yahoo-eng-team team mailing list archive
Message #37212
[Bug 1488362] Re: Network ports are not down when network admin-state is made down
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1488362
Title:
Network ports are not down when network admin-state is made down
Status in neutron:
New
Status in OpenStack Security Advisory:
Incomplete
Bug description:
Neutron ports continue to be admin-state up and operational. It is
expected that when a network's admin-state is made down, its ports
should also be brought down and should not work.
$ neutron net-create net2
Created a new network:
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | True |
| id | 860bd682-74cc-4864-8b12-e756dfcd9475 |
| name | net2 |
| provider:network_type | vxlan |
| provider:physical_network | |
| provider:segmentation_id | 1020 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | b3a57548ddf54b57a2f40411843b6c92 |
+---------------------------+--------------------------------------+
$ neutron subnet-create net2 192.168.2.0/24
Created a new subnet:
+-------------------+--------------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------------+
| allocation_pools | {"start": "192.168.2.2", "end": "192.168.2.254"} |
| cidr | 192.168.2.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 192.168.2.1 |
| host_routes | |
| id | f29a5119-ba5c-4092-8d00-71d53c668d89 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | |
| network_id | 860bd682-74cc-4864-8b12-e756dfcd9475 |
| tenant_id | b3a57548ddf54b57a2f40411843b6c92 |
+-------------------+--------------------------------------------------+
$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 --nic net-id=860bd682-74cc-4864-8b12-e756dfcd9475 i3
+--------------------------------------+----------------------------------------------------------------+
| Property | Value |
+--------------------------------------+----------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | - |
| OS-EXT-SRV-ATTR:hypervisor_hostname | - |
| OS-EXT-SRV-ATTR:instance_name | instance-00000003 |
| OS-EXT-STS:power_state | 0 |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | - |
| OS-SRV-USG:terminated_at | - |
| accessIPv4 | |
| accessIPv6 | |
| adminPass | UT2jcpsSSiQQ |
| config_drive | |
| created | 2015-08-25T07:01:44Z |
| flavor | m1.tiny (1) |
| hostId | |
| id | 350c66d3-2817-408e-85d9-9cd1b4c47e39 |
| image | cirros-0.3.2-x86_64-uec (98a6a3ee-4008-4dac-a634-534bb457a5f7) |
| key_name | - |
| metadata | {} |
| name | i3 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| security_groups | default |
| status | BUILD |
| tenant_id | b3a57548ddf54b57a2f40411843b6c92 |
| updated | 2015-08-25T07:01:44Z |
| user_id | b4f34210995d44bba288e0559f68b18d |
+--------------------------------------+----------------------------------------------------------------+
$ neutron router-interface-add router1 f29a5119-ba5c-4092-8d00-71d53c668d89
Added interface ea75f789-628a-4341-94ae-0d55bc1d6244 to router router1.
$ neutron net-update net2 --admin-state-up False
Updated network: net2
juno@Juno:~$ neutron net-show net2
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | False |
| id | 860bd682-74cc-4864-8b12-e756dfcd9475 |
| name | net2 |
| provider:network_type | vxlan |
| provider:physical_network | |
| provider:segmentation_id | 1020 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | f29a5119-ba5c-4092-8d00-71d53c668d89 |
| tenant_id | b3a57548ddf54b57a2f40411843b6c92 |
+---------------------------+--------------------------------------+
$ sudo ip netns exec qrouter-03931f82-98ef-43bb-a7e0-66875b9558bb ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.083 ms
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.083/0.101/0.119/0.018 ms
$ sudo ip netns exec qrouter-03931f82-98ef-43bb-a7e0-66875b9558bb ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2) 56(84) bytes of data.
64 bytes from 192.168.2.2: icmp_seq=4 ttl=64 time=4.41 ms
64 bytes from 192.168.2.2: icmp_seq=5 ttl=64 time=1.06 ms
64 bytes from 192.168.2.2: icmp_seq=6 ttl=64 time=1.11 ms
64 bytes from 192.168.2.2: icmp_seq=7 ttl=64 time=1.11 ms
^C
--- 192.168.2.2 ping statistics ---
7 packets transmitted, 4 received, 42% packet loss, time 6027ms
rtt min/avg/max/mdev = 1.062/1.925/4.412/1.436 ms
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1488362/+subscriptions
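
An audit for the state this report describes, added here as an example (not code from the report or from neutron): it joins network and port listings and flags ports that still look usable on an administratively-down network. The function name, the placeholder ids, the port statuses and the device_owner values in the sample are assumptions; only net2's id and the router interface id come from the report.

```python
import json

# Constructed sample shaped like Neutron v2.0 list responses (GET /v2.0/networks,
# GET /v2.0/ports). net2's id and the router interface id come from the report;
# the other ids, the port statuses and device_owner values are constructed.
NETWORKS = json.loads("""[
 {"id": "860bd682-74cc-4864-8b12-e756dfcd9475", "name": "net2",
  "admin_state_up": false, "status": "ACTIVE"},
 {"id": "net-up-placeholder", "name": "net-up",
  "admin_state_up": true, "status": "ACTIVE"}]""")
PORTS = json.loads("""[
 {"id": "ea75f789-628a-4341-94ae-0d55bc1d6244", "admin_state_up": true,
  "network_id": "860bd682-74cc-4864-8b12-e756dfcd9475", "status": "ACTIVE",
  "device_owner": "network:router_interface"},
 {"id": "instance-port-placeholder", "admin_state_up": true,
  "network_id": "860bd682-74cc-4864-8b12-e756dfcd9475", "status": "ACTIVE",
  "device_owner": "compute:nova"},
 {"id": "disabled-port-placeholder", "admin_state_up": false,
  "network_id": "860bd682-74cc-4864-8b12-e756dfcd9475", "status": "DOWN",
  "device_owner": "compute:nova"},
 {"id": "other-port-placeholder", "admin_state_up": true,
  "network_id": "net-up-placeholder", "status": "ACTIVE",
  "device_owner": "compute:nova"}]""")


def find_live_ports_on_down_networks(networks, ports):
    """Flag ports that still look usable although their network is admin-down."""
    down = {n["id"]: n["name"] for n in networks if not n["admin_state_up"]}
    findings = []
    for port in ports:
        if port["network_id"] not in down:
            continue  # network is administratively up: nothing to report
        reasons = []
        if port["admin_state_up"]:
            reasons.append("admin_state_up=True")
        if port["status"] == "ACTIVE":
            reasons.append("status=ACTIVE")
        if reasons:
            findings.append((down[port["network_id"]], port["id"],
                             port["device_owner"], reasons))
    return findings


if __name__ == "__main__":
    for net, port_id, owner, reasons in find_live_ports_on_down_networks(
            NETWORKS, PORTS):
        print(f"{net}: port {port_id} ({owner}) still {', '.join(reasons)}")
```

An empty result only shows that the API state is consistent; whether traffic is actually blocked still has to be confirmed on the datapath, as the ping tests in the report do.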