. 1) going out to external interface should be SNATed. It is OK under the new rule but there was a lack of rules for packets from indirectly connected to the router under the old rules. ([1] fixed this.) 2) DNATed (and going out to internal interface) 2-1) came in from internal interface should be SNATed because the return traffic needs to go through the router to complete the conntrack association and to reverse the effect of DNAT on the return packets. If a packet is not SNATed, the return packet may be sent directly to the private IP of the initiator. The old rules did SNAT in this case but the new rule doesn't. 
2-2) came in from external interface nothing to do. This patch adds a rule for the case 2-1). This patch also adds mangle rules to examine whether a packet came from external interface. Change-Id: Ifa695ac5428fb0edba60129a4d61ec0e127a5818 Closes-Bug: #1428887 commit b278feada205330898897bcc446bb3623414f1e1 Author: Maru Newby Date: Mon Mar 30 21:17:19 2015 +0000 Fix functional configure script A recent change to devstack renamed lib/neutron to lib/neutron-legacy, and this change updates the functional setup script to reflect the change. Change-Id: I5eb4b4052da4b0db128feb42feae50a8bc59f373 Closes-Bug: #1438426 commit 012840e2f5397454601c0eb332178da41ff707c8 Author: Kevin Benton Date: Sun Apr 12 14:14:38 2015 -0700 Enable ARP spoofing prevention by default Turn on the ARP spoofing prevention added in I7c079b779245a0af6bc793564fa8a560e4226afe by default. It was disabled by default since it was going into Kilo at the last minute and we didn't want to risk shipping with a default that might have broken an edge case that we didn't consider. This patch enables it by default since there shouldn't be any need to have it disabled. Change-Id: Id17939914ebf8292dce76ccb7d0f6486c91f49e5 commit 07077bebb69da29994257d061d3a8d7ea9598c3d Author: Abishek Subramanian Date: Mon Mar 30 13:24:09 2015 -0400 Support IPv6 Router Allow router-gateway-set to work even without an assigned subnet with the net_id so as to enable IPv6 L3 routing using the assigned LLA for the gateway. The goal is to allow for IPv6 routing using just the allocated LLA address for the gateway port to be used as the external gateway to connect to the upstream router. For this purpose router-gateway-set no longer has a requirement of an assigned subnet. 
A new config has also been added to the l3_agent.ini to allow the user to set a valid ipv6_gateway address to be used as the gateway for the default ::/0 route. If the ipv6_gateway config is not set and a gateway is still created without a subnet, the gateway interface will be configured to accept router advertisements (RAs) from the upstream router so as to build the default route. Unit test changes and additions reflect these changes. APIImpact DocImpact UpgradeImpact Implements: blueprint ipv6-router Change-Id: Iaefa95f788053ded9fc9c7ff6845c3030c6fd6df commit 8a93a0665b42d2d2f86bbd8d340398629b076cd7 Author: Carl Baldwin Date: Tue Mar 10 23:12:51 2015 +0000 Move final remnants of router processing to router classes Change-Id: I467bb680666ec9bc82e55cfe534d74db29009cce Partially-Implements: bp/restructure-l3-agent commit 34380df15b3e28d7bfa4ca3a5a11fcbbcb65e376 Author: Kevin Benton Date: Wed Mar 18 04:13:11 2015 -0700 Only call get_engine().pool.dispose if _FACADE Avoid calling neutron.db.api.get_engine().pool.dispose() if an engine facade has not yet been created since there won't be any connections to get rid of. Calling it on services that do not use the DB (e.g. agents) unnecessarily creates a database connection engine that will never be used. Change-Id: I3dbad1bef5da7b3765898e7d539b4d119b89e73a Closes-Bug: #1433536 commit 8d8be7ee29d13a28e29be1185bb2fc55d392e3c9 Author: Ihar Hrachyshka Date: Mon Mar 30 18:55:04 2015 +0200 Stop using deprecated DEFAULT group for lock_path While we set the configuration option in DEFAULT section, we get the following deprecation message in our logs: WARNING oslo_config.cfg [-] Option "lock_path" from group "DEFAULT" is deprecated. Use option "lock_path" from group "oslo_concurrency". Switch to the new configuration option location. 
Change-Id: I89783cc975a4a845ee57920d83236d6eb698af9c commit 3b66a9ff77a0c77075a1320d832f97de7aeab22a Author: Ihar Hrachyshka Date: Wed Mar 18 14:21:57 2015 +0100 tests: don't rely on configuration files outside tests directory etc/... may be non existent in some build environments. Also, pip does not install those files under the site-packages neutron module, so paths relative to python files don't work. So instead of using relative paths to etc/... contents, maintain our own version of configuration files. It means we need to maintain tests only policy.json file too, in addition to neutron.conf.test and api-paste.ini.test. Ideally, we would make etc/policy.json copied under site-packages in addition to /etc/neutron/. In that way, we would not maintain a copy of policy.json file in two places. Though it seems that setuptools does not have a good way to install files under site-packages that would consider all the differences between python environments (specifically, different prefixes used in different systems). Note: it's not *absolutely* needed to update the test policy.json file on each next policy update, though it will be needed in cases when we want to test policy changes in unit tests. So adding a check to make sure files are identical. This partially reverts commit 1404f33b50452d4c0e0ef8c748011ce80303c2fd. Conflicts: neutron/policy.py Related-Bug: #1433146 Change-Id: If1f5ebd981cf06558d5102524211799676068889 commit ca92ebdf968bef67e5259cdacce27c2cab84bd8a Author: Kevin Benton Date: Tue Sep 16 20:36:42 2014 -0700 Set floating IP port status to "N/A" The status of the port associated with a floating IP would always show as DOWN. This caused confusion to operators that weren't aware that this is expected behavior since the port is only used for an IP allocation. This commit sets the port status to "N/A" to reflect the fact that the port associated with a floating IP has no operational status. 
DocImpact APIImpact Closes-Bug: #1196851 Change-Id: I2f94afa001b213d61f0e5892aae2e6e6de98fe4c commit aa7356b729f9672855980429677c969b6bab61a1 Author: Kevin Benton Date: Sun Mar 29 03:37:25 2015 -0700 Add simple ARP spoofing protection Adds an option to setup OVS rules that will prevent ports attached to the agent from sending any ARP responses that contain an IP address not belonging to the port (in fixed IPs or allowed_address_pairs). It is disabled by default and requires an OVS version that can match on ARP fields. If it is too old, traffic will still flow but it won't have ARP spoofing protection. There is a sanity check to verify that ARP header matching is supported. This prevention is specific to OVS so it will not help with other plugins that use the reference iptables filtering. A non-OVS-specific general approach will require something like the ebtables integration in Ibc6d3d520c1383cf7e00f4bdeb7853a41ac4b14b. Details: A new table is added for ARP spoofing prevention. All ARP traffic on the local switching table is sent to this spoofing table. The spoofing table will allow all ARP requests because we aren't interested in them. It will then install an ARP response allow rule for each IP address the port is assigned. All other ARP responses are dropped. 
DocImpact SecurityImpact Partial-Bug: #1274034 Change-Id: I7c079b779245a0af6bc793564fa8a560e4226afe commit b7bff9e54b4f70fa9d6ee05e27011abdb3fd8dc4 Author: OpenStack Proposal Bot Date: Sun Mar 29 06:13:27 2015 +0000 Imported Translations from Transifex For more information about this automatic import see: https://wiki.openstack.org/wiki/Translations/Infrastructure Change-Id: Iff665505f6cf88bf23e27c0e37a6babb221560d2 commit be77b688b9d7255b2ce68e342af819012ad86f12 Author: Miguel Lavalle Date: Sun Mar 8 17:32:21 2015 -0500 Add tests for the l3 agent namespaces manager The following tests are added for the l3 agent namespaces manager: 1) Unit tests 2) Functional test 3) A test case within the l3 functional test for periodic_sync_routers_task Change-Id: Ia26f1ccdc0a6619aa231c8799acc80377f4144f8 Partially-Implements: bp restructure-l3-agent commit 8c989e67b99745f55d462e21be0eaa00f6a0e9b8 Author: Kevin Benton Date: Thu Jan 15 08:11:49 2015 -0800 Make L3 agent honor periodic_interval setting The periodic_task decorator for the sync routers task was resulting in a default spacing of 60 seconds. This meant that any values less than that for the periodic_interval setting would not work correctly. The fixed interval looping call would run at the periodic_interval but this task would not execute every time as expected. For example, if the periodic_interval was 40 seconds, the task would only end up running every other interval (80 seconds in this case) because every other attempt would be blocked by the default 60 second barrier of periodic_task. This sets the periodic_task spacing variable to 1 second so the interval is controlled only by the loopingcall as expected. Ultimately periodic_task should probably be completely removed since it's not compatible with the fixed interval loopingcall in this manner. 
Closes-Bug: #1411085 Change-Id: I23818c3fab2640b241692f00f9b5a2f923e3cf31 commit bfe3b679096e73015bae6592f926b26fa427f112 Author: Terry Wilson Date: Thu Mar 19 12:43:21 2015 -0500 Handle non-index lookups in native OVSDB backend ovs-vsctl get/set/clear/list can use a record_id that is not an index on the table being queried. For example, the Controller table can be queried by a bridge name. This patch implements the lookup table that ovs-vsctl uses to do these lookups. Change-Id: I1983c48c5839df016046ba2596c7c4affa1ebe00 Closes-Bug: 1435567 commit d907762f3cca1405eedaaad5d5841491576c8c54 Author: Kevin Benton Date: Fri Mar 27 23:18:08 2015 -0700 Fix error raising in security groups method In case there were security groups not belonging to tenant on port _get_security_groups_on_port would try to raise exception but fail trying to index set. This patch simply joins the whole set as a string and inserts it into the standard SecurityGroupNotFound exception. No new exception types, no string freeze violations. Co-Author: watanabe.isao Co-Author: Jacek Swiderski Change-Id: I039ea57269dc53ced8dece0985f33ce9ae7eab17 Closes-Bug: #1373816 commit f45f16537dc2948f69572328338afa2bcd06d10b Author: Akihiro Motoki Date: Sat Mar 28 18:06:18 2015 +0900 Update NEC plugin decomposition status PyPI is now available, so update the document. Related-Bug: #1419396 Related to blueprint core-vendor-decomposition Change-Id: I8d8d96fb4473aa03b518c2e223b9a92fa1cca7e9 commit df7aa02aa5235b389ed8ad013acf9fccd7e877cd Author: Andrew Boik Date: Tue Mar 3 22:39:57 2015 -0500 Auto-update gateway port after subnet-create (Patch set #6 for the multiple-ipv6-prefixes blueprint) In the multi-prefix scenario, one can add two subnets to an external gateway port by adding the two subnets to the external network and using router-gateway-set. 
However, if there is only one subnet on the port and the user wishes to add another later, it is desirable to have the newly-created external subnet automatically added to the port. This patch adds this functionality. Change-Id: I9395834f673038dc23b25eaeefe14895fe154e0e Partially-implements: blueprint multiple-ipv6-prefixes commit e2666293c449ca98c52fc7f661be43323ee36828 Author: Andrew Boik Date: Fri Feb 27 18:48:29 2015 -0500 Allow update of ext gateway IP's w/out port delete (Patch set #5 for the multiple-ipv6-prefixes blueprint) Updating an external gateway port currently triggers a port-delete followed by a port-create. In the multi-prefix case, if a second subnet is added to an external gateway port, the port will be deleted, freeing the original IP allocation, and then the port will be recreated with new IP allocations from the two subnets. This is undesirable as the port can't keep the same IP address from the original subnet. This patch modifies the behavior so that a fixed-ip change on an external gateway port will cause a port-update instead of a delete/create. If the gateway port network id has changed, however, the port will be deleted and recreated as before. Change-Id: I5b19d3b167668ce5c04e7ce8adc63249a4501d0e Partially-implements: blueprint multiple-ipv6-prefixes commit 420c21f6c75484d047a2ed64e4c12f19c495e377 Author: Dane LeBlanc Date: Wed Mar 18 16:38:57 2015 -0400 Support Dual-Stack Gateway Ports on Neutron Routers (Patch set #2 for multiple-ipv6-prefixes blueprint) This patchset adds support for dual-stack gateway ports on Neutron routers. Some background on the changes included in this patchset: - The L3 driver's init_l3() method has been changed to accept a list of gateway IPs, rather than a single gateway IP. - The Neutron port dictionary's singular 'subnet' entry has been replaced with a 'subnets' list, since ports can now be associated with multiple subnets. 
- The Neutron port dictionary no longer has a (singular) 'ip_cidr' entry, since a port can now be associated with multiple IP CIDRs (e.g. up to one IP CIDR per IP family on gateway ports). Instead, a 'prefixlen' entry has been added to the Neutron fixed_ips dictionary, so that the port's (multiple) IP CIDRs can be derived from the matching 'ip_address' and 'prefixlen' pairs in the port's fixed_ips. Change-Id: I150da5938e79eeef0c947ddb1a4282e37d0515ee Partially-implements: blueprint multiple-ipv6-prefixes commit fe210a6ae25a1b143ed97ef9ac366e16a18d9393 Author: Kevin Benton Date: Fri Mar 20 18:56:51 2015 -0700 Remove auto deletion of routers in unit tests Remove the automatic deletion behavior of the router context manager in the L3 unit tests. Any tests that depend on the router being deleted should do so explicitly. It additionally removes the logic from the test_l3_plugin unit tests that was just related to tearing down enough stuff to allow the context managers to exit. It was code that distracted from what the tests were actually verifying. All of the context managers for port, network, and subnet do not auto delete by default and that will be extended to the L3 constructs as well. The patch that did this for ports/subnets/networks is here: https://review.openstack.org/#/c/102465/ Change-Id: Iec97198f18e9fc390ff0747b795f7f309c8f3990 commit 04cd03840977bc32b2bcadcd185a8c4ae19b7159 Author: Dane LeBlanc Date: Wed Mar 18 12:41:25 2015 -0400 No allocation needed for specific IPv6 SLAAC addr assignment (Patch set #7 for the multiple-ipv6-prefixes blueprint) On internal router ports, Neutron allows for an address to be assigned for an IPv6 SLAAC subnet that is not necessarily EUI-64. This makes it easier for subnet create, since a convenient address, e.g. one ending in ::1, can be used as the subnet gateway IP address. 
Currently, when an internal router port is created with a specific (non-EUI-64) address for a SLAAC subnet, the call flow includes a call to _allocate_specific_ip. This call is not necessary, since we're not allocating an address from a pool (and recalibrating availability ranges, etc.). This patch set prevents the call to _allocate_specific_ip for this scenario. Co-Authored-By: Baodong (Robert) Li Change-Id: I2533ee82980bb602faa663b875787ca50b268b34 Partially-implements: blueprint multiple-ipv6-prefixes commit 15a507afb18ebfd0b65b97c6d41a9d490ebdb040 Author: Maru Newby Date: Fri Mar 27 17:39:41 2015 +0000 Remove neutron.tests.sub_base Change Ifca5615680217818b8c5e8fc2dee5d089fbd9532 was intended to remove the neutron.tests.sub_base module, but a bad rebase means that it was left in the tree. Change-Id: I5656a10bf3f8d3e87bf481a5a4f4a764bec17843 commit 18c5a8b2e9161e8beda8a14078a1e8d666e900d1 Author: Kevin Benton Date: Fri Mar 27 08:13:58 2015 -0700 Fix test case for DHCP agent interface restart One of the new test cases in the recent DHCP interface patch[1] was supposed to confirm that the driver wouldn't be restarted if the IP address stayed the same. However, it wasn't matching the device ID of the agent so it was never making it to that conditional. This patch just fixes that UT so it's exercising the right code path. 1. c4a7447e2d659b3a240a62ae9d34e6e0b9cee7a3 Change-Id: I8735c6e533d6b486c32cfded2c22eac8a25c855d commit 2756d9efe08d7cc1f1b244ce72b23007834d9b4f Author: Terry Wilson Date: Tue Mar 24 21:59:44 2015 -0500 Store and log correct exception info Since OVSDB commands execute in a different thread, the exceptions that are passed to the original thread do not contain traceback info from the exception. This patch stores the text from the exception as it is caught so that the calling thread can log it. 
Change-Id: If462c3d5dc104b349218dc910aa281220a5af528 commit f2fca84f7c2ecab79b4b9424d579450a97959ef2 Author: abhishek60014726 Date: Wed Mar 25 04:20:55 2015 -0700 Test to verify shared attribute of network Add function to create a shared network Add function to create a shared network in bulk Add a test to create and update a shared network Add a test to create a port in a shared network using non admin tenant Add test to create shared networks in bulk Add function to list and show shared network Add test to list and show the shared network by admin and non admin Change-Id: I1894d73977d6018306faeda1231bc8523d35f357 commit 90e833a3cbbe4835de82e3d83196cbe4545818c1 Author: Miguel Angel Ajo Date: Tue Mar 24 13:10:37 2015 +0000 Enable Process Monitor by default. Process monitor is enabled by default by this patch, with a default 60 second monitoring interval, this interval was calculated early in the development process to scale to 1000s of processes with light load. We believe it's important to have it enabled to get user feedback as we release kilo. Process monitor is successfully enabled and backported to Red Hat D/S distributions from icehouse to juno without any issue. Specific process monitor functional tests provide coverage, also keepalived checks that it can be properly respawned. We should follow up with dhcp and l3 agent functional testing for killing and checking their processes correctly respawned. Normal process start/stop is already validated by other functional tests and tempest. DocImpact Change-Id: I85fe31bee30714148168a293eea29fa0a37f9701 Implements: blueprint agent-child-processes-status commit c4a7447e2d659b3a240a62ae9d34e6e0b9cee7a3 Author: Kevin Benton Date: Thu Mar 12 02:06:47 2015 -0700 Reload DHCP interface when its port is updated When a DHCP port corresponding to a DHCP agent is updated, trigger a reload on the namespace so it uses the latest port attributes (e.g. IP address). 
Closes-Bug: #1431248 Change-Id: I3d1d7b95a8baa4416f1ea3fbbf25a51b818c2c23 commit abc12279f774bafdc83e03234ef2bad679072a8b Author: Kevin Benton Date: Thu Mar 26 19:52:23 2015 -0700 Don't eagerly load ranges from IPAllocationPool The subnet object eagerly loads the IPAllocationPools associated with it. Each of these was eagerly loading the IPAvailabilityRange objects associated with it. On a large subnet with lots of churn, this could be thousands of records. All of these records were being loaded for every call to get_subnet, which means all get_subnets, get_networks, and so-on. icky This patch changes the relationship between IPAllocationPool and available_ranges to a 'select' load, so they won't be loaded until referenced. On my test system with a subnet that contained 10k ports, this changed the subnet-show time from 4.7 seconds to 0.56 seconds. There is no performance downside to this in the upstream code. At the time of this patch, there were no references to 'available_ranges' on an IPAllocationPool result. The logic that deals with the available ranges queries them explicitly using join statements. Change-Id: Ia94ce9437ad21e4f21526ba84213fd673693db34 Closes-Bug: #1437131 commit 3f0c2b552a28b2e9cb8b80dc1691680f65d812db Author: Dan Prince Date: Thu Mar 26 22:19:58 2015 -0400 Revert "Fix validation of physical network name for flat nets" This reverts commit dbe37d571474ca759e57e61308cd3926a00b481e. This validation change broke TripleO's os-cloud-config setup-neutron script. Change-Id: I94c419b26ba93c67c9064fc110c8986c1ff68897 Closes-bug: #1437116 commit 766c2738ae16ebbae37f26b17e261f0112616bb5 Author: Itsuro Oda Date: Fri Jan 9 08:47:56 2015 +0900 Enable services on agents with admin_state_up False Previously when admin_state_up of an agent is turned to False, all services on it will be disabled. This fix makes existing services on agents with admin_state_up False keep available. To keep current behavior available the following configuration parameter added. 
* enable_services_on_agents_with_admin_state_down If the parameter is True, existing services on agents with admin_state_up False keep available. No more service will be scheduled to the agent automatically. But adding a service to the agent manually is available. i.e. admin_state_up: False means to stop automatic scheduling when the parameter is True. The default of the parameter is False (current behavior). Change-Id: Ifba606a5c1f3f07d717c7695a7a64e16238c2057 Closes-Bug: #1408488 commit a314544defd29bc95e2f012ad24028ea1aabfae8 Author: Maru Newby Date: Mon Mar 23 23:18:44 2015 +0000 Simplify base test cases Previous changes (Ifa270536481fcb19c476c9c62d89e6c5cae36ca1 and I44251db399cd73390a9d1931a7f253662002ba10) separated out test setup that had to import Neutron to allow the api tests to run. The api tests previously imported Tempest, and errors would result if both Neutron and Tempest were imported in the same test run. Now that the api tests do not import Tempest, the base test cases can be simplified by reversing the referenced changes. A dependent change to neutron-fwaas removes reference to testlib plugin: I0f2098cfd380fb6978d643cfd09bcc5cf8ddbdb9 Change-Id: Ifca5615680217818b8c5e8fc2dee5d089fbd9532 commit 6abc6399df4903881a1ee292be9f721e0252c529 Author: Ilya Sokolov Date: Tue Dec 23 13:22:20 2014 +0000 Send only one rule in queue on rule create/delete Now we send all labels and rules per rule create/delete and rebuild whole iptables chains. In this patch we send only affected rule and create/ delete only this rule from iptables. Change-Id: I58ebd8d810c62980c09a340ee1680be17c12b74a Closes-Bug: #1400280 commit e0ea5edc128e7191d11514868b5711c23ef23821 Author: John Schwarz Date: Tue Oct 14 14:09:14 2014 +0300 Add full-stack tests framework This patch introduces the full-stack tests framework, as specified in the blueprint. In short, this adds the neutron.tests.fullstack module, which supports test-managed neutron daemons. 
Currently only neutron-server is supported and follow-up patches will support for multiple agents. Implements: blueprint integration-tests Co-Authored-By: Maru Newby Change-Id: Iff24fc7cd428488e918c5f06bc7f923095760b07 commit f8d6aa9c9ad676a29ff0874b5bf5b9fb898259c7 Author: Miguel Angel Ajo Date: Tue Mar 24 13:07:37 2015 +0000 Stop any spawned ProcessMonitor at test cleanup Base test class adds a cleanup fixture to stop any spawned process monitor via unit or functional tests, which otherwise would keep running after the tests already finished, and execution functions go unpatched. Without this patch unit tests will randomly fail when we enable process monitor by default at change: I85fe31bee30714148168a293eea29fa0a37f9701 Co-Authored-By: Maru Newby Change-Id: Ide799a52391b14ff921de25788e8b0f0463fb8f8 commit fa7e7d022ef14099b3261462a4f72bde4df7d4a8 Author: armando-migliaccio Date: Thu Mar 26 11:15:19 2015 -0700 Add missing DeferredOVSBridge export To preserve bw compat. Change-Id: Ice23208bacfe855b6d6224604a5d4fc1550eb7e3 commit af1f99478722893ea5e68e79ea8790f7e390a631 Author: Assaf Muller Date: Tue Mar 24 19:56:37 2015 -0400 Use router state in get_ha_device_name and ha_network_added get_ha_device_name and ha_network_added were moved from the agent to the router class, but they're not using the router state. Rather, they're accepting arguments that they don't need. Partially-Implements: bp/restructure-l3-agent Change-Id: I9a70cbc4c45ceadd8b0a86c49ac35f0885db4997 commit 857345c9e21a044b3e2a9cd7b070e34bd75c27fd Author: Mike Kolesnik Date: Thu Mar 26 15:35:05 2015 +0200 Added note about removing bridge from mappings A bridge removed from mappings is not managed by the OVS agent anymore, but continues to be connected to the integration bridge. Added a note about it in the config so that deployers make sure they don't end up in a sticky situation. 
Change-Id: I8992f842046651e0f231c6bf08b65efa07056757 Related-bug: #1436267 commit 72093e26a5a61c78e046d994f114ae650efdf482 Author: Kyle Mestery Date: Thu Mar 26 12:58:08 2015 +0000 Add language around re-proposing specs for new releases Attempt to provide guidance over how we handle specs which do not make a release and want to be re-proposed into the next release. Change-Id: I3820438e81fced0630c471f1e240174e63bbf062 commit 1c49571d296db07deb766149fe66756b5b4db66a Author: Romil Gupta Date: Sun Mar 22 23:38:00 2015 -0700 Follow up patch for Validate when DVR enabled, l2_pop is also enabled Reference: https://review.openstack.org/#/c/165311/ For VLAN underlays, DVR does not mandate l2-pop to be turned ON. So just checking for enable_tunneling and validating for l2-pop being turned ON is more than sufficient. Change-Id: I96695dc623b4ea37d3ef1384eb9ac9c1384d3da3 Closes-Bug: #1417633 commit 379243ca1af79e622623bd83b6cc5f065caabaef Author: Ann Kamyshnikova Date: Wed Mar 25 12:57:43 2015 +0300 Fix displaying of devref for TestModelsMigrations One of the lists is displaying incorrectly in description of results of output from TestModelsMigrations. Change-Id: Ib400bb49b4189169c9e5ae1ba62e86aec4926fb1 commit bb9b0e01a4fe8df80c1917235252d721324828a5 Author: jun xie Date: Thu Mar 26 14:18:59 2015 +0800 Use 1/0 as booleans for DB2 DB2 stores booleans as 0 and 1. It does not recognize True/False. Change-Id: Idaba2fa5bba259e69a1f92c531c3389b3293cf75 Closes-Bug: #1436674 commit d6f1fb67d2ee7b5d138ab952a1d6ae7673aeab77 Author: rajeev Date: Fri Mar 6 10:02:30 2015 -0500 If configured, set the MTU for fpr/rfp interfaces if network_device_mtu parameter is configured, set the MTU for fpr and rfp interfaces to the value specified by the parameter at the time of creation of these interfaces. Enhanced DVR functional test to verify MTU gets set for the fpr/rfp interfaces. 
Co-Authored-By: Adolfo Duarte
Closes-bug: #1429162
Change-Id: Ie41122d1f7306dfd3debbbb8dbf2ecabf716dcb8

commit 5b44f48ff384d60833c0fadcea78f35ce98d6f11
Author: Angela Smith
Date: Wed Mar 4 15:59:23 2015 -0800

Add L3 router plugin shim for Brocade MLX

Change-Id: I4eba6a3fb8ce2b22e0d142643d753ee2314425b8
Closes-Bug: #1428316

commit f0d9410a8268e01369a43c5159621f3083855b5f
Author: Adelina Tuvenie
Date: Tue Mar 24 11:29:17 2015 -0700

OVS agent support on Hyper-V

This patch abstracts away platform specific differences in agent/linux/utils.py and agent/linux/polling.py in order for OVS neutron agent to work on Hyper-V.

agent.linux.utils uses fcntl that is not available on Windows and also uses rootwrap which is not necessary on Windows.

ovsdb_monitor.SimpleInterfaceMonitor works only on GNU/Linux because agent.linux.async_process uses platform specific components like the kill command.

Unit tests have been updated accordingly.

Implements blueprint: hyper-v-ovs-agent
Change-Id: I3326414335467d9dc5da03e6d1016d0e32330dd0

commit d74603cb8136bf8b9574e7197892f8f762221688
Author: Dane LeBlanc
Date: Sat Mar 14 20:54:16 2015 -0400

No IPv6 SLAAC addrs for create router intf without fixed_ips

Consider the following sequence:
- Create a neutron network
- Create multiple subnets on the network, including one or more IPv6 SLAAC subnets
- Create a router port on the network without specifying fixed_ips

The port created in this case is incorrectly getting associated with addresses from the SLAAC subnet(s). This patch corrects this behavior.
Change-Id: Ic0ab2294c5487f85baade8f879946dfe738d109b
Closes-Bug: 1432270

commit 79fcf57b3757dd52cbae6cf0898d07f067ea375b
Author: Assaf Muller
Date: Tue Mar 24 19:45:11 2015 -0400

Move process_ha_router_added/removed from HA agent to router

* Move process_ha_router_added/removed from ha.py to ha_router.py, rename them initialize and terminate
* Remove _process_ha_router (Spawns/disables keepalived) from process_router (Called when adding/updating and deleting a router), move its content to process_router for add/update and terminate for delete
* Rename ha_router.spawn_keepalived to enable_keepalived (Consistent with disable_keepalived and process_manager semantics)

Partially-Implements: bp/restructure-l3-agent
Change-Id: I1f21acdae2ae1faa2c78affaa3f1ce9056487104

commit 94951504a12735309e84f643d6d685a77bbd8f5a
Author: Martin Kletzander
Date: Thu Mar 19 17:25:57 2015 +0100

Fix common misspellings

Wikipedia's list of common misspellings [1] has a machine-readable version. This patch fixes those misspellings mentioned in the list which don't have multiple right variants (as e.g. "accension", which can be both "accession" and "ascension"), such misspellings are left untouched. The list of changes was manually re-checked for false positives.

[1] https://en.wikipedia.org/wiki/Wikipedia:Lists_of_common_misspellings/For_machines

Partial-Bug: #1390035
Change-Id: Ie5d86247cc4f50b6578a9b76c9c8cade35128d5a
Signed-off-by: Martin Kletzander

commit 355ab2f31cf81575c6e1c0899526177711425428
Author: Darragh O'Reilly
Date: Wed Mar 18 20:45:10 2015 +0000

Fix port status not being updated properly

This problem was introduced by hierarchical port bindings and affected ports bound on linuxbridge hosts as that agent only passes the first 11 chars of the port_id to the plugin.
Closes-Bug: 1433461
Change-Id: I8a3863ac1bb1c359de210c535462acbb107adf98

commit 15947d3399cff8a61750e8040c4017a2ec1e2892
Author: armando-migliaccio
Date: Tue Feb 10 12:50:11 2015 -0800

Decouple L3 and service plugins during DVR router migration

This change leverages the event registry to decouple L3, VPN and FW when checking whether a router can be converted to a DVR router. This patch cleans the UT's too.

Depends-on: I5bfec047ec8404a6d699115a9da332988518f807
Depends-on: I6505fd11776e29895457e67806bec34d3f2c6e24
Related-blueprint: services-split
Related-blueprint: plugin-interface-perestroika
Change-Id: I6b5769a51b81b965c644d8a9a4e7d424f4f89114

commit 0a12058aab0b176eb33ebdc550df7050552b1e12
Author: Saggi Mizrahi
Date: Wed Mar 18 15:57:41 2015 +0200

Fix minor nits in _notify_l3_agent_new_port()

- Moved string formatting to the log instead of call
- Used dict.get() instead of __getitem__(). I assume that was the author's intent or the subsequent condition is redundant.

Change-Id: If2fa3654591607c01effc12cc1bafea38ac4945d
Signed-off-by: Saggi Mizrahi

commit 403ac1011d2642fff3ecf433b95d71a8dd03e2ac
Author: Kobi Samoray
Date: Tue Mar 3 11:44:18 2015 +0200

VMWare NSXv: Metadata default gateway param

Add a default gateway parameter for metadata access from remote network. This parameter is necessary when NSXv metadata proxy is on a different cluster than the management VM and network, and hence requires routing.

Change-Id: I420f48ee315e4406a1a684467bcea0cb8a79f53f
Partially-Implements: blueprint vmware-nsx-v

commit 0e8f7e1712b2bd92725622568b99901e0bcda59a
Author: Kevin Benton
Date: Sat Mar 21 09:10:25 2015 -0700

Remove unnecessary 'IN vs ==' sql query branches

Removes some branches in the codebase that switch queries depending on whether a WHERE match is against a single criteria or multiple criteria. For multiple options an 'IN' statement was used and for a single option an '==' was used.
This is completely unnecessary complexity and branching in our codebase because the 'col IN items' statement is just a nice syntax offered by SQL that gets converted into 'col==item1 OR col==item2 OR col==item3...' statements under the hood. So in the case of one item, 'WHERE col IN "F"' is the same as 'WHERE col = "F"'.

Change-Id: I8bee8c49d72958f5ae424f87c9dc98b8abe6f579

commit c1893ae8d4579840ce9bfe95fbf80aa952a1110e
Author: Roey Chen
Date: Wed Mar 18 09:29:19 2015 -0700

Fix create_security_group_rule_bulk_native to return all created rules

create_security_group_rule_bulk_native should return all of the created security-group rules, but returns only one; this patch fixes the issue and adds a unit test to validate it.

Closes-Bug: #1434207
Change-Id: I8611c83fecf90e025b24b09fc3a371cbeebce637

commit b96a22661290ce2ea747537512eab2fb767679e6
Author: Erik Colnick
Date: Fri Jan 23 12:16:28 2015 -0700

Improve DVR scale performance

Only process floating ips on a router that are relevant to the agent hosting the router (don't process floating ips assigned to a router if the associated vm is not hosted on the compute node requesting the router sync). In this way, the number of database calls made during the DVR router updates is optimized to eliminate unnecessary duplication of calls which return the same data or are made to get data for routers which are not relevant to the sync_routers request from the agent.

Change-Id: I4e8477bb61ffff164d2f3bbebb94e95a25838ce0
Partial-Bug: #1413314

commit 88fb463b3cfcd27888c02858cb45c5c5f3bda3a6
Author: Yushiro FURUKAWA
Date: Tue Jan 6 17:53:54 2015 +0900

Enable to apply policies to resources with special plural

Some neutron resources with special plural form can not apply the policy control using policy.json when create/update/delete the resource.
Following resources can not apply the policy control because of wrong pluralize process:
* firewall_policy
* ipsec_policy
* ikepolicy

Current pluralize process is as following: "resource" + "s"
e.g. *_policy -> *_policys

This fix enables to apply the policy control with those resources.
*_policy -> *_policies

Change-Id: I38a55e95f653f69edd477dbbcbdd6e956c0a0e2b
Closes-Bug: 1407886

commit e5cdaf22f82f1aac429e815d72123e3333bacd5d
Author: Yushiro FURUKAWA
Date: Thu Feb 19 19:11:27 2015 +0900

Enable to specify context on POST requests during unittests

NeutronDbPluginV2TestCase has a method 'new_create_request' to send 'POST' request. But, it doesn't have an argument 'context'. So, we can not execute create-test as a tenant-user (NOT admin user), e.g. FWaaS resources can not be tested with the context in creating. This fix enables to specify 'context' when executing new_create_request.

Closes-Bug: #1423470
Related-Bug: #1408236
Change-Id: Id8dc8cff87ca658e86c192b8da047f0c62989a4e

commit 5dccff1cb3367f88b7a7851988b19caad313b036
Author: YAMAMOTO Takashi
Date: Wed Mar 18 11:07:09 2015 +0900

Fix DBDuplicateError handling in _ensure_default_security_group

The coding in change-id Ibb0597d4db187c856f9ac1d9700701e0165c3c73 catches and ignores DBDuplicateError in a nested transaction. It would cause another exception, InvalidRequestError, on the next operation. ("This Session's transaction has been rolled back") This commit fixes it. Also, tweak a test case to expose the error.

Closes-Bug: #1433418
Related-Bug: #1419723
Change-Id: Ie4de271c0512fb2ecc6ed6842ad20386e3785a9c

commit dca76ab40976241cd48417f91eaed8d74a31693f
Author: Ivar Lazzaro
Date: Mon Mar 2 10:56:36 2015 -0800

Missing entry points for cisco apic topology agents

Change-Id: I75eb481bac67436299b4ea3ac6bca6ea1a7dd4d6
Closes-Bug: 1427343

commit 3d1d08e0085d45c61fd19e4d1dcedda386f040f8
Author: watanabe.isao
Date: Thu Jan 8 11:15:44 2015 +0900

Validate string length at API level

Add validation of string field.
The length of API validation matches max length of DB entries, which is 255.
[Before fix] DB returns 500 internal DB Error.
[After fix] Neutron returns 400 Bad Request Error (e.g. "XXX" exceeds maximum length of 255).

APIImpact
Change-Id: Ide98f347da563c5df10daca00491027a1b78523b
Closes-Bug: 1408230

commit 9436cbdfb2c0d113517bc6108ded7d0397a096cb
Author: Isaku Yamahata
Date: Fri Oct 17 15:35:44 2014 +0900

ml2: remove stale _filter_nets_l3 in get_networks

The commit of 0156ec175cc047826b211727d43d5d14a3e1f2d2 change-id of I47e01a11afaf6e6bcf06da7bd713fd39b05600ff which fixes bug 1132849 removed the call of _filter_nets_l3 methods. But somehow the fix missed ml2 plugin. This patch fixes ml2 plugin and removes the unused method.

Change-Id: I4d13223c170fd6777773970e0d22a191b98dd5ee
Closes-Bug: #1382360

From mriedem at us.ibm.com Tue May 26 15:33:52 2015
From: mriedem at us.ibm.com (Matt Riedemann)
Date: Tue, 26 May 2015 15:33:52 -0000
Subject: [Openstack-security] [Bug 1416314] Re: BUG : when live-migration failed, lun-id couldn't be rollback
References: <20150130090750.712.84034.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150526153353.6514.23747.launchpad@gac.canonical.com>

** Tags added: libvirt live-migration
** Tags added: volum
** Tags removed: volum
** Tags added: volumes

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1416314

Title: BUG : when live-migration failed, lun-id couldn't be rollback
Status in OpenStack Compute (Nova): Confirmed

Bug description:
Hi, guys
I'm testing live-migration with openstack Juno.
When live-migrate failed with error, lun-id of connection_info in bdm table couldn't be rolled back.

my test version is following :
Openstack Version : Juno ( 2014.2.1)
Compute Node OS : 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
Compute Node multipath : multipath-tools 0.4.9-3ubuntu7.2
backend storage : EMC VNX 5400

test step is :
1) create 2 Compute node (host#1 and host#2)
2) create 1 VM on host#1 (vm01)
3) create 2 cinder volumes (vol01, vol02)
4) attach 2 volumes to vm01 (vdb, vdc)
5) host#2's iscsi interface down - this situation can occur frequently in production
6) live-migrate vm01 from host#1 to host#2
7) live-migrate fails
   - please check connection_info(lun-id) of bdm at this time, then you can find the lun-id of cinder-volume is not rolled back
   - please check lun's storage_group by using unisphere, then you can find lun has two storage groups.

This Bug is very critical because the VM can have different lun mappings when this case occurs, so that the filesystem of the volume can be broken. Actually this case occurred and my vm's filesystem was broken. And I think every backend storage of cinder-volume can have the same problem because this is the bug of live-migration's rollback process.

please fix this bug ASAP. Thank you.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1416314/+subscriptions

From mriedem at us.ibm.com Tue May 26 19:17:00 2015
From: mriedem at us.ibm.com (Matt Riedemann)
Date: Tue, 26 May 2015 19:17:00 -0000
Subject: [Openstack-security] [Bug 1416314] Re: BUG : when live-migration failed, lun-id couldn't be rollback
References: <20150130090750.712.84034.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150526191700.21165.24943.malone@gac.canonical.com>

Is this still an issue on master (liberty) level code? I'm assuming the virt driver here is libvirt - can someone confirm?
I'm also confused about the 'controller-info' comment in the block_device_mapping table in comment 2 - do you mean the connection_info column which is a serialized dict?

Looking at the nova.virt.libvirt.driver.pre_live_migration() method, I see it's connecting to a volume and the connection_info dictionary is updated in the nova.virt.libvirt.volume code, but I don't see where that connection_info dict comes back to the virt driver's pre_live_migration method and persists the change to the database.

What I do see is that pre_live_migration returns a pre_live_migration_result dict to the compute manager which gets passed to live_migration in the virt driver and that uses it to update the domain xml here:

http://git.openstack.org/cgit/openstack/nova/tree/nova/virt/libvirt/driver.py?id=2015.1.0#n5431

which eventually gets here:

http://git.openstack.org/cgit/openstack/nova/tree/nova/virt/libvirt/driver.py?id=2015.1.0#n5306

It seems like that could cause issues, but I still don't see where anything is persisted to the database that requires rollback.

From mriedem at us.ibm.com Tue May 26 19:54:21 2015
From: mriedem at us.ibm.com (Matt Riedemann)
Date: Tue, 26 May 2015 19:54:21 -0000
Subject: [Openstack-security] [Bug 1416314] Re: BUG : when live-migration failed, lun-id couldn't be rollback
References: <20150130090750.712.84034.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150526195421.6034.99820.malone@chaenomeles.canonical.com>

*** This bug is a duplicate of bug 1419577 ***
    https://bugs.launchpad.net/bugs/1419577

This appears to be a duplicate of bug 1419577 which has already gone through the security team.
** This bug has been marked a duplicate of bug 1419577
   when live-migrate failed, lun-id couldn't be rollback in havana
From mriedem at us.ibm.com Tue May 26 20:02:40 2015
From: mriedem at us.ibm.com (Matt Riedemann)
Date: Tue, 26 May 2015 20:02:40 -0000
Subject: [Openstack-security] [Bug 1419577] Re: when live-migrate failed, lun-id couldn't be rollback in havana
References: <20150209012956.20741.53343.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150526200243.5885.5796.launchpad@wampee.canonical.com>

** Tags added: live-migration volumes

-- 
You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1419577

Title: when live-migrate failed, lun-id couldn't be rollback in havana
Status in OpenStack Compute (Nova): Confirmed
Status in OpenStack Security Advisories: Won't Fix

Bug description:
Hi, guys
When live-migrate failed with error, lun-id of connection_info column in Nova's block_device_mapping table couldn't be rolled back, and the failed VM can have others' volume.

my test environment is following :
Openstack Version : Havana ( 2013.2.3)
Compute Node OS : 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Compute Node multipath : multipath-tools 0.4.9-3ubuntu7.2

test step is :
1) create 2 Compute node (host#1 and host#2)
2) create 1 VM on host#1 (vm01)
3) create 1 cinder volume (vol01)
4) attach 1 volume to vm01 (/dev/vdb)
5) live-migrate vm01 from host#1 to host#2
6) live-migrate success
   - please check the mapper by using multipath command in host#1 (# multipath -ll), then you can find mapper is not deleted.
     and the status of devices is "failed faulty"
   - please check the lun-id of vol01
7) Again, live-migrate vm01 from host#2 to host#1 (vm01 was migrated to host#2 at step 4)
8) live-migrate fail
   - please check the mapper in host#1
   - please check the lun-id of vol01, then you can find the lun has "two" igroups
   - please check the connection_info column in Nova's block_device_mapping table, then you can find lun-id couldn't be rolled back

This Bug is a critical security issue because the failed VM can have others' volume, and every backend storage of cinder-volume can have the same problem because this is the bug of live-migration's rollback process.

I suggest below methods to solve issue :
1) when live-migrate is complete, nova should delete mapper devices at origin host
2) when live-migrate is failed, nova should rollback lun-id in connection_info column
3) when live-migrate is failed, cinder should delete the mapping between lun and host (Netapp : igroup, EMC : storage_group ...)
4) when volume-attach is requested , cinder volume driver of vendors should make lun-id randomly to reduce the probability of mis-mapping

please check this bug. Thank you.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1419577/+subscriptions

From mriedem at us.ibm.com Fri May 29 14:16:23 2015
From: mriedem at us.ibm.com (Matt Riedemann)
Date: Fri, 29 May 2015 14:16:23 -0000
Subject: [Openstack-security] [Bug 1419577] Re: when live-migrate failed, lun-id couldn't be rollback in havana
References: <20150209012956.20741.53343.malonedeb@chaenomeles.canonical.com>
Message-ID: <20150529141623.1716.24494.malone@chaenomeles.canonical.com>

I'm trying to sort this out a bit.
Looking at the nova.virt.libvirt.driver.pre_live_migration() method, I see it's connecting to a volume and the connection_info dictionary is updated in the nova.virt.libvirt.volume code, but I don't see where that connection_info dict comes back to the virt driver's pre_live_migration method and persists the change to the database.

This is where pre_live_migration() connects the volume:

http://git.openstack.org/cgit/openstack/nova/tree/nova/virt/libvirt/driver.py?id=2015.1.0#n5813

Let's assume we're using the LibvirtISCSIVolumeDriver volume driver, the connect_volume method in there will update the connection_info dict here:

http://git.openstack.org/cgit/openstack/nova/tree/nova/virt/libvirt/volume.py?id=2015.1.0#n483

That change never gets persisted back to the block_device_mapping table for the bdm instance, but we've connected the volume potentially on another host so if live migration fails and we never rollback the volume connection_info to the source host (before pre_live_migration), and reboot the instance, then the bdm will be recreated from what's in the database which will be wrong.
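The rollback the reporter asks for in item 2 (and the origin-host cleanup in item 1), together with a check for the "two storage groups" symptom, modelled as an added example; this is not Nova's code. BdmStore, FakeISCSIVolumeDriver, live_migrate, dangling_lun_mappings and the volume/host names are constructed stand-ins for the block_device_mapping table, an iSCSI volume driver's connect_volume, and the bug report's scenario.

```python
import copy


class MigrationError(Exception):
    """Simulated failure of the migration step (e.g. the dest iSCSI path is down)."""


class BdmStore:
    """Stand-in for Nova's block_device_mapping table; rows are copied in and out."""
    def __init__(self):
        self._rows = {}
    def get(self, bdm_id):
        return copy.deepcopy(self._rows[bdm_id])
    def save(self, bdm_id, row):
        self._rows[bdm_id] = copy.deepcopy(row)
    def rows(self):
        return [copy.deepcopy(r) for r in self._rows.values()]


class FakeISCSIVolumeDriver:
    """Mimics connect_volume in an iSCSI volume driver: it writes a host-specific
    device path into connection_info and maps the host onto the backend LUN."""
    def __init__(self):
        self.lun_hosts = {}  # volume_id -> hosts in the LUN's storage group / igroup
    def connect_volume(self, connection_info, host):
        data = connection_info["data"]
        self.lun_hosts.setdefault(data["volume_id"], set()).add(host)
        data["device_path"] = "/dev/disk/by-path/ip-%s-iscsi-%s-lun-%d" % (
            data["target_portal"], data["target_iqn"], data["target_lun"])
        data["host"] = host
    def disconnect_volume(self, connection_info, host):
        self.lun_hosts.get(connection_info["data"]["volume_id"], set()).discard(host)


def live_migrate(store, driver, bdm_id, dest, migrate):
    """Migrate the instance owning bdm_id to dest. On failure the dest mapping is
    torn down and the pre-migration row written back (the reporter's item 2)."""
    row = store.get(bdm_id)
    src = row["host"]
    saved = copy.deepcopy(row)  # snapshot taken before pre_live_migration touches it
    try:
        driver.connect_volume(row["connection_info"], dest)  # pre_live_migration on dest
        migrate(src, dest)  # the migration itself
    except MigrationError:
        driver.disconnect_volume(row["connection_info"], dest)  # undo the dest mapping
        store.save(bdm_id, saved)  # roll back lun-id / device path in the table
        return False
    driver.disconnect_volume(row["connection_info"], src)  # item 1: clean the origin host
    row["host"] = dest
    store.save(bdm_id, row)  # persist the connection_info that is now in effect
    return True


def dangling_lun_mappings(store, driver):
    """Detection check: LUNs the backend maps to a host other than the one the
    bdm table says owns the instance (the 'two storage groups' symptom)."""
    owner = {r["connection_info"]["data"]["volume_id"]: r["host"] for r in store.rows()}
    return {vol: sorted(hosts - {owner.get(vol)})
            for vol, hosts in driver.lun_hosts.items() if hosts - {owner.get(vol)}}


def demo():
    """Constructed scenario from the report: vm01 on host1 with vol01 attached;
    host2's iSCSI interface is down, so the migration to host2 fails."""
    store, driver = BdmStore(), FakeISCSIVolumeDriver()
    row = {"instance": "vm01", "host": "host1", "connection_info": {
        "driver_volume_type": "iscsi",
        "data": {"volume_id": "vol01", "target_portal": "10.0.0.5:3260",
                 "target_iqn": "iqn.2015-05.example:vol01", "target_lun": 1}}}
    driver.connect_volume(row["connection_info"], "host1")
    store.save("bdm-1", row)

    def failing_migration(src, dest):
        raise MigrationError("iscsi interface down on %s" % dest)

    migrated = live_migrate(store, driver, "bdm-1", "host2", failing_migration)
    after_rollback = store.get("bdm-1")
    clean = dangling_lun_mappings(store, driver)
    # Unfixed behaviour: connect on dest, fail, never undo; the LUN is now mapped
    # to two hosts and the check flags host2.
    driver.connect_volume(store.get("bdm-1")["connection_info"], "host2")
    leaked = dangling_lun_mappings(store, driver)
    return migrated, after_rollback, clean, leaked
```

Running dangling_lun_mappings against the real backend's LUN masking and the bdm table is the kind of consistency check that would have surfaced the reporter's second storage group before a filesystem was damaged.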