linux bridge agent disables ipv6 before adding an ipv6 address
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
Mitaka | Fix Released | Undecided | Seyeong Kim |
neutron | Fix Released | Undecided | Brian Haley |
neutron (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Seyeong Kim |
Bug Description
[Impact]
When using linuxbridge and after creating network & interface to ext-net, disable_ipv6 is 1. Then linuxbridge-agent doesn't add ipv6 properly to newly created bridge.
[Test Case]
1. deploy basic mitaka env
2. create external network(ext-net)
3. create ipv6 network and interface to ext-net
4. check if related bridge has ipv6 ip
- no ipv6 originally
or
- cat /proc/sys/
After this commit, I was able to see ipv6 address properly.
[Regression]
This has been patched in newer releases of neutron for a while; regression potential of the backport should be fairly low. You need to restart neutron-
This patch could cause bridge related issue. Bridge can lose its child interface's information, or assign wrong information to bridge or interface, and there could be issue related to interface deletion belongs to bridge. The risk is the same if it is ipv4 or ipv6.
[Others]
-- original description --
Summary:
========
I have a dual-stack NIC with only an IPv6 SLAAC and link local address plumbed. This is the designated provider network NIC. When I create a network and then a subnet, the linux bridge agent first disables IPv6 on the bridge and then tries to add the IPv6 address from the NIC to the bridge. Since IPv6 was disabled on the bridge, this fails with 'RTNETLINK answers: Permission denied'. My intent was to create an IPv4 subnet over this interface with floating IPv4 addresses for assignment to VMs via this command:
openstack subnet create --network provider \
--allocatio
--dns-
--gateway 10.54.204.129 --subnet-range 10.54.204.128/25 provider
I don't know why the agent is disabling IPv6 (I wish it wouldn't), that's probably the problem. However, if the agent knows to disable IPv6 it should also know not to try to add an IPv6 address.
Details:
========
Version: Newton on CentOS 7.3 minimal (CentOS-
Seemingly relevant section of /var/log/
Changed in neutron (Ubuntu):
status: New → Fix Released
description: updated
tags: added: sru-neede sts
tags: added: sts-sru-needed; removed: sru-neede
description: updated
Changed in neutron (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Seyeong Kim (xtrusia)
Changed in cloud-archive:
status: New → Fix Released
description: updated
IPv6 is disabled on bridge devices because it was exposing the hypervisor to possible attack from local VMs running on a compute node - i.e. you could ping and try to ssh to that IP, especially in the OVS hybrid case. Could be we're being overly aggressive in disabling it.
I'm not super knowledgeable on the linux bridge agent, but if you had a stack trace on how this is getting triggered it could probably be fixed.
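The check the reporter asks for (do not try to add an IPv6 address to a bridge whose disable_ipv6 is 1), sketched as an added example; it is not neutron's code and not the fix that was released. The function names, the `proc_root` parameter, the device names and the sample addresses are assumptions made for illustration, and skipping link-local addresses is this example's own choice.

```python
import ipaddress
import os
import tempfile

# Assumption: the standard Linux per-device sysctl location; proc_root is a
# parameter so the check can be exercised against a constructed tree.
SYSCTL_FMT = "sys/net/ipv6/conf/{dev}/disable_ipv6"


def ipv6_disabled(dev, proc_root="/proc"):
    """True if disable_ipv6 is 1 for dev, or dev has no IPv6 sysctl entry."""
    path = os.path.join(proc_root, SYSCTL_FMT.format(dev=dev))
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except FileNotFoundError:
        return True  # no sysctl entry: IPv6 cannot be configured on dev


def plan_bridge_addresses(bridge, cidrs, proc_root="/proc"):
    """Split the NIC's addresses into (to_add, skipped) for the bridge.

    IPv6 entries are skipped when the bridge has IPv6 disabled, since adding
    them is what fails with 'RTNETLINK answers: Permission denied'.
    Link-local addresses are skipped as well (this example's choice): they
    belong to the device they were generated on.
    """
    v6_off = ipv6_disabled(bridge, proc_root)
    to_add, skipped = [], []
    for cidr in cidrs:
        iface = ipaddress.ip_interface(cidr)
        if iface.version == 6 and (v6_off or iface.ip.is_link_local):
            skipped.append(cidr)
        else:
            to_add.append(cidr)
    return to_add, skipped


def make_fake_proc(states):
    """Build a constructed /proc-like tree from {device: '0' or '1'}."""
    root = tempfile.mkdtemp()
    for dev, value in states.items():
        path = os.path.join(root, SYSCTL_FMT.format(dev=dev))
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as fh:
            fh.write(value + "\n")
    return root
```

With the default `proc_root` the same functions read the live sysctl values, so the skipped list can be logged instead of letting the address add fail.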