OpenStack Compute (nova)

Neutron + security group + OVS is broken

Bug #1297469 reported by Nachi Ueno on 2014-03-25

This bug report is a duplicate of: Bug #1112912: get_firewall_required should use VIF parameter from neutron. Edit Remove

260

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack Compute (nova)	Fix Committed	High	Nachi Ueno	OpenStack Compute (nova) icehouse-rc1 "RC1"
OpenStack Security Advisory	Incomplete	Undecided	Unassigned
neutron	Confirmed	Critical	Unassigned

Bug Description

Background of this issue:
ML2 + OVSDriver + IptablesBasedFirewall combination is a default plugin setting in the Neutron.
In this case, we need a special handing in VIF. Because OpenVSwitch don't support iptables, we are
using linuxbride + openvswitch bridge. We are calling this as hybrid driver.

On the other discussion, we generalized the Nova side VIF plugging to the Libvirt GenericVIFDriver.
The idea is let neturon tell the VIF plugging configration details to the GenericDriver, and GerericDriver
takes care of it.

Unfortunatly, HybridDriver is removed before GenericDriver is ready for security group.
This makes ML2 + OVSDriver + IptablesBasedFirewall combination unfunctional.
We were working on realfix, but we can't make it until Icehouse release due to design discussions [1].
# Even if neturon side patch isn't merged yet.

So we are proposing a workaround fix to Nova side.
In this fix, we are adding special version of the GenericVIFDriver which can work with the combination.
There is two point on this new Driver.
(1) It prevent set conf.filtername. Because we should use NoopFirewallDriver, we need conf.filtername should be None
when we use it.
(2) use plug_ovs_hybrid and unplug_ovs_hybrid by enforcing get_require_firewall as True.

Here is patchs with UT.

Workaournd fix:
Nova
https://review.openstack.org/#/c/82904/

Devstack patch for ML2 (Tested with 82904)
https://review.openstack.org/#/c/82937/

We have tested the patch 82904 with following test, and this works.

- Launch VM
- Assign floating ip
- make sure ping to the floating ip is failing from GW
- modify security group rule to allow ping from anywhere
- make sure ping is working

[1] Real fix: (defered to Juno)

Improve vif attributes related with firewalling
https://review.openstack.org/#/c/21946/

Support binding:vif_security parameter in neutron
https://review.openstack.org/#/c/44596/

See original description

Nachi Ueno (nati-ueno) on 2014-03-25

Changed in neutron:
importance:	Undecided → Critical
status:	New → Confirmed

Nachi Ueno (nati-ueno) on 2014-03-25

description:

updated

Revision history for this message

Russell Bryant (russellb) wrote on 2014-03-25:

nova workaround for icehouse in progress: https://review.openstack.org/#/c/82904/1

Changed in nova:
status:	New → Confirmed
importance:	Undecided → High
status:	Confirmed → In Progress
assignee:	nobody → Nachi Ueno (nati-ueno)
milestone:	none → icehouse-rc1

Revision history for this message

Nachi Ueno (nati-ueno) wrote on 2014-03-25:

I added some notes and status update on
https://etherpad.openstack.org/p/neturon_security_group_fix_workaround_icehouse

Sandeep Raman (sandeep-raman) on 2014-03-26

information type:

Public → Public Security

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-03-26:

@Sandeep: does this really constitute a vulnerabililty ? Sounds like a bug to me (with the limited information I have on the bug)

Revision history for this message

Salvatore Orlando (salvatore-orlando) wrote on 2014-03-26:

it's a bug, which might result in a deployer thinking the environment is secured where it actually isn't

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-03-26:

OK adding OSSA task to judge the need for advisory

Changed in ossa:
status:	New → Incomplete

Revision history for this message

Salvatore Orlando (salvatore-orlando) wrote on 2014-03-26:

I have played a bit with this problem.
find three attachment, for two alternative to the new drivers.
I'm attaching here for not polluting gerrit (so just disregard if you think the proposed approach with the inherited vif driver is ok).

hack.patch basically just does always hybrid vif plugging, and does not set a nw filter name when using neutron.
It's similar to the driver only not configurable.
It does not break the NSX plugin. And I think similarly for other plugins which do not require hybrid plugging.
I'm still not super happy about the extra hop we'd introduce for those plugins.
This approach is similar to the one currently on gerrit, but does not introduce the need for a new driver value in nova.conf (so no devstack patch). However, it's not configurable for plugins which do not need hybrid.

anyway the patch is just +5,-5

then vif_type_nova.patch and vif_type_neutron.patch basically promote "hybrid" as a first class citizen vif type for neutron, while preserving current plugging mode for nova network.
The change is mainly that nova will nova use neutr_on's instructions regarding vif plugging. So if neutron specifies it needs a hybrid vif, it will do the hybrid thing.

These are two patches, relatively small, but still larger than the workaround:
Nova: +18,-4
Neutron: +8,-7

I think the benefit of this approach is that it's somethign we can keep building on rather than a workaround creating technical debt. The neutron patch applies to:
- Cisco (mostly)
- ML2 with OVS mech
- NEC
- OVS
- RYU

there might be other plugins still affected.

Revision history for this message

Salvatore Orlando (salvatore-orlando) wrote on 2014-03-26:

hack.patch Edit (2.4 KiB, text/plain)

Revision history for this message

Salvatore Orlando (salvatore-orlando) wrote on 2014-03-26:

vif_type_nova.patch Edit (4.3 KiB, text/plain)

Revision history for this message

Salvatore Orlando (salvatore-orlando) wrote on 2014-03-26:

vif_type_neutron.patch Edit (5.0 KiB, text/plain)

Nachi Ueno (nati-ueno) on 2014-03-26

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-03-27: Fix merged to nova (master)

#10

Reviewed: https://review.openstack.org/83190
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=304df046eaaad6d64ee16898b1eaa76918e98878
Submitter: Jenkins
Branch: master

commit 304df046eaaad6d64ee16898b1eaa76918e98878
Author: Robert Kukura <email address hidden>
Date: Wed Mar 26 15:25:55 2014 -0400

Use binding:vif_details to control firewall

    Neutron can include 'ovs_hybrid_plug' and 'port_filter' boolean keys in
    the binding:vif_details port attribute. 'port_filter' indicates whether
    or not neutron is handling port filtering for nova to determine if it needs
    to filter for that port. 'ovs_hybrid_plug' can be set to True to indicate
    that the neutron plugin still requires the bridge plugging strategy to attach
    firewall rules.

    Corresponding neutron patch:
    Review - https://review.openstack.org/#/c/83280/
    Commit - 8c42ba115b58cc2c7486be9fee89e1facedb5f76

Closes-Bug: 1297469
Change-Id: I3bbcfc67036ab7389c82720add0bc0fc627bfee0

Changed in nova:
status:	In Progress → Fix Committed

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicate of bug #1112912 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.