[Openstack-security] [Bug 1632537] Re: l3 agent print the ERROR log in l3 log file continuously , finally fill file space, leading to crash the l3-agent service

Jeremy Stanley fungi at yuggoth.org
Mon Aug 7 15:21:18 UTC 2017


"Denial of service" conditions arising from unconstrained resource
consumption by authenticated users is a grey area we struggle with
classifying (and we don't even have confirmation yet that it _can_ be
triggered intentionally by mere users of the environment). At some
point, operators must have a means of identifying abuse by their users,
locking them out and cleaning up the mess. In a "typical" production
deployment servicing potentially risky users, how quickly can an abuser
"fill up" your logs doing this? Will your monitoring system alert
operations to the increase in activity and disk utilization in
reasonable time for them to take mitigating action? Are deployments
likely to include rate-limiting proxies which further throttle problem
API calls such as these?

In most cases, we triage such reports as security hardening
opportunities (class D in our taxonomy:
https://security.openstack.org/vmt-process.html#incident-report-taxonomy )
and since this report is
already public there's no harm in doing that for now while entertaining
further discussion on whether it should be reclassed and any potential
advisory issued.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1632537

Title:
  l3 agent print the ERROR log in l3 log file continuously ,finally fill
  file space,leading to crash the l3-agent service

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent [req-5d499217-05b6-4a56-a3b7-5681adb53d6c - d2b95803757641b6bc55f6309c12c6e9 - - -] Failed to process compatible router 'da82aeb4-07a4-45ca-ae7a-570aec69df29'
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent Traceback (most recent call last):
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/l3/agent.py", line 501, in _process_router_update
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     self._process_router_if_compatible(router)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/l3/agent.py", line 438, in _process_router_if_compatible
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     self._process_added_router(router)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/l3/agent.py", line 446, in _process_added_router
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     ri.process(self)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/l3/dvr_local_router.py", line 488, in process
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     super(DvrLocalRouter, self).process(agent)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/l3/dvr_router_base.py", line 30, in process
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     super(DvrRouterBase, self).process(agent)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/l3/ha_router.py", line 386, in process
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     super(HaRouter, self).process(agent)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/common/utils.py", line 385, in call
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     self.logger(e)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     self.force_reraise()
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     six.reraise(self.type_, self.value, self.tb)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/common/utils.py", line 382, in call
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     return func(*args, **kwargs)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/l3/router_info.py", line 964, in process
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     self.process_address_scope()
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/l3/dvr_edge_router.py", line 239, in process_address_scope
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     self.snat_iptables_manager, ports_scopemark)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib64/python2.7/contextlib.py", line 24, in __exit__
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     self.gen.next()
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/iptables_manager.py", line 461, in defer_apply
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent     raise n_exc.IpTablesApplyException(msg)
  2016-10-12 10:04:38.587 25667 ERROR neutron.agent.l3.agent IpTablesApplyException: Failure applying iptables rules

  This ERROR information will fill the l3-agent log file continuously until
  the problem is solved; it will fill the file space.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1632537/+subscriptions
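
The monitoring question raised in the message above, sketched as an added example (not code from the thread or from neutron): it measures how fast a log in the quoted format grows, groups the repeating ERROR headlines, and estimates the time left before the disk fills. The sample lines, function names and free-space figures are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# oslo.log-style line: "<date> <time>.<ms> <pid> <LEVEL> <logger> <message>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+) (\w+) (\S+) (.*)$")
REQ_RE = re.compile(r"^\[req-[^\]]*\]\s*")  # request-context prefix
UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def constructed_sample(repeats=5, interval=2):
    """Constructed lines: one failure repeated every `interval` seconds."""
    out = []
    for i in range(repeats):
        pre = "2016-10-12 10:04:%02d.587 25667 ERROR neutron.agent.l3.agent" % (
            38 + i * interval)
        out.append("%s [req-%08x-0000-0000-0000-000000000000 - - - - -] Failed to "
                   "process compatible router '%08x-0000-0000-0000-000000000000'"
                   % (pre, i, i % 2))
        out.append(pre + " Traceback (most recent call last):")
        out.append(pre + " IpTablesApplyException: Failure applying iptables rules")
    return out


def summarize(lines):
    """Return (bytes_per_second, Counter of normalized ERROR headlines)."""
    first = last = None
    total = 0
    headlines = Counter()
    for line in lines:
        total += len(line.encode()) + 1  # +1 for the newline on disk
        m = LINE_RE.match(line)
        if not m:
            continue
        last = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        first = first or last
        level, msg = m.group(3), m.group(5)
        # Only the headline carries a request context; traceback lines do not.
        if level == "ERROR" and REQ_RE.match(msg):
            headlines[UUID_RE.sub("<uuid>", REQ_RE.sub("", msg))] += 1
    span = (last - first).total_seconds() if first else 0.0
    return (total / span if span else 0.0), headlines


def seconds_until_full(free_bytes, bytes_per_second):
    """Time left at the observed growth rate; None if the log is not growing."""
    return free_bytes / bytes_per_second if bytes_per_second > 0 else None
```

Stripping request IDs and UUIDs before counting is what collapses the flood into one headline, so an alert can fire on a single message repeating rather than on raw ERROR volume.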



