6124f60297
Currently the metadata proxy binds to default 0.0.0.0, which does not add any advantage (metadata requests are not sent to random IP addresses), and may allow access to cloud information from third parties. This changes the generated configuration to bind to METADATA_DEFAULT_IP address instead. This is not enabled in other metadata proxy configuration (in the L3 agent), as this would require net.ipv4.ip_nonlocal_bind everywhere (currently only enabled for DVR) or transparent mode in haproxy (which requires net.ipv4.ip_nonlocal_bind anyway) Changed set_ip_nonlocal_bind_for_namespace() to support setting the value in both the given and root namespace correctly, since it was only used from inside the neutron codebase according to codesearch. Change-Id: I388391cf697dade1a163d15ab568b33134f7b2d9 Co-Authored-By: Andrey Arapov <andrey.arapov@nixaid.com> Closes-Bug: #1745618
63 lines
2.5 KiB
Python
63 lines
2.5 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from neutron_lib import constants
|
|
from oslo_log import log as logging
|
|
|
|
from neutron.agent.l3 import namespaces
|
|
from neutron.agent.linux import ip_lib
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
SNAT_NS_PREFIX = 'snat-'
|
|
|
|
|
|
class SnatNamespace(namespaces.Namespace):
|
|
|
|
def __init__(self, router_id, agent_conf, driver, use_ipv6):
|
|
self.router_id = router_id
|
|
name = self.get_snat_ns_name(router_id)
|
|
super(SnatNamespace, self).__init__(
|
|
name, agent_conf, driver, use_ipv6)
|
|
|
|
def create(self):
|
|
super(SnatNamespace, self).create()
|
|
# This might be an HA router namespaces and it should not have
|
|
# ip_nonlocal_bind enabled
|
|
ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 0)
|
|
# Set nf_conntrack_tcp_loose to 0 to ensure mid-stream
|
|
# TCP conversations aren't taken over by SNAT
|
|
cmd = ['net.netfilter.nf_conntrack_tcp_loose=0']
|
|
ip_lib.sysctl(cmd, namespace=self.name)
|
|
|
|
@classmethod
|
|
def get_snat_ns_name(cls, router_id):
|
|
return namespaces.build_ns_name(SNAT_NS_PREFIX, router_id)
|
|
|
|
@namespaces.check_ns_existence
|
|
def delete(self):
|
|
ns_ip = ip_lib.IPWrapper(namespace=self.name)
|
|
for d in ns_ip.get_devices():
|
|
if d.name.startswith(constants.SNAT_INT_DEV_PREFIX):
|
|
LOG.debug('Unplugging DVR device %s', d.name)
|
|
self.driver.unplug(d.name, namespace=self.name,
|
|
prefix=constants.SNAT_INT_DEV_PREFIX)
|
|
elif d.name.startswith(namespaces.EXTERNAL_DEV_PREFIX):
|
|
self.driver.unplug(
|
|
d.name,
|
|
bridge=self.agent_conf.external_network_bridge,
|
|
namespace=self.name,
|
|
prefix=namespaces.EXTERNAL_DEV_PREFIX)
|
|
|
|
# TODO(mrsmith): delete ext-gw-port
|
|
LOG.debug('DVR: destroy snat ns: %s', self.name)
|
|
super(SnatNamespace, self).delete()
|