Nova role may leave libvirt default network enabled
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack-Ansible | Fix Released | Undecided | Damian Dąbrowski | |
Bug Description
Short description
=================
Currently, the nova playbook disables autostart for the default libvirt network only if this network is currently active[1].
In some cases this network may not be active during playbook execution, but autostart still needs to be disabled to prevent the network from being accidentally enabled later (host reboot, package upgrade etc.).
If all three of the following conditions are met, the virtual machine will have broken networking:
- libvirt default network is active
- neutron is using iptables firewall driver
- VM's subnet is the same as libvirt default subnet(
Detailed description
====================
As mentioned above, it is important to keep the libvirt default network disabled, especially when the iptables firewall driver is used in neutron.
Disabling the libvirt default network worked fine in the os_nova role as long as dnsmasq-base was available during nova playbook execution. In that case the libvirt default network was started automatically, so nova was able to disable it[1].
It was a default behavior to install dnsmasq-base during nova playbook execution because it's a recommended package of libvirt-
We disabled installation of recommended packages in Yoga[2].
After this change, this is what happens during a typical compute node deployment:
1. [os_nova_role] installs libvirt-
2. [libvirt] is not able to start the default network because the dnsmasq-base package is missing
3. [os_nova_role] does not disable autostart on the libvirt default network because this network is not active (it is not visible in `virsh net-list` output)[1]
4. [os_neutron_role] installs dnsmasq-base[3]
5. User reboots the server
6. [libvirt] The default libvirt network gets activated because it has autostart enabled and dnsmasq-base is available now
7. [libvirt] Creates masquerade iptables rules for 192.168.122.0/24
Steps to reproduce the issue
============================
(tested on Ubuntu 22.04 and 20.04)
```
# apt install libvirt-
# virsh net-list # should return empty list
# reboot
# virsh net-list # should return empty list
# apt install dnsmasq-base
# reboot
# virsh net-list # default virsh network is active
```
Security Risk
=============
If the default libvirt network is active, neutron is using the iptables firewall driver and the VM's subnet is the same as the libvirt default subnet(
This opens a potential security risk. For example, it may allow a VM to communicate with OpenStack's management network.
Proposed solution
=================
Always disable autostart for the default libvirt network, even if the network is not active at the moment.
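The following script is an added example and is not code from the os_nova role or from the fix linked below. It shows the check a deployer can run on a compute node to catch exactly the state described in steps 2-3 above: the default network is inactive (so plain `virsh net-list` hides it) but still has autostart enabled. The parsing works on the output of `virsh net-list --all`, which lists inactive networks too; the listing embedded in the script is constructed sample output, and `remediate_default_network` is a hypothetical helper that applies the proposed fix (`virsh net-autostart --disable default`) regardless of whether the network is active.

```shell
#!/bin/sh
# Added example, not part of the os_nova role: detect a libvirt "default"
# network whose autostart is still enabled, whether or not it is active,
# and disable it unconditionally.

# Constructed sample of `virsh net-list --all` on a host where dnsmasq-base is
# missing. The network is inactive, so `virsh net-list` without --all would
# print nothing for it, yet Autostart is still "yes".
SAMPLE_NET_LIST=' Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   yes         yes
'

# default_autostart_enabled LISTING
# Returns 0 when the "default" row in LISTING has Autostart == yes,
# 1 when the row is absent or autostart is already "no".
# Columns in `virsh net-list --all` are: Name State Autostart Persistent.
default_autostart_enabled() {
    printf '%s\n' "$1" | awk '$1 == "default" && $3 == "yes" { found = 1 } END { exit found ? 0 : 1 }'
}

# default_network_active LISTING
# Returns 0 when the "default" row in LISTING reports State == active.
default_network_active() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "active" { found = 1 } END { exit found ? 0 : 1 }'
}

# remediate_default_network (hypothetical helper; call it on a real host)
# Applies the proposed fix: autostart is disabled based on the --all listing,
# not on whether the network happens to be active right now. If it is active,
# it is also torn down so the 192.168.122.0/24 masquerade rules disappear.
remediate_default_network() {
    listing=$(virsh net-list --all) || return 1
    if default_autostart_enabled "$listing"; then
        virsh net-autostart --disable default
    fi
    if default_network_active "$listing"; then
        virsh net-destroy default
    fi
}

# Offline demonstration against the constructed listing; no virsh needed.
if default_autostart_enabled "$SAMPLE_NET_LIST"; then
    echo "default network: autostart enabled -> virsh net-autostart --disable default is needed"
fi
if ! default_network_active "$SAMPLE_NET_LIST"; then
    echo "default network: inactive, so a check on plain 'virsh net-list' would miss it"
fi
```

On a deployed compute node, source the script and call `remediate_default_network`; the top-level code only exercises the parsing against the constructed listing. The point of the `--all` flag is the whole bug: a check keyed on the active-network listing gives a false negative exactly when dnsmasq-base is not yet installed.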
Links
=====
[1] https:/
[2] https:/
[3] https:/
[4] https:/
Changed in openstack-ansible:
assignee: nobody → Damian Dąbrowski (damiandabrowski)
Changed in openstack-ansible:
status: New → In Progress
information type: Private Security → Public Security
Changed in openstack-ansible:
status: In Progress → Fix Released
Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/900190
Committed: https://opendev.org/openstack/openstack-ansible-os_nova/commit/5af16d68655a3ee8c2c32808311be4c480aa824c
Submitter: "Zuul (22348)"
Branch: stable/2023.1
commit 5af16d68655a3ee8c2c32808311be4c480aa824c
Author: Damian Dabrowski <email address hidden>
Date: Wed Nov 1 00:38:01 2023 +0100
Always disable libvirt default network
Currently, autostart for libvirt default network is disabled only when
this network is active during nova playbook execution.
It's an incorrect behavior because in some cases this network may not be
active from the beginning.
Autostart should be always disabled to ensure that this network will not
be unexpectedly marked as active in the future (during package upgrade,
host reboot etc.).
Closes-Bug: #2042369
Change-Id: I697234bda1601b534ce1b6ab186fa98f83179ee8
(cherry picked from commit feb15af75b1d38fdfa2c670c55a6d0f4c95c5ad7)