OpenStack Compute (nova)

Different tenants can assign the same hostname to different machines without an error

Bug #1283538 reported by Joseph Lorenzini
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Won't Fix
High
Unassigned

Bug Description

nova version 2.15.0

My openstack deployment is relatively simple. It uses FlatDHCPManager and a single vlan. Multiple tenants exist and all are on the same vlan. Now consider the following situation:

1. tenant A and tenant B exist.
2. tenant A logs into horizon dashboard and launches an instance into vlan 192.168.50.X.
3. tenant A gives the instance a display name of "test". As a result, the DHCP server assigns the hostname "test" to the VM and an IP address of 192.168.50.2.
4. tenent B sometime later logs into the horizon dashboard.
5. tenant B has no visibility and consequently does not know that tenant A has a machine with a hostname of test in the 192.168.50 vlan.
6. tenant B launches an instance into vlan 192.168.50.X.
7. tenant B gives the instance a display name of "test". As a result, the DHCP server assigns the hostname "test" to the VM and an IP address of 192.168.50.3.

As a result, now when a nslookup is done on the hostname, two A records are returned instead of one. This situation would be far worse if each tenant launched multiple instances instead of just one. I don't know of a situation where anyone would want to automatically assign the same hostname to multiple IP addresses, especially when this behavior would be unknown to the tenants and would result in all kinds of bizarre networking behavior depending on the applications deployed in the vlan.

My expectation is that at a minimum if tenant B attempts to launch an instance with a hostname that already exists in the DHCP server's records, then that launch should fail and the tenant should be forced to change the display they tried to give the VM before a launch would be successful.

Tags: compute
Tracy Jones (tjones-i)
tags: added: compute
melanie witt (melwitt)
Changed in nova:
importance: Undecided → High
status: New → Confirmed
Simon Chang (changsimon)
Changed in nova:
assignee: nobody → Simon Chang (changsimon)
Simon Chang (changsimon)
Changed in nova:
assignee: Simon Chang (changsimon) → nobody
Samuel de Medeiros Queiroz (samueldmq)
Changed in nova:
assignee: nobody → Samuel de Medeiros Queiroz (samuel-z)
Revision history for this message
Samuel de Medeiros Queiroz (samueldmq) wrote :

Classes that inherit from NetworkManager, e.g. FlatDHCPManager, use the attribute instance_dns_manager to handle DNS service operations, such as creating new DNS entries.

This attribute is an instance of the class defined at CONF.instance_dns_manager, that is, by default, 'nova.network.noop_dns_driver.NoopDNSDriver'.

NoopDNSDriver, as suggested, does not do anything. However, other DNSDriver implementations like MiniDNS do. They verify if a DNS entry name is unique into the domain before adding the new DNS entry.

Changing this default configuration to 'nova.network.minidns.MiniDNS' at nova/network/floating_ips.py solved this issue:

    cfg.StrOpt('instance_dns_manager',
               default='nova.network.minidns.MiniDNS',
               help='Full class name for the DNS Manager for instance IPs'),

When trying to reproduce the bug after the modifications through Horizon, I got:

Error: Failed to launch instance "instance-name": Please try again later [Error: No valid host was found. ].

What do you think about this approach?

Revision history for this message
Joseph Lorenzini (joseph-lorenzini) wrote :

Overall, that looks good however could the exception be modified so that it tells the user the actual problem:

In other words, this:

[Error: No valid host was found. ].

Would be clearer if it was this instead:

[Error: An instance already exists with the hostname "instance name"].

Revision history for this message
Samuel de Medeiros Queiroz (samueldmq) wrote :

When using the MiniDNS driver, an exception of type exception.FloatingIpDNSExists is thrown.
This exception has the following message format: "The DNS entry %(name)s already exists in domain %(domain)s."

However, this message is changed at any point between Nova and Horizon; so I think this is out of the scope of this bug.
I think other bug should be created to make this message arrive correctly to the calling component, in this case, Horizon.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/94252

Changed in nova:
status: Confirmed → In Progress
Revision history for this message
Samuel de Medeiros Queiroz (samueldmq) wrote :

In order to treat the wrong error that is being thrown, the following bug was created.
https://bugs.launchpad.net/nova/+bug/1321774

Revision history for this message
Sean Dague (sdague) wrote :

moving out of inprogress

Changed in nova:
assignee: Samuel de Medeiros Queiroz (samuel-z) → nobody
Revision history for this message
Sean Dague (sdague) wrote :

Honestly, I don't think this is going to be fixed in the current scheme. Until we have a more solid dns management stack integrated this is going to be hard to really address.

Changed in nova:
status: In Progress → Confirmed
status: Confirmed → Won't Fix
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Samuel de Medeiros Queiroz (<email address hidden>) on branch: master
Review: https://review.openstack.org/94252

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.