Juniper Openstack

Bug #1584625
Comment #27

Comment 27 for bug 1584625

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-01-23: A change has been merged

#27

Reviewed: https://review.opencontrail.org/27619
Committed: http://github.org/Juniper/contrail-controller/commit/cc881a4c9d57c00816ee0ca82f6536f38b63cd7f
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit cc881a4c9d57c00816ee0ca82f6536f38b63cd7f
Author: Bill Brinzer <email address hidden>
Date: Wed Jan 18 16:47:34 2017 -0500

Update Netronome Python code for compatibility with unpatched Nova

1. Allow plugging unconfigured vRouter ports under certain conditions
(Required for interoperability with unpatched Nova.)

2. Support --oper=(add|delete) command-line syntax in vrouter-port-control.

The new version of vrouter-port-control has a separate command-line parser
per subcommand, for clarity of --help output. Add a compatibility shim for
the previous version's --oper=VERB syntax.

3. Split single-arg command line for compatibility with unpatched nova-compute

The original (unaccelerated) nova-compute and vrouter_api.py pass all the
vrouter-port-control command line arguments lumped together as a single
string. vrouter-port-control, in turn, would attempt to split these on a
regex that matches only whitespace followed by an option.

This approach is vulnerable to injection attacks; see Launchpad #1584625.
Later code introduced a workaround involving double quotes, but this is
still vulnerable to a (different) injection attack. The correct fix is to
pass the command-line arguments as a list rather than lumped together into
a single string.

For the sake of compatibility with unaccelerated nova-compute, if the
command-line arguments are passed as a single string, we attempt to split
on them on one of the two original regexes here, stripping quotes if
applicable.

4. Exit with an error status in case of a command-line argument syntax error
(e.g., IP address with extraneous text). (Workaround for oslo_config bug.)

5. Fail VirtIO port plugging gracefully if the virtiorelayd component
(required for accelerating ports in VirtIO mode) is not installed.

The previous code would fail with a stack trace and the enigmatic message:

AttributeError: 'NoneType' object has no attribute 'PortControlRequest'

This has been replaced with a much clearer log message which indicates the
source of the problem:

CRITICAL: vrouter-port-control:
ImportError: No module named virtiorelayd.virtiorelayd_pb2

6. Only import python-zmq when needed for virtiorelayd

This reduces the set of extra packages needed for the new
vrouter-port-control script to run in unaccelerated mode to:

- python-werkzeug
- python-tornado

Change-Id: I693437cea3d7544b069641a5de066512796d5541
Partial-Bug: #1644348
Related-Bug: #1584625

Reviewed:  https://review.opencontrail.org/27619
Committed: http://github.org/Juniper/contrail-controller/commit/cc881a4c9d57c00816ee0ca82f6536f38b63cd7f
Submitter: Zuul (zuul@lists.opencontrail.org)
Branch:    R3.1

commit cc881a4c9d57c00816ee0ca82f6536f38b63cd7f
Author: Bill Brinzer <william.brinzer@netronome.com>
Date:   Wed Jan 18 16:47:34 2017 -0500

Update Netronome Python code for compatibility with unpatched Nova

1.  Allow plugging unconfigured vRouter ports under certain conditions
(Required for interoperability with unpatched Nova.)

2.  Support --oper=(add|delete) command-line syntax in vrouter-port-control.

The new version of vrouter-port-control has a separate command-line parser
per subcommand, for clarity of --help output. Add a compatibility shim for
the previous version's --oper=VERB syntax.

3.  Split single-arg command line for compatibility with unpatched nova-compute

4.  Exit with an error status in case of a command-line argument syntax error
(e.g., IP address with extraneous text). (Workaround for oslo_config bug.)

5.  Fail VirtIO port plugging gracefully if the virtiorelayd component
(required for accelerating ports in VirtIO mode) is not installed.