Update of neutron-server breaks compatibility with previous neutron-agent version
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
neutron | Fix Released | Critical | Slawek Kaplonski |
Bug Description
During the update of Neutron from 15.1 to 15.3 (Train), server and agent are no longer compatible (RPC format).
I was able to narrow down the issue to commit https:/
With this commit, fixing the security issue in bug https:/
This change breaks compatibility as the loop in method "_sanitize_
--- 15.1 ---
for ip in addresses:
    ip = netaddr.
    if ip.prefixlen == 0:
--- /15.1 ---
--- 15.3 ---
for ip, _mac in addresses:
    ip = netaddr.
    if ip.prefixlen == 0:
--- /15.3 ---
As the neutron server in version 15.1 delivers just a list of addresses, i.e. "['192.168.100.57', '192.168.
According to https:/
"
Those requirements are achieved in Neutron by:
- If the Neutron backend makes use of Neutron agents, the Neutron server has backwards compatibility code to deal with older messaging payloads.
- Isolating a single service that accesses the database (neutron-server).
To simplify the matter, it's always assumed that the order of service upgrades is as follows:
- first, all neutron-servers are upgraded.
- then, if applicable, neutron agents are upgraded.
This approach allows us to avoid backwards compatibility code on the agent side and is in line with other OpenStack projects that support rolling upgrades (specifically, nova).
"
an upgraded neutron-server should still work with the previous neutron-agent.
I took the liberty to flag this as "security vulnerability" as security groups will likely not be applied / managed properly when running a mix of 15.1 and 15.3, which might be a common case in larger clusters.
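The two loops quoted above differ only in what they expect each element of the member-address payload to be: a bare IP string (15.1 server) or an (ip, mac) pair (15.3 server). The following is an added example, not neutron's own code, of a single agent-side loop that accepts both shapes, so the agent keeps applying security-group member rules whichever side of the RPC connection was upgraded first. It assumes the stdlib `ipaddress` module in place of `netaddr`; the function names, the `strict_pair_loop` stand-in for the 15.3 loop, and the sample payloads are hypothetical and constructed for the example.

```python
# Added example, not neutron's own code: one agent-side loop that accepts
# both security-group member payload shapes named in the report, the
# pre-15.3 list of IP strings and the 15.3 list of (ip, mac) pairs.
# Assumptions: the stdlib ``ipaddress`` module stands in for ``netaddr``,
# and the function names and sample payloads are hypothetical.
import ipaddress


def _as_network(ip):
    """Parse an address or CIDR; a bare address becomes a host route (/32, /128)."""
    return ipaddress.ip_network(ip, strict=False)


def strict_pair_loop(addresses):
    """Stand-in for the 15.3-style loop: every element must unpack as (ip, mac).

    Fed a list of bare IP strings it raises ValueError, because Python tries
    to unpack the characters of each string into two names. (A 2-character
    string such as "::" would unpack silently and only fail in the parser.)
    """
    members = []
    for ip, _mac in addresses:
        net = _as_network(ip)
        if net.prefixlen == 0:
            continue
        members.append(str(net))
    return members


def compat_loop(addresses):
    """Normalise each element to (cidr, mac) whatever the server sent.

    Old servers send plain strings; new servers send (ip, mac) pairs, which
    arrive as 2-element lists once the RPC payload has been deserialised.
    Entries with prefix length 0 (0.0.0.0/0, ::/0) are dropped, as in the
    loop quoted in the report.
    """
    members = []
    for entry in addresses:
        if isinstance(entry, (list, tuple)):
            if len(entry) != 2:
                raise ValueError("expected an (ip, mac) pair, got %r" % (entry,))
            ip, mac = entry
        elif isinstance(entry, str):
            ip, mac = entry, None
        else:
            raise TypeError("unexpected member entry %r" % (entry,))
        net = _as_network(ip)
        if net.prefixlen == 0:
            continue
        members.append((str(net), mac))
    return members


def strict_loop_fails(addresses):
    """True if the 15.3-style loop cannot consume this payload."""
    try:
        strict_pair_loop(addresses)
    except (ValueError, TypeError):
        return True
    return False


# Constructed sample payloads (not captured from a real RPC exchange).
OLD_SERVER_PAYLOAD = ["192.168.100.57", "192.168.100.58", "0.0.0.0/0"]
NEW_SERVER_PAYLOAD = [
    ["192.168.100.57", "fa:16:3e:aa:bb:cc"],
    ["10.0.1.0/24", "fa:16:3e:dd:ee:ff"],
    ["::/0", "fa:16:3e:00:00:00"],
]

if __name__ == "__main__":
    print("old payload, strict loop fails:", strict_loop_fails(OLD_SERVER_PAYLOAD))
    print("old payload, compat loop:", compat_loop(OLD_SERVER_PAYLOAD))
    print("new payload, compat loop:", compat_loop(NEW_SERVER_PAYLOAD))
```

The check on the element type is the whole of the compatibility shim; the MAC is carried through as `None` for the old format so that callers which need it can tell "not supplied by this server" apart from a real value rather than silently applying weaker filtering.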
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
no longer affects: neutron (Ubuntu)
Changed in neutron:
status: Fix Committed → Fix Released
tags: added: neutron-proactive-backport-potential
tags: removed: neutron-proactive-backport-potential
To avoid any confusion, especially regarding the security implications: I suspect that this only becomes an issue when the neutron-agent is running version 15.3 while the server is still on 15.1:
--- cut ---
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent Traceback (most recent call last):
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/agent/_common_agent.py", line 465, in daemon_loop
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     sync = self.process_network_devices(device_info)
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/osprofiler/profiler.py", line 160, in wrapper
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     result = f(*args, **kwargs)
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/neutron/plugins/ml2/drivers/agent/_common_agent.py", line 207, in process_network_devices
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     device_info.get('updated'))
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/neutron/agent/securitygroups_rpc.py", line 258, in setup_port_filters
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     self.prepare_devices_filter(new_devices)
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/neutron/agent/securitygroups_rpc.py", line 123, in decorated_function
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     *args, **kwargs)
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/neutron/agent/securitygroups_rpc.py", line 135, in prepare_devices_filter
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     self._apply_port_filter(device_ids)
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/neutron/agent/securitygroups_rpc.py", line 159, in _apply_port_filter
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     security_groups, security_group_member_ips)
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/neutron/agent/securitygroups_rpc.py", line 176, in _update_security_group_info
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     remote_sg_id, member_ips)
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent   File "/usr/lib/python3/dist-packages/neutron/agent/linux/iptables_firewall.py", line 150, in update_security_group_members
2020-11-03 06:25:10.217 2749 ERROR neutron.plugins.ml2.drivers.agent._common_agent     self._update_ipset_members(sg_id, sg_members)
2020-1...