yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #26787
[Bug 1393925] Re: Race condition adding a security group rule when another is in-progress
Confirmed class D, security-related bug which is not an exploitable
vulnerability.
** Information type changed from Public Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1393925
Title:
Race condition adding a security group rule when another is in-
progress
Status in OpenStack Neutron (virtual network service):
Fix Released
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
I've come across a race condition where I sometimes see a security
group rule is never added to iptables, if the OVS agent is in the
middle of applying another security group rule when the RPC arrives.
Here's an example scenario:
nova boot --flavor 1 --image $nova_image dev_server1
sleep 4
neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 1111 --port_range_max 1111 default
neutron security-group-rule-create --direction ingress --protocol tcp --port_range_min 1112 --port_range_max 1112 default
Wait for VM to complete booting, then check iptables:
$ sudo iptables-save | grep 111
-A neutron-openvswi-i741ff910-1 -p tcp -m tcp --dport 1111 -j RETURN
The second rule is missing, and will only get added if you either add
another rule, or restart the agent.
My config is just devstack, running with the latest openstack bits as
of today. OVS agent w/vxlan and DVR enabled, nothing fancy.
I've been able to track this down to the following code (i'll attach
the complete log as a file due to line wraps):
OVS agent receives RPC to setup port
Port info is gathered for devices and filters for security groups are created
Iptables "apply" is called
New security group rule is added, triggering RPC message
RPC received, and agent seems to add device to list that needs refresh
Security group rule updated on remote: [u'5f0f5036-d14c-4b57-a855-ed39deaea256'] security_groups_rule_updated
Security group rule updated [u'5f0f5036-d14c-4b57-a855-ed39deaea256']
Adding [u'741ff910-12ba-4c1e-9dc9-38f7cbde0dc4'] devices to the list of devices for which firewall needs to be refreshed _security_group_updated
Iptables "apply" is finished
rpc_loop() in OVS agent does not notice there is more work to do on
next loop, so rule never gets added
At this point I'm thinking it could be that self.devices_to_refilter
is modified in both _security_group_updated() and setup_port_filters()
without any lock/semaphore, but the log doesn't explicity implicate it
(perhaps we trust the timestamps too much?).
I will continue to investigate, but if someone has an "aha!" moment
after reading this far please add a note.
A colleague here has also been able to duplicate this on his own
devstack install, so it wasn't my fat-fingering that caused it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1393925/+subscriptions
References