
yahoo-eng-team team mailing list archive

[Bug 1303711] Re: nova/neutron : tenant can boot a VM on a net with the flag router:external=True


LP doesn't want me to mark it as a duplicate, sigh. Marking it invalid
instead.

** Information type changed from Private Security to Public

** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1303711

Title:
  nova/neutron : tenant can boot a VM on a net with the flag
  router:external=True

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  I'm using the ML2 plugin with the linuxbridge MD (I don't think it's
  relevant here).

  I create an external net and subnet with admin credentials:

  #ext_net=$(neutron net-create "$PUBLIC_NETWORK_NAME" --router:external=True --provider:network_type flat --provider:physical_network "$PHYSICAL_NETWORK" | awk '$2~/^id$/ {print $4}')
  #ext_subnet=$(neutron subnet-create --ip_version 4 --gateway 192.168.123.1 --allocation-pool start=192.168.123.100,end=192.168.123.120 --name ext-subnet "$ext_net" 192.168.123.0/24  | awk '$2~/^id$/ {print $4}')

  Then I switch to demo credentials.

  If I want to create a port on the public network, it fails with an
  error telling me I'm not allowed to do this:

  # neutron port-create c4ef8c3a-455a-4e69-8a26-433d041940f1
  Tenant beaaf0508b7c44429fb676579749a2d2 not allowed to create port on this network

  But if I boot a VM with the nova client, no error is raised, and the
  VM is booted:

  #NET_ID=$(neutron --os-username demo --os-password pass --os-tenant-name demo --os-auth-url http://192.168.122.254:5000/v2.0/ net-list | awk "/ public / { print \$2 }")
  #IMAGE_ID=$(glance --os-username demo --os-password pass --os-tenant-name demo --os-auth-url http://192.168.122.254:5000/v2.0/ image-list | grep ami | head -n 1 | awk '{print $2}')
  #INSTANCE_ID=$(nova --os-username demo --os-password pass --os-tenant-name demo --os-auth-url http://192.168.122.254:5000/v2.0/ boot --image=$IMAGE_ID --flavor=42 --nic net-id=$NET_ID vm3 | awk "/ id / { print \$4 }")

  The VM gets an IP in the public subnet, on which neutron has launched
  a DHCP server.

  I think this is a security issue because of this bug:
  https://bugs.launchpad.net/neutron/+bug/1274034

  With a deployment based on neutron-only capacity (DHCP/filtering),
  which is the goal of cloud providers that use neutron, it would be
  very easy to create a DoS by using ARP poisoning to tell every tenant
  router plugged into the ext_net that the VM is the ext_net gateway.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1303711/+subscriptions
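The gap the report describes is an authorization check that exists on one code path (neutron port-create) but not on another (nova boot with --nic net-id=...). The following is an added illustration written for this archive page, not code from nova or neutron: it models the ownership check in a simplified form (admin, or shared network, or network owned by the caller), shows a boot path that skips it and one that re-applies it, and adds a small audit that walks port records in the shape of neutron's port JSON (network_id, tenant_id, device_owner) to find compute ports already sitting on router:external networks. The tenant and network ids are constructed samples, and the allow_external_attach knob is an assumed name, not a real nova or neutron option.

```python
"""Model of the port-create vs. boot authorization gap (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Network:
    id: str
    tenant_id: str                 # owning project
    shared: bool = False
    router_external: bool = False  # the router:external flag


class NotAuthorized(Exception):
    pass


def check_port_create(ctx, net):
    """Simplified ownership check modelled on what neutron enforces on
    port-create: admin, shared network, or caller owns the network."""
    if ctx.is_admin or net.shared or net.tenant_id == ctx.tenant_id:
        return True
    raise NotAuthorized(
        f"Tenant {ctx.tenant_id} not allowed to create port on this network")


def port_create_allowed(ctx, net):
    """Boolean wrapper around check_port_create for callers that only
    need a yes/no answer."""
    try:
        return check_port_create(ctx, net)
    except NotAuthorized:
        return False


def boot_without_check(ctx, net):
    """Boot path that allocates the port without re-applying the
    ownership check: this is the reported behaviour, a non-admin tenant
    lands on the external network."""
    return {"port_network": net.id, "tenant": ctx.tenant_id}


def boot_with_check(ctx, net, allow_external_attach=False):
    """Hardened boot path: apply the same check the port-create path
    applies, and additionally refuse router:external networks unless
    the caller is admin or policy explicitly allows it
    (allow_external_attach is an assumed knob, not a real option)."""
    check_port_create(ctx, net)
    if net.router_external and not (ctx.is_admin or allow_external_attach):
        raise NotAuthorized(
            f"Tenant {ctx.tenant_id} may not attach to external network {net.id}")
    return boot_without_check(ctx, net)


def find_exposed_compute_ports(ports, networks):
    """Audit helper: given port records shaped like neutron's port JSON
    (network_id, tenant_id, device_owner) and a dict of Network by id,
    return the ids of compute ports owned by a tenant other than the
    external network's owner. Router gateway and DHCP ports are expected
    on an external network and are skipped."""
    exposed = []
    for p in ports:
        net = networks.get(p["network_id"])
        if net is None or not net.router_external:
            continue
        if not p["device_owner"].startswith("compute:"):
            continue
        if p["tenant_id"] != net.tenant_id:
            exposed.append(p["id"])
    return exposed


# Constructed sample data (not the ids from the report).
ADMIN = Context("admin-tenant", is_admin=True)
DEMO = Context("demo-tenant")
EXT_NET = Network("ext-net", "admin-tenant", router_external=True)
NETWORKS = {EXT_NET.id: EXT_NET}
SAMPLE_PORTS = [
    {"id": "p-gw", "network_id": "ext-net", "tenant_id": "admin-tenant",
     "device_owner": "network:router_gateway"},
    {"id": "p-dhcp", "network_id": "ext-net", "tenant_id": "admin-tenant",
     "device_owner": "network:dhcp"},
    {"id": "p-vm3", "network_id": "ext-net", "tenant_id": "demo-tenant",
     "device_owner": "compute:nova"},
]

if __name__ == "__main__":
    print("demo port-create allowed:", port_create_allowed(DEMO, EXT_NET))
    print("demo boot (no check):", boot_without_check(DEMO, EXT_NET))
    print("exposed compute ports:", find_exposed_compute_ports(SAMPLE_PORTS, NETWORKS))
```

Run against real data by feeding the audit function the output of the networks and ports API (one Network per network with its router:external flag, and the port list as returned) to enumerate instances that already sit on external networks and should be reviewed.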