Octavia is not handling VIPs on the same subnet as the lb-mgmt-net

Bug #1659488 reported by Michael Johnson
Affects: octavia
Status: Fix Released
Importance: Medium
Assigned to: Lubosz Kosnik
Milestone: (none)

Bug Description

Now that we have the network namespace in the amphora, we need to properly handle the case where a user enters the lb-mgmt-net (config setting) subnet as the VIP subnet.

Currently this does not work and the lb-mgmt port on the amp gets misconfigured.

We have two options:
1. Return an error from the API if the user specifies the lb-mgmt-net subnet as the VIP subnet.
2. Update octavia to allow a VIP on the lb-mgmt-net by enabling an alternate port inside the network namespace.
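Option 1 above is an API-side validation. The following is an added example, not Octavia's own code, of what such a check looks like: it parses the requested VIP subnet and the configured management subnet(s) and rejects the request when they collide. The management CIDRs in `LB_MGMT_SUBNETS` are constructed sample values standing in for whatever the deployment's lb-mgmt-net config setting holds; the function and exception names are the example's own. It goes slightly beyond the exact-match case in the report by also rejecting a VIP subnet that merely overlaps the management subnet (a sub- or super-net of it), since those would misconfigure the management port in the same way.

```python
"""Reject VIP subnets that collide with the amphora management network.

Added example (not Octavia code) implementing option 1 from the bug
report: fail the API request instead of letting the amphora's lb-mgmt
port be misconfigured. Management subnets below are constructed values;
a real deployment would read them from its lb-mgmt-net configuration.
"""
import ipaddress
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample values: the subnet(s) backing the lb-mgmt-net.
LB_MGMT_SUBNETS = ["192.168.0.0/24", "fd00:db8:1::/64"]


class VipSubnetConflict(ValueError):
    """Raised when a requested VIP subnet would land on the management net."""


def _parse(cidr: str) -> Network:
    # strict=False accepts host-style input such as 192.168.0.10/24 and
    # normalises it to the containing network.
    return ipaddress.ip_network(cidr, strict=False)


def vip_subnet_conflict(vip_cidr: str, mgmt_cidrs: Iterable[str]) -> Optional[str]:
    """Return the management CIDR the VIP subnet collides with, or None.

    Exact equality is the case described in the report; overlap (the VIP
    subnet containing, or contained in, a management subnet) is a
    generalisation so that e.g. 192.168.0.128/25 is rejected as well.
    """
    vip = _parse(vip_cidr)
    for mgmt_cidr in mgmt_cidrs:
        mgmt = _parse(mgmt_cidr)
        if mgmt.version != vip.version:
            # An IPv4 VIP cannot collide with an IPv6 management net.
            continue
        if vip.overlaps(mgmt):
            return str(mgmt)
    return None


def vip_subnet_allowed(vip_cidr: str, mgmt_cidrs: Iterable[str] = LB_MGMT_SUBNETS) -> bool:
    """True when the VIP subnet is clear of every management subnet."""
    return vip_subnet_conflict(vip_cidr, mgmt_cidrs) is None


def validate_vip_subnet(vip_cidr: str, mgmt_cidrs: Iterable[str] = LB_MGMT_SUBNETS) -> str:
    """Return the VIP CIDR unchanged, or raise VipSubnetConflict.

    This is the call an API handler would make before creating the load
    balancer; the message is what the caller would see in the error body.
    """
    conflict = vip_subnet_conflict(vip_cidr, mgmt_cidrs)
    if conflict is not None:
        raise VipSubnetConflict(
            f"VIP subnet {vip_cidr} overlaps the amphora management network "
            f"{conflict}; choose a subnet that is not used for lb-mgmt-net")
    return vip_cidr


if __name__ == "__main__":
    for candidate in ["10.0.0.0/24", "192.168.0.0/24", "192.168.0.128/25", "fd00:db8:1::/64"]:
        try:
            print(f"{candidate}: accepted as {validate_vip_subnet(candidate)}")
        except VipSubnetConflict as exc:
            print(f"{candidate}: rejected ({exc})")
```

`vip_subnet_conflict` is kept separate from the raising wrapper so the same logic can be reused when validating an existing load balancer against a changed management configuration, not only on creation.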

Revision history for this message
zhaobo (zhaobo6) wrote :

Hi, Michael.
I think allowing a VIP to be created in lb-mgmt-net is terrible, even though it is not a technical issue. As we already use lb-mgmt-net to access the control layer, in this view the user can see lb-mgmt-net and he/she will see the related lb-mgmt-sg; also, assuming that the user knows the node IP and health-manager IP, they can access our nodes directly through some simple routes. So I think we cannot allow this operation, to avoid other security risks in the future. Do you agree?

Revision history for this message
zhaobo (zhaobo6) wrote :

Hi, Michael.
Could I fix it? :P.. I will introduce a change for this. If there are any problems with it, I will follow the nice suggestions from the review comments.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to octavia (master)

Fix proposed to branch: master
Review: https://review.openstack.org/430578

Changed in octavia:
assignee: nobody → zhaobo (zhaobo6)
status: Triaged → In Progress
Revision history for this message
Michael Johnson (johnsom) wrote :

Hi Zhaobo,

I put this on the meeting agenda for this week to discuss the options. Please join the meeting or see the meeting log to see the discussion.

Revision history for this message
Adam Harwell (adam-harwell) wrote :

I agree it's not *great* but I think there is absolutely a use-case for this (for example, the cloud I work in cannot create additional networks, and this is basically my only deployment option).

I have a patch that makes it "work", I'll put it up and see what people think.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/431179

Changed in octavia:
assignee: zhaobo (zhaobo6) → Adam Harwell (adam-harwell)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on octavia (master)

Change abandoned by ZhaoBo (<email address hidden>) on branch: master
Review: https://review.openstack.org/430578
Reason: Abandon this for the other process.

Changed in octavia:
assignee: Adam Harwell (adam-harwell) → Lubosz Kosnik (diltram)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to octavia (master)

Reviewed: https://review.openstack.org/431179
Committed: https://git.openstack.org/cgit/openstack/octavia/commit/?id=e1ec15c9a860bc431174d8db63ce50e2d143b79c
Submitter: Jenkins
Branch: master

commit e1ec15c9a860bc431174d8db63ce50e2d143b79c
Author: Adam Harwell <email address hidden>
Date: Wed Feb 8 13:07:21 2017 -0800

    Allow to create vip in lb-mgmt-net

    Change-Id: Ie2c916bd557190e5dfead12c2635955da92c52ff
    Closes-Bug: #1659488

Changed in octavia:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/octavia 1.0.0.0b1

This issue was fixed in the openstack/octavia 1.0.0.0b1 development milestone.
