Rogue DHCP validator almost always fails

Bug #1620332 reported by Udi Kalifon
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Tomas Sedovic

Bug Description

The validator listens for rogue DHCP servers on all networks it finds in the default routes in "ip r". The undercloud typically has a routable IP on the corporate network and the validator then fails because of the corporate DHCP. The validator should probably listen on the control plane only.

Changed in tripleo:
importance: Undecided → High
Tomas Sedovic (tsedovic) wrote :

Right, makes sense. Can you think of a way to detect which interface is for the control plane? Ideally, validations should be automatic.

Tomas Sedovic (tsedovic)
Changed in tripleo:
status: New → Triaged
Tomas Sedovic (tsedovic) wrote :

So, we're using this validation for 2 purposes:

1. to make sure the introspected nodes don't get an unexpected DHCP response

To do that, we need to get the introspection interface which is defined in: /etc/ironic-inspector/inspector.conf.

It's the "dnsmasq_interface" value under the "firewall" (deprecated) or "discoverd" section. The default value is: "br-ctlplane".

Or we could read it from /etc/ironic-inspector/dnsmasq.conf

2. On the pacemaker network: if the nodes get an IP address from an unexpected DHCP server, Pacemaker will consider the node dead and will fence it.

I'm not sure where to find out that interface/network, though.

Changed in tripleo:
assignee: nobody → Tomas Sedovic (tsedovic)
status: Triaged → In Progress
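
The interface lookup described in the comment above, as an added example (not code from tripleo-validations): it reads "dnsmasq_interface" from inspector.conf, falls back to dnsmasq.conf, then to the "br-ctlplane" default, so only that interface is probed. The section lookup order, the use of dnsmasq's `interface=` directive in dnsmasq.conf, the function names and the sample file contents are assumptions of this example.

```python
import configparser

DEFAULT_INTERFACE = "br-ctlplane"      # default value named in the comment above
SECTIONS = ("firewall", "discoverd")   # lookup order is an assumption of this example

# Constructed sample file contents, not taken from a real undercloud.
SAMPLE_INSPECTOR = "[DEFAULT]\ndebug = false\n\n[firewall]\ndnsmasq_interface = br-prov\n"
SAMPLE_DNSMASQ = "port=0\ninterface=eth2  # introspection NIC\nbind-interfaces\n"


def from_inspector_conf(text):
    """Return dnsmasq_interface from inspector.conf text, or None if unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None  # unparsable file: let the caller fall back
    for section in SECTIONS:
        value = parser.get(section, "dnsmasq_interface", fallback="").strip().strip("\"'")
        if value:
            return value
    return None


def from_dnsmasq_conf(text):
    """Return the first interface= value from dnsmasq.conf text, or None."""
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "interface" and value.strip():
            return value.strip()
    return None


def introspection_interface(inspector_text="", dnsmasq_text=""):
    """Pick the one interface to probe instead of every default-route network."""
    return (from_inspector_conf(inspector_text)
            or from_dnsmasq_conf(dnsmasq_text)
            or DEFAULT_INTERFACE)


if __name__ == "__main__":
    print(introspection_interface(SAMPLE_INSPECTOR, SAMPLE_DNSMASQ))
```
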
Tomas Sedovic (tsedovic) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-validations (master)

Reviewed: https://review.openstack.org/353973
Committed: https://git.openstack.org/cgit/openstack/tripleo-validations/commit/?id=0a608f83bd9cd59b8744fc69807b8f0c7c9fc028
Submitter: Jenkins
Branch: master

commit 0a608f83bd9cd59b8744fc69807b8f0c7c9fc028
Author: Tomas Sedovic <email address hidden>
Date: Thu Aug 11 12:42:42 2016 +0200

    Validate rogue DHCP servers

    This adds two validations that check for unexpected DHCP servers in the
    networks used for hardware introspection and provisioning.

    Both validations depend on a file that sends a DHCP request for each
    interface specified in its arguments and fails if there are any
    responses.

    Closes-Bug: #1620332
    Change-Id: I22d4bf31e8f528e345b1a0a3ec972beea13d4f52

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-validations (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/392858

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-validations (stable/newton)

Reviewed: https://review.openstack.org/392858
Committed: https://git.openstack.org/cgit/openstack/tripleo-validations/commit/?id=24c6c9622f4f7c0b94acefa734e2048e9f21a6c6
Submitter: Jenkins
Branch: stable/newton

commit 24c6c9622f4f7c0b94acefa734e2048e9f21a6c6
Author: Tomas Sedovic <email address hidden>
Date: Thu Aug 11 12:42:42 2016 +0200

    Validate rogue DHCP servers

    This adds two validations that check for unexpected DHCP servers in the
    networks used for hardware introspection and provisioning.

    Both validations depend on a file that sends a DHCP request for each
    interface specified in its arguments and fails if there are any
    responses.

    Closes-Bug: #1620332
    Change-Id: I22d4bf31e8f528e345b1a0a3ec972beea13d4f52
    (cherry picked from commit 0a608f83bd9cd59b8744fc69807b8f0c7c9fc028)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-validations 5.2.0

This issue was fixed in the openstack/tripleo-validations 5.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-validations 5.1.1

This issue was fixed in the openstack/tripleo-validations 5.1.1 release.
