networking fails due to new ebtables-based arp spoofing protection

Bug #1482756 reported by Jesse Pretorius
Affects            Status        Importance  Assigned to      Milestone
OpenStack-Ansible  Fix Released  High        Jesse Pretorius
  Juno             Fix Released  High        Jesse Pretorius
  Kilo             Fix Released  High        Jesse Pretorius
  Trunk            Fix Released  High        Jesse Pretorius

Bug Description

Due to upstream changes for ARP spoofing protection in neutron, networking is failing in gate checks and builds with updated upstream SHAs. os-ansible-deployment needs to deploy both the ebtables package and the appropriate rootwrap file to facilitate the upstream changes.

Jesse Pretorius (jesse-pretorius) wrote :

For reference, I think these are the upstream changes which matter:
- https://review.openstack.org/157097
- https://review.openstack.org/141130

OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/210593

Changed in openstack-ansible:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/210593
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=a1eebe6afd0f042eaa161d41d9bab4ac3c2bfe77
Submitter: Jenkins
Branch: master

commit a1eebe6afd0f042eaa161d41d9bab4ac3c2bfe77
Author: Jesse Pretorius <email address hidden>
Date: Fri Aug 7 20:57:02 2015 +0100

    Add ebtables to neutron agent configuration

    Neutron now uses ebtables as an extra security layer for ARP
    spoof filtering. This patch adds the ebtables package and
    rootwrap to the neutron role to ensure that the agent is able
    to use this subsystem. Without it the networking from the
    instances to the L3 router will fail.

    Co-Authored-By: Evan Callicoat <email address hidden>
    Closes-Bug: #1482756
    Change-Id: Ibc960564a3acfbb10cfbc3cfe0ad60d3366d2443

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Change abandoned on os-ansible-deployment (kilo)

Change abandoned by Hugh Saunders (<email address hidden>) on branch: kilo
Review: https://review.openstack.org/217103

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (juno)

Related fix proposed to branch: juno
Review: https://review.openstack.org/226861

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (kilo)

Related fix proposed to branch: kilo
Review: https://review.openstack.org/226890

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (juno)

Reviewed: https://review.openstack.org/226861
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=aba68033386c9bfc0be409c2496dc395ea944d04
Submitter: Jenkins
Branch: juno

commit aba68033386c9bfc0be409c2496dc395ea944d04
Author: Jesse Pretorius <email address hidden>
Date: Wed Sep 23 16:45:31 2015 +0100

    Update juno SHA's - 23 Sep 2015

    This patch updates all the repository SHA's for the stable/juno branch.

    It also removes oslo.log as this is not used anywhere in juno.

    This patch includes the following fixes:

     - ARP Spoofing protection for the LinuxBridge Agent
       https://review.openstack.org/209708

     - OSSA-2015-019: Glance image status manipulation
       https://security.openstack.org/ossa/OSSA-2015-019.html

    Change-Id: Idb7eb4ee8416b0493faf1abf79d151a502366231
    Related-Bug: #1482756

tags: added: in-juno
OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/226890
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=50960b81d9fde8ee629ab95e9fd54658cc851873
Submitter: Jenkins
Branch: kilo

commit 50960b81d9fde8ee629ab95e9fd54658cc851873
Author: Jesse Pretorius <email address hidden>
Date: Wed Sep 23 18:30:28 2015 +0100

    Update kilo SHA's - 23 Sep 2015

    This patch updates all the repository SHA's for the stable/kilo branch.

    This patch includes the following fixes:

     - ARP Spoofing protection for the LinuxBridge Agent
       https://review.openstack.org/209705

     - OSSA-2015-019: Glance image status manipulation
       https://security.openstack.org/ossa/OSSA-2015-019.html

    Change-Id: Idb991dda15a7ad05a96095409d21eb8dd8404ec4
    Related-Bug: #1482756

tags: added: in-kilo
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/227721

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/217103
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=9f197d628df22b621185aa1dd1b6b3a34ced9c7c
Submitter: Jenkins
Branch: kilo

commit 9f197d628df22b621185aa1dd1b6b3a34ced9c7c
Author: Jesse Pretorius <email address hidden>
Date: Fri Aug 7 20:57:02 2015 +0100

    Add ebtables to neutron agent configuration

    Neutron now uses ebtables as an extra security layer for ARP
    spoof filtering. This patch adds the ebtables package and
    rootwrap to the neutron role to ensure that the agent is able
    to use this subsystem. Without it the networking from the
    instances to the L3 router will fail.

    Co-Authored-By: Evan Callicoat <email address hidden>
    Closes-Bug: #1482756
    Change-Id: Ibc960564a3acfbb10cfbc3cfe0ad60d3366d2443
    (cherry picked from commit a1eebe6afd0f042eaa161d41d9bab4ac3c2bfe77)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (juno)

Fix proposed to branch: juno
Review: https://review.openstack.org/227963

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/227721
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=8cb3b190a1a8d5186fb0366141d4656f1acad919
Submitter: Jenkins
Branch: kilo

commit 8cb3b190a1a8d5186fb0366141d4656f1acad919
Author: Jesse Pretorius <email address hidden>
Date: Fri Sep 25 09:47:40 2015 +0100

    Allow Neutron Agent prevent_arp_spoofing to be configurable

    This patch makes the neutron agent prevent_arp_spoofing conf option
    configurable. It sets the default value to False to match upstream
    and also to prevent a change in behaviour from previous Kilo
    deployments.

    Change-Id: I77dfe5504ae716d5a28647d606cece60484581dc
    Closes-Bug: #1482756

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (juno)

Reviewed: https://review.openstack.org/227963
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=a9a7485dcafce2e3fe14008a46ede41c70799ca1
Submitter: Jenkins
Branch: juno

commit a9a7485dcafce2e3fe14008a46ede41c70799ca1
Author: Jesse Pretorius <email address hidden>
Date: Fri Sep 25 17:56:12 2015 +0100

    Add ebtables to neutron agent configuration

    Neutron now uses ebtables as an extra security layer for ARP spoof filtering.
    This patch adds the ebtables package and rootwrap to the neutron role to
    ensure that the agent is able to use this subsystem. Without it the networking
    from the instances to the L3 router will fail.

    The neutron agent prevent_arp_spoofing conf option is configurable, but is set
    with the default value of False to match upstream and also to prevent a change
    in behaviour from previous Juno deployments.

    Co-Authored-By: Evan Callicoat <email address hidden>
    Closes-Bug: #1482756
    Change-Id: Ibc960564a3acfbb10cfbc3cfe0ad60d3366d2443

Jesse Pretorius (jesse-pretorius) wrote :

Added documentation regarding config_overrides to master: https://review.openstack.org/230368

Jesse Pretorius (jesse-pretorius) wrote :

Config overrides documentation implemented. This is the preferred method of setting this for master/Liberty.

http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-openstack.html

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/234926

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/234926
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=9a9f74e79ee1f2dde1db102ee61c198d6a53f076
Submitter: Jenkins
Branch: master

commit 9a9f74e79ee1f2dde1db102ee61c198d6a53f076
Author: Jesse Pretorius <email address hidden>
Date: Wed Oct 14 19:35:45 2015 +0100

    Update Neutron Configuration for Liberty

    This patch includes the updates to the configuration files for
    Neutron for the Liberty release.

    Files Removed:
     - rootwrap.d/nec-plugin.filters
     - rootwrap.d/ryu-plugin.filters

    Variables removed due to upstream deprecation:
     - neutron_l3_router_delete_namespaces
     - neutron_dhcp_delete_namespaces

    Defaults changed to match new upstream defaults:
     - neutron_driver_network_scheduler
     - neutron_driver_quota

    Upgrade Notes:
     - The LinuxBridge configuration has been separated out from
       plugins/ml2/ml2_conf.ini to plugins/ml2/linuxbridge_agent.ini
     - prevent_arp_spoofing is now set to the upstream default, which
       is True.

    DocImpact
    UpgradeImpact
    Closes-Bug: #1482756
    Implements: blueprint liberty-release
    Change-Id: I879fd37db2e699bc3d48bcdd65ec7888b0f3f1a9
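The failure the bug description and the Juno/Kilo/Liberty commit messages above describe (the agent calling ebtables through rootwrap, and the prevent_arp_spoofing default deciding whether it does so at all) as an added host preflight check; this is not code from the bug report or from openstack-ansible, and the filter entry, file fragments and function names are constructed assumptions:

```python
# Added example (not from the bug report or openstack-ansible): preflight check
# for a Linux Bridge agent host. With prevent_arp_spoofing = True the agent runs
# ebtables through rootwrap, so the binary and a permitting filter are required.
import configparser
import shutil

# Constructed rootwrap filters in the "name: FilterType, executable, user" form
# of neutron's rootwrap.d/*.filters files (the entry itself is an assumption).
ROOTWRAP_FILTERS = """\
[Filters]
ebtables: CommandFilter, ebtables, root
"""

# Constructed linuxbridge_agent.ini fragment with the protection enabled.
AGENT_INI = """\
[agent]
prevent_arp_spoofing = True
"""


def rootwrap_allows(filters_text, executable):
    """True if a CommandFilter entry in [Filters] permits `executable`."""
    cp = configparser.ConfigParser()
    cp.read_string(filters_text)
    for _name, spec in cp.items("Filters"):
        fields = [f.strip() for f in spec.split(",")]
        if len(fields) >= 2 and fields[0] == "CommandFilter" and fields[1] == executable:
            return True
    return False


def arp_protection_enabled(ini_text):
    """Read [agent] prevent_arp_spoofing; a missing option counts as False."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.getboolean("agent", "prevent_arp_spoofing", fallback=False)


def preflight(filters_text, ini_text, ebtables_path=None):
    """(level, message) findings: 'error' breaks instance networking as in the bug."""
    if not arp_protection_enabled(ini_text):
        return [("warning", "prevent_arp_spoofing is False: ebtables ARP filtering is off")]
    findings = []
    if ebtables_path is None:  # default: look the binary up on this host
        ebtables_path = shutil.which("ebtables")
    if not ebtables_path:
        findings.append(("error", "ebtables binary is not installed"))
    if not rootwrap_allows(filters_text, "ebtables"):
        findings.append(("error", "rootwrap filters do not permit ebtables"))
    return findings
```

Run preflight() against the real rootwrap.d filter files and the agent ini of a host before enabling the protection; an empty result means the agent's ebtables calls will not be rejected.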

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.11

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.12

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.
