This does not work - the ipset man page says that zero prefix size is not allowed for type hash:net.
But it also breaks the L2 agent and so affects other ports/VMs/tenants ... - so opening as security vulnerability.
2015-06-02 11:02:31.897 ERROR neutron.agent.linux.utils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None]
Command: ['ipset', 'add', '-exist', u'NETIPv48a445928-2f41-43de-a', u'0.0.0.0/0']
Exit code: 1
Stdin:
Stdout:
Stderr: ipset v6.20.1: The value of the CIDR parameter of the IP address is invalid
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Releasing file lock "/opt/stack/data/neutron/lock/neutron-ipset" after holding it for 0.006s release /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:227
2015-06-02 11:02:31.898 DEBUG oslo_concurrency.lockutils [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Lock "ipset" released by "set_members" :: held 0.006s inner /usr/local/lib/python2.7/dist-packages/oslo_concurrency/lockutils.py:456
2015-06-02 11:02:31.898 ERROR neutron.plugins.openvswitch.agent.ovs_neutron_agent [req-6dfc4e3b-7162-4528-b821-295de80aa7ed None None] Error while processing VIF ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent Traceback (most recent call last):
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1640, in rpc_loop
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent ovs_restarted)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py", line 1434, in process_network_ports
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent port_info.get('updated', set()))
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 302, in setup_port_filters
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.prepare_devices_filter(new_devices)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 159, in decorated_function
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent *args, **kwargs)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/securitygroups_rpc.py", line 185, in prepare_devices_filter
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent security_groups, security_group_member_ips)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.gen.next()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/firewall.py", line 106, in defer_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.filter_defer_apply_off()
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 671, in filter_defer_apply_off
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.unfiltered_ports)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 155, in _setup_chains_apply
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._setup_chain(port, INGRESS_DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 182, in _setup_chain
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_rules_by_security_group(port, DIRECTION)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 423, in _add_rules_by_security_group
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._update_ipset_members(remote_sg_ids)
2015-06-02 11:02:31.898 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/iptables_firewall.py", line 460, in _update_ipset_m^C
vagrant@node1:~$
vagrant@node1:~$ tail /opt/stack/logs/q-agt.log
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent return f(*args, **kwargs)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 72, in set_members
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_members_to_set(set_name, add_ips)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 132, in _add_members_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._add_member_to_set(set_name, ip)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 84, in _add_member_to_set
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self._apply(cmd)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/ipset_manager.py", line 117, in _apply
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent self.execute(cmd_ns, run_as_root=True, process_input=input)
2015-06-02 11:19:50.208 3679 TRACE neutron.plugins.openvswitch.agent.ovs_neutron_agent File "/opt/stack/neutron/neutron/agent/linux/utils.py"
vagrant@node1:~$ neutron port-update $PORT_ID --allowed_address_pairs list=true type=dict ip_address=0.0.0.0/0
Updated port: 28dc7eb1-6f95-429f-8e30-adaefffcec70
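As an added example (my code, not Neutron's), here is one defensive way to keep a /0 allowed address pair from reaching the `ipset add` call that fails in the log above: expand the zero-prefix network into its two /1 halves, which hash:net accepts, and skip unparsable members instead of letting one bad value abort the whole update for every port on the node. The set name is taken from the log; the function names are assumptions.

```python
# Added example, not Neutron's ipset_manager code.
# hash:net sets reject prefix length 0 with
# "The value of the CIDR parameter of the IP address is invalid",
# and an unhandled failure there takes the whole L2 agent loop down.
import ipaddress


def sanitize_for_ipset(members):
    """Return (accepted, rejected) for a list of ipset member strings.

    0.0.0.0/0 becomes 0.0.0.0/1 + 128.0.0.0/1 and ::/0 becomes ::/1 + 8000::/1,
    which together cover the same address space and are valid hash:net entries.
    Other members pass through unchanged; strings that do not parse as an
    address or network are returned in `rejected` rather than raising.
    """
    accepted, rejected = [], []
    for member in members:
        try:
            net = ipaddress.ip_network(member, strict=False)
        except ValueError:
            rejected.append(member)
            continue
        if net.prefixlen == 0:
            # subnets(prefixlen_diff=1) yields exactly the two /1 halves
            accepted.extend(str(half) for half in net.subnets(prefixlen_diff=1))
        else:
            accepted.append(member)
    return accepted, rejected


def build_ipset_add_commands(set_name, members):
    """Build the argv lists an agent would run, one per sanitized member."""
    accepted, _rejected = sanitize_for_ipset(members)
    return [['ipset', 'add', '-exist', set_name, ip] for ip in accepted]


if __name__ == '__main__':
    # Constructed sample: the set name from the log plus the offending member
    for cmd in build_ipset_add_commands('NETIPv48a445928-2f41-43de-a',
                                        ['10.0.0.5', '0.0.0.0/0', 'bogus']):
        print(' '.join(cmd))
```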