2015-06-02 11:24:55 |
Darragh O'Reilly |
bug |
|
|
added bug |
2015-06-02 12:15:56 |
Jeremy Stanley |
description |
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py" |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py" |
|
2015-06-02 12:16:32 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2015-06-02 12:17:14 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2015-06-02 12:17:44 |
Jeremy Stanley |
bug |
|
|
added subscriber Neutron Core Security reviewers |
2015-06-02 13:12:40 |
Darragh O'Reilly |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py" |
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py"
Workaround:
neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/1 ip_address=128.0.0.0/1 |
|
2015-06-02 14:20:44 |
Jeremy Stanley |
description |
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py"
Workaround:
neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/1 ip_address=128.0.0.0/1 |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py"
Workaround:
neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/1 ip_address=128.0.0.0/1 |
|
2015-06-02 15:50:11 |
Salvatore Orlando |
neutron: importance |
Undecided |
Critical |
|
2015-06-02 15:50:14 |
Salvatore Orlando |
neutron: status |
New |
Confirmed |
|
2015-06-02 15:55:15 |
Kyle Mestery |
bug |
|
|
added subscriber Kyle Mestery |
2015-06-02 16:07:55 |
Kyle Mestery |
neutron: assignee |
|
Kyle Mestery (mestery) |
|
2015-06-02 20:22:59 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
2015-06-02 20:23:07 |
Tristan Cacqueray |
ossa: importance |
Undecided |
Critical |
|
2015-06-03 13:28:33 |
Kyle Mestery |
neutron: assignee |
Kyle Mestery (mestery) |
Aaron Rosen (arosen) |
|
2015-06-03 23:33:16 |
Aaron Rosen |
attachment added |
|
fix_ipset_validation_bug.patch https://bugs.launchpad.net/neutron/+bug/1461054/+attachment/4409471/+files/fix_ipset_validation_bug.patch |
|
2015-06-04 21:33:59 |
Kyle Mestery |
bug |
|
|
added subscriber Kevin Benton |
2015-06-04 22:47:38 |
Kevin Benton |
attachment added |
|
arp00000patch https://bugs.launchpad.net/neutron/+bug/1461054/+attachment/4410106/+files/arp00000patch |
|
2015-06-05 12:53:22 |
Tristan Cacqueray |
ossa: status |
Confirmed |
Triaged |
|
2015-06-06 01:08:00 |
Aaron Rosen |
attachment added |
|
fix_ipset_validation_bug_kilo.patch https://bugs.launchpad.net/neutron/+bug/1461054/+attachment/4410605/+files/fix_ipset_validation_bug_kilo.patch |
|
2015-06-09 03:38:54 |
Kyle Mestery |
nominated for series |
|
neutron/juno |
|
2015-06-09 03:38:54 |
Kyle Mestery |
bug task added |
|
neutron/juno |
|
2015-06-09 03:38:54 |
Kyle Mestery |
nominated for series |
|
neutron/kilo |
|
2015-06-09 03:38:54 |
Kyle Mestery |
bug task added |
|
neutron/kilo |
|
2015-06-09 03:39:01 |
Kyle Mestery |
neutron/juno: importance |
Undecided |
Critical |
|
2015-06-09 03:39:08 |
Kyle Mestery |
neutron/juno: status |
New |
Confirmed |
|
2015-06-09 03:39:10 |
Kyle Mestery |
neutron/kilo: status |
New |
Confirmed |
|
2015-06-09 03:39:20 |
Kyle Mestery |
neutron/juno: assignee |
|
Aaron Rosen (arosen) |
|
2015-06-09 03:39:27 |
Kyle Mestery |
neutron/kilo: assignee |
|
Aaron Rosen (arosen) |
|
2015-06-09 03:39:48 |
Kyle Mestery |
neutron/kilo: importance |
Undecided |
Critical |
|
2015-06-09 18:41:34 |
Tristan Cacqueray |
ossa: status |
Triaged |
In Progress |
|
2015-06-09 18:41:37 |
Tristan Cacqueray |
ossa: assignee |
|
Tristan Cacqueray (tristan-cacqueray) |
|
2015-06-09 19:39:47 |
Darragh O'Reilly |
attachment added |
|
juno-reject-prefix-zero.diff https://bugs.launchpad.net/neutron/+bug/1461054/+attachment/4412213/+files/juno-reject-prefix-zero.diff |
|
2015-06-10 15:14:58 |
Tristan Cacqueray |
summary |
Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent |
Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221) |
|
2015-06-10 15:15:04 |
Tristan Cacqueray |
cve linked |
|
2015-3221 |
|
2015-06-11 21:18:12 |
Aaron Rosen |
attachment added |
|
zero_length_addressses_juno.patch https://bugs.launchpad.net/neutron/+bug/1461054/+attachment/4413508/+files/zero_length_addressses_juno.patch |
|
2015-06-11 22:22:58 |
Aaron Rosen |
attachment added |
|
fix_for_juno.patch https://bugs.launchpad.net/neutron/+bug/1461054/+attachment/4413521/+files/fix_for_juno.patch |
|
2015-06-15 18:33:23 |
Aaron Rosen |
attachment added |
|
fix_for_juno_2.patch https://bugs.launchpad.net/neutron/+bug/1461054/+attachment/4415238/+files/fix_for_juno_2.patch |
|
2015-06-18 12:50:01 |
Tristan Cacqueray |
ossa: status |
In Progress |
Fix Committed |
|
2015-06-23 15:00:17 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
2015-06-23 15:01:36 |
OpenStack Infra |
neutron: status |
Confirmed |
In Progress |
|
2015-06-23 15:01:36 |
OpenStack Infra |
neutron: assignee |
Aaron Rosen (arosen) |
Tristan Cacqueray (tristan-cacqueray) |
|
2015-06-23 15:01:56 |
OpenStack Infra |
neutron/juno: status |
Confirmed |
In Progress |
|
2015-06-23 15:01:56 |
OpenStack Infra |
neutron/juno: assignee |
Aaron Rosen (arosen) |
Tristan Cacqueray (tristan-cacqueray) |
|
2015-06-23 15:02:16 |
OpenStack Infra |
neutron/kilo: status |
Confirmed |
In Progress |
|
2015-06-23 15:02:16 |
OpenStack Infra |
neutron/kilo: assignee |
Aaron Rosen (arosen) |
Tristan Cacqueray (tristan-cacqueray) |
|
2015-06-23 15:04:06 |
Tristan Cacqueray |
summary |
Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221) |
[OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221) |
|
2015-06-23 17:12:01 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto Murata |
2015-06-23 21:06:53 |
OpenStack Infra |
neutron/juno: status |
In Progress |
Fix Committed |
|
2015-06-24 17:30:38 |
OpenStack Infra |
neutron: assignee |
Tristan Cacqueray (tristan-cacqueray) |
Aaron Rosen (arosen) |
|
2015-06-25 00:13:36 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Committed |
|
2015-06-26 17:29:53 |
OpenStack Infra |
tags |
|
in-feature-qos |
|
2015-06-26 17:29:54 |
OpenStack Infra |
bug watch added |
|
http://bugs.python.org/issue21239 |
|
2015-06-29 17:10:16 |
Vladimir Kuklin |
tags |
in-feature-qos |
6.1-mu-1 in-feature-qos |
|
2015-06-30 02:30:02 |
OpenStack Infra |
tags |
6.1-mu-1 in-feature-qos |
6.1-mu-1 in-feature-pecan in-feature-qos |
|
2015-07-02 20:12:44 |
OpenStack Infra |
neutron/kilo: status |
In Progress |
Fix Committed |
|
2015-07-02 20:15:27 |
Tristan Cacqueray |
ossa: status |
Fix Committed |
Fix Released |
|
2015-07-09 16:55:12 |
OpenStack Infra |
tags |
6.1-mu-1 in-feature-pecan in-feature-qos |
6.1-mu-1 in-feature-pecan in-feature-qos in-stable-kilo |
|
2015-07-10 19:04:15 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py"
Workaround:
neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/1 ip_address=128.0.0.0/1 |
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the l2 agent and so affects other ports/vms/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py"
Workaround:
neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/1 ip_address=128.0.0.0/1 |
|
2015-07-29 18:57:09 |
Doug Hellmann |
neutron: status |
Fix Committed |
Fix Released |
|
2015-07-29 18:57:09 |
Doug Hellmann |
neutron: milestone |
|
liberty-2 |
|
2015-10-15 12:24:38 |
Thierry Carrez |
neutron: milestone |
liberty-2 |
7.0.0 |
|
2015-11-14 15:08:42 |
Alan Pevec |
neutron/juno: milestone |
|
2014.2.4 |
|
2015-11-19 21:43:33 |
Alan Pevec |
neutron/juno: status |
Fix Committed |
Fix Released |
|