[jamespage, r=thedac] Disable arp spoofing if neutron_security_groups are not enabled

2016-02-11 13:35:53 -08:00 · 2016-02-11 13:35:53 -08:00 · 6731719837
commit 6731719837
parent 1198407356 75efa4a0d8
5 changed files with 59 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -35,7 +35,7 @@ WARNING: this feature allows you to effectively disable security on your cloud!
 This charm has a configuration option to allow users to disable any per-instance security group management; this must used with neutron-security-groups enabled in the neutron-api charm and could be used to turn off security on selected set of compute nodes:

    juju deploy neutron-openvswitch neutron-openvswitch-insecure
-    juju set neutron-openvswitch-insecure disable-security-groups=True
+    juju set neutron-openvswitch-insecure disable-security-groups=True prevent-arp-spoofing=False
    juju deploy nova-compute nova-compute-insecure
    juju add-relation nova-compute-insecure neutron-openvswitch-insecure
    ...
--- a/config.yaml
+++ b/config.yaml
@ -111,3 +111,12 @@ options:
      which do not include a neutron-gateway (do not require l3, lbaas or vpnaas
      services) and should only be used in-conjunction with flat or VLAN provider
      networks configurations.
+  prevent-arp-spoofing:
+    type: boolean
+    default: true
+    description: |
+      Enable suppression of ARP responses that don't match an IP address that belongs
+      to the port from which they originate.
+      .
+      Only supported in OpenStack Liberty or newer, which has the required minimum version
+      of Open vSwitch.
--- a/hooks/neutron_ovs_context.py
+++ b/hooks/neutron_ovs_context.py
@ -58,6 +58,7 @@ class OVSPluginContext(context.NeutronContext):
        ovs_ctxt['use_syslog'] = conf['use-syslog']
        ovs_ctxt['verbose'] = conf['verbose']
        ovs_ctxt['debug'] = conf['debug']
+        ovs_ctxt['prevent_arp_spoofing'] = conf['prevent-arp-spoofing']

        net_dev_mtu = neutron_api_settings.get('network_device_mtu')
        if net_dev_mtu:
--- a/templates/liberty/ml2_conf.ini
+++ b/templates/liberty/ml2_conf.ini
@ -0,0 +1,44 @@
+# liberty
+###############################################################################
+# [ WARNING ]
+# Configuration file maintained by Juju. Local changes may be overwritten.
+# Config managed by neutron-openvswitch charm
+###############################################################################
+[ml2]
+type_drivers = gre,vxlan,vlan,flat
+tenant_network_types = gre,vxlan,vlan,flat
+mechanism_drivers = openvswitch,hyperv,l2population
+
+[ml2_type_gre]
+tunnel_id_ranges = 1:1000
+
+[ml2_type_vxlan]
+vni_ranges = 1001:2000
+
+[ml2_type_vlan]
+network_vlan_ranges = {{ vlan_ranges }}
+
+[ml2_type_flat]
+flat_networks = {{ network_providers }}
+
+[ovs]
+enable_tunneling = True
+local_ip = {{ local_ip }}
+bridge_mappings = {{ bridge_mappings }}
+
+[agent]
+tunnel_types = {{ overlay_network_type }}
+l2_population = {{ l2_population }}
+enable_distributed_routing = {{ distributed_routing }}
+prevent_arp_spoofing = {{ prevent_arp_spoofing }}
+{% if veth_mtu -%}
+veth_mtu = {{ veth_mtu }}
+{% endif -%}
+
+[securitygroup]
+{% if neutron_security_groups -%}
+enable_security_group = True
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+{% else -%}
+enable_security_group = False
+{% endif -%}
--- a/unit_tests/test_neutron_ovs_context.py
+++ b/unit_tests/test_neutron_ovs_context.py
@ -95,7 +95,8 @@ class OVSPluginContextTest(CharmTestCase):
                  'verbose': True,
                  'debug': True,
                  'bridge-mappings': "physnet1:br-data physnet2:br-data",
-                  'flat-network-providers': 'physnet3 physnet4'}
+                  'flat-network-providers': 'physnet3 physnet4',
+                  'prevent-arp-spoofing': False}

        def mock_config(key=None):
            if key:
@ -140,6 +141,7 @@ class OVSPluginContextTest(CharmTestCase):
            'network_providers': 'physnet3,physnet4',
            'bridge_mappings': 'physnet1:br-data,physnet2:br-data',
            'vlan_ranges': 'physnet1:1000:1500,physnet2:2000:2500',
+            'prevent_arp_spoofing': False,
        }
        self.assertEquals(expect, napi_ctxt())

@ -204,6 +206,7 @@ class OVSPluginContextTest(CharmTestCase):
            'overlay_network_type': 'gre',
            'bridge_mappings': 'physnet1:br-data',
            'vlan_ranges': 'physnet1:1000:2000',
+            'prevent_arp_spoofing': True,
        }
        self.assertEquals(expect, napi_ctxt())