Neutron + security group + OVS is broken
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Committed | High | Nachi Ueno |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned |
neutron | Confirmed | Critical | Unassigned |
Bug Description
Background of this issue:
ML2 + OVSDriver + IptablesBasedFi
In this case, we need special handling in the VIF. Because Open vSwitch doesn't support iptables, we are
using a linuxbridge + openvswitch bridge. We call this the hybrid driver.
In another discussion, we generalized the Nova-side VIF plugging into the Libvirt GenericVIFDriver.
The idea is to let neutron tell the VIF plugging configuration details to the GenericDriver, and the GenericDriver
takes care of it.
Unfortunately, the HybridDriver was removed before the GenericDriver was ready for security groups.
This makes ML2 + OVSDriver + IptablesBasedFi
We were working on the real fix, but we can't make it before the Icehouse release due to design discussions [1].
# Even if the neutron-side patch isn't merged yet.
So we are proposing a workaround fix on the Nova side.
In this fix, we are adding a special version of the GenericVIFDriver which can work with this combination.
There are two points to this new driver.
(1) It prevents setting conf.filtername. Because we should use the NoopFirewallDriver, conf.filtername needs to be None
when we use it.
(2) It uses plug_ovs_hybrid and unplug_ovs_hybrid by enforcing get_require_
Here are the patches with UT.
Workaround fix:
Nova
https:/
Devstack patch for ML2 (Tested with 82904)
https:/
We have tested patch 82904 with the following test, and it works.
- Launch VM
- Assign floating ip
- make sure ping to the floating ip is failing from GW
- modify security group rule to allow ping from anywhere
- make sure ping is working
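The ping sequence above is the observable check for the security impact of this bug: when nova plugs the tap device straight into the OVS bridge there is no linuxbridge for neutron's iptables-based firewall driver to attach rules to, so the security group exists in the database but nothing enforces it. The following model is an added example, not code from nova, neutron or patch 82904; the class and function names (`Vif`, `SecurityGroup`, `ingress_allowed`, `run_ping_test`, `workaround_vif`) and the `"ovs"` / `"ovs_hybrid"` labels are constructed for illustration.

```python
"""Constructed model of VIF plugging vs. security-group enforcement.

Not nova's or neutron's code: it only mirrors the bug report's reasoning
(OVS ports bypass iptables; the hybrid linuxbridge is the iptables hook)
and the two points of the workaround driver.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Real nova class name; the workaround expects this to be configured.
NOOP_FIREWALL = "nova.virt.firewall.NoopFirewallDriver"


@dataclass
class SecurityGroup:
    # Neutron security groups are default-deny on ingress; each rule opens
    # one protocol from one remote prefix.  Rules are constructed samples.
    ingress_rules: List[dict] = field(default_factory=list)

    def allows(self, protocol: str) -> bool:
        return any(r["protocol"] == protocol and r["remote"] == "0.0.0.0/0"
                   for r in self.ingress_rules)


@dataclass
class Vif:
    # "ovs": tap plugged directly into the OVS integration bridge (the bug).
    # "ovs_hybrid": tap -> linuxbridge -> veth -> OVS (the hybrid driver).
    plug: str
    nova_filtername: Optional[str] = None  # libvirt nwfilter nova would set

    def iptables_hook(self) -> bool:
        # Only the hybrid linuxbridge gives neutron's iptables firewall
        # driver a place to attach per-port rules.
        return self.plug == "ovs_hybrid"


def ingress_allowed(vif: Vif, sg: SecurityGroup, protocol: str) -> bool:
    """Does traffic of `protocol` reach the VM under this VIF/SG combination?"""
    if not vif.iptables_hook():
        # The rules are stored in neutron but never programmed anywhere:
        # every packet passes, which is the security impact of the bug.
        return True
    return sg.allows(protocol)


def run_ping_test(vif: Vif) -> Tuple[bool, bool]:
    """The bug report's check: (ping blocked before rule, ping allowed after)."""
    sg = SecurityGroup()                                   # no ICMP rule yet
    blocked_before = not ingress_allowed(vif, sg, "icmp")
    sg.ingress_rules.append({"protocol": "icmp", "remote": "0.0.0.0/0"})
    allowed_after = ingress_allowed(vif, sg, "icmp")
    return blocked_before, allowed_after


def workaround_vif(nova_firewall_driver: str) -> Vif:
    """Points (1) and (2) of the workaround driver: with nova's Noop firewall
    configured, leave filtername unset and take the hybrid plug path."""
    if nova_firewall_driver != NOOP_FIREWALL:
        raise ValueError("workaround driver requires NoopFirewallDriver in nova")
    return Vif(plug="ovs_hybrid", nova_filtername=None)


if __name__ == "__main__":
    print("plain OVS plug  :", run_ping_test(Vif("ovs")))           # (False, True)
    print("hybrid OVS plug :", run_ping_test(workaround_vif(NOOP_FIREWALL)))  # (True, True)
```

Running it shows the broken case as `(False, True)`: ping already works before any rule is added, so the first step of the test procedure fails, while the hybrid plug returns `(True, True)`, matching the sequence the report expects.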
[1] Real fix (deferred to Juno):
Improve vif attributes related with firewalling
https:/
Support binding:
https:/
Changed in neutron:
importance: Undecided → Critical
status: New → Confirmed
description: updated
information type: Public → Public Security
description: updated
nova workaround for icehouse in progress: https://review.openstack.org/#/c/82904/1