[release-announce] os_vif 1.13.0 (stein)

no-reply at openstack.org
Mon Dec 10 22:08:44 UTC 2018


We exuberantly announce the release of:

os_vif 1.13.0: A library for plugging and unplugging virtual
interfaces in OpenStack.

This release is part of the stein release series.

The source is available from:

    https://git.openstack.org/cgit/openstack/os-vif

Download the package from:

    https://pypi.org/project/os_vif

Please report issues through launchpad:

    https://bugs.launchpad.net/os-vif

For more details, please see below.

1.13.0
^^^^^^


New Features
************

* In this release the OVS plugin was extended to always plug VIFs,
  even when libvirt could plug the VIF. This will enable faster
  migration leveraging the multiple port bindings work completed in
  the Rocky release.


Security Issues
***************

* In this release an edge case where libvirt plugged the VIF instead
  of os-vif was addressed. Previously, if "ovs_hybrid_plug" was set to
  "False" in the port binding details, os-vif would only ensure the
  OVS bridge existed and the plugging would be done by libvirt. As a
  result, during live migration there was a short interval where a
  guest could receive tagged broadcast, multicast, or flooded traffic
  to/from another tenant. This vulnerability is described in bug
  1734320. By ensuring that os-vif always creates the OVS port as part
  of VIF plugging, we enable Neutron to isolate the port prior to Nova
  resuming the VM on the destination node. Note that, as Nova cannot
  rely on Neutron to send "network-vif-plugged" events on completion
  of wiring up an interface, it cannot wait to receive a notification
  before proceeding with the migration. As a result, this is a partial
  mitigation and additional changes will be required to fully address
  this bug.

   (https://bugs.launchpad.net/neutron/+bug/1734320)

* A new config option was introduced for the OVS VIF plugin. The
  "isolate_vif" option was added as a partial mitigation of bug
  1734320. The "isolate_vif" option defaults to "False" for backwards
  compatibility with SDN-controller-based OpenStack deployments. For
  all deployments using the reference implementation of ML2/OVS with
  the Neutron L2 agents, "isolate_vif" should be set to "True". This
  option instructs the OVS plugin to assign the VIF to the Neutron
  dead VLAN (4095) when attaching the interface to OVS. By setting the
  VIF's VLAN to this dead VLAN number, we eliminate the small attack
  vector that exists for other tenants to read packets during the
  VIF's bring up.
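
A configuration check for the "isolate_vif" setting described in the last item, added here as an example; it is not part of os-vif or of this announcement. It assumes the OVS plugin reads its options from the "[os_vif_ovs]" group of the compute node's configuration file (the announcement names only the option), and the function name and sample file contents are constructed.

```python
import configparser

# Assumption: the OVS plugin's options live in the [os_vif_ovs] group; the
# announcement itself only gives the option name and its default.
GROUP, OPTION = "os_vif_ovs", "isolate_vif"


def audit_isolate_vif(conf_text, ml2_ovs_reference=True):
    """Return (effective_value, status) for the text of one config file.

    status is "ok", "weak" (reference ML2/OVS deployment without isolation),
    "misplaced" (option set in a group the plugin does not read) or "invalid".
    """
    # default_section is renamed so [DEFAULT] is parsed as an ordinary group
    # and its keys are not inherited by [os_vif_ovs].
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, default_section="__unused__")
    parser.read_string(conf_text)

    effective = False  # documented default, kept for SDN controller setups
    if parser.has_option(GROUP, OPTION):
        try:
            effective = parser.getboolean(GROUP, OPTION)
        except ValueError:
            return None, "invalid"
    elif any(parser.has_option(s, OPTION) for s in parser.sections()):
        # Set somewhere else, so the default (False) still applies.
        return False, "misplaced"

    if ml2_ovs_reference and not effective:
        return False, "weak"
    return effective, "ok"


# Constructed sample files, not taken from a real deployment.
UNSET = "[DEFAULT]\ndebug = false\n"
HARDENED = "[os_vif_ovs]\nisolate_vif = True\n"
MISPLACED = "[DEFAULT]\nisolate_vif = True\n"
INVALID = "[os_vif_ovs]\nisolate_vif = enabled\n"

if __name__ == "__main__":
    for name, text in [("unset", UNSET), ("hardened", HARDENED),
                       ("misplaced", MISPLACED), ("invalid", INVALID)]:
        print(name, audit_isolate_vif(text))
```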

Changes in os_vif 1.12.0..1.13.0
--------------------------------

d291213 add isolate_vif config option
165ed32 always create ovs port during plug
8df626b Update min tox version to 2.0
dd69c70 Do not import pyroute2 on Windows


Diffstat (except docs and test files)
-------------------------------------

os_vif/internal/command/ip/api.py                  | 10 ++--
.../always-plug-vifs-for-ovs-1d033fc49a9c6c4e.yaml | 37 ++++++++++++++
tox.ini                                            |  2 +-
vif_plug_ovs/constants.py                          |  3 ++
vif_plug_ovs/linux_net.py                          |  4 +-
vif_plug_ovs/ovs.py                                | 48 ++++++++++++++++--
vif_plug_ovs/ovsdb/ovsdb_lib.py                    |  4 +-
8 files changed, 140 insertions(+), 25 deletions(-)
