os-vif/releasenotes/notes/always-plug-vifs-for-ovs-1d033fc49a9c6c4e.yaml
Sean Mooney d291213f1e add isolate_vif config option
- This change adds a new isolate_vif config
  option to the OVS plugin.

- The isolate_vif option defaults to False
  for backwards compatibility with SDN-based
  deployments.

- This change is a partial mitigation of bug
  1734320. When isolate_vif is set to True,
  os-vif will assign VIFs to the neutron
  l2 agent dead VLAN 4095. This should only
  be set when using the ml2/ovs neutron
  backend.

Change-Id: I87ee9626cc6b4a01465a6b1908bc66bc7be0a4bc
Partial-Bug: #1734320
2018-12-07 12:21:44 +00:00


---
features:
- |
  In this release the OVS plugin was extended to always plug VIFs even when
  libvirt could plug the VIF. This enables faster migration by leveraging
  the multiple port bindings work completed in the Rocky release.
security:
- |
  In this release an edge case where libvirt plugged the VIF instead of os-vif
  was addressed. Previously, if ``ovs_hybrid_plug`` was set to ``False`` in
  the port binding details, os-vif would only ensure the OVS bridge existed
  and the plugging would be done by libvirt. As a result, during live
  migration there was a short interval where a guest could receive tagged
  broadcast, multicast, or flooded traffic to/from another tenant.
  This vulnerability is described in `bug 1734320`_. By ensuring that
  os-vif always creates the OVS port as part of VIF plugging, we enable
  Neutron to isolate the port prior to Nova resuming the VM on the
  destination node. Note that because Nova cannot rely on Neutron to send
  ``network-vif-plugged`` events on completion of wiring up an interface,
  it cannot wait to receive a notification before proceeding with the
  migration. As a result this is a partial mitigation, and additional changes
  will be required to fully address this bug.

  .. _bug 1734320: https://bugs.launchpad.net/neutron/+bug/1734320
- |
  A new config option was introduced for the OVS VIF plugin.
  The ``isolate_vif`` option was added as a partial mitigation of
  `bug 1734320`_. The ``isolate_vif`` option defaults to ``False`` for
  backwards compatibility with SDN-controller-based OpenStack deployments.
  For all deployments using the reference implementation of ML2/OVS with
  the Neutron L2 agents, ``isolate_vif`` should be set to ``True``.
  This option instructs the OVS plugin to assign the VIF to the
  Neutron dead VLAN (4095) when attaching the interface to OVS. By setting
  the VIF's VLAN to this dead VLAN number, we eliminate the small attack
  vector that exists for other tenants to read packets during the VIF's
  bring-up.
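The dead-VLAN isolation described in the release note, as an added illustration that is not os-vif's own code: a hypothetical helper that builds the ``ovs-vsctl`` transaction for plugging a VIF with and without ``isolate_vif``, and a reader for the option from a host's ``nova.conf``. It assumes the option lives in the ``[os_vif_ovs]`` group and uses the Neutron OVS agent's ``external-ids`` conventions; the config fragment is constructed sample input.

```python
import configparser

DEAD_VLAN = 4095  # the Neutron L2 agent "dead" VLAN named in the release note

# Constructed sample nova.conf fragment (not from a real deployment).
SAMPLE_CONF = """
[os_vif_ovs]
isolate_vif = True
"""


def isolate_vif_enabled(conf_text):
    """Read isolate_vif from a nova.conf text; defaults to False like os-vif."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    # Assumption: the option is registered in the [os_vif_ovs] group.
    return parser.getboolean("os_vif_ovs", "isolate_vif", fallback=False)


def ovs_plug_argv(bridge, dev, iface_id, mac, vm_uuid, isolate_vif=False):
    """Build the ovs-vsctl argv that plugs one VIF port into an OVS bridge.

    Hypothetical helper modelled on the transaction the note describes, not
    os-vif's implementation. The external-ids keys are the ones the Neutron
    OVS agent reads to treat the port as a VM interface it must wire up.
    """
    argv = ["ovs-vsctl", "--timeout=120",
            "--", "--if-exists", "del-port", bridge, dev,
            "--", "add-port", bridge, dev,
            "--", "set", "Interface", dev,
            "external-ids:iface-id=%s" % iface_id,
            "external-ids:iface-status=active",
            "external-ids:attached-mac=%s" % mac,
            "external-ids:vm-uuid=%s" % vm_uuid]
    if isolate_vif:
        # Park the port on the dead VLAN in the same transaction that creates
        # it, so no untagged window exists before the L2 agent re-tags it
        # with the tenant's local VLAN.
        argv += ["--", "set", "Port", dev, "tag=%d" % DEAD_VLAN]
    return argv


def port_is_isolated(argv):
    """True when the plug transaction tags the port with the dead VLAN."""
    return ("tag=%d" % DEAD_VLAN) in argv


if __name__ == "__main__":
    enabled = isolate_vif_enabled(SAMPLE_CONF)
    cmd = ovs_plug_argv("br-int", "tap0", "port-id", "fa:16:3e:00:00:01",
                        "vm-id", isolate_vif=enabled)
    print(" ".join(cmd), "isolated:", port_is_isolated(cmd))
```

With ``isolate_vif = False`` the generated transaction contains no ``tag=`` assignment, which is exactly the untagged window the note's second entry closes.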