29 lines
1.6 KiB
YAML
29 lines
1.6 KiB
YAML
---
|
|
security:
|
|
- |
|
|
In this release OVS port creation has been delegated to os-vif when the
|
|
``noop`` or ``openvswitch`` security group firewall drivers are
|
|
enabled in Neutron. Those options, and others that disable the
|
|
``hybrid_plug`` mechanism, will now use os-vif instead of libvirt to plug
|
|
VIFs into the bridge. By delegating port plugging to os-vif we can use the
|
|
``isolate_vif`` config option to ensure VIFs are plugged securely preventing
|
|
guests from accessing other tenants' networks before the neutron ovs agent
|
|
can wire up the port. See `bug #1734320`_ for details.
|
|
Note that OVN, ODL and other SDN solutions also use
|
|
``hybrid_plug=false`` but they are not known to be affected by the security
|
|
issue caused by the previous behavior. As such the ``isolate_vif``
|
|
os-vif config option is only used when deploying with ml2/ovs.
|
|
fixes:
|
|
- |
|
|
In this release we delegate port plugging to os-vif for all OVS interface
|
|
types. This allows os-vif to create the OVS port before libvirt creates
|
|
a tap device during a live migration therefore preventing the loss of
|
|
the MAC learning frames generated by QEMU. This resolves a long-standing
|
|
race condition between Libvirt creating the OVS port, Neutron wiring up
|
|
the OVS port and QEMU generating RARP packets to populate the vswitch
|
|
MAC learning table. As a result this reduces the interval during a live
|
|
migration where packets can be lost. See `bug #1815989`_ for details.
|
|
|
|
.. _`bug #1734320`: https://bugs.launchpad.net/neutron/+bug/1734320
|
|
.. _`bug #1815989`: https://bugs.launchpad.net/neutron/+bug/1815989
|