Stein Series Release Notes

1.15.2

Security Issues

  • Prevent Linux Bridge from replying to ARP messages. It should reply only if the target IP address is a local address configured on the incoming interface and it should always use the best local address. See The ARP flux problem for more information.

Bug Fixes

  • As part of a bug #1715317, MAC ageing was disabled for the intermediate bridge created as part of the hybrid plug mechanism. During the removal of brctl, this behavior was inadvertently applied to all linux bridges created by os-vif including those used in the linuxbridge driver. As a result this can lead to packet flooding (see bug #1837252) when instances are migrated. This behavior has been reverted so that the default mac ageing is determined by the kernel and is not set when using the os-vif linux bridge plugin.

1.15.0

New Features

  • Added native implementation of OVSDB API in vif_plug_ovs. Both vsctl and native APIs could be selected by setting the configuration variable ovsdb_interface. A new configuration variable, ovsdb_connection, is added. This variable defines the connection string for the OVSDB backend.

Other Notes

  • Changed default value of ovsdb_connection to “tcp:127.0.0.1:6640”, to match the default value set in Neutron project. This connection string is needed by OVSDB native interface.

  • With this release, packagers of os-vif no longer need to create a dependency on brctl. brctl is largely considered obsolete and has been replaced with iproute2 by default in many linux distributions. RHEL 8 will not ship brctl in its default repos. As part of a larger effort to remove usage of brctl from OpenStack os-vif has replaced its usage of brctl with pyroute2. This does not introduce any new requirements as pyroute2 is already a requirement.

1.14.0

New Features

  • A new set of attributes to port profiles has been introduced, namely Datapath Offload Types, with DatapathOffloadRepresentor allowing os-vif to pass the required metadata for representors conforming to the kernel switchdev representor model.

Deprecation Notes

  • The API for VIFPortProfileOVSRepresentor has been frozen pending deprecation of the class. Users should transition to setting the datapath_offload of VIFPortProfileOpenVSwitch to a DatapathOffloadRepresentor object to pass representor information.

Security Issues

  • In 1.13.0 it was reported that bug #1734320 was partially resolved by change Iaf15fa7a678ec2624f7c12f634269c465fbad930. It has since emerged that that change introduced another bug due to an interaction with libvirt. It was understood that libvirt would not recreate the ovs port if it was present on the ovs bridge when spawning a vm however on inspection of the libvirt code this is not the case. In this release we have reverted the change to os-vif and libvirt will be the only entity to create the ovs port when vif_type is set to ovs and hybrid_plug is set to false in the neutron port binding details. Bug #1734320 is not expected to be present if hybrid_plug=true or vif_type vhost-user is used on linux. On windows if hybrid_plug is false on bug #1734320 is also not expected to be present. A new mitigation to bug #1734320 will be developed for the remaining case of hybrid_plug=false on linux.

1.13.0

New Features

  • In this release the OVS plugin was extended to always plug VIFs even when libvirt could plug the vif. This will enable faster migration leveraging the multiple port bindings work completed in the Rocky release.

Security Issues

  • In this release an edgecase where libvirt plugged the VIF instead of os-vif was addressed. Previously if ovs_hybrid_plug was set to False in the port binding details, os-vif would only ensure the ovs bridge existed and the plugging would be done by libvirt. As a result during live migration, there was a short interval where a guest could receive tagged broadcast, multicast, or flooded traffic to/from another tenant. This vulnerability is described in bug 1734320. By ensuring that os-vif always creates the OVS port as part of vif plugging we enable neutron to isolate the port prior to nova resuming the VM on the destination node. Note that as Nova cannot rely on Neutron to send network-vif-plugged events on completion of wiring up an interface it cannot wait to receive a notification before proceeding with the migration. As a result this is a partial mitigation and additional changes will be required to fully address this bug.

  • A new config option was introduced for the OVS VIF plugin. The isolate_vif option was added as a partial mitigation of bug 1734320. The isolate_vif option defaults to False for backwards compatibility with SDN controller based OpenStack deployments. For all deployments using the reference implementation of ML2/OVS with the neutron L2 agents, isolate_vif should be set to True. This option instructs the OVS plugin to assign the VIF to the Neutron dead VLAN (4095) when attaching the interface to OVS. By setting the VIF’s VLAN to this dead VLAN number, we eliminate the small attack vector that exists for other tenants to read packets during the VIF’s bring up.

1.12.0

New Features

  • Added an abstract OVSDB API in vif_plug_ovs. All calls to OVS database will de done using this unique API. Command line implementation using ovs-vsctl was refactored as a backend for this abstract API. A new configuration variable, ovsdb_interface, is added to select the interface for interacting with the OVS database.

Upgrade Notes

  • Removed IPTools implementation. IPTools driver was implemented to avoid a bug in pyroute2 library, currently solved. This implementation was marked as “deprecated” two releases ago. IP Linux commands now use Pyroute2.