Comment 65 for bug 1734320

sean mooney (sean-k-mooney) wrote :

Note: a CVE has been issued for this bug on 2018-07-27: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14636

As a quick status update on this bug:

First, I want to mention that a second variant of this issue has also been highlighted to me.
I will be filing a separate private bug for that variant, as it will require changes outside of os-vif
to address and will be more involved. The second variant is also not covered by the existing CVE description, so I want to track it separately.

Regarding the state of this bug, I have proposed
https://review.openstack.org/602432 to os-vif master and a stable/rocky backport, https://review.openstack.org/609850. I am in the process of rebasing that backport
and expect both to be viable to merge later today.

There are some limitations to this fix, however.
- First, for it to work correctly this will require the multiple port binding support added to nova in Rocky. As such, on stable/queens and older branches the backport is only a partial mitigation, as nova will not wait for neutron to signal that it has finished wiring up the port before resuming the guest on the destination node.

- Second, if the neutron OVS ML2 agent crashes after the ML2 driver binds the port on the destination node but before the ML2 agent wires up the port added to OVS by os-vif, then we cannot detect this from nova/os-vif and the mitigation will not be effective. As the neutron control plane would be in an undefined state if its agents crashed/exited on the compute node, I feel it is fair to declare this limitation out of scope of this current bug.

It may be possible to address one or both of these limitations as part of the second variant's mitigation; however, it will require more extensive modification to nova, neutron and os-vif, which is unlikely to be easily backportable as it may require a minor backwards-compatible API extension.