Octavia is not handling VIPs on the same subnet as the lb-mgmt-net

Bug #1659488 reported by Michael Johnson on 2017-01-26
This bug affects 2 people

Affects: octavia
Status: Fix Released
Importance: Medium
Assigned to: Lubosz Kosnik
Milestone: (none)

Bug Description

Now that we have the network namespace in the amphora, we need to properly handle the case where a user enters the lb-mgmt-net (config setting) subnet as the VIP subnet.

Currently this does not work and the lb-mgmt port on the amp gets mis-configured.

We have two options:
1. Return an error from the API if the user specifies the lb-mgmt-net subnet as the VIP subnet.
2. Update octavia to allow a VIP on the lb-mgmt-net but enabling an alternate port inside the network namespace.
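As an added illustration of option 1 above (this is not Octavia's own code), the following pre-flight check rejects a requested VIP subnet that is, or overlaps, the lb-mgmt-net subnet. It assumes the management subnet CIDRs have already been resolved from the configured management network; the CIDR values are constructed samples.

```python
"""Added example: reject a VIP subnet that collides with lb-mgmt-net.

Assumption: the management subnet CIDRs are known up front (in a real
deployment they would be looked up from the management network via Neutron).
"""
import ipaddress
from typing import Iterable

# Constructed sample values, not taken from any real deployment.
LB_MGMT_SUBNETS = ["192.0.2.0/24", "2001:db8:a::/64"]


class VipSubnetConflict(ValueError):
    """The VIP subnet would place the VIP on the management plane."""


def check_vip_subnet(vip_cidr: str,
                     mgmt_cidrs: Iterable[str] = LB_MGMT_SUBNETS) -> str:
    """Return the normalised VIP CIDR if it is disjoint from every
    management subnet; raise VipSubnetConflict otherwise.

    An exact match, a VIP subnet inside a management subnet, and a VIP
    supernet containing a management subnet are all rejected: in each case
    the amphora would get two interfaces competing for the same prefix,
    which is the mis-configured lb-mgmt port the report describes.
    strict=True also rejects malformed input such as a host address with
    non-zero host bits.
    """
    vip = ipaddress.ip_network(vip_cidr, strict=True)
    for cidr in mgmt_cidrs:
        mgmt = ipaddress.ip_network(cidr, strict=True)
        if vip.version != mgmt.version:
            continue  # IPv4 and IPv6 prefixes cannot overlap
        if vip.overlaps(mgmt):
            raise VipSubnetConflict(
                f"VIP subnet {vip} overlaps lb-mgmt-net subnet {mgmt}")
    return str(vip)


def vip_subnet_allowed(vip_cidr: str,
                       mgmt_cidrs: Iterable[str] = LB_MGMT_SUBNETS) -> bool:
    """Boolean wrapper suitable for an API-layer validator."""
    try:
        check_vip_subnet(vip_cidr, mgmt_cidrs)
    except VipSubnetConflict:
        return False
    return True


if __name__ == "__main__":
    for cidr in ("192.0.2.0/24", "192.0.2.128/25", "192.0.0.0/16",
                 "198.51.100.0/24"):
        print(cidr, "allowed" if vip_subnet_allowed(cidr) else "rejected")
```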

zhaobo (zhaobo6) wrote :

Hi, Michael.
I think allowing a VIP to be created in lb-mgmt-net is terrible, even though it is not a tech issue. As we already use lb-mgmt-net to access the control layer, in this view the user can see lb-mgmt-net and he/she will see the related lb-mgmt-sg; also, assuming the user knows the node IP and health-manager IP, they can access our nodes directly through some simple routes. So I think we cannot allow this operation, to avoid other security risks in the future. Do you agree?

zhaobo (zhaobo6) wrote :

Hi, Michael.
Could I fix it? :P I will introduce a change for this. If there are any problems with it, I will follow the nice suggestions from the review comments.

Fix proposed to branch: master
Review: https://review.openstack.org/430578

Changed in octavia:
assignee: nobody → zhaobo (zhaobo6)
status: Triaged → In Progress
Michael Johnson (johnsom) wrote :

Hi Zhaobo,

I put this on the meeting agenda for this week to discuss the options. Please join the meeting or see the meeting log to see the discussion.

Adam Harwell (adam-harwell) wrote :

I agree it's not *great* but I think there is absolutely a use-case for this (for example, the cloud I work in cannot create additional networks, and this is basically my only deployment option).

I have a patch that makes it "work", I'll put it up and see what people think.

Fix proposed to branch: master
Review: https://review.openstack.org/431179

Changed in octavia:
assignee: zhaobo (zhaobo6) → Adam Harwell (adam-harwell)

Change abandoned by ZhaoBo (<email address hidden>) on branch: master
Review: https://review.openstack.org/430578
Reason: Abandon this for the other process.

Changed in octavia:
assignee: Adam Harwell (adam-harwell) → Lubosz Kosnik (diltram)

Reviewed: https://review.openstack.org/431179
Committed: https://git.openstack.org/cgit/openstack/octavia/commit/?id=e1ec15c9a860bc431174d8db63ce50e2d143b79c
Submitter: Jenkins
Branch: master

commit e1ec15c9a860bc431174d8db63ce50e2d143b79c
Author: Adam Harwell <email address hidden>
Date: Wed Feb 8 13:07:21 2017 -0800

    Allow to create vip in lb-mgmt-net

    Change-Id: Ie2c916bd557190e5dfead12c2635955da92c52ff
    Closes-Bug: #1659488

Changed in octavia:
status: In Progress → Fix Released

This issue was fixed in the openstack/octavia 1.0.0.0b1 development milestone.
