nova network-create allows invalid fixed-ip creation

Bug #1367060 reported by Dan Sneddon
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Thang Pham

Bug Description

Creating a network with 'nova network-create' allows the creation of fixed-ips that fall outside the fixed-range-v4, resulting in invalid fixed IPs.

To recreate:
Create a network with network-create that contains a fixed-cidr that falls outside the fixed-range-v4.

Actual outcome:
If the user runs the following command:
nova network-create vmnet --fixed-range-v4 10.1.0.0/24 --fixed-cidr 10.20.0.0/16 --bridge br-100

This command succeeds, and creates invalid fixed IPs which can be retrieved with 'nova fixed-ip-get', for example:

nova fixed-ip-get 10.20.0.1

+-----------+-------------+----------+------+
| address | cidr | hostname | host |
+-----------+-------------+----------+------+
| 10.20.0.1 | 10.1.0.0/24 | - | - |
+-----------+-------------+----------+------+

This address falls outside the cidr, so is invalid.

Desired outcome:
Nova network-create should verify that the fixed-cidr is a subset of fixed-range-v4. If the fixed-cidr falls outside of the fixed-range-v4, the command should fail with an error, such as "ERROR: fixed-cidr must be a subset of fixed-range-v4".

Tags: api
Sean Dague (sdague) wrote :

This is at best a medium bug given that it's admin APIs.

Changed in nova:
status: New → Confirmed
importance: Undecided → Medium
tags: added: api
Thang Pham (thang-pham)
Changed in nova:
assignee: nobody → Thang Pham (thang-pham)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/120848

Changed in nova:
status: Confirmed → In Progress
Jay Pipes (jaypipes) wrote :

Does this occur with both neutron and nova-network?

tags: added: nova-network
tags: removed: nova-network
Thang Pham (thang-pham) wrote :

I only noticed it (specifically using "nova network-create") with nova-network. If neutron is enabled, "nova network-create" throws a NotImplementedError exception.

Dan Sneddon (dsneddon) wrote : Re: [Bug 1367060] Re: nova network-create allows invalid fixed-ip creation

This bug only applies to Nova Network. Perhaps I should have made that more clear in the bug report.

> On Sep 12, 2014, at 10:55 AM, Thang Pham <email address hidden> wrote:
>
> I only noticed it (specifically using "nova network-create") with nova-
> network. If neutron is enabled, "nova network-create" throws a
> NotImplementedError exception.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/120848
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=445e4e20b5756de7b126d54070bd0e9e6d36618b
Submitter: Jenkins
Branch: master

commit 445e4e20b5756de7b126d54070bd0e9e6d36618b
Author: Thang Pham <email address hidden>
Date: Thu Sep 11 13:16:28 2014 -0400

    Check fixed-cidr is within fixed-range-v4

    Creating a network using 'nova network-create' allows the
    creation of fixed IPs that fall outside the fixed-range-v4,
    resulting in invalid fixed IPs. The following patch adds a
    check to see if the fixed-cidr subnet is within the
    fixed-range-v4 and throws an exception if it is not.

    Change-Id: I00458b54094d3371da63d22e3356660194e2fb95
    Closes-Bug: #1367060
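
The containment check requested in this report, plus an audit of already-stored fixed IPs, as an added example that is not the code from the merged nova change. It uses the Python standard-library ipaddress module; the function names, the exception class and SAMPLE_ROWS are hypothetical, and the second sample row is constructed.

```python
import ipaddress


class InvalidFixedCidr(ValueError):
    """Hypothetical error type: fixed-cidr rejected before any IPs are created."""


def check_fixed_cidr(fixed_range_v4, fixed_cidr):
    """Return the parsed fixed-cidr if it lies inside fixed-range-v4, else raise."""
    try:
        # strict parsing (the default) also rejects CIDRs with host bits set,
        # e.g. 10.1.0.5/24, and anything that is not IPv4.
        net = ipaddress.IPv4Network(fixed_range_v4)
        sub = ipaddress.IPv4Network(fixed_cidr)
    except ValueError as exc:
        raise InvalidFixedCidr("invalid IPv4 CIDR: %s" % exc)
    # subnet_of() is true only when every address of sub is inside net, so a
    # disjoint range (the case in this report) and a larger supernet that
    # merely overlaps the range are both rejected.
    if not sub.subnet_of(net):
        raise InvalidFixedCidr("fixed-cidr must be a subset of fixed-range-v4")
    return sub


def find_invalid_fixed_ips(rows):
    """Return the (address, cidr) rows whose address is outside its network cidr.

    Useful for auditing deployments where networks were created before the check.
    """
    bad = []
    for address, cidr in rows:
        if ipaddress.IPv4Address(address) not in ipaddress.IPv4Network(cidr):
            bad.append((address, cidr))
    return bad


# First row is the 'nova fixed-ip-get' output quoted in the report;
# the second row is a constructed valid entry for contrast.
SAMPLE_ROWS = [
    ("10.20.0.1", "10.1.0.0/24"),
    ("10.1.0.7", "10.1.0.0/24"),
]

if __name__ == "__main__":
    print(find_invalid_fixed_ips(SAMPLE_ROWS))
    try:
        check_fixed_cidr("10.1.0.0/24", "10.20.0.0/16")
    except InvalidFixedCidr as exc:
        print("ERROR: %s" % exc)
```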

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: kilo-1 → 2015.1.0