From 67330cbb13773b6150cbbfb6a286faea803760b0 Mon Sep 17 00:00:00 2001
From: James Page
Date: Wed, 10 Feb 2016 10:08:26 +0000
Subject: [PATCH 1/5] Disable arp spoofing if neutron_security_groups are not enabled
---
templates/liberty/ml2_conf.ini | 46 ++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 templates/liberty/ml2_conf.ini
diff --git a/templates/liberty/ml2_conf.ini b/templates/liberty/ml2_conf.ini
new file mode 100644
index 00000000..6f5edc76
--- /dev/null
+++ b/templates/liberty/ml2_conf.ini
@@ -0,0 +1,46 @@
+# liberty
+###############################################################################
+# [ WARNING ]
+# Configuration file maintained by Juju. Local changes may be overwritten.
+# Config managed by neutron-openvswitch charm
+###############################################################################
+[ml2]
+type_drivers = gre,vxlan,vlan,flat
+tenant_network_types = gre,vxlan,vlan,flat
+mechanism_drivers = openvswitch,hyperv,l2population
+
+[ml2_type_gre]
+tunnel_id_ranges = 1:1000
+
+[ml2_type_vxlan]
+vni_ranges = 1001:2000
+
+[ml2_type_vlan]
+network_vlan_ranges = {{ vlan_ranges }}
+
+[ml2_type_flat]
+flat_networks = {{ network_providers }}
+
+[ovs]
+enable_tunneling = True
+local_ip = {{ local_ip }}
+bridge_mappings = {{ bridge_mappings }}
+
+[agent]
+tunnel_types = {{ overlay_network_type }}
+l2_population = {{ l2_population }}
+enable_distributed_routing = {{ distributed_routing }}
+{% if veth_mtu -%}
+veth_mtu = {{ veth_mtu }}
+{% endif %}
+{% if not neutron_security_groups -%}
+prevent_arp_spoofing = False
+{% endif -%}
+
+[securitygroup]
+{% if neutron_security_groups -%}
+enable_security_group = True
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+{% else -%}
+enable_security_group = False
+{% endif -%}
From 689efea2343de8928be65b5a51b979faaf36a61c Mon Sep 17 00:00:00 2001
From: James Page Date: Wed, 10 Feb 2016 10:19:10 +0000 Subject: [PATCH 2/5] Tweak formatting --- templates/liberty/ml2_conf.ini | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/liberty/ml2_conf.ini b/templates/liberty/ml2_conf.ini index 6f5edc76..32d2d8a4 100644 --- a/templates/liberty/ml2_conf.ini +++ b/templates/liberty/ml2_conf.ini @@ -32,10 +32,10 @@ l2_population = {{ l2_population }} enable_distributed_routing = {{ distributed_routing }} {% if veth_mtu -%} veth_mtu = {{ veth_mtu }} -{% endif %} +{% endif -%} {% if not neutron_security_groups -%} prevent_arp_spoofing = False -{% endif -%} +{% endif %} [securitygroup] {% if neutron_security_groups -%} From e27ef245fbb6a6f49317b3d398b74616be53c9b5 Mon Sep 17 00:00:00 2001 From: James Page Date: Wed, 10 Feb 2016 10:30:30 +0000 Subject: [PATCH 3/5] Make this a configuration knob --- config.yaml | 9 +++++++++ hooks/neutron_ovs_context.py | 1 + templates/liberty/ml2_conf.ini | 4 +--- unit_tests/test_neutron_ovs_context.py | 5 ++++- 4 files changed, 15 insertions(+), 4 deletions(-) diff --git a/config.yaml b/config.yaml index a8346f4b..a42fe5a1 100644 --- a/config.yaml +++ b/config.yaml @@ -111,3 +111,12 @@ options: which do not include a neutron-gateway (do not require l3, lbaas or vpnaas services) and should only be used in-conjunction with flat or VLAN provider networks configurations. + prevent-arp-spoofing: + type: boolean + default: true + description: | + Enable suppression of ARP responses that don't match an IP address that belongs + to the port from which they originate. + . + Only supported in OpenStack Liberty or newer, which as the required minimum version + of Open vSwitch. diff --git a/hooks/neutron_ovs_context.py b/hooks/neutron_ovs_context.py index 1ba8a84a..f2b0a7cc 100644 --- a/hooks/neutron_ovs_context.py +++ b/hooks/neutron_ovs_context.py 
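Review bot: The new `prevent-arp-spoofing` description in config.yaml says what the option enables but not what an operator gives up by setting it to false, which is the security-relevant half for anyone reading `juju config`; only the README hunk later in this series shows it paired with `disable-security-groups` in an "insecure" deployment example. Suggest adding a sentence to the description such as `Setting this to false removes the OVS agent's ARP anti-spoofing protection for instances on this unit; only do so deliberately, e.g. together with disable-security-groups on nodes where per-instance security is intentionally relaxed.` Since the value is rendered only by the liberty template, the description could also say that the option is ignored on earlier releases rather than just "only supported".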
@@ -58,6 +58,7 @@ class OVSPluginContext(context.NeutronContext): ovs_ctxt['use_syslog'] = conf['use-syslog'] ovs_ctxt['verbose'] = conf['verbose'] ovs_ctxt['debug'] = conf['debug'] + ovs_ctxt['prevent_arp_spoofing'] = conf['prevent-arp-spoofing'] net_dev_mtu = neutron_api_settings.get('network_device_mtu') if net_dev_mtu: diff --git a/templates/liberty/ml2_conf.ini b/templates/liberty/ml2_conf.ini index 32d2d8a4..08d52fad 100644 --- a/templates/liberty/ml2_conf.ini +++ b/templates/liberty/ml2_conf.ini @@ -30,12 +30,10 @@ bridge_mappings = {{ bridge_mappings }} tunnel_types = {{ overlay_network_type }} l2_population = {{ l2_population }} enable_distributed_routing = {{ distributed_routing }} +prevent_arp_spoofing = {{ prevent_arp_spoofing }} {% if veth_mtu -%} veth_mtu = {{ veth_mtu }} {% endif -%} -{% if not neutron_security_groups -%} -prevent_arp_spoofing = False -{% endif %} [securitygroup] {% if neutron_security_groups -%} diff --git a/unit_tests/test_neutron_ovs_context.py b/unit_tests/test_neutron_ovs_context.py index 85692811..43755fe0 100644 --- a/unit_tests/test_neutron_ovs_context.py +++ b/unit_tests/test_neutron_ovs_context.py @@ -95,7 +95,8 @@ class OVSPluginContextTest(CharmTestCase): 'verbose': True, 'debug': True, 'bridge-mappings': "physnet1:br-data physnet2:br-data", - 'flat-network-providers': 'physnet3 physnet4'} + 'flat-network-providers': 'physnet3 physnet4', + 'prevent-arp-spoofing': False} def mock_config(key=None): if key: @@ -140,6 +141,7 @@ class OVSPluginContextTest(CharmTestCase): 'network_providers': 'physnet3,physnet4', 'bridge_mappings': 'physnet1:br-data,physnet2:br-data', 'vlan_ranges': 'physnet1:1000:1500,physnet2:2000:2500', + 'prevent_arp_spoofing': False, } self.assertEquals(expect, napi_ctxt()) 
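Review bot: `ovs_ctxt['prevent_arp_spoofing'] = conf['prevent-arp-spoofing']` passes the knob straight through, so a unit whose ARP anti-spoofing has been switched off leaves no trace in the unit log, whereas the README in this series warns that the companion `disable-security-groups` setting effectively disables security on the cloud. If charmhelpers' `log`/`WARNING` are imported in this module (not visible in the hunk), a guard after the assignment such as `if not ovs_ctxt['prevent_arp_spoofing']: log('prevent-arp-spoofing is disabled on this unit', level=WARNING)` would record the choice on every hook run and make it visible to operators auditing the deployment. The enclosing method starts and ends outside the hunk.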
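Review bot: With the guarded block removed from the liberty template, the `{% endif -%}` that closes the `veth_mtu` block is now followed directly by the blank line before `[securitygroup]`; Jinja's `-%}` strips all trailing whitespace including newlines, so the rendered file loses the blank line between the `[agent]` and `[securitygroup]` sections. That is harmless to the ini parser, but if the separation is intended the closing tag should be `{% endif %}`, as it was for the block this hunk deletes. `prevent_arp_spoofing = {{ prevent_arp_spoofing }}` is now emitted regardless of `neutron_security_groups`, so disabling security groups no longer switches ARP protection off implicitly as patch 1 did; that is the safer default, and a template comment `# prevent_arp_spoofing: honoured on Liberty and newer only; set via the charm's prevent-arp-spoofing option` above the line would make the dependency visible in the rendered config.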
@@ -204,6 +206,7 @@ class OVSPluginContextTest(CharmTestCase): 'overlay_network_type': 'gre', 'bridge_mappings': 'physnet1:br-data', 'vlan_ranges': 'physnet1:1000:2000', + 'prevent_arp_spoofing': True, } self.assertEquals(expect, napi_ctxt()) From 68e41105487fe67c946844f0d52f1da0a4806edf Mon Sep 17 00:00:00 2001 From: James Page Date: Wed, 10 Feb 2016 15:42:35 +0000 Subject: [PATCH 4/5] Fixup typo --- config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config.yaml b/config.yaml index a42fe5a1..cf1b506f 100644 --- a/config.yaml +++ b/config.yaml @@ -118,5 +118,5 @@ options: Enable suppression of ARP responses that don't match an IP address that belongs to the port from which they originate. . - Only supported in OpenStack Liberty or newer, which as the required minimum version + Only supported in OpenStack Liberty or newer, which has the required minimum version of Open vSwitch. From 75efa4a0d8872125aab96362952e7f4143a7c3b5 Mon Sep 17 00:00:00 2001 From: James Page Date: Wed, 10 Feb 2016 15:45:50 +0000 Subject: [PATCH 5/5] Update README for this change --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e88bf414..a02030c9 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ WARNING: this feature allows you to effectively disable security on your cloud! This charm has a configuration option to allow users to disable any per-instance security group management; this must used with neutron-security-groups enabled in the neutron-api charm and could be used to turn off security on selected set of compute nodes: juju deploy neutron-openvswitch neutron-openvswitch-insecure - juju set neutron-openvswitch-insecure disable-security-groups=True + juju set neutron-openvswitch-insecure disable-security-groups=True prevent-arp-spoofing=False juju deploy nova-compute nova-compute-insecure juju add-relation nova-compute-insecure neutron-openvswitch-insecure ...