2.21-2-B40:ip_address parameter in VM name is resulting in incorrect IP being assigned to the VM instance.

Bug #1584625 reported by Sandeep Sridhar
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| Juniper Openstack | Status tracked in Trunk | | | |
| R2.20 | Fix Committed | Medium | Ashok Singh | |
| R2.21.x | Fix Committed | Medium | Ashok Singh | |
| R2.22.x | Fix Committed | Medium | Ashok Singh | |
| R3.0 | Fix Committed | Medium | Ashok Singh | |
| R3.0.2.x | Fix Committed | Medium | Ashok Singh | |
| R3.1 | In Progress | Medium | Ashok Singh | |
| Trunk | Fix Committed | Medium | Ashok Singh | |

Bug Description

A VM is created from horizon with the VM name defined as "vm2 --ip_address=x.x.x.x". This results in neutron assigning the IP address x.x.x.x to the VM instead of a free IP address from the associated network. Perhaps there is an issue with parsing?

Steps to replicate :

1. Create an Image and a Virtual Network (for ex. 50.50.50.0/24)
2. Launch Horizon, go to Project -> Instances -> Launch Instance.
3. In the Instance Name, key in "vm2 --ip_address=50.50.50.200" ( see snapshot )
4. Launch the instance the usual way by populating other fields.

Once the VM is launched, the VM takes the IP address 50.50.50.200 instead of picking a free IP address from the VN 50.50.50.0/24.

Maybe ip_address is a valid parameter and should not be used in the VM name? Please add some GUI validation that prevents the user from launching an instance should that be the case.

Greetings,
Sandeep.

Tags: vrouter
Sandeep Sridhar (ssandeep) wrote :
information type: Proprietary → Public
Jeba Paulaiyan (jebap)
tags: added: ui
Rahul (rahuls) wrote :

This is how it is supposed to behave, keys are passed like this.

Config already has a bug of allocating dup IIP's.

tags: added: config
removed: horizon ui
Sandeep Sridhar (ssandeep) wrote :

Hi Rahul - Do you mean, this is by design and not a bug ?

- Sandeep.

Sachin Bansal (sbansal)
tags: added: horizon
removed: config
Sandeep Sridhar (ssandeep) wrote :

Also, when this issue occurs, I see both IPs getting installed into the vrouter routing table. This is not correct. Please see the below output and the corresponding snapshot.

root@contrail76:~# nova list
+--------------------------------------+-------------------------------------------+-----------+------------+-------------+------------------------------------+
| ID                                   | Name                                      | Status    | Task State | Power State | Networks                           |
+--------------------------------------+-------------------------------------------+-----------+------------+-------------+------------------------------------+
| c615f6b7-91e5-4954-8301-07b2eb0a4bd0 | vmTest --ip_address=50.50.50.200          | ACTIVE    | -          | Running     | BMSNetwork=50.50.50.9              |
+--------------------------------------+-------------------------------------------+-----------+------------+-------------+------------------------------------+

Greetings,
Sandeep.

Sandeep Sridhar (ssandeep) wrote :

Hello, Could this be related to https://bugs.launchpad.net/juniperopenstack/+bug/1519768 ?

It could be a possible security issue: if someone sets the argument to another customer's IP address, the target VM could be accessed by an unintended party. Can you please let me know when we intend to fix this?

Greetings,
Sandeep.

Prakash Bailkeri (prakashmb) wrote :

The issue is with "vrouter-port-control" script called for sending plug message to vrouter-agent.

It wrongly parses the VM name and interprets the "--ip_address" which is part of the VM name.

        cmd_args = ("--oper=add --uuid=%s --instance_uuid=%s --vn_uuid=%s "
                    "--vm_project_uuid=%s --ip_address=%s --ipv6_address=%s"
                    " --vm_name=%s --mac=%s --tap_name=%s --port_type=%s "
                    "--tx_vlan_id=%d --rx_vlan_id=%d" % (vif['id'],
                    instance.uuid, vif['network']['id'],
                    instance.project_id, ip_addr, ip6_addr,
                    instance.display_name, vif['address'],
                    vif['devname'], ptype, -1, -1))

Along similar lines, if the VM name contains "--xx", the "plug" will fail from nova compute and the VM info will not be sent to vrouter-agent.

2016-06-23 11:10:33.840 2544 INFO nova.scheduler.client.report [-] Compute_service record updated for ('contrail64', 'contrail64.juniper.net')
2016-06-23 11:10:34.273 2544 ERROR nova.virt.libvirt.vif [-] [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] Failed while plugging vif
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] Traceback (most recent call last):
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] File "/usr/lib/python2.7/dist-packages/nova/virt/libvirt/vif.py", line 593, in plug_vrouter
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] utils.execute('vrouter-port-control', cmd_args, run_as_root=True)
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] File "/usr/lib/python2.7/dist-packages/nova/utils.py", line 163, in execute
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] return processutils.execute(*cmd, **kwargs)
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] File "/usr/lib/python2.7/dist-packages/nova/openstack/common/processutils.py", line 203, in execute
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] cmd=sanitized_cmd)
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] ProcessExecutionError: Unexpected error while running command.
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] Command: sudo nova-rootwrap /etc/nova/rootwrap.conf vrouter-port-control --oper=add --uuid=f2782847-4d5d-4d8d-bcf1-358633e4c182 --instance_uuid=626b1b37-507e-41aa-8992-2f77a836c68d --vn_uuid=9fedd29b-5e6b-4213-a5b3-73948fb82264 --vm_project_uuid=f1b93ade003c4215ac63caa95e7e4ba7 --ip_address=50.50.50.46 --ipv6_address=None --vm_name=prakash --ip-address=1.2.3.4 --mac=02:f2:78:28:47:4d --tap_name=tapf2782847-4d --port_type=NovaVMPort --tx_vlan_id=-1 --rx_vlan_id=-1
2016-06-23 11:10:34.273 2544 TRACE nova.virt.libvirt.vif [instance: 626b1b37-507e-41aa-8992-2f77a836c68d] Exit code: 2
2016-06-2...


tags: added: vrouter
removed: horizon
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/21579
Submitter: Ashok Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] contrail/kilo-2015.1.2

Review in progress for https://review.opencontrail.org/21582
Submitter: Ashok Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/21588
Submitter: Ashok Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/21589
Submitter: Ashok Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.21.x

Review in progress for https://review.opencontrail.org/21590
Submitter: Ashok Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.22.x

Review in progress for https://review.opencontrail.org/21591
Submitter: Ashok Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/21588
Committed: http://github.org/Juniper/contrail-controller/commit/a964b0d7c17cff55fbb643f54ccbd608f702906c
Submitter: Zuul
Branch: R3.0

commit a964b0d7c17cff55fbb643f54ccbd608f702906c
Author: ashoksingh <email address hidden>
Date: Thu Jun 30 13:30:49 2016 +0530

Add support for special characters in Rest Interface for port addition

Vrouter-port-control script is used by nova-compute to send port add/delete notifications. This script now accepts arguments which have special characters, provided the arguments are enclosed by double quotes. This was required to support the need for special characters in VM Name.

Partial-Bug: #1584625
(cherry picked from commit dcd90d39e6d9848020ac455498bf041fc29e9e03)

Change-Id: I82a0fca45be3e28f89e27626cc246653edaeccf6

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/21579
Committed: http://github.org/Juniper/contrail-controller/commit/dcd90d39e6d9848020ac455498bf041fc29e9e03
Submitter: Zuul
Branch: master

commit dcd90d39e6d9848020ac455498bf041fc29e9e03
Author: ashoksingh <email address hidden>
Date: Thu Jun 30 13:30:49 2016 +0530

Add support for special characters in Rest Interface for port addition

Vrouter-port-control script is used by nova-compute to send port add/delete notifications. This script now accepts arguments which have special characters, provided the arguments are enclosed by double quotes. This was required to support the need for special characters in VM Name.

Change-Id: Idb207e37d2018440d2b0a6f953091985af9ee4a0
Partial-Bug: #1584625

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0.2.x

Review in progress for https://review.opencontrail.org/21613
Submitter: Ashok Singh (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/21590
Committed: http://github.org/Juniper/contrail-controller/commit/241346826dc943dceecc36e4a3cac096627f11e1
Submitter: Zuul
Branch: R2.21.x

commit 241346826dc943dceecc36e4a3cac096627f11e1
Author: ashoksingh <email address hidden>
Date: Thu Jun 30 13:30:49 2016 +0530

Add support for special characters in Rest Interface for port addition

Vrouter-port-control script is used by nova-compute to send port add/delete notifications. This script now accepts arguments which have special characters, provided the arguments are enclosed by double quotes. This was required to support the need for special characters in VM Name.

Partial-Bug: #1584625

(cherry picked from commit a7062add0cc71694afc39830f2eb20687214e156)

Change-Id: Ia014da5cbc2f2a4135f37bad4e5785e45f165d9e

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/21613
Committed: http://github.org/Juniper/contrail-controller/commit/a3b376120d4981570d155cfb5f5daa5f16f6bbf8
Submitter: Zuul
Branch: R3.0.2.x

commit a3b376120d4981570d155cfb5f5daa5f16f6bbf8
Author: ashoksingh <email address hidden>
Date: Thu Jun 30 13:30:49 2016 +0530

Add support for special characters in Rest Interface for port addition

Vrouter-port-control script is used by nova-compute to send port add/delete notifications. This script now accepts arguments which have special characters, provided the arguments are enclosed by double quotes. This was required to support the need for special characters in VM Name.

Partial-Bug: #1584625
(cherry picked from commit dcd90d39e6d9848020ac455498bf041fc29e9e03)

Change-Id: I70254935ac18cc8fa413dbb64b68d66c9a195a51

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/21589
Committed: http://github.org/Juniper/contrail-controller/commit/8ce35452d6b66492a938a995c297cc6081993c7f
Submitter: Zuul
Branch: R2.20

commit 8ce35452d6b66492a938a995c297cc6081993c7f
Author: ashoksingh <email address hidden>
Date: Thu Jun 30 13:30:49 2016 +0530

Add support for special characters in Rest Interface for port addition

Vrouter-port-control script is used by nova-compute to send port add/delete notifications. This script now accepts arguments which have special characters, provided the arguments are enclosed by double quotes. This was required to support the need for special characters in VM Name.

Partial-Bug: #1584625
(cherry picked from commit dcd90d39e6d9848020ac455498bf041fc29e9e03)

Change-Id: I5683cc50dc22eaf9444ed08ee12bd3c93bf97a21

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/21591
Committed: http://github.org/Juniper/contrail-controller/commit/12219bb679a6839051156eafe113098b2219fea0
Submitter: Zuul
Branch: R2.22.x

commit 12219bb679a6839051156eafe113098b2219fea0
Author: ashoksingh <email address hidden>
Date: Thu Jun 30 13:30:49 2016 +0530

Add support for special characters in Rest Interface for port addition

Vrouter-port-control script is used by nova-compute to send port add/delete notifications. This script now accepts arguments which have special characters, provided the arguments are enclosed by double quotes. This was required to support the need for special characters in VM Name.

Partial-Bug: #1584625
(cherry picked from commit a7062add0cc71694afc39830f2eb20687214e156)

Change-Id: Ide5f2835dbea2034fa2891eff913f134950ac09b

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/21582
Committed: http://github.org/Juniper/nova/commit/c9da85e3a8c6ec8f98529353977a36770c53b429
Submitter: Zuul
Branch: contrail/kilo-2015.1.2

commit c9da85e3a8c6ec8f98529353977a36770c53b429
Author: ashoksingh <email address hidden>
Date: Thu Jun 30 13:56:58 2016 +0530

Add support for special characters in Rest Interface for port addition

Pass arguments to vrouter-port-control script by enclosing them in double quotes so that argument boundary can be detected.

Change-Id: Ic797a60e7fc7165494287eafd058bd23f4b506cc
Partial-Bug: #1584625

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/27619
Submitter: Bill Brinzer (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/27619
Committed: http://github.org/Juniper/contrail-controller/commit/cc881a4c9d57c00816ee0ca82f6536f38b63cd7f
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit cc881a4c9d57c00816ee0ca82f6536f38b63cd7f
Author: Bill Brinzer <email address hidden>
Date: Wed Jan 18 16:47:34 2017 -0500

Update Netronome Python code for compatibility with unpatched Nova

1. Allow plugging unconfigured vRouter ports under certain conditions
(Required for interoperability with unpatched Nova.)

2. Support --oper=(add|delete) command-line syntax in vrouter-port-control.

The new version of vrouter-port-control has a separate command-line parser
per subcommand, for clarity of --help output. Add a compatibility shim for
the previous version's --oper=VERB syntax.

3. Split single-arg command line for compatibility with unpatched nova-compute

The original (unaccelerated) nova-compute and vrouter_api.py pass all the
vrouter-port-control command line arguments lumped together as a single
string. vrouter-port-control, in turn, would attempt to split these on a
regex that matches only whitespace followed by an option.

This approach is vulnerable to injection attacks; see Launchpad #1584625.
Later code introduced a workaround involving double quotes, but this is
still vulnerable to a (different) injection attack. The correct fix is to
pass the command-line arguments as a list rather than lumped together into
a single string.

For the sake of compatibility with unaccelerated nova-compute, if the
command-line arguments are passed as a single string, we attempt to split
them on one of the two original regexes here, stripping quotes if
applicable.

4. Exit with an error status in case of a command-line argument syntax error
(e.g., IP address with extraneous text). (Workaround for oslo_config bug.)

5. Fail VirtIO port plugging gracefully if the virtiorelayd component
(required for accelerating ports in VirtIO mode) is not installed.

The previous code would fail with a stack trace and the enigmatic message:

AttributeError: 'NoneType' object has no attribute 'PortControlRequest'

This has been replaced with a much clearer log message which indicates the
source of the problem:

CRITICAL: vrouter-port-control:
ImportError: No module named virtiorelayd.virtiorelayd_pb2

6. Only import python-zmq when needed for virtiorelayd

This reduces the set of extra packages needed for the new
vrouter-port-control script to run in unaccelerated mode to:

- python-werkzeug
- python-tornado

Change-Id: I693437cea3d7544b069641a5de066512796d5541
Partial-Bug: #1644348
Related-Bug: #1584625
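
The argument-boundary problem discussed in this thread, as an added example that is not code from contrail-controller or nova: it contrasts re-splitting one lumped string with passing an argv list. The regex, the reduced option set, the placeholder port UUID and all function names are assumptions standing in for the real script.

```python
import argparse
import re

# Assumed stand-in for the legacy splitter: cut the lumped string wherever
# whitespace is followed by something that looks like an option.
OPTION_BOUNDARY = re.compile(r"\s+(?=--)")


def build_parser():
    # Hypothetical subset of the options visible in the nova-compute log.
    parser = argparse.ArgumentParser(prog="port-control-demo", add_help=False)
    for opt in ("--oper", "--uuid", "--ip_address", "--vm_name"):
        parser.add_argument(opt)
    return parser


def lumped_cmd(port_uuid, ip_addr, vm_name):
    # Same shape as cmd_args in plug_vrouter: the tenant-chosen display name
    # is formatted into one string together with the trusted values.
    return ("--oper=add --uuid=%s --ip_address=%s --vm_name=%s"
            % (port_uuid, ip_addr, vm_name))


def parse_lumped(cmd):
    """Legacy path: re-split one string. Returns (exit_code, namespace)."""
    argv = OPTION_BOUNDARY.split(cmd.strip())
    try:
        return 0, build_parser().parse_args(argv)
    except SystemExit as exc:  # argparse exits with 2 on an unknown option
        return exc.code, None


def parse_list(port_uuid, ip_addr, vm_name):
    """List path: one argv element per option, so no boundary is guessed."""
    argv = ["--oper=add", "--uuid=" + port_uuid,
            "--ip_address=" + ip_addr, "--vm_name=" + vm_name]
    return build_parser().parse_args(argv)


if __name__ == "__main__":
    port = "PORT-UUID-PLACEHOLDER"           # constructed value
    name = "vm2 --ip_address=50.50.50.200"   # instance name from the report
    _, legacy = parse_lumped(lumped_cmd(port, "50.50.50.9", name))
    print("lumped:", legacy.ip_address, repr(legacy.vm_name))
    fixed = parse_list(port, "50.50.50.9", name)
    print("list:  ", fixed.ip_address, repr(fixed.vm_name))
    code, _ = parse_lumped(lumped_cmd(port, "50.50.50.46",
                                      "prakash --ip-address=1.2.3.4"))
    print("unknown option in name -> exit code", code)
```

The list form only holds if the caller also starts the process with an argv list, so that the display name is never formatted into a string that is split again later.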
