Disable IPv6 on bridge devices

The qbr bridge should not have any IPv6 addresses, either
link-local, or on the tenant's private network due to the
bridge processing Router Advertisements from Neutron and
auto-configuring addresses, since it will allow access to
the hypervisor from a tenant VM.

The bridge only exists to allow the Neutron security group
code to work with OVS, so we can safely disable IPv6 on it.

Closes-bug: 1470931
Partial-bug: 1302080

Conflicts:
	nova/tests/unit/virt/libvirt/test_vif.py

Change-Id: Ideecab1c21b240bcca71973ed74b0374afb20e5e
(cherry picked from commit 5ab1b1b1c4)
This commit is contained in:
Adam Kacmarsky 2015-07-02 10:13:16 -06:00 committed by Rawlin Peters
parent e5a7f28d59
commit 4440172723
2 changed files with 40 additions and 10 deletions

View File

@ -13,6 +13,7 @@
# under the License.
import contextlib
import os
from lxml import etree
import mock
@ -659,7 +660,7 @@ class LibvirtVifTestCase(test.NoDBTestCase):
delete.side_effect = processutils.ProcessExecutionError
d.unplug_ivs_ethernet(None, self.vif_ovs)
def test_plug_ovs_hybrid(self):
def _test_plug_ovs_hybrid(self, ipv6_exists):
calls = {
'device_exists': [mock.call('qbrvif-xxx-yyy'),
mock.call('qvovif-xxx-yyy')],
@ -674,23 +675,33 @@ class LibvirtVifTestCase(test.NoDBTestCase):
mock.call('tee', ('/sys/class/net/qbrvif-xxx-yyy'
'/bridge/multicast_snooping'),
process_input='0', run_as_root=True,
check_exit_code=[0, 1]),
mock.call('ip', 'link', 'set', 'qbrvif-xxx-yyy', 'up',
run_as_root=True),
mock.call('brctl', 'addif', 'qbrvif-xxx-yyy',
'qvbvif-xxx-yyy', run_as_root=True)],
check_exit_code=[0, 1])],
'create_ovs_vif_port': [mock.call('br0',
'qvovif-xxx-yyy', 'aaa-bbb-ccc',
'ca:fe:de:ad:be:ef',
'instance-uuid')]
}
# The disable_ipv6 call needs to be added in the middle, if required
if ipv6_exists:
calls['execute'].extend([
mock.call('tee', ('/proc/sys/net/ipv6/conf'
'/qbrvif-xxx-yyy/disable_ipv6'),
process_input='1', run_as_root=True,
check_exit_code=[0, 1])])
calls['execute'].extend([
mock.call('ip', 'link', 'set', 'qbrvif-xxx-yyy', 'up',
run_as_root=True),
mock.call('brctl', 'addif', 'qbrvif-xxx-yyy',
'qvbvif-xxx-yyy', run_as_root=True)])
with contextlib.nested(
mock.patch.object(linux_net, 'device_exists',
return_value=False),
mock.patch.object(utils, 'execute'),
mock.patch.object(linux_net, '_create_veth_pair'),
mock.patch.object(linux_net, 'create_ovs_vif_port')
) as (device_exists, execute, _create_veth_pair, create_ovs_vif_port):
mock.patch.object(linux_net, 'create_ovs_vif_port'),
mock.patch.object(os.path, 'exists', return_value=ipv6_exists)
) as (device_exists, execute, _create_veth_pair, create_ovs_vif_port,
path_exists):
d = vif.LibvirtGenericVIFDriver()
d.plug_ovs_hybrid(self.instance, self.vif_ovs)
device_exists.assert_has_calls(calls['device_exists'])
@ -698,6 +709,12 @@ class LibvirtVifTestCase(test.NoDBTestCase):
execute.assert_has_calls(calls['execute'])
create_ovs_vif_port.assert_has_calls(calls['create_ovs_vif_port'])
def test_plug_ovs_hybrid_ipv6(self):
self._test_plug_ovs_hybrid(ipv6_exists=True)
def test_plug_ovs_hybrid_no_ipv6(self):
self._test_plug_ovs_hybrid(ipv6_exists=False)
def test_unplug_ovs_hybrid(self):
calls = {
'device_exists': [mock.call('qbrvif-xxx-yyy')],
@ -793,6 +810,10 @@ class LibvirtVifTestCase(test.NoDBTestCase):
'/bridge/multicast_snooping'),
process_input='0', run_as_root=True,
check_exit_code=[0, 1]),
mock.call('tee', ('/proc/sys/net/ipv6/conf'
'/qbrvif-xxx-yyy/disable_ipv6'),
process_input='1', run_as_root=True,
check_exit_code=[0, 1]),
mock.call('ip', 'link', 'set', 'qbrvif-xxx-yyy', 'up',
run_as_root=True),
mock.call('brctl', 'addif', 'qbrvif-xxx-yyy',
@ -806,8 +827,10 @@ class LibvirtVifTestCase(test.NoDBTestCase):
return_value=False),
mock.patch.object(utils, 'execute'),
mock.patch.object(linux_net, '_create_veth_pair'),
mock.patch.object(linux_net, 'create_ivs_vif_port')
) as (device_exists, execute, _create_veth_pair, create_ivs_vif_port):
mock.patch.object(linux_net, 'create_ivs_vif_port'),
mock.patch.object(os.path, 'exists', return_value=True)
) as (device_exists, execute, _create_veth_pair, create_ivs_vif_port,
path_exists):
d = vif.LibvirtGenericVIFDriver()
d.plug_ivs_hybrid(self.instance, self.vif_ivs)
device_exists.assert_has_calls(calls['device_exists'])

View File

@ -503,6 +503,13 @@ class LibvirtGenericVIFDriver(object):
process_input='0',
run_as_root=True,
check_exit_code=[0, 1])
disv6 = '/proc/sys/net/ipv6/conf/%s/disable_ipv6' % br_name
if os.path.exists(disv6):
utils.execute('tee',
disv6,
process_input='1',
run_as_root=True,
check_exit_code=[0, 1])
if not linux_net.device_exists(v2_name):
linux_net._create_veth_pair(v1_name, v2_name)