LBaaS VIP creation does not validate or reserve requested address

Bug #1129672 reported by Mark McClain
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Aaron Rosen

Bug Description

When creating a VIP the address is not checked that it belongs in the supplied subnet. The subnet is also not checked to ensure that the tenant has access rights.

Tags: lbaas
OpenStack Infra (hudson-openstack) wrote : Fix proposed to quantum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/22279

Changed in quantum:
status: New → In Progress
Ilya Shakhat (shakhat) wrote :

While I agree that VIP lacks validation of subnet access rights and IP range, I have concerns that the patch actually introduces a binding between Vip and Quantum Port. During the initial discussion in the LBaaS group it was explicitly decided that Vip is responsible for q-port creation and does not require it. If such a change is needed I'd suggest opening it for discussion between LBaaS folks.

Mark McClain (markmcclain) wrote :

This change is necessary to ensure that the address is valid and available on the subnet and that the allocation is integrated with the network's IPAM. There are a number of reasons the allocation could fail: not within subnet, subnet not accessible by tenant, address already allocated, subnet out of addresses, etc. Quantum knows this information at call time and the API should fail fast when a failure condition exists. If Quantum accepts the value on faith there is no guarantee that the VIP could be created at a later point in time, causing unexpected behavior.

Note: The port is set to down without any device owner/id, so an LBaaS implementation can use the port however it sees fit, whether plugging it into a namespace, attaching it to a service router, passing it as a port to a service VM, migrating the fixed_ip to another port on the subnet, or ignoring it.

dan wendlandt (danwent) wrote : Re: [Bug 1129672] Re: LBaaS VIP creation does not validate or reserve requested address

Yeah, the original discussion that I recall was more around whether the
tenant would pass in a port-id. In Mark's patch, we grab a port, but
really only as a way of ensuring that the IP address is available, and
preventing anything else from allocating that IP after the fact.

Dan

On Tue, Feb 19, 2013 at 9:36 AM, Mark McClain <email address hidden> wrote:

> This change is necessary to ensure that the address is valid and
> available on the subnet and that the allocation is integrated with the
> network's IPAM. There are a number of reasons the allocation could fail:
> not within subnet, subnet not accessible by tenant, address already
> allocated, subnet out of addresses, etc. Quantum knows this information
> at call time and the API should fail fast when a failure condition
> exists. If Quantum accepts the value on faith there is no guarantee
> that the VIP could be created at a later point in time causing
> unexpected behavior.
>
>
> Note: The port is set to down without any device owner/id, so a LBaaS
> implementation can use the port however it sees fit. Whether plugging it
> into a namespace, attaching it to a service router, passing it as port to a
> service VM, migrating the fixed_ip to another port on the subnet, or
> ignoring it.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira, Inc: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~

dan wendlandt (danwent)
Changed in quantum:
milestone: grizzly-3 → grizzly-rc1
Changed in quantum:
assignee: Mark McClain (markmcclain) → Aaron Rosen (arosen)
OpenStack Infra (hudson-openstack) wrote : Fix merged to quantum (master)

Reviewed: https://review.openstack.org/22279
Committed: http://github.com/openstack/quantum/commit/0dc5e2a0022238ad1e1957bebbf14e459c3699c6
Submitter: Jenkins
Branch: master

commit 0dc5e2a0022238ad1e1957bebbf14e459c3699c6
Author: Mark McClain <email address hidden>
Date: Sun Feb 17 23:31:02 2013 -0500

    create a Quantum port to reserve VIP address

    fixes bug 1129672

    The API previously allowed a VIP to be created without verifying that
    the tenant had access to the subnet and that the address was valid and
    available. This change modifies VIP creation behavior to create a
    Quantum port with the requested address. If an address is not provided, an
    address is allocated using the normal allocation process for the subnet.

    This change also renames the port attribute to protocol_port to remove the
    ambiguity about which type of port it represents.

    Additional tests were added to validate the change in behavior.

    Change-Id: Ib19ef653887da568364b4faa0d2c0fac30970b5f

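The fail-fast checks Mark lists above (not within subnet, subnet not accessible by tenant, address already allocated, subnet out of addresses) and the commit's "reserve the address, or allocate one normally if none is given" behaviour, as an added illustration that is not Quantum's code: `Subnet`, `reserve_vip` and `try_reserve` are constructed stand-ins for the subnet record plus its IPAM state, and shared subnets are deliberately not modelled.

```python
import ipaddress


class VipAllocationError(ValueError):
    """Raised when a requested VIP address cannot be validated and reserved."""


class Subnet:
    """Constructed stand-in for a Quantum subnet plus its IPAM state (not Quantum's model)."""

    def __init__(self, subnet_id, tenant_id, cidr, gateway_ip=None):
        self.id = subnet_id
        self.tenant_id = tenant_id
        self.network = ipaddress.ip_network(cidr)
        self.gateway_ip = ipaddress.ip_address(gateway_ip) if gateway_ip else None
        self.allocated = set()  # fixed IPs already held by ports on this subnet

    def reserve_vip(self, tenant_id, requested=None):
        """Check every condition Quantum already knows at call time, then take the address.

        Mirrors the fix's intent: make the reservation up front so the API fails
        fast instead of accepting an address on faith. Shared subnets are not modelled."""
        if tenant_id != self.tenant_id:
            raise VipAllocationError("subnet %s not accessible by tenant %s" % (self.id, tenant_id))
        if requested is not None:
            addr = ipaddress.ip_address(requested)
            if addr not in self.network:
                raise VipAllocationError("%s not within subnet %s" % (addr, self.network))
            unusable = (self.network.network_address, self.network.broadcast_address, self.gateway_ip)
            if addr in unusable:
                raise VipAllocationError("%s is reserved on subnet %s" % (addr, self.network))
            if addr in self.allocated:
                raise VipAllocationError("%s already allocated" % addr)
        else:
            # No address supplied: allocate the first free host, as normal IPAM would.
            free = (h for h in self.network.hosts()
                    if h != self.gateway_ip and h not in self.allocated)
            addr = next(free, None)
            if addr is None:
                raise VipAllocationError("subnet %s out of addresses" % self.network)
        self.allocated.add(addr)  # the reservation keeps a later port from taking it
        return str(addr)


def try_reserve(subnet, tenant_id, requested=None):
    """Return (True, address) on success or (False, reason) on a fail-fast rejection."""
    try:
        return True, subnet.reserve_vip(tenant_id, requested)
    except VipAllocationError as exc:
        return False, str(exc)
```

Each rejection names the condition at request time, which is the behaviour the bug asked for in place of discovering the problem when the VIP is later realised.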
Changed in quantum:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in quantum:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in quantum:
milestone: grizzly-rc1 → 2013.1