Enable multicast in the "kvm" kernels

Bug #1946672 reported by Slawek Kaplonski
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
cloud-images
Undecided
Unassigned
linux-kvm (Ubuntu)
Undecided
Unassigned
Focal
Medium
Unassigned

Bug Description

I work in the OpenStack Neutron project and recently I wanted to optimize our CI scenario jobs by using Ubuntu minimal image as guest image for some tests (see patch https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/813195)
Unfortunately it seems that there is problem with one multicast scenario test while using ubuntu-minimal image (https://cloud-images.ubuntu.com/minimal/releases/focal/release/ubuntu-20.04-minimal-cloudimg-amd64.img). The problem is that VM booted from that image don't subscribes properly to the IGMP multicast group thus test is failing.
All works fine when image https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img is used in the same test.

The problem is that in the minimal image kernel linux-image-kvm (vs. linux-image-generic in the "regular" cloud image) and that "-kvm" image has disabled MULTICAST:

# CONFIG_IP_MULTICAST is not set

Would it be maybe possible to enable this option in the kernel used in the "minimal" cloud images?

CVE References

Revision history for this message
John Chittum (jchittum) wrote :

Thanks for opening this. We'll take this to the kernel team as well.

For completeness, do you want us to investigate this on all currently support KVM kernels and images?

Stefan Bader (smb)
Changed in linux-kvm (Ubuntu Focal):
importance: Undecided → Medium
status: New → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-kvm/5.4.0-1051.53 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Kelsey Skunberg (kelsey-skunberg) wrote :

verified CONFIG_IP_MULTICAST is enabled on focal/kvm in proposed. switching verification testing to done.

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (19.5 KiB)

This bug was fixed in the package linux-kvm - 5.4.0-1051.53

---------------
linux-kvm (5.4.0-1051.53) focal; urgency=medium

  * focal/linux-kvm: 5.4.0-1051.53 -proposed tracker (LP: #1952303)

  * Support builtin revoked certificates (LP: #1932029)
    - [Config] kvm: Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  * Re-enable DEBUG_INFO_BTF where it was disabled (LP: #1945632)
    - [Config] kvm: Enable CONFIG_DEBUG_INFO_BTF on all arches

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md

  * Enable multicast in the "kvm" kernels (LP: #1946672)
    - [config] Enable CONFIG_IP_MULTICAST

  [ Ubuntu: 5.4.0-92.103 ]

  * focal/linux: 5.4.0-92.103 -proposed tracker (LP: #1952316)
  * Packaging resync (LP: #1786013)
    - [Packaging] resync update-dkms-versions helper
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.29)
  * CVE-2021-4002
    - tlb: mmu_gather: add tlb_flush_*_range APIs
    - hugetlbfs: flush TLBs correctly after huge_pmd_unshare
  * Re-enable DEBUG_INFO_BTF where it was disabled (LP: #1945632)
    - [Config] Enable CONFIG_DEBUG_INFO_BTF on all arches
  * Focal linux-azure: Vm crash on Dv5/Ev5 (LP: #1950462)
    - KVM: VMX: eVMCS: make evmcs_sanitize_exec_ctrls() work again
    - jump_label: Fix usage in module __init
  * Support builtin revoked certificates (LP: #1932029)
    - Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about
      cert lists that aren't present."
    - integrity: Move import of MokListRT certs to a separate routine
    - integrity: Load certs from the EFI MOK config table
    - certs: Add ability to preload revocation certs
    - integrity: Load mokx variables into the blacklist keyring
    - certs: add 'x509_revocation_list' to gitignore
    - SAUCE: Dump stack when X.509 certificates cannot be loaded
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - efi: Support for MOK variable config table
    - efi: mokvar-table: fix some issues in new code
    - efi: mokvar: add missing include of asm/early_ioremap.h
    - efi/mokvar: Reserve the table only if it is in boot services data
    - SAUCE: integrity: add informational messages when revoking certs
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table
  * Focal update: v5.4.157 upstream stable release (LP: #1951883)
    - ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
    - ARM: 9134/1: remove duplicate memcpy() definition
    - ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
    - ARM: 9141/1: only warn about XIP address when not compile testing
    - ipv6: use siphash in rt6_exception_hash()
    - ipv4: use siphash instead of Jenkins in fnhe_hashfun()
    - usbnet: sanity check for maxpacket
    - usbnet: fix error return code...

Changed in linux-kvm (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers