
yahoo-eng-team team mailing list archive

[Bug 1391360] Re: DHCP response drops not documented


** Project changed: neutron => openstack-manuals

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1391360

Title:
  DHCP response drops not documented

Status in OpenStack Manuals:
  New

Bug description:
  DHCP responses coming from instances are prohibited and dropped, but
  there is no mention about that in the official documentation.  Users
  planning to use netbooting need to be informed, since netbooting
  relies on DHCP.

  Here are 2 citations from the web explaining that.

  "Rule 3 will prevent a VM from acting as a DHCP server since it will
  drop any packets coming from UDP source port 67 going to UDP port 68
  (usually a response to a DHCP request)" from
  https://developer.rackspace.com/blog/software-defined-networks-in-the-havana-release-of-openstack-part-2/

  "The security groups implementation automatically adds iptables rules
  to prevent instances running DHCP servers on a Quantum network." from
  https://ask.openstack.org/en/question/6967/how-to-allow-vm-to-manage-dhcp-itself/?answer=28135#post-id-28135

  The code implementing that is in /usr/lib/python2.6/site-packages/neutron/agent/linux/iptables_firewall.py
  Look for
      def _drop_dhcp_rule(self):
          #Note(nati) Drop dhcp packet from VM
          return ['-p udp -m udp --sport 67 --dport 68 -j DROP']

  One could say that it is a feature of the security groups, since _drop_dhcp_rule is called by _add_rule_by_security_group.
  One could also say that prohibiting "Bring your own DHCP server" is a more high level design detail.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-manuals/+bug/1391360/+subscriptions
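An operator planning netboot can verify on a compute node whether the drop rule quoted above is really in place. The checker below is an added example, not neutron's own code: it parses constructed `iptables-save` output (the per-port chain names are made up) and reports which chains carry the UDP sport 67 / dport 68 DROP rule and which do not.

```python
import shlex

# Option/value pairs that identify the DHCP-reply drop rule from _drop_dhcp_rule.
DHCP_DROP_MATCH = {"-p": "udp", "--sport": "67", "--dport": "68", "-j": "DROP"}

# Constructed sample `iptables-save` output; chain names are invented but
# follow the per-port pattern of Neutron's iptables firewall driver.
SAMPLE_IPTABLES_SAVE = """\
*filter
:neutron-openvswi-o1a2b3c4d-5 - [0:0]
:neutron-openvswi-o9f8e7d6c-1 - [0:0]
-A neutron-openvswi-o1a2b3c4d-5 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o1a2b3c4d-5 -p udp -m udp --sport 67 --dport 68 -j DROP
-A neutron-openvswi-o9f8e7d6c-1 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A neutron-openvswi-o9f8e7d6c-1 ! -p udp -j RETURN
COMMIT
"""

def parse_rule(line):
    """Parse one '-A <chain> ...' line into (chain, {option: value}).
    A negated option ('! -p udp') is keyed as '!-p' so it never matches."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, opts, i, negate = tokens[1], {}, 2, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        key = ("!" if negate else "") + tok
        negate = False
        if i + 1 < len(tokens) and not tokens[i + 1].startswith(("-", "!")):
            opts[key], i = tokens[i + 1], i + 2   # option with a value
        else:
            opts[key], i = None, i + 1           # bare flag
    return chain, opts

def is_dhcp_drop(opts):
    """True when the rule carries every option of the DHCP-reply drop rule."""
    return all(opts.get(k) == v for k, v in DHCP_DROP_MATCH.items())

def audit_dhcp_drop(dump):
    """Return ({chains with the drop rule}, {chains without it}) over all
    chains that have at least one -A rule in the dump."""
    seen, dropping = set(), set()
    for line in dump.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, opts = parsed
        seen.add(chain)
        if is_dhcp_drop(opts):
            dropping.add(chain)
    return dropping, seen - dropping
```

Chains reported in the second set are the ones on which an instance could answer DHCP, so they are what to look for when checking whether the security-group rule has been bypassed or disabled.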

