yahoo-eng-team team mailing list archive

[Bug 1951074] Re: [OVN] default setting leak nameserver config from the host to instances

 

Hello Jens:

This is the expected behaviour for OVN, as documented here [1]. When
building the DHCP options, the DNS servers option is populated first
with the subnet "dns_nameservers". If empty, the "OVN.dns_servers"
option will be used. If empty, the OVN mech driver will use the local
DNS resolver (reading from "/etc/resolv.conf") [2].

Admin/user can always provide a valid DNS nameserver if needed.

Regards.

[1] https://github.com/openstack/neutron/blob/90b5456b8c11011c41f2fcd53a8943cb45fb6479/neutron/conf/plugins/ml2/drivers/ovn/ovn_conf.py#L158-L164
[2] https://github.com/openstack/neutron/blob/90b5456b8c11011c41f2fcd53a8943cb45fb6479/neutron/plugins/ml2/drivers/ovn/mech_driver/ovsdb/ovn_client.py#L1916-L1918


** Changed in: neutron
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1951074

Title:
  [OVN] default setting leak nameserver config from the host to
  instances

Status in neutron:
  Opinion

Bug description:
  Using the default settings, i.e. without [ovn]dns_servers being
  specified in ml2_conf.ini, OVN will send the nameserver addresses that
  are specified in /etc/resolv.conf on the host in DHCP responses. This
  may lead to unexpected leaks about the host infrastructure and thus
  should at least be well documented. In most cases it will also lead to
  broken DNS resolution for the instances, since when systemd-resolve is
  being used, the host's nameserver address will be 127.0.0.53, and an
  instance will not be able to resolve anything using that address.

  Possibly a better approach would be to not send any nameserver
  information via DHCP in this scenario.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1951074/+subscriptions
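
Added example (not part of the original message and not neutron's own code): a small audit helper that applies the fallback order described in the reply (subnet "dns_nameservers", then "[ovn]dns_servers", then the host's /etc/resolv.conf) and reports when a subnet would hand out the host's resolver addresses, including the loopback case from the bug description. The function names and the sample resolv.conf content are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: a host resolv.conf pointing at the 127.0.0.53 stub
# address mentioned in the bug description.
SAMPLE_RESOLV_CONF = """\
nameserver 127.0.0.53
options edns0
search internal.example
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf content."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def effective_dns(subnet_dns_nameservers, ovn_dns_servers, resolv_conf_text):
    """Apply the fallback order from the reply: subnet, [ovn]dns_servers, host."""
    if subnet_dns_nameservers:
        return list(subnet_dns_nameservers), "subnet dns_nameservers"
    if ovn_dns_servers:
        return list(ovn_dns_servers), "[ovn]dns_servers"
    return parse_resolv_conf(resolv_conf_text), "host /etc/resolv.conf"


def audit(subnet_dns_nameservers, ovn_dns_servers, resolv_conf_text):
    """Return findings for one subnet; an empty list means nothing to report."""
    servers, source = effective_dns(
        subnet_dns_nameservers, ovn_dns_servers, resolv_conf_text)
    findings = []
    if source == "host /etc/resolv.conf":
        findings.append("host resolver addresses exposed to instances: %s"
                        % ", ".join(servers))
        for addr in servers:
            # Strip an IPv6 zone id (e.g. fe80::1%eth0) before parsing.
            if ipaddress.ip_address(addr.split("%")[0]).is_loopback:
                findings.append("%s is loopback; unusable from an instance" % addr)
    return findings


if __name__ == "__main__":
    for finding in audit([], [], SAMPLE_RESOLV_CONF):
        print(finding)
```

Feeding it each subnet's "dns_nameservers" list, the configured "[ovn]dns_servers" value and the network node's actual /etc/resolv.conf content shows which subnets rely on the host fallback.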


