Disable IPv6 on bridge devices
The qbr bridge should not have any IPv6 addresses, either
link-local, or on the tenant's private network due to the
bridge processing Router Advertisements from Neutron and
auto-configuring addresses, since it will allow access to
the hypervisor from a tenant VM.
The bridge only exists to allow the Neutron security group
code to work with OVS, so we can safely disable IPv6 on it.
Closes-bug: 1470931
Partial-bug: 1302080
Conflicts:
nova/tests/unit/virt/libvirt/test_vif.py
Change-Id: Ideecab1c21b240bcca71973ed74b0374afb20e5e
(cherry picked from commit 5ab1b1b1c4
)
This commit is contained in:
parent
e5a7f28d59
commit
4440172723
|
@ -13,6 +13,7 @@
|
|||
# under the License.
|
||||
|
||||
import contextlib
|
||||
import os
|
||||
|
||||
from lxml import etree
|
||||
import mock
|
||||
|
@ -659,7 +660,7 @@ class LibvirtVifTestCase(test.NoDBTestCase):
|
|||
delete.side_effect = processutils.ProcessExecutionError
|
||||
d.unplug_ivs_ethernet(None, self.vif_ovs)
|
||||
|
||||
def test_plug_ovs_hybrid(self):
|
||||
def _test_plug_ovs_hybrid(self, ipv6_exists):
|
||||
calls = {
|
||||
'device_exists': [mock.call('qbrvif-xxx-yyy'),
|
||||
mock.call('qvovif-xxx-yyy')],
|
||||
|
@ -674,23 +675,33 @@ class LibvirtVifTestCase(test.NoDBTestCase):
|
|||
mock.call('tee', ('/sys/class/net/qbrvif-xxx-yyy'
|
||||
'/bridge/multicast_snooping'),
|
||||
process_input='0', run_as_root=True,
|
||||
check_exit_code=[0, 1]),
|
||||
mock.call('ip', 'link', 'set', 'qbrvif-xxx-yyy', 'up',
|
||||
run_as_root=True),
|
||||
mock.call('brctl', 'addif', 'qbrvif-xxx-yyy',
|
||||
'qvbvif-xxx-yyy', run_as_root=True)],
|
||||
check_exit_code=[0, 1])],
|
||||
'create_ovs_vif_port': [mock.call('br0',
|
||||
'qvovif-xxx-yyy', 'aaa-bbb-ccc',
|
||||
'ca:fe:de:ad:be:ef',
|
||||
'instance-uuid')]
|
||||
}
|
||||
# The disable_ipv6 call needs to be added in the middle, if required
|
||||
if ipv6_exists:
|
||||
calls['execute'].extend([
|
||||
mock.call('tee', ('/proc/sys/net/ipv6/conf'
|
||||
'/qbrvif-xxx-yyy/disable_ipv6'),
|
||||
process_input='1', run_as_root=True,
|
||||
check_exit_code=[0, 1])])
|
||||
calls['execute'].extend([
|
||||
mock.call('ip', 'link', 'set', 'qbrvif-xxx-yyy', 'up',
|
||||
run_as_root=True),
|
||||
mock.call('brctl', 'addif', 'qbrvif-xxx-yyy',
|
||||
'qvbvif-xxx-yyy', run_as_root=True)])
|
||||
with contextlib.nested(
|
||||
mock.patch.object(linux_net, 'device_exists',
|
||||
return_value=False),
|
||||
mock.patch.object(utils, 'execute'),
|
||||
mock.patch.object(linux_net, '_create_veth_pair'),
|
||||
mock.patch.object(linux_net, 'create_ovs_vif_port')
|
||||
) as (device_exists, execute, _create_veth_pair, create_ovs_vif_port):
|
||||
mock.patch.object(linux_net, 'create_ovs_vif_port'),
|
||||
mock.patch.object(os.path, 'exists', return_value=ipv6_exists)
|
||||
) as (device_exists, execute, _create_veth_pair, create_ovs_vif_port,
|
||||
path_exists):
|
||||
d = vif.LibvirtGenericVIFDriver()
|
||||
d.plug_ovs_hybrid(self.instance, self.vif_ovs)
|
||||
device_exists.assert_has_calls(calls['device_exists'])
|
||||
|
@ -698,6 +709,12 @@ class LibvirtVifTestCase(test.NoDBTestCase):
|
|||
execute.assert_has_calls(calls['execute'])
|
||||
create_ovs_vif_port.assert_has_calls(calls['create_ovs_vif_port'])
|
||||
|
||||
def test_plug_ovs_hybrid_ipv6(self):
|
||||
self._test_plug_ovs_hybrid(ipv6_exists=True)
|
||||
|
||||
def test_plug_ovs_hybrid_no_ipv6(self):
|
||||
self._test_plug_ovs_hybrid(ipv6_exists=False)
|
||||
|
||||
def test_unplug_ovs_hybrid(self):
|
||||
calls = {
|
||||
'device_exists': [mock.call('qbrvif-xxx-yyy')],
|
||||
|
@ -793,6 +810,10 @@ class LibvirtVifTestCase(test.NoDBTestCase):
|
|||
'/bridge/multicast_snooping'),
|
||||
process_input='0', run_as_root=True,
|
||||
check_exit_code=[0, 1]),
|
||||
mock.call('tee', ('/proc/sys/net/ipv6/conf'
|
||||
'/qbrvif-xxx-yyy/disable_ipv6'),
|
||||
process_input='1', run_as_root=True,
|
||||
check_exit_code=[0, 1]),
|
||||
mock.call('ip', 'link', 'set', 'qbrvif-xxx-yyy', 'up',
|
||||
run_as_root=True),
|
||||
mock.call('brctl', 'addif', 'qbrvif-xxx-yyy',
|
||||
|
@ -806,8 +827,10 @@ class LibvirtVifTestCase(test.NoDBTestCase):
|
|||
return_value=False),
|
||||
mock.patch.object(utils, 'execute'),
|
||||
mock.patch.object(linux_net, '_create_veth_pair'),
|
||||
mock.patch.object(linux_net, 'create_ivs_vif_port')
|
||||
) as (device_exists, execute, _create_veth_pair, create_ivs_vif_port):
|
||||
mock.patch.object(linux_net, 'create_ivs_vif_port'),
|
||||
mock.patch.object(os.path, 'exists', return_value=True)
|
||||
) as (device_exists, execute, _create_veth_pair, create_ivs_vif_port,
|
||||
path_exists):
|
||||
d = vif.LibvirtGenericVIFDriver()
|
||||
d.plug_ivs_hybrid(self.instance, self.vif_ivs)
|
||||
device_exists.assert_has_calls(calls['device_exists'])
|
||||
|
|
|
@ -503,6 +503,13 @@ class LibvirtGenericVIFDriver(object):
|
|||
process_input='0',
|
||||
run_as_root=True,
|
||||
check_exit_code=[0, 1])
|
||||
disv6 = '/proc/sys/net/ipv6/conf/%s/disable_ipv6' % br_name
|
||||
if os.path.exists(disv6):
|
||||
utils.execute('tee',
|
||||
disv6,
|
||||
process_input='1',
|
||||
run_as_root=True,
|
||||
check_exit_code=[0, 1])
|
||||
|
||||
if not linux_net.device_exists(v2_name):
|
||||
linux_net._create_veth_pair(v1_name, v2_name)
|
||||
|
|
Loading…
Reference in New Issue