yahoo-eng-team team mailing list archive

[Bug 1100435] Re: Small window of access to kvmhost with l3 driver and floating ips

 

** Changed in: nova
       Status: Fix Committed => Fix Released

** Changed in: nova
    Milestone: None => grizzly-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1100435

Title:
  Small window of access to kvmhost with l3 driver and floating ips

Status in OpenStack Compute (Nova):
  Fix Released

Bug description:
  We noticed that when floating IP addresses were being assigned to
  instances, the L3 driver binds the IP to the kvmhost’s public
  interface first, and then sets up the NAT rules.  This gives a window of
  opportunity for traffic for the floating IP to go to the kvmhost instead
  of the instance.  I traced the issue to nova/network/l3.py,
  add_floating_ip method:

  Original:
      def add_floating_ip(self, floating_ip, fixed_ip, l3_interface_id):
          linux_net.bind_floating_ip(floating_ip, l3_interface_id)
          linux_net.ensure_floating_forward(floating_ip, fixed_ip)

  Modified:
      def add_floating_ip(self, floating_ip, fixed_ip, l3_interface_id):
          linux_net.ensure_floating_forward(floating_ip, fixed_ip)
          linux_net.bind_floating_ip(floating_ip, l3_interface_id)

  
  I think setting up the NAT rules first then binding the IP should be okay.  I tested and it seems to work.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1100435/+subscriptions
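
Added example (not part of the bug report or of nova's code): a small Python model of the invariant behind the fix, namely that a floating IP is never bound on the host interface without its NAT rule already in place. FakeLinuxNet, the teardown method names and all addresses are assumptions made for illustration; the teardown case goes beyond what the report covers.

```python
# Hypothetical stand-in for the host state that add_floating_ip touches.
# It is not nova.network.linux_net; it only records what is configured.
FLOATING, FIXED, DEV = "203.0.113.10", "10.0.0.5", "eth0"  # constructed values

class FakeLinuxNet:
    def __init__(self):
        self.bound = set()   # floating IPs configured on the host interface
        self.forward = {}    # floating IP -> fixed IP (NAT rule present)
        self.exposed = []    # (call, ip): host owned the IP with no NAT rule

    def _audit(self, call):
        # Invariant: every bound floating IP must already have its NAT rule.
        for ip in sorted(self.bound - set(self.forward)):
            self.exposed.append((call, ip))

    def bind_floating_ip(self, floating_ip, device):
        self.bound.add(floating_ip)
        self._audit("bind_floating_ip")

    def ensure_floating_forward(self, floating_ip, fixed_ip):
        self.forward[floating_ip] = fixed_ip
        self._audit("ensure_floating_forward")

    # Teardown counterparts: assumed names, used only for the generalization.
    def unbind_floating_ip(self, floating_ip, device):
        self.bound.discard(floating_ip)
        self._audit("unbind_floating_ip")

    def remove_floating_forward(self, floating_ip, fixed_ip):
        self.forward.pop(floating_ip, None)
        self._audit("remove_floating_forward")

def add_original(net):         # call order of the "Original" snippet
    net.bind_floating_ip(FLOATING, DEV)
    net.ensure_floating_forward(FLOATING, FIXED)

def add_modified(net):         # call order of the "Modified" snippet
    net.ensure_floating_forward(FLOATING, FIXED)
    net.bind_floating_ip(FLOATING, DEV)

def remove_nat_first(net):     # teardown order that reopens the window
    net.remove_floating_forward(FLOATING, FIXED)
    net.unbind_floating_ip(FLOATING, DEV)

def remove_unbind_first(net):  # teardown order that keeps the invariant
    net.unbind_floating_ip(FLOATING, DEV)
    net.remove_floating_forward(FLOATING, FIXED)

def exposure(*sequences):
    """Run the call sequences on one fresh model; return recorded violations."""
    net = FakeLinuxNet()
    for seq in sequences:
        seq(net)
    return net.exposed
```

The same audit can be attached to a mock of the real module in a regression test, so that a later reordering of the two calls fails the test.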