a62dd42c0d
os-vif 1.15.0 added the ability to create an OVS port during plugging by specifying the 'create_port' attribute in the 'port_profile' field. By delegating port creation to os-vif, we can rely on it's 'isolate_vif' config option [1] that will temporarily configure the VLAN to 4095 (0xfff), which is reserved for implementation use [2] and is used by neutron to as a dead VLAN [3]. By doing this, we ensure VIFs are plugged securely, preventing guests from accessing other tenants' networks before the neutron OVS agent can wire up the port. This change requires a little dance as part of the live migration flow. Since we can't be certain the destination host has a version of os-vif that supports this feature, we need to use a sentinel to indicate when it does. Typically we would do so with a field in 'LibvirtLiveMigrateData', such as the 'src_supports_numa_live_migration' and 'dst_supports_numa_live_migration' fields used to indicate support for NUMA-aware live migration. However, doing this prevents us backporting this important fix since o.vo changes are not backportable. Instead, we (somewhat evilly) rely on the free-form nature of the 'VIFMigrateData.profile_json' string field, which stores JSON blobs and is included in 'LibvirtLiveMigrateData' via the 'vifs' attribute, to transport this sentinel. This is a hack but is necessary to work around the lack of a free-form "capabilities" style dict that would allow us do backportable fixes to live migration features. Note that this change has the knock on effect of modifying the XML generated for OVS ports: when hybrid plug is false will now be of type 'ethernet' rather than 'bridge' as before. This explains the larger than expected test damage but should not affect users. [1] https://opendev.org/openstack/os-vif/src/tag/2.4.0/vif_plug_ovs/ovs.py#L90-L93 [2] https://en.wikipedia.org/wiki/IEEE_802.1Q#Frame_format [3] https://answers.launchpad.net/neutron/+question/231806 Change-Id: I11fb5d3ada7f27b39c183157ea73c8b72b4e672e Depends-On: Id12486b3127ab4ac8ad9ef2b3641da1b79a25a50 Closes-Bug: #1734320 Closes-Bug: #1815989
29 lines
1.6 KiB
YAML
29 lines
1.6 KiB
YAML
---
|
|
security:
|
|
- |
|
|
In this release OVS port creation has been delegated to os-vif when the
|
|
``noop`` or ``openvswitch`` security group firewall drivers are
|
|
enabled in Neutron. Those options, and others that disable the
|
|
``hybrid_plug`` mechanism, will now use os-vif instead of libvirt to plug
|
|
VIFs into the bridge. By delegating port plugging to os-vif we can use the
|
|
``isolate_vif`` config option to ensure VIFs are plugged securely preventing
|
|
guests from accessing other tenants' networks before the neutron ovs agent
|
|
can wire up the port. See `bug #1734320`_ for details.
|
|
Note that OVN, ODL and other SDN solutions also use
|
|
``hybrid_plug=false`` but they are not known to be affected by the security
|
|
issue caused by the previous behavior. As such the ``isolate_vif``
|
|
os-vif config option is only used when deploying with ml2/ovs.
|
|
fixes:
|
|
- |
|
|
In this release we delegate port plugging to os-vif for all OVS interface
|
|
types. This allows os-vif to create the OVS port before libvirt creates
|
|
a tap device during a live migration therefore preventing the loss of
|
|
the MAC learning frames generated by QEMU. This resolves a long-standing
|
|
race condition between Libvirt creating the OVS port, Neutron wiring up
|
|
the OVS port and QEMU generating RARP packets to populate the vswitch
|
|
MAC learning table. As a result this reduces the interval during a live
|
|
migration where packets can be lost. See `bug #1815989`_ for details.
|
|
|
|
.. _`bug #1734320`: https://bugs.launchpad.net/neutron/+bug/1734320
|
|
.. _`bug #1815989`: https://bugs.launchpad.net/neutron/+bug/1815989
|