
- This change modifies the ovs plugin to always create the ovs interface in the ovs db.
- This change enables the neutron l2 agent to configure the ovs interface by assigning a vlan tag and installing openflow rules as appropriate.
- This change will reduce the live migration time for kernel ovs ports with hybrid plug false by creating the ovs port as part of plug before the migration starts.
- This change adds the privsep decorator to delete_net_dev to account for its new usage via _unplug_vif_generic and address bug #1801072

Change-Id: Iaf15fa7a678ec2624f7c12f634269c465fbad930
Partial-Bug: #1734320
Closes-Bug: #1801072
---
features:
  - |
    In this release the OVS plugin was extended to always plug VIFs even when
    libvirt could plug the VIF. This will enable faster migration leveraging
    the multiple port bindings work completed in the Rocky release.
security:
  - |
    In this release an edge case where libvirt plugged the VIF instead of os-vif
    was addressed. Previously, if ``ovs_hybrid_plug`` was set to ``False`` in
    the port binding details, os-vif would only ensure the OVS bridge existed
    and the plugging would be done by libvirt. As a result, during live
    migration there was a short interval where a guest could receive tagged
    broadcast, multicast, or flooded traffic to/from another tenant.
    This vulnerability is described in `bug 1734320`_. By ensuring that
    os-vif always creates the OVS port as part of VIF plugging, we enable
    neutron to isolate the port prior to nova resuming the VM on the
    destination node. Note that as Nova cannot rely on Neutron to send
    ``network-vif-plugged`` events on completion of wiring up an interface,
    it cannot wait to receive a notification before proceeding with the
    migration. As a result this is a partial mitigation and additional changes
    will be required to fully address this bug.

.. _bug 1734320: https://bugs.launchpad.net/neutron/+bug/1734320
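The window the security note describes is one in which a VIF's OVS port exists but the neutron agent has not yet assigned it a VLAN tag. The following added example (not os-vif or neutron code) shows a defender-side check for that state: it parses the JSON form of ``ovs-vsctl --format=json --columns=name,tag,external_ids list Port`` and reports ports that carry a Neutron ``iface-id`` but no tag. The command, its JSON encoding of sets and maps, and the sample rows are assumptions constructed for this example.

```python
import json

# Constructed sample standing in for the output of
# `ovs-vsctl --format=json --columns=name,tag,external_ids list Port`
# (assumed command and format; not captured from a real host).
SAMPLE_OVSDB_JSON = json.dumps({
    "headings": ["name", "tag", "external_ids"],
    "data": [
        # infrastructure port: no iface-id, no tag -> not a VIF, ignore
        ["patch-tun", ["set", []], ["map", []]],
        # VIF already isolated by the neutron agent (tag assigned)
        ["tapaaaa1111", 42, ["map", [
            ["iface-id", "aaaa1111-0000-4000-8000-000000000001"],
            ["iface-status", "active"]]]],
        # VIF created but not yet tagged: the state the release note warns about
        ["tapbbbb2222", ["set", []], ["map", [
            ["iface-id", "bbbb2222-0000-4000-8000-000000000002"]]]],
    ],
})


def _decode(value):
    """Convert OVSDB JSON atoms: ["set", [...]] -> list, ["map", [[k, v], ...]] -> dict.
    Plain scalars (e.g. an integer tag) are returned unchanged."""
    if isinstance(value, list) and len(value) == 2:
        kind, payload = value
        if kind == "set":
            return list(payload)
        if kind == "map":
            return dict(payload)
    return value


def untagged_vif_ports(ovsdb_json):
    """Return the names of ports that have a Neutron iface-id but no VLAN tag.

    Such a port has been plugged into the bridge but not yet isolated by the
    neutron l2 agent, which is the interval the release note describes."""
    doc = json.loads(ovsdb_json)
    col = {heading: i for i, heading in enumerate(doc["headings"])}
    flagged = []
    for row in doc["data"]:
        tag = _decode(row[col["tag"]])
        external_ids = _decode(row[col["external_ids"]])
        if "iface-id" in external_ids and tag == []:
            flagged.append(row[col["name"]])
    return flagged


if __name__ == "__main__":
    print(untagged_vif_ports(SAMPLE_OVSDB_JSON))  # ['tapbbbb2222']
```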