dhcp-agent and l3-agent should not run without namespace

Bug #1099837 reported by Akihiro Motoki
This bug affects 1 person
Affects: openstack-manuals
Status: Fix Released
Importance: High
Assigned to: Gary Kotton

Bug Description

I have noticed that there is a case where two subnets that are not connected to each other via a router can communicate with each other by changing the default gateway to the IP address of the DHCP servers, in a setup where l3-agent and dhcp-agent run on the same host without namespaces. This may lead to a security issue.

We should document that l3-agent and dhcp-agent should be run on different hosts.

Tags: quantum
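
A configuration check for the setup described in this report, added here as an example (not code from the bug report or from OpenStack): it reads the `use_namespaces` option from the agents' ini files and flags a host where both dhcp-agent and l3-agent have it disabled. The file paths, sample file contents and function names are assumptions.

```python
import configparser

# Constructed sample contents standing in for the two agent config files
# (assumed locations: /etc/quantum/dhcp_agent.ini and /etc/quantum/l3_agent.ini).
SAMPLE_DHCP_INI = """
[DEFAULT]
interface_driver = quantum.agent.linux.interface.OVSInterfaceDriver
use_namespaces = False
"""
SAMPLE_L3_INI = """
[DEFAULT]
use_namespaces = False
"""


def namespaces_enabled(ini_text):
    """Return the effective use_namespaces value (treated as True when the option is absent)."""
    # interpolation=None: values may contain '%'; strict=False: tolerate repeated options.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    return parser.getboolean("DEFAULT", "use_namespaces", fallback=True)


def check_host(agents):
    """agents maps agent name -> ini text for the agents running on ONE host.

    Returns a list of findings; an empty list means the host does not match
    the configuration described in the bug report.
    """
    without_ns = {name for name, text in agents.items() if not namespaces_enabled(text)}
    findings = []
    if {"dhcp-agent", "l3-agent"} <= without_ns:
        findings.append(
            "dhcp-agent and l3-agent run on the same host with use_namespaces=False: "
            "subnets not connected by a router can reach each other through the "
            "DHCP server IP; enable namespaces or run the agents on different hosts"
        )
    return findings


if __name__ == "__main__":
    host = {"dhcp-agent": SAMPLE_DHCP_INI, "l3-agent": SAMPLE_L3_INI}
    for finding in check_host(host):
        print("FINDING:", finding)
```
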
Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → High
status: Confirmed → Triaged
Akihiro Motoki (amotoki)
summary: - dhcp-agent and l3-agent should run without namespace
+ dhcp-agent and l3-agent should not run without namespace
dan wendlandt (danwent)
Changed in openstack-manuals:
assignee: nobody → Gary Kotton (garyk)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21961

Changed in openstack-manuals:
status: Triaged → In Progress
Gary Kotton (garyk) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/21961
Committed: http://github.com/openstack/openstack-manuals/commit/7e70c11537570ddca860072db12f2f86d0bb161e
Submitter: Jenkins
Branch: master

commit 7e70c11537570ddca860072db12f2f86d0bb161e
Author: Gary Kotton <email address hidden>
Date: Thu Feb 14 12:48:37 2013 +0000

    Document namespace limitation for l3agent and dhcp agent

    Fixes bug 1099837

    Change-Id: I0ffc19cb920154b0248bbe71490155725e707f9b

Changed in openstack-manuals:
status: In Progress → Fix Released