[PKG-Openstack-devel] Bug#773504: python-nova: nwfilter-problem with libvirt >= 1.2.7
Eckebrecht von Pappenheim
evp at heise.de
Fri Dec 19 09:27:34 UTC 2014
Package: python-nova
Version: 2014.1.3-6
Severity: grave
Tags: upstream
Justification: renders package unusable
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Running OpenStack on jessie, whose libvirt is >= 1.2.7. Starting or migrating VMs fails with errors like:
libvirtError: operation failed: filter 'nova-instance-instance-00000012-fa163e8eb435' already exists with uuid 6b2b71c1-486c-4ef2-b0e3-1c0918bd317f
* What exactly did you do (or not do) that was effective (or
ineffective)?
Applying the upstream patch from https://review.openstack.org/#/c/122721/ (the context diff against firewall.py below) fixes the problem.
*** firewall.py.orig Thu Dec 18 14:20:43 2014
--- firewall.py Thu Dec 18 14:19:55 2014
***************
*** 15,20 ****
--- 15,23 ----
# License for the specific language governing permissions and limitations
# under the License.
+ import uuid
+
+ from lxml import etree
from oslo.config import cfg
from nova.cloudpipe import pipelib
***************
*** 59,89 ****
return self._libvirt_get_connection()
_conn = property(_get_connection)
! @staticmethod
! def nova_no_nd_reflection_filter():
"""This filter protects false positives on IPv6 Duplicate Address
Detection(DAD).
"""
return '''<filter name='nova-no-nd-reflection' chain='ipv6'>
<!-- no nd reflection -->
<!-- drop if destination mac is v6 mcast mac addr and
we sent it. -->
!
<rule action='drop' direction='in'>
<mac dstmacaddr='33:33:00:00:00:00'
dstmacmask='ff:ff:00:00:00:00' srcmacaddr='$MAC'/>
</rule>
! </filter>'''
! @staticmethod
! def nova_dhcp_filter():
"""The standard allow-dhcp-server filter is an <ip> one, so it uses
ebtables to allow traffic through. Without a corresponding rule in
iptables, it'll get blocked anyway.
"""
!
return '''<filter name='nova-allow-dhcp-server' chain='ipv4'>
! <uuid>891e4787-e5c0-d59b-cbd6-41bc3c6b36fc</uuid>
<rule action='accept' direction='out'
priority='100'>
<udp srcipaddr='0.0.0.0'
--- 62,91 ----
return self._libvirt_get_connection()
_conn = property(_get_connection)
! def nova_no_nd_reflection_filter(self):
"""This filter protects false positives on IPv6 Duplicate Address
Detection(DAD).
"""
+ uuid = self._get_filter_uuid('nova-no-nd-reflection')
return '''<filter name='nova-no-nd-reflection' chain='ipv6'>
<!-- no nd reflection -->
<!-- drop if destination mac is v6 mcast mac addr and
we sent it. -->
! <uuid>%s</uuid>
<rule action='drop' direction='in'>
<mac dstmacaddr='33:33:00:00:00:00'
dstmacmask='ff:ff:00:00:00:00' srcmacaddr='$MAC'/>
</rule>
! </filter>''' % uuid
! def nova_dhcp_filter(self):
"""The standard allow-dhcp-server filter is an <ip> one, so it uses
ebtables to allow traffic through. Without a corresponding rule in
iptables, it'll get blocked anyway.
"""
! uuid = self._get_filter_uuid('nova-allow-dhcp-server')
return '''<filter name='nova-allow-dhcp-server' chain='ipv4'>
! <uuid>%s</uuid>
<rule action='accept' direction='out'
priority='100'>
<udp srcipaddr='0.0.0.0'
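Review bot: The new local `uuid = self._get_filter_uuid(...)` in both `nova_no_nd_reflection_filter` and `nova_dhcp_filter` shadows the `uuid` module this patch imports at the top of the file; it is harmless today because neither method touches the module afterwards, but the same pattern is repeated elsewhere in the patch and a later edit that calls `uuid.uuid4()` inside one of these methods would fail on a string. Renaming the local, e.g. `filter_uuid = self._get_filter_uuid('nova-allow-dhcp-server')` and `</filter>''' % filter_uuid`, avoids that. Dropping `@staticmethod` is fine for the two call sites the patch updates later, and any other caller that still hands the bare method to `_define_filter` keeps working only because `_define_filter` calls a callable argument with no arguments. The `nova_dhcp_filter` string literal continues past the end of this hunk.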
***************
*** 97,103 ****
srcportstart='67'
dstportstart='68'/>
</rule>
! </filter>'''
def setup_basic_filtering(self, instance, network_info):
"""Set up basic filtering (MAC, IP, and ARP spoofing protection)."""
--- 99,105 ----
srcportstart='67'
dstportstart='68'/>
</rule>
! </filter>''' % uuid
def setup_basic_filtering(self, instance, network_info):
"""Set up basic filtering (MAC, IP, and ARP spoofing protection)."""
***************
*** 172,178 ****
--- 174,182 ----
nic_id = vif['address'].replace(':', '')
instance_filter_name = self._instance_filter_name(instance, nic_id)
parameters = self._get_instance_filter_parameters(vif)
+ uuid = self._get_filter_uuid(instance_filter_name)
xml = '''<filter name='%s' chain='root'>''' % instance_filter_name
+ xml += '<uuid>%s</uuid>' % uuid
for f in filters:
xml += '''<filterref filter='%s'>''' % f
xml += ''.join(parameters)
***************
*** 210,232 ****
filter_set = ['no-mac-spoofing',
'no-ip-spoofing',
'no-arp-spoofing']
! self._define_filter(self.nova_no_nd_reflection_filter)
filter_set.append('nova-no-nd-reflection')
self._define_filter(self._filter_container('nova-nodhcp', filter_set))
filter_set.append('allow-dhcp-server')
self._define_filter(self._filter_container('nova-base', filter_set))
self._define_filter(self._filter_container('nova-vpn',
['allow-dhcp-server']))
! self._define_filter(self.nova_dhcp_filter)
self.static_filters_configured = True
def _filter_container(self, name, filters):
! xml = '''<filter name='%s' chain='root'>%s</filter>''' % (
! name,
''.join(["<filterref filter='%s'/>" % (f,) for f in filters]))
return xml
def _define_filter(self, xml):
if callable(xml):
xml = xml()
--- 214,253 ----
filter_set = ['no-mac-spoofing',
'no-ip-spoofing',
'no-arp-spoofing']
!
! self._define_filter(self.nova_no_nd_reflection_filter())
filter_set.append('nova-no-nd-reflection')
self._define_filter(self._filter_container('nova-nodhcp', filter_set))
filter_set.append('allow-dhcp-server')
self._define_filter(self._filter_container('nova-base', filter_set))
self._define_filter(self._filter_container('nova-vpn',
['allow-dhcp-server']))
! self._define_filter(self.nova_dhcp_filter())
self.static_filters_configured = True
def _filter_container(self, name, filters):
! uuid = self._get_filter_uuid(name)
! xml = '''<filter name='%s' chain='root'>
! <uuid>%s</uuid>
! %s
! </filter>''' % (name, uuid,
''.join(["<filterref filter='%s'/>" % (f,) for f in filters]))
return xml
+ def _get_filter_uuid(self, name):
+ try:
+ flt = self._conn.nwfilterLookupByName(name)
+ xml = flt.XMLDesc(0)
+ doc = etree.fromstring(xml)
+ u = doc.find("./uuid").text
+ except Exception as e:
+ LOG.debug("Cannot find UUID for filter '%s': '%s'" % (name, e))
+ u = uuid.uuid4().hex
+
+ LOG.debug("UUID for filter '%s' is '%s'" % (name, u))
+ return u
+
def _define_filter(self, xml):
if callable(xml):
xml = xml()
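Review bot: `_get_filter_uuid` wraps the whole lookup-and-parse in `except Exception`, so a lost libvirt connection, a permission error or a missing `<uuid>` element in the `XMLDesc()` output is treated exactly like "filter not defined yet": a fresh UUID is minted, the following `_define_filter` then fails with the very "already exists with uuid" error the patch is meant to fix, and the real cause was only logged at debug level. Only a lookup failing because the filter does not exist should fall through to `uuid.uuid4()`; assuming the module-level `libvirt` handle this class relies on for `_conn` is in scope (not visible in this hunk), the handler can be narrowed to `libvirt.libvirtError` with error code `VIR_ERR_NO_NWFILTER` and everything else re-raised, as in the rewrite below. `uuid.uuid4().hex` produces the 32-hex form while the value read back from libvirt is hyphenated, so the same filter gets logged in two formats; `str(uuid.uuid4())` keeps them consistent and libvirt evidently accepts either, since the report says the patch works. The lookup-then-define sequence is not atomic, so two concurrent spawns can both miss the lookup and define the same name with different UUIDs; unless `_define_filter`, whose body continues past this hunk, already retries, a second lookup on a define failure is worth adding. The `LOG.debug(... % ...)` calls should also pass their arguments lazily, `LOG.debug("UUID for filter '%s' is '%s'", name, u)`.
```python
    def _get_filter_uuid(self, name):
        """Return the UUID libvirt already holds for nwfilter `name`.

        libvirt >= 1.2.7 refuses to redefine a filter under a new UUID, so
        an existing filter must be re-submitted with its current UUID; a
        filter that is not defined yet gets a freshly generated one.
        """
        try:
            flt = self._conn.nwfilterLookupByName(name)
        except libvirt.libvirtError as e:
            # Only "no such filter" may fall through to a new UUID; a lost
            # connection or a permission problem must reach the caller.
            if e.get_error_code() != libvirt.VIR_ERR_NO_NWFILTER:
                raise
            u = str(uuid.uuid4())
            LOG.debug("Filter '%s' not defined yet, using new UUID '%s'",
                      name, u)
            return u
        node = etree.fromstring(flt.XMLDesc(0)).find("./uuid")
        if node is None or not node.text:
            raise ValueError("nwfilter '%s' has no <uuid> element" % name)
        LOG.debug("UUID for filter '%s' is '%s'", name, node.text)
        return node.text
```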
* What was the outcome of this action?
With the patch applied, nova starts and migrates VMs without errors on libvirt 1.2.9.
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python-nova depends on:
ii dpkg 1.17.21
ii libpython2.7-stdlib [python-argparse] 2.7.8-11
ii openssh-client 1:6.7p1-3
ii openssl 1.0.1j-1
ii python 2.7.8-2
ii python-amqplib 1.0.2-1
ii python-anyjson 0.3.3-1
ii python-babel 1.3+dfsg.1-5
ii python-boto 2.34.0-2
ii python-cinderclient 1:1.0.8-2
ii python-daemon 1.5.5-1
ii python-eventlet 0.13.0-1
ii python-feedparser 5.1.3-3
ii python-glanceclient 1:0.12.0-1
ii python-greenlet 0.4.2-1+b2
ii python-iso8601 0.1.10-1
ii python-jinja2 2.7.3-1
ii python-jsonschema 2.3.0-1
ii python-keystoneclient 1:0.10.1-2
ii python-kombu 3.0.21-2
ii python-libxml2 2.9.1+dfsg1-4
ii python-lockfile 1:0.8-2
ii python-lxml 3.4.0-1
ii python-memcache 1.53+2014.06.08.git.918e88c496-1
ii python-migrate 0.9.1-1
ii python-mysqldb 1.2.3-2.1
ii python-netaddr 0.7.12-2
ii python-neutronclient 2.3.6-2
ii python-novaclient 2:2.18.1-1
ii python-oslo.config 1:1.3.0-2
ii python-oslo.messaging 1.4.0.0+really+1.3.1-2
ii python-oslo.rootwrap 1.2.0-3
ii python-paramiko 1.15.1-1
ii python-paste 1.7.5.1-6
ii python-pastedeploy 1.5.2-1
ii python-pbr 0.8.2-1
ii python-pyasn1 0.1.7-1
ii python-pycadf 0.5.1-1
ii python-pycurl 7.19.5-3
ii python-pyparsing 2.0.3+dfsg1-1
ii python-requests 2.4.3-4
ii python-routes 2.0-1
ii python-simplejson 3.6.5-1
ii python-six 1.8.0-1
ii python-sqlalchemy 0.9.8+dfsg-0.1
ii python-stevedore 0.14.1-1
ii python-subunit 0.0.18-4
ii python-suds 0.4.1-15
ii python-tempita 0.5.2-1
ii python-testrepository 0.0.20-1
ii python-webob 1.4-2
ii python-xattr 0.6.4-3
ii sudo 1.8.10p3-1
ii websockify 0.6.0+dfsg1-1
python-nova recommends no packages.
Versions of packages python-nova suggests:
ii python-suds 0.4.1-15
-- no debconf information