Prevent DHCP'ing when no introspection is going on and discovery is disabled

Bug #1557979 reported by Dmitry Tantsur
Affects: Ironic Inspector
Status: Fix Released
Importance: High
Assigned to: Dmitry Tantsur

Bug Description

Reported downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1317695

Our DHCP server is always enabled. Actually it's not needed if no nodes are on introspection and no node_not_found_hook is set. By disabling it in the firewall we'll avoid problems like in the bug above, when deployed nodes get DHCP via our server.

The next step would be to cache all MACs from the previous introspection runs, and use them for the blacklist in addition to the Ironic port list.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic-inspector (master)

Fix proposed to branch: master
Review: https://review.openstack.org/293362

Changed in ironic-inspector:
status: Triaged → In Progress
Dmitry Tantsur (divius)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic-inspector (master)

Reviewed: https://review.openstack.org/293362
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=405c7de1f8671eb5da7eb5dbf996f519b70b32d9
Submitter: Jenkins
Branch: master

commit 405c7de1f8671eb5da7eb5dbf996f519b70b32d9
Author: Dmitry Tantsur <email address hidden>
Date: Wed Mar 16 11:32:22 2016 +0100

    Disable DHCP completely when no nodes are on introspection

    Currently we keep DHCP always open for new nodes. This is overkill, as we
    always know which nodes are on introspection. It also causes problems when not
    all node NICs are registered in Ironic, as these NICs might get DHCP from our
    server.

    This change reduces the probability of wrong nodes accessing our DHCP by
    REJECT'ing all DHCP requests when no nodes are on introspection and
    node_not_found_hook is not set. It does not solve the problem completely:
    conflicts are still possible during the introspection.

    Change-Id: I7a50c02023ef4364e14825cd80fa75565fac3dc8
    Partial-Bug: #1557979
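
Added example, not part of the bug report or of the ironic-inspector code base: a Python illustration of the firewall decision the commit message above describes, producing iptables arguments that REJECT all DHCP when nothing is on introspection and node_not_found_hook is unset, and otherwise DROP known Ironic port MACs that are not being introspected. The chain name, interface name, function names and sample MAC addresses are assumptions made for this example.

```python
import re

CHAIN = "inspector-dhcp-example"  # hypothetical chain name
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Sends DHCP requests (UDP port 67) arriving on the assumed provisioning
# interface "br-example" through the chain built below.
JUMP_RULE = ["-I", "INPUT", "-i", "br-example", "-p", "udp",
             "--dport", "67", "-j", CHAIN]


def normalize_mac(mac):
    """Lower-case a MAC and refuse anything that is not one, so no
    unvalidated string ends up in an iptables argument."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac


def dhcp_needed(macs_on_introspection, node_not_found_hook):
    """DHCP is needed only while a node is on introspection, or when a
    node_not_found_hook is set so that unknown nodes can be discovered."""
    return bool(macs_on_introspection) or bool(node_not_found_hook)


def chain_rules(macs_on_introspection, node_not_found_hook, ironic_port_macs):
    """Return the iptables argument lists that make up the DHCP chain."""
    active = {normalize_mac(m) for m in macs_on_introspection}
    known = {normalize_mac(m) for m in ironic_port_macs}
    if not dhcp_needed(active, node_not_found_hook):
        # Closed state: nobody should be answered by this DHCP server.
        return [["-A", CHAIN, "-j", "REJECT"]]
    # Open state: blacklist Ironic ports that are not being introspected.
    rules = [["-A", CHAIN, "-m", "mac", "--mac-source", mac, "-j", "DROP"]
             for mac in sorted(known - active)]
    rules.append(["-A", CHAIN, "-j", "ACCEPT"])
    return rules


if __name__ == "__main__":
    ports = ["52:54:00:AA:00:01", "52:54:00:aa:00:02"]  # constructed sample
    for active, hook in ([], None), (ports[:1], None), ([], "enroll"):
        print("on introspection:", active, "hook:", hook)
        for rule in chain_rules(active, hook, ports):
            print("  iptables " + " ".join(rule))
```

In the open state a NIC that is not registered as an Ironic port still reaches the final ACCEPT rule, which is the remaining conflict during introspection that the commit message mentions.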

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic-inspector (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/293475

OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic-inspector (stable/liberty)

Reviewed: https://review.openstack.org/293475
Committed: https://git.openstack.org/cgit/openstack/ironic-inspector/commit/?id=39eb964134f2ff13288ac117305ae226267c2e47
Submitter: Jenkins
Branch: stable/liberty

commit 39eb964134f2ff13288ac117305ae226267c2e47
Author: Dmitry Tantsur <email address hidden>
Date: Wed Mar 16 11:32:22 2016 +0100

    Disable DHCP completely when no nodes are on introspection

    Currently we keep DHCP always open for new nodes. This is overkill, as we
    always know which nodes are on introspection. It also causes problems when not
    all node NICs are registered in Ironic, as these NICs might get DHCP from our
    server.

    This change reduces the probability of wrong nodes accessing our DHCP by
    REJECT'ing all DHCP requests when no nodes are on introspection and
    node_not_found_hook is not set. It does not solve the problem completely:
    conflicts are still possible during the introspection.

    Change-Id: I7a50c02023ef4364e14825cd80fa75565fac3dc8
    Partial-Bug: #1557979
    (cherry picked from commit 405c7de1f8671eb5da7eb5dbf996f519b70b32d9)

tags: added: in-stable-liberty
Sam Betts (sambetts)
Changed in ironic-inspector:
status: In Progress → Fix Committed
Dmitry Tantsur (divius)
Changed in ironic-inspector:
status: Fix Committed → Fix Released