[OVN] default setting leaks nameserver config from the host to instances
Bug #1951074 reported by
Dr. Jens Harbott
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Opinion | Undecided | Unassigned |
Bug Description
Using the default settings, i.e. without [ovn]dns_servers being specified in ml2_conf.ini, OVN will send the nameserver addresses that are specified in /etc/resolv.conf on the host in DHCP responses. This may lead to unexpected leaks about the host infrastructure and thus should at least be well documented. In most cases it will also lead to broken DNS resolution for the instances, since when systemd-resolve is being used, the host's nameserver address will be 127.0.0.53, and an instance will not be able to resolve anything using that address.
Possibly a better approach would be to not send any nameserver information via DHCP in this scenario.
Hello Jens:
This is the expected behaviour for OVN, as documented here [1]. When building the DHCP options, the DNS servers option is populated first with the subnet "dns_nameservers". If empty, the "OVN.dns_servers" option will be used. If empty, the OVN mech driver will use the local DNS resolver (reading from "/etc/resolv.conf") [2].
Admin/user can always provide a valid DNS nameserver if needed.
Regards.
[1] https://github.com/openstack/neutron/blob/90b5456b8c11011c41f2fcd53a8943cb45fb6479/neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py#L158-L164
[2] https://github.com/openstack/neutron/blob/90b5456b8c11011c41f2fcd53a8943cb45fb6479/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py#L1916-L1918
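The precedence described in the comment above (subnet `dns_nameservers`, then `[ovn]dns_servers`, then the host's `/etc/resolv.conf`), modelled as an added example that is not neutron's own code. It reproduces the selection order, then audits what would be handed to instances: a loopback resolver such as 127.0.0.53 (the systemd-resolved stub) is flagged as unreachable from a guest, and any fallback to the host file is flagged as exposing host resolver addresses. The two `resolv.conf` bodies, the function names and the finding strings are constructed for this example.

```python
import ipaddress

# Constructed: a stub resolv.conf as written by systemd-resolved on the host.
SAMPLE_RESOLV_CONF_STUB = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by systemd-resolved
nameserver 127.0.0.53
options edns0 trust-ad
search example.internal
"""

# Constructed: a static resolv.conf pointing at internal resolvers.
SAMPLE_RESOLV_CONF_STATIC = """\
nameserver 10.0.0.2
nameserver 10.0.0.3
search example.internal
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses from a resolv.conf body, in file order.

    Comments (# or ;) are stripped; only 'nameserver <addr>' lines are used.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def select_dhcp_dns_servers(subnet_dns_nameservers, ovn_dns_servers, resolv_conf_text):
    """Model of the fallback order given in the comment (hypothetical helper).

    Returns (source, servers) so callers can see *where* the list came from.
    """
    if subnet_dns_nameservers:
        return ("subnet", list(subnet_dns_nameservers))
    if ovn_dns_servers:
        return ("ovn_config", list(ovn_dns_servers))
    # Last resort: whatever the hypervisor itself uses for resolution.
    return ("host_resolv_conf", parse_resolv_conf(resolv_conf_text))


def audit_dns_servers(source, servers):
    """Return findings about a DNS server list that would go out in DHCP."""
    findings = []
    if source == "host_resolv_conf":
        findings.append(
            "nameservers taken from host /etc/resolv.conf: "
            "host resolver addresses are exposed to instances")
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"{server}: not an IP address")
            continue
        if addr.is_loopback:
            # 127.0.0.53 on the host is unreachable from a guest: DNS breaks.
            findings.append(
                f"{server}: loopback resolver, unreachable from an instance")
        elif addr.is_link_local:
            findings.append(
                f"{server}: link-local resolver, unlikely to be reachable "
                "from an instance")
    return findings


def check_deployment(subnet_dns_nameservers, ovn_dns_servers, resolv_conf_text):
    """Select the servers as the driver would, then audit them."""
    source, servers = select_dhcp_dns_servers(
        subnet_dns_nameservers, ovn_dns_servers, resolv_conf_text)
    return source, servers, audit_dns_servers(source, servers)


if __name__ == "__main__":
    # Default settings on a systemd-resolved host: the case in the bug report.
    for label, subnet, ovn, resolv in (
        ("defaults, resolved stub", [], [], SAMPLE_RESOLV_CONF_STUB),
        ("defaults, static resolv.conf", [], [], SAMPLE_RESOLV_CONF_STATIC),
        ("[ovn]dns_servers set", [], ["192.0.2.53"], SAMPLE_RESOLV_CONF_STUB),
        ("subnet dns_nameservers set", ["198.51.100.53"], ["192.0.2.53"],
         SAMPLE_RESOLV_CONF_STUB),
    ):
        source, servers, findings = check_deployment(subnet, ovn, resolv)
        print(f"{label}: source={source} servers={servers}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it with the defaults and the stub file shows the exact combination the report describes: the selected source is the host file, the only server is 127.0.0.53, and the audit reports both the exposure and the broken resolution. Setting `[ovn]dns_servers` or the subnet's `dns_nameservers` makes the host file irrelevant and the audit comes back clean.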