yahoo-eng-team team mailing list archive

[Bug 1475058] Re: Host and device info need to get migrated to the VM host paired port that is found on the FIP table

 

I'm assuming you switched this from public to public security because
you feel there is a significant risk this bug could be leveraged by a
malicious user to create a denial of service for systems in other
tenants. Can you describe an exploit scenario wherein this is leveraged
as a vulnerability impacting more tenants than the one to which the
initiating user has access?

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1475058

Title:
  Host and device info need to get migrated to the VM host paired port
  that is found on the FIP table

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  When an unbound port gets associated with an FIP entry in a DVR
  environment, this port needs to be identified as a DVR service port
  in order for DVR schedulers to know it is serviceable by DVR routers.
  If a FIP port is paired with a VM hosted port, which falls into the
  unbound port case, its host and device info needs to get updated.
  Once the paired port's host and device info get updated, it is tagged
  as a DVR service port. There are use cases where the tenant will use
  the unbound port in a DVR environment, such as "VRRP".

  Without this fix, there is a chance that the FIP agent gateway port
  will get deleted on the DVR host, as the system would think there is
  no DVR service port present, because this port is not tagged as DVR
  serviceable. This would happen when a port is disassociated from a
  floating IP entry. At that point, the system performs the check
  whether the FIP agent gateway port is DVR serviceable on the host
  based on the device owner type. If it is not, the port gets deleted.
  However, in reality, this port should not get deleted.
