Prevent DHCP'ing when no introspection is going on and discovery is disabled

Bug #1557979 reported by Dmitry Tantsur on 2016-03-16
Affects: Ironic Inspector
Status: Fix Released
Importance: High
Assigned to: Dmitry Tantsur

Bug Description

Reported downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1317695

Our DHCP server is always enabled. Actually it's not needed if no nodes are on introspection and no node_not_found_hook is set. By disabling it in the firewall we'll avoid problems like the one in the bug above, where deployed nodes get DHCP via our server.

The next step would be to cache all MACs from the previous introspection runs, and use them for the blacklist in addition to the Ironic port list.

Fix proposed to branch: master
Review: https://review.openstack.org/293362

Changed in ironic-inspector:
status: Triaged → In Progress
Dmitry Tantsur (divius) on 2016-03-16
description: updated

Reviewed: https://review.openstack.org/293362
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=405c7de1f8671eb5da7eb5dbf996f519b70b32d9
Submitter: Jenkins
Branch: master

commit 405c7de1f8671eb5da7eb5dbf996f519b70b32d9
Author: Dmitry Tantsur <email address hidden>
Date: Wed Mar 16 11:32:22 2016 +0100

    Disable DHCP completely when no nodes are on introspection

    Currently we keep DHCP always open for new nodes. This is an overkill, as we
    always know which nodes are on introspection. It also causes problems when not
    all node NIC's are registered in Ironic, as these NIC's might get DHCP from our
    server.

    This change reduces probability of wrong nodes accessing our DHCP by REJECT'ing
    all DHCP requests when no nodes are on introspection and node_not_found_hook is
    not set. It does not solve the problem completely: conflicts are still possible
    during the introspection.

    Change-Id: I7a50c02023ef4364e14825cd80fa75565fac3dc8
    Partial-Bug: #1557979

Reviewed: https://review.openstack.org/293475
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=39eb964134f2ff13288ac117305ae226267c2e47
Submitter: Jenkins
Branch: stable/liberty

commit 39eb964134f2ff13288ac117305ae226267c2e47
Author: Dmitry Tantsur <email address hidden>
Date: Wed Mar 16 11:32:22 2016 +0100

    Disable DHCP completely when no nodes are on introspection

    Currently we keep DHCP always open for new nodes. This is an overkill, as we
    always know which nodes are on introspection. It also causes problems when not
    all node NIC's are registered in Ironic, as these NIC's might get DHCP from our
    server.

    This change reduces probability of wrong nodes accessing our DHCP by REJECT'ing
    all DHCP requests when no nodes are on introspection and node_not_found_hook is
    not set. It does not solve the problem completely: conflicts are still possible
    during the introspection.

    Change-Id: I7a50c02023ef4364e14825cd80fa75565fac3dc8
    Partial-Bug: #1557979
    (cherry picked from commit 405c7de1f8671eb5da7eb5dbf996f519b70b32d9)

tags: added: in-stable-liberty
Sam Betts (sambetts) on 2016-05-11
Changed in ironic-inspector:
status: In Progress → Fix Committed
Dmitry Tantsur (divius) on 2016-05-11
Changed in ironic-inspector:
status: Fix Committed → Fix Released
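
The rule described in the commit messages above, as an added illustration that is not ironic-inspector's own code: it builds the DHCP filter chain for the idle and active cases and evaluates it first-match, showing that an unregistered NIC is rejected while idle but still accepted while any node is on introspection. The chain name, function names, hook value and MAC addresses are hypothetical, and it assumes that registered ports not currently on introspection are the ones blacklisted.

```python
# Added illustration with hypothetical names; not ironic-inspector's own code.
CHAIN = "example-inspector-dhcp"  # hypothetical iptables chain name


def build_chain_rules(active_macs, ironic_port_macs, node_not_found_hook=None):
    """Return ordered iptables argument lists for the DHCP filter chain."""
    active = {m.lower() for m in active_macs}
    if not active and not node_not_found_hook:
        # Idle and discovery disabled: nobody should get DHCP from this server.
        return [["-A", CHAIN, "-j", "REJECT"]]
    # Assumption: registered ports not currently on introspection are blacklisted.
    blacklist = sorted({m.lower() for m in ironic_port_macs} - active)
    rules = [["-A", CHAIN, "-m", "mac", "--mac-source", mac, "-j", "DROP"]
             for mac in blacklist]
    rules.append(["-A", CHAIN, "-j", "ACCEPT"])
    return rules


def verdict_for(mac, rules):
    """First-match evaluation of the generated rules for one source MAC."""
    for rule in rules:
        if "--mac-source" in rule:
            if rule[rule.index("--mac-source") + 1] != mac.lower():
                continue
        return rule[-1]
    return "RETURN"  # no rule matched; packet falls back to the calling chain


# Constructed sample data.
REGISTERED = ["52:54:00:aa:00:01", "52:54:00:aa:00:02"]  # Ironic port MACs
UNREGISTERED_NIC = "52:54:00:bb:00:09"  # extra NIC of a deployed node

if __name__ == "__main__":
    idle = build_chain_rules([], REGISTERED)
    busy = build_chain_rules(["52:54:00:aa:00:01"], REGISTERED)
    for name, rules in (("idle", idle), ("busy", busy)):
        print(name)
        for r in rules:
            print("  iptables", " ".join(r))
        print("  unregistered NIC ->", verdict_for(UNREGISTERED_NIC, rules))
```

The "busy" case is the residual gap the commit message names: while the chain ends in ACCEPT, any MAC missing from the blacklist can still obtain a lease.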