Please unsubscribe me
-----Original Message-----
From: openstack-requ...@lists.openstack.org
[mailto:openstack-requ...@lists.openstack.org]
Sent: Wednesday, September 09, 2015 5:00 AM
To: openstack@lists.openstack.org
Subject: Openstack Digest, Vol 27, Issue 8
Send Openstack mailing list submissions to
openstack@lists.openstack.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
or, via email, send a message with subject or body 'help' to
openstack-requ...@lists.openstack.org
You can reach the person managing the list at
openstack-ow...@lists.openstack.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Openstack digest..."
Today's Topics:
1. Console via NoVNC showing garbled screen for Windows XP guest
(Silvano Cirujano Cuesta)
2. port-delete issue (Yngvi P?ll ?orfinnsson)
3. Re: Query regarding contribution for monitoring of Nova and
Swift (John Dickinson)
4. Re: Query regarding contribution for monitoring of Nova and
Swift (Erik McCormick)
5. Re: port-delete issue (Brian Haley)
6. Re: port-delete issue (Yngvi P?ll ?orfinnsson)
7. Re: port-delete issue (Yngvi P?ll ?orfinnsson)
8. Re: port-delete issue (Brian Haley)
9. Re: port-delete issue (Yngvi P?ll ?orfinnsson)
10. [OSSA 2015-018] Neutron firewall rules bypass through port
update (CVE-2015-5240) (Tristan Cacqueray)
11. Devstack multinode setup integration with Opendaylight
(saurabh suman)
12. Re: port-delete issue (Yngvi P?ll ?orfinnsson)
13. [openstack][swift]Got error when installing swift all in one.
(hao wang)
14. Re: [openstack][swift]Got error when installing swift all in
one. (Kota TSUYUZAKI)
15. Cannot Attach Volumes Via Horizon (Ludwig Tirazona)
16. Neutron with apache2 wsgi module don't ack rabbitMQ messages
(Heiko Kr?mer)
----------------------------------------------------------------------
Message: 1
Date: Tue, 8 Sep 2015 17:25:14 +0200
From: Silvano Cirujano Cuesta <silvano.cirujano-cue...@siemens.com>
To: openstack@lists.openstack.org
Subject: [Openstack] Console via NoVNC showing garbled screen for
Windows XP guest
Message-ID: <55eefdda.4040...@siemens.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Hi,
We have a test installation of OpenStack where we can instantiate VMs via
Horizon without problems.
But when we try to view the graphical console of VMs hosting a WindowsXP
installation we get the garbled screen that you can see in the screenshot.
Did anybody observed something similar? I couldn't find anybody describing
similar effects in the internet...
The graphical console via virt-manager looks good, so the QEMU VNC server is
working fine.
The boot-up splash screen also looks good with Horizon, so the VNC
web-client (right now NoVNC) works at least partially.
Since other VNC clients work fine, I think it's an issue with the NoVNC
client.
Some information about our environment:
- OpenStack version: Kilo
- OpenStack nodes running as VMs in a server that is behind a gateway,
therefore network latencies can be high
Any help first to find out the origin of the issue and then to fix it will
be appreciated!
Regards,
Silvano
-------------- next part --------------
A non-text attachment was scrubbed...
Name: novnc.png
Type: image/png
Size: 46222 bytes
Desc: not available
URL:
<http://lists.openstack.org/pipermail/openstack/attachments/20150908/79cc1aa
5/attachment-0001.png>
------------------------------
Message: 2
Date: Tue, 8 Sep 2015 16:01:11 +0000
From: Yngvi P?ll ?orfinnsson <yngv...@siminn.is>
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] port-delete issue
Message-ID: <1397f802959543b18f1339ac11738...@simi-mbx-04.siminn.is>
Content-Type: text/plain; charset="iso-8859-1"
HI
I can't delete a subnet (id f505a109-07a7-420a-ae6b-aa5995126be7 ), because
one port is still in use.
root@opst-ctrl1-dev:/# neutron subnet-delete
f505a109-07a7-420a-ae6b-aa5995126be7
Unable to complete operation on subnet f505a109-07a7-420a-ae6b-aa5995126be7.
One or more ports have an IP allocation from this subnet. (HTTP 409)
(Request-ID: req-fbd64f19-2888-4d87-8e60-bc2cc920cd12)
This is the port in use:
root@opst-ctrl1-dev:/# neutron port-list | grep
f505a109-07a7-420a-ae6b-aa5995126be7
| 220f1ad2-10bb-4d17-8cc5-3ad4f86f0b00 | | fa:16:3e:15:20:59 |
{"subnet_id": "f505a109-07a7-420a-ae6b-aa5995126be7", "ip_address":
"157.157.8.114"} |
root@opst-ctrl1-dev:/#
But I can't delete the port
root@opst-ctrl1-dev:/# neutron port-delete
220f1ad2-10bb-4d17-8cc5-3ad4f86f0b00
Port 220f1ad2-10bb-4d17-8cc5-3ad4f86f0b00 has owner network:floatingip and
therefore cannot be deleted directly via the port API. (HTTP 409)
(Request-ID: req-4823d685-6dd2-4f31-aa8c-0c8b8aa624a0)
There are no floating ip's left on the system (I've already deleted them)
root@opst-ctrl1-dev:/# neutron floatingip-list
thus the list is empty.
Listing this up in the db shows nothing either:
MariaDB [neutron]> select * from floatingips; Empty set (0.00 sec)
Can anyone help on this matter, i.e. how can I delete the port ( and also
the subnet) ?
Best regards
Yngvi
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.openstack.org/pipermail/openstack/attachments/20150908/e6d5024
b/attachment-0001.html>
------------------------------
Message: 3
Date: Tue, 08 Sep 2015 09:26:18 -0700
From: "John Dickinson" <m...@not.mn>
To: "pragya jain" <prag_2...@yahoo.co.in>
Cc: Aparna Datt <aparna.d...@gmail.com>, OpenStack Mailing List
<openstack@lists.openstack.org>, Anita Goel <goel.an...@gmail.com>
Subject: Re: [Openstack] Query regarding contribution for monitoring
of Nova and Swift
Message-ID: <bd31ea44-72b4-4510-b36a-5525c3cae...@not.mn>
Content-Type: text/plain; charset="utf-8"
I'm the Project Technical Lead for Swift, and I'd be happy to look over a
summary of your work about monitoring Swift. Feel free to email me directly
or find me in #openstack-swift on IRC (I'm notmyname).
--John
On 8 Sep 2015, at 3:20, pragya jain wrote:
> ?Hello all
> Me and my colleague, aparna are carrying out research in the area of
> cloud computing under Department of CS, University f Delhi.? We would
> like to contribute our research work regarding monitoring of Nova and
> Swift. We would appreciate if we can find the appropriate link with
> whom we can connect to know if our work is relevant for contribution.
> -----RegardsPragya JainDepartment of Computer ScienceUniversity of
> DelhiDelhi, India_______________________________________________
> Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.openstack.org/pipermail/openstack/attachments/20150908/4fd06d1
f/attachment-0001.pgp>
------------------------------
Message: 4
Date: Tue, 8 Sep 2015 12:42:33 -0400
From: Erik McCormick <emccorm...@cirrusseven.com>
To: pragya jain <prag_2...@yahoo.co.in>
Cc: Aparna Datt <aparna.d...@gmail.com>, OpenStack Mailing List
<openstack@lists.openstack.org>, Anita Goel <goel.an...@gmail.com>
Subject: Re: [Openstack] Query regarding contribution for monitoring
of Nova and Swift
Message-ID:
<cahui5cpo4q351bezn1xbwkxwg0rxnkl06ja6ci1utevveca...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
On Tue, Sep 8, 2015 at 6:20 AM, pragya jain <prag_2...@yahoo.co.in> wrote:
> Hello all
>
> Me and my colleague, aparna are carrying out research in the area of
> cloud computing under Department of CS, University f Delhi. We would
> like to contribute our research work regarding monitoring of Nova and
> Swift. We would appreciate if we can find the appropriate link with
> whom we can connect to know if our work is relevant for contribution.
You may want to cross-post this to openstack-operators. There is a Tools &
Monitoring working group to help define best practices and share tools and
configurations. Here's a link to the WG wiki and some of the stuff they've
been working on.
https://wiki.openstack.org/wiki/Tools_and_Monitoring_WG
https://wiki.openstack.org/wiki/Operations/Monitoring
https://wiki.openstack.org/wiki/Operations/Tools
> -----
> Regards
> Pragya Jain
> Department of Computer Science
> University of Delhi
> Delhi, India
>
> _______________________________________________
> Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
-Erik
------------------------------
Message: 5
Date: Tue, 8 Sep 2015 12:45:27 -0400
From: Brian Haley <brian.ha...@hp.com>
To: openstack@lists.openstack.org
Subject: Re: [Openstack] port-delete issue
Message-ID: <55ef10a7.5080...@hp.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
On 09/08/2015 12:01 PM, Yngvi P?ll ?orfinnsson wrote:
> HI
>
> I can?t delete a subnet (id f505a109-07a7-420a-ae6b-aa5995126be7 ),
> because one port is still in use.
>
> root@opst-ctrl1-dev:/# neutron subnet-delete
> f505a109-07a7-420a-ae6b-aa5995126be7
>
> Unable to complete operation on subnet
> f505a109-07a7-420a-ae6b-aa5995126be7. One or more ports have an IP
allocation from this subnet. (HTTP 409) (Request-ID:
> req-fbd64f19-2888-4d87-8e60-bc2cc920cd12)
Do you have a router on the subnet? Try deleting it.
-Brian
------------------------------
Message: 6
Date: Tue, 8 Sep 2015 17:08:16 +0000
From: Yngvi P?ll ?orfinnsson <yngv...@siminn.is>
To: Brian Haley <brian.ha...@hp.com>, "openstack@lists.openstack.org"
<openstack@lists.openstack.org>
Subject: Re: [Openstack] port-delete issue
Message-ID: <e10fa1372973473fbe8d8f6ff1282...@simi-mbx-04.siminn.is>
Content-Type: text/plain; charset="iso-8859-1"
HI
I don't see a router attached :
root@opst-ctrl1-dev:/# neutron subnet-show ext-subnet
+-------------------+----------------------------------------------------+
| Field | Value |
+-------------------+----------------------------------------------------+
| allocation_pools | {"start": "157.157.8.100", "end": "157.157.8.200"} |
| cidr | 157.157.8.0/24 |
| dns_nameservers | 212.30.200.199 |
| | 212.30.200.200 |
| enable_dhcp | True |
| gateway_ip | 157.157.8.1 |
| host_routes | |
| id | f505a109-07a7-420a-ae6b-aa5995126be7 |
| ip_version | 4 |
| ipv6_address_mode | |
| ipv6_ra_mode | |
| name | ext-subnet |
| network_id | 523721c5-ea5d-42a1-8920-8bc75010f273 |
| tenant_id | 1dda2478e30d44dda0ca752c6047725d |
+-------------------+----------------------------------------------------+
root@opst-ctrl1-dev:/#
best regards
Yngvi
-----Original Message-----
From: Brian Haley [mailto:brian.ha...@hp.com]
Sent: 8. september 2015 16:45
To: openstack@lists.openstack.org
Subject: Re: [Openstack] port-delete issue
On 09/08/2015 12:01 PM, Yngvi P?ll ?orfinnsson wrote:
> HI
>
> I can't delete a subnet (id f505a109-07a7-420a-ae6b-aa5995126be7 ),
> because one port is still in use.
>
> root@opst-ctrl1-dev:/# neutron subnet-delete
> f505a109-07a7-420a-ae6b-aa5995126be7
>
> Unable to complete operation on subnet
> f505a109-07a7-420a-ae6b-aa5995126be7. One or more ports have an IP
allocation from this subnet. (HTTP 409) (Request-ID:
> req-fbd64f19-2888-4d87-8e60-bc2cc920cd12)
Do you have a router on the subnet? Try deleting it.
-Brian
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
------------------------------
Message: 7
Date: Tue, 8 Sep 2015 17:17:04 +0000
From: Yngvi P?ll ?orfinnsson <yngv...@siminn.is>
To: Brian Haley <brian.ha...@hp.com>, "openstack@lists.openstack.org"
<openstack@lists.openstack.org>
Subject: Re: [Openstack] port-delete issue
Message-ID: <60bec238c4b042acadc1c57a57011...@simi-mbx-04.siminn.is>
Content-Type: text/plain; charset="iso-8859-1"
HI
I have cleared the gateway on all routers, but it did not help
root@opst-ctrl1-dev:/# neutron router-list
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
| id | name |
external_gateway_info | distributed | ha |
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
| 164ad471-5ab0-4109-acf5-f88de1e4b5f3 | gw | null
| False | False |
| 2371ae6e-8a07-464c-9b3e-3d7d35e96a59 | gw | null
| False | False |
| 45ab4a9a-c7fc-4cf6-844c-6265b5620121 | gw | null
| False | False |
| 50d16aec-adaf-431d-9b42-f8aff78ea5b8 | gw1 | null
| False | False |
| 546456aa-a312-48d5-8a3b-6031b1dcb3a9 | OskarTestRouter | null
| False | False |
| 78feb17a-9a29-4ddb-9477-914850d8f5d2 | ElasticRouter | null
| False | False |
| 7a06a85c-826a-4f00-a62f-5ae8586ea1fb | adminTest | null
| False | False |
| 7ba38ec5-49d9-4fc8-b77f-ef8a38e79af3 | Safni?-router | null
| False | False |
| 9e367dd6-ab2c-4949-a5e4-4d8d2787d84b | gw | null
| False | False |
| f05c4cc8-724e-4731-bea3-6ef68d794137 | gw1 | null
| False | False |
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
But it did not help.
best regards
Yngvi
-----Original Message-----
From: Brian Haley [mailto:brian.ha...@hp.com]
Sent: 8. september 2015 16:45
To: openstack@lists.openstack.org
Subject: Re: [Openstack] port-delete issue
On 09/08/2015 12:01 PM, Yngvi P?ll ?orfinnsson wrote:
> HI
>
> I can't delete a subnet (id f505a109-07a7-420a-ae6b-aa5995126be7 ),
> because one port is still in use.
>
> root@opst-ctrl1-dev:/# neutron subnet-delete
> f505a109-07a7-420a-ae6b-aa5995126be7
>
> Unable to complete operation on subnet
> f505a109-07a7-420a-ae6b-aa5995126be7. One or more ports have an IP
allocation from this subnet. (HTTP 409) (Request-ID:
> req-fbd64f19-2888-4d87-8e60-bc2cc920cd12)
Do you have a router on the subnet? Try deleting it.
-Brian
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
------------------------------
Message: 8
Date: Tue, 8 Sep 2015 13:32:43 -0400
From: Brian Haley <brian.ha...@hp.com>
To: Yngvi P?ll ?orfinnsson <yngv...@siminn.is>,
"openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: Re: [Openstack] port-delete issue
Message-ID: <55ef1bbb.2030...@hp.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
My only other suggestion is to do a port-list with admin privs and look. I
can't tell if you're doing that as root != admin necessarily.
-Brian
On 09/08/2015 01:08 PM, Yngvi P?ll ?orfinnsson wrote:
> HI
> I don't see a router attached :
>
> root@opst-ctrl1-dev:/# neutron subnet-show ext-subnet
> +-------------------+----------------------------------------------------+
> | Field | Value |
> +-------------------+----------------------------------------------------+
> | allocation_pools | {"start": "157.157.8.100", "end": "157.157.8.200"} |
> | cidr | 157.157.8.0/24 |
> | dns_nameservers | 212.30.200.199 |
> | | 212.30.200.200 |
> | enable_dhcp | True |
> | gateway_ip | 157.157.8.1 |
> | host_routes | |
> | id | f505a109-07a7-420a-ae6b-aa5995126be7 |
> | ip_version | 4 |
> | ipv6_address_mode | |
> | ipv6_ra_mode | |
> | name | ext-subnet |
> | network_id | 523721c5-ea5d-42a1-8920-8bc75010f273 |
> | tenant_id | 1dda2478e30d44dda0ca752c6047725d |
> +-------------------+----------------------------------------------------+
> root@opst-ctrl1-dev:/#
>
> best regards
> Yngvi
>
>
> -----Original Message-----
> From: Brian Haley [mailto:brian.ha...@hp.com]
> Sent: 8. september 2015 16:45
> To: openstack@lists.openstack.org
> Subject: Re: [Openstack] port-delete issue
>
> On 09/08/2015 12:01 PM, Yngvi P?ll ?orfinnsson wrote:
>> HI
>>
>> I can't delete a subnet (id f505a109-07a7-420a-ae6b-aa5995126be7 ),
>> because one port is still in use.
>>
>> root@opst-ctrl1-dev:/# neutron subnet-delete
>> f505a109-07a7-420a-ae6b-aa5995126be7
>>
>> Unable to complete operation on subnet
>> f505a109-07a7-420a-ae6b-aa5995126be7. One or more ports have an IP
allocation from this subnet. (HTTP 409) (Request-ID:
>> req-fbd64f19-2888-4d87-8e60-bc2cc920cd12)
>
> Do you have a router on the subnet? Try deleting it.
>
> -Brian
>
> _______________________________________________
> Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
------------------------------
Message: 9
Date: Tue, 8 Sep 2015 17:42:09 +0000
From: Yngvi P?ll ?orfinnsson <yngv...@siminn.is>
To: Brian Haley <brian.ha...@hp.com>, "openstack@lists.openstack.org"
<openstack@lists.openstack.org>
Subject: Re: [Openstack] port-delete issue
Message-ID: <d2b7f0b84a664e88b340d120d923b...@simi-mbx-04.siminn.is>
Content-Type: text/plain; charset="iso-8859-1"
Those are the routers in the system (admin sees this)
root@opst-ctrl1-dev:/# neutron router-list
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
| id | name |
external_gateway_info | distributed | ha |
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
| 164ad471-5ab0-4109-acf5-f88de1e4b5f3 | gw | null
| False | False |
| 2371ae6e-8a07-464c-9b3e-3d7d35e96a59 | gw | null
| False | False |
| 45ab4a9a-c7fc-4cf6-844c-6265b5620121 | gw | null
| False | False |
| 50d16aec-adaf-431d-9b42-f8aff78ea5b8 | gw1 | null
| False | False |
| 546456aa-a312-48d5-8a3b-6031b1dcb3a9 | OskarTestRouter | null
| False | False |
| 78feb17a-9a29-4ddb-9477-914850d8f5d2 | ElasticRouter | null
| False | False |
| 7a06a85c-826a-4f00-a62f-5ae8586ea1fb | adminTest | null
| False | False |
| 7ba38ec5-49d9-4fc8-b77f-ef8a38e79af3 | Safni?-router | null
| False | False |
| 9e367dd6-ab2c-4949-a5e4-4d8d2787d84b | gw | null
| False | False |
| f05c4cc8-724e-4731-bea3-6ef68d794137 | gw1 | null
| False | False |
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
root@opst-ctrl1-dev:/#
but the port does not show up, when I list ports for each router with:
neutron router-port-list ROUTER-ID
but it does show up in the general port-list , like
root@opst-ctrl1-dev:/# neutron port-list | grep 157
| 220f1ad2-10bb-4d17-8cc5-3ad4f86f0b00 | | fa:16:3e:15:20:59 |
{"subnet_id": "f505a109-07a7-420a-ae6b-aa5995126be7", "ip_address":
"157.157.8.114"} |
Best regards
Yngvi
-----Original Message-----
From: Brian Haley [mailto:brian.ha...@hp.com]
Sent: 8. september 2015 17:33
To: Yngvi P?ll ?orfinnsson <yngv...@siminn.is>;
openstack@lists.openstack.org
Subject: Re: [Openstack] port-delete issue
My only other suggestion is to do a port-list with admin privs and look. I
can't tell if you're doing that as root != admin necessarily.
-Brian
On 09/08/2015 01:08 PM, Yngvi P?ll ?orfinnsson wrote:
> HI
> I don't see a router attached :
>
> root@opst-ctrl1-dev:/# neutron subnet-show ext-subnet
> +-------------------+----------------------------------------------------+
> | Field | Value |
> +-------------------+----------------------------------------------------+
> | allocation_pools | {"start": "157.157.8.100", "end": "157.157.8.200"} |
> | cidr | 157.157.8.0/24 |
> | dns_nameservers | 212.30.200.199 |
> | | 212.30.200.200 |
> | enable_dhcp | True |
> | gateway_ip | 157.157.8.1 |
> | host_routes | |
> | id | f505a109-07a7-420a-ae6b-aa5995126be7 |
> | ip_version | 4 |
> | ipv6_address_mode | |
> | ipv6_ra_mode | |
> | name | ext-subnet |
> | network_id | 523721c5-ea5d-42a1-8920-8bc75010f273 |
> | tenant_id | 1dda2478e30d44dda0ca752c6047725d |
> +-------------------+----------------------------------------------------+
> root@opst-ctrl1-dev:/#
>
> best regards
> Yngvi
>
>
> -----Original Message-----
> From: Brian Haley [mailto:brian.ha...@hp.com]
> Sent: 8. september 2015 16:45
> To: openstack@lists.openstack.org
> Subject: Re: [Openstack] port-delete issue
>
> On 09/08/2015 12:01 PM, Yngvi P?ll ?orfinnsson wrote:
>> HI
>>
>> I can't delete a subnet (id f505a109-07a7-420a-ae6b-aa5995126be7 ),
>> because one port is still in use.
>>
>> root@opst-ctrl1-dev:/# neutron subnet-delete
>> f505a109-07a7-420a-ae6b-aa5995126be7
>>
>> Unable to complete operation on subnet
>> f505a109-07a7-420a-ae6b-aa5995126be7. One or more ports have an IP
allocation from this subnet. (HTTP 409) (Request-ID:
>> req-fbd64f19-2888-4d87-8e60-bc2cc920cd12)
>
> Do you have a router on the subnet? Try deleting it.
>
> -Brian
>
> _______________________________________________
> Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
------------------------------
Message: 10
Date: Tue, 8 Sep 2015 23:42:38 +0000
From: Tristan Cacqueray <tdeca...@redhat.com>
To: openstack-annou...@lists.openstack.org,
openstack@lists.openstack.org
Subject: [Openstack] [OSSA 2015-018] Neutron firewall rules bypass
through port update (CVE-2015-5240)
Message-ID: <55ef726e.9040...@redhat.com>
Content-Type: text/plain; charset="utf-8"
================================================================
OSSA-2015-018: Neutron firewall rules bypass through port update
================================================================
:Date: September 08, 2015
:CVE: CVE-2015-5240
Affects
~~~~~~~
- Neutron: versions through 2014.2.3 and
2015.1 versions through 2015.1.1
Description
~~~~~~~~~~~
Kevin Benton from Mirantis reported a vulnerability in Neutron. By changing
the device owner of an instance's port right after it is created, an
authenticated user may prevent application of firewall rules and so avoid IP
anti-spoofing controls. All Neutron setups using the ML2 plugin or a plugin
that relies on the security groups AMQP API are affected.
Patches
~~~~~~~
- https://review.openstack.org/221345 (Juno)
- https://review.openstack.org/221344 (Kilo)
- https://review.openstack.org/221342 (Liberty)
Credits
~~~~~~~
- Kevin Benton from Mirantis (CVE-2015-5240)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1489111
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5240
Notes
~~~~~
- This fix will be included in future 2014.2.4 (juno) and
2015.1.2 (kilo) releases.
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.openstack.org/pipermail/openstack/attachments/20150908/de7365a
0/attachment-0001.pgp>
------------------------------
Message: 11
Date: Wed, 9 Sep 2015 12:09:04 +0530
From: saurabh suman <90.su...@gmail.com>
To: openstack@lists.openstack.org
Subject: [Openstack] Devstack multinode setup integration with
Opendaylight
Message-ID:
<cahosm6jfnkifmvv_g3z56ir9zlj8u6bsconmzkqs5zscdxn...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi,
I have a working 2 node openstack setup through devstack. Controller +
Compute + Opendaylight -> 192.168.10.1 and Compute -> 192.168.10.2
I have br-int and br-tun on both compute and controller node with their
manager set to ODL and each bridge is connected to controller, as evident
from ODL GUI.
*On controller node*:
[image: Inline image 1]
On Compute node
[image: Inline image 1]
I am able to create a network.But when I launch a cirros VM, in the logs I
see, *udhcpc (v1.21.1) started Sending discover... Sending discover...
Sending discover...*
My DHCP server is running with IP 10.20.30.2 (IP allocated from network
created) and corresponding tap device is attached to br-int. when I run
ovs-ofctl dump-ports br-int , I do not see any traffic going to dhcp tap
though tap device created for VM is sending packets.
After few minutes "lease fail" message is displayed and IP is not allocated
to VM.
Can anyone help me out here.
Regards,
Saurav
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.openstack.org/pipermail/openstack/attachments/20150909/eb80ffd
3/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Compute_OVS.JPG
Type: image/jpeg
Size: 54795 bytes
Desc: not available
URL:
<http://lists.openstack.org/pipermail/openstack/attachments/20150909/eb80ffd
3/attachment-0002.jpe>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: controller_OVS.JPG
Type: image/jpeg
Size: 79960 bytes
Desc: not available
URL:
<http://lists.openstack.org/pipermail/openstack/attachments/20150909/eb80ffd
3/attachment-0003.jpe>
------------------------------
Message: 12
Date: Wed, 9 Sep 2015 09:24:24 +0000
From: Yngvi P?ll ?orfinnsson <yngv...@siminn.is>
To: Brian Haley <brian.ha...@hp.com>, "openstack@lists.openstack.org"
<openstack@lists.openstack.org>
Subject: Re: [Openstack] port-delete issue
Message-ID: <9ca3e2f111064ecf8eccd3fcf1ef3...@simi-mbx-04.siminn.is>
Content-Type: text/plain; charset="iso-8859-1"
Hi
This is the solution ;-)
https://ask.openstack.org/en/question/67752/unable-to-delete-port/
best regards
Yngvi
-----Original Message-----
From: Yngvi P?ll ?orfinnsson
Sent: 8. september 2015 17:42
To: Brian Haley <brian.ha...@hp.com>; openstack@lists.openstack.org
Subject: Re: [Openstack] port-delete issue
Those are the routers in the system (admin sees this)
root@opst-ctrl1-dev:/# neutron router-list
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
| id | name |
external_gateway_info | distributed | ha |
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
| 164ad471-5ab0-4109-acf5-f88de1e4b5f3 | gw | null
| False | False |
| 2371ae6e-8a07-464c-9b3e-3d7d35e96a59 | gw | null
| False | False |
| 45ab4a9a-c7fc-4cf6-844c-6265b5620121 | gw | null
| False | False |
| 50d16aec-adaf-431d-9b42-f8aff78ea5b8 | gw1 | null
| False | False |
| 546456aa-a312-48d5-8a3b-6031b1dcb3a9 | OskarTestRouter | null
| False | False |
| 78feb17a-9a29-4ddb-9477-914850d8f5d2 | ElasticRouter | null
| False | False |
| 7a06a85c-826a-4f00-a62f-5ae8586ea1fb | adminTest | null
| False | False |
| 7ba38ec5-49d9-4fc8-b77f-ef8a38e79af3 | Safni?-router | null
| False | False |
| 9e367dd6-ab2c-4949-a5e4-4d8d2787d84b | gw | null
| False | False |
| f05c4cc8-724e-4731-bea3-6ef68d794137 | gw1 | null
| False | False |
+--------------------------------------+-----------------+------------------
-----+-------------+-------+
root@opst-ctrl1-dev:/#
but the port does not show up, when I list ports for each router with:
neutron router-port-list ROUTER-ID
but it does show up in the general port-list , like
root@opst-ctrl1-dev:/# neutron port-list | grep 157
| 220f1ad2-10bb-4d17-8cc5-3ad4f86f0b00 | | fa:16:3e:15:20:59 |
{"subnet_id": "f505a109-07a7-420a-ae6b-aa5995126be7", "ip_address":
"157.157.8.114"} |
Best regards
Yngvi
-----Original Message-----
From: Brian Haley [mailto:brian.ha...@hp.com]
Sent: 8. september 2015 17:33
To: Yngvi P?ll ?orfinnsson <yngv...@siminn.is>;
openstack@lists.openstack.org
Subject: Re: [Openstack] port-delete issue
My only other suggestion is to do a port-list with admin privs and look. I
can't tell if you're doing that as root != admin necessarily.
-Brian
On 09/08/2015 01:08 PM, Yngvi P?ll ?orfinnsson wrote:
> HI
> I don't see a router attached :
>
> root@opst-ctrl1-dev:/# neutron subnet-show ext-subnet
> +-------------------+----------------------------------------------------+
> | Field | Value |
> +-------------------+----------------------------------------------------+
> | allocation_pools | {"start": "157.157.8.100", "end": "157.157.8.200"} |
> | cidr | 157.157.8.0/24 |
> | dns_nameservers | 212.30.200.199 |
> | | 212.30.200.200 |
> | enable_dhcp | True |
> | gateway_ip | 157.157.8.1 |
> | host_routes | |
> | id | f505a109-07a7-420a-ae6b-aa5995126be7 |
> | ip_version | 4 |
> | ipv6_address_mode | |
> | ipv6_ra_mode | |
> | name | ext-subnet |
> | network_id | 523721c5-ea5d-42a1-8920-8bc75010f273 |
> | tenant_id | 1dda2478e30d44dda0ca752c6047725d |
> +-------------------+----------------------------------------------------+
> root@opst-ctrl1-dev:/#
>
> best regards
> Yngvi
>
>
> -----Original Message-----
> From: Brian Haley [mailto:brian.ha...@hp.com]
> Sent: 8. september 2015 16:45
> To: openstack@lists.openstack.org
> Subject: Re: [Openstack] port-delete issue
>
> On 09/08/2015 12:01 PM, Yngvi P?ll ?orfinnsson wrote:
>> HI
>>
>> I can't delete a subnet (id f505a109-07a7-420a-ae6b-aa5995126be7 ),
>> because one port is still in use.
>>
>> root@opst-ctrl1-dev:/# neutron subnet-delete
>> f505a109-07a7-420a-ae6b-aa5995126be7
>>
>> Unable to complete operation on subnet
>> f505a109-07a7-420a-ae6b-aa5995126be7. One or more ports have an IP
allocation from this subnet. (HTTP 409) (Request-ID:
>> req-fbd64f19-2888-4d87-8e60-bc2cc920cd12)
>
> Do you have a router on the subnet? Try deleting it.
>
> -Brian
>
> _______________________________________________
> Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
------------------------------
Message: 13
Date: Wed, 9 Sep 2015 17:26:59 +0800
From: hao wang <sxmatch1...@gmail.com>
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] [openstack][swift]Got error when installing swift
all in one.
Message-ID:
<CAOEh+o0714WzHCM1YFkoKS=o2bjpgh6t7cdcvhos+lzn0pr...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Hi, all
I was installing swift all-in-one in my virtual machine, OS is ubuntu 14.04.
But I got errors when I start the swift service by using "startmain" script:
liberasurecode[2969]: liberasurecode_backend_open: dynamic linking error
libJerasure.so: cannot open shared object file: No such file or directory
Traceback (most recent call last):
File "/usr/local/bin/swift-object-server", line 6, in <module>
exec(compile(open(__file__).read(), __file__, 'exec'))
File "/swift/bin/swift-object-server", line 19, in <module>
from swift.common.wsgi import run_wsgi
File "/swift/swift/common/wsgi.py", line 39, in <module>
from swift.common.storage_policy import BindPortsCache
File "/swift/swift/common/storage_policy.py", line 738, in <module>
reload_storage_policies()
File "/swift/swift/common/storage_policy.py", line 730, in
reload_storage_policies
_POLICIES = parse_storage_policies(policy_conf)
File "/swift/swift/common/storage_policy.py", line 686, in
parse_storage_policies
policy = policy_cls.from_config(policy_index, config_options)
File "/swift/swift/common/storage_policy.py", line 251, in from_config
return cls(policy_index, **policy_options)
File "/swift/swift/common/storage_policy.py", line 387, in __init__
ec_type=self._ec_type)
File "/usr/local/lib/python2.7/dist-packages/pyeclib/ec_iface.py",
line 172, in __init__
chksum_type=self.chksum_type)
File "/usr/local/lib/python2.7/dist-packages/pyeclib/utils.py", line 73,
in create_instance
instance = object_class(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/pyeclib/core.py", line 61, in
__init__
self.algsig_chksum)
pyeclib.Error: Invalid arguments passed to liberasurecode_instance_create
I'm sure the libjerasure2 has been installed. So is there a solution to fix
this issue?
Thanks.
--
Best Wishes For You!
------------------------------
Message: 14
Date: Wed, 09 Sep 2015 18:40:42 +0900
From: Kota TSUYUZAKI <tsuyuzaki.k...@lab.ntt.co.jp>
To: hao wang <sxmatch1...@gmail.com>
Cc: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: Re: [Openstack] [openstack][swift]Got error when installing
swift all in one.
Message-ID: <55effe9a.7030...@lab.ntt.co.jp>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi, Hao
Did you already do the setting for where shared jerasure library located?
The log message looks that Linux system doesn't have a seach path for that.
Like:
- Add /usr/local/lib path (if you installed libJerasure.so in another
location, you should set the path here) into /etc/ld.so.conf
- sudo ldconfig
That helps Linux system to search shared object library.
Details is described in here. [1]
1: https://bitbucket.org/kmgreen2/pyeclib
Best
Kota
(2015/09/09 18:26), hao wang wrote:
> Hi, all
>
> I was installing swift all-in-one in my virtual machine, OS is ubuntu
14.04.
>
> But I got errors when I start the swift service by using "startmain"
script:
>
> liberasurecode[2969]: liberasurecode_backend_open: dynamic linking
> error libJerasure.so: cannot open shared object file: No such file or
> directory
> Traceback (most recent call last):
> File "/usr/local/bin/swift-object-server", line 6, in <module>
> exec(compile(open(__file__).read(), __file__, 'exec'))
> File "/swift/bin/swift-object-server", line 19, in <module>
> from swift.common.wsgi import run_wsgi
> File "/swift/swift/common/wsgi.py", line 39, in <module>
> from swift.common.storage_policy import BindPortsCache
> File "/swift/swift/common/storage_policy.py", line 738, in <module>
> reload_storage_policies()
> File "/swift/swift/common/storage_policy.py", line 730, in
> reload_storage_policies
> _POLICIES = parse_storage_policies(policy_conf)
> File "/swift/swift/common/storage_policy.py", line 686, in
> parse_storage_policies
> policy = policy_cls.from_config(policy_index, config_options)
> File "/swift/swift/common/storage_policy.py", line 251, in from_config
> return cls(policy_index, **policy_options)
> File "/swift/swift/common/storage_policy.py", line 387, in __init__
> ec_type=self._ec_type)
> File "/usr/local/lib/python2.7/dist-packages/pyeclib/ec_iface.py",
> line 172, in __init__
> chksum_type=self.chksum_type)
> File "/usr/local/lib/python2.7/dist-packages/pyeclib/utils.py", line
> 73, in create_instance
> instance = object_class(*args, **kwargs)
> File "/usr/local/lib/python2.7/dist-packages/pyeclib/core.py", line
> 61, in __init__
> self.algsig_chksum)
> pyeclib.Error: Invalid arguments passed to liberasurecode_instance_create
>
>
> I'm sure the libjerasure2 has been installed. So is there a solution
> to fix this issue?
>
> Thanks.
------------------------------
Message: 15
Date: Wed, 09 Sep 2015 18:24:31 +0800
From: Ludwig Tirazona <ljtiraz...@codebridge.com.ph>
To: openstack@lists.openstack.org
Subject: [Openstack] Cannot Attach Volumes Via Horizon
Message-ID: <55f008df.9040...@codebridge.com.ph>
Content-Type: text/plain; charset=utf-8
Hello Everyone,
I devstacked a deployment, just for PoC purposes. I have a problem
wherein I can't attach volumes to instances via Horizon, but can do so
via the nova CLI tool, so it seems that Cinder and Nova are set up
properly. Right after attempting to attach a volume, Horizon gives me
this error: "Error: Unable to attach volume."
I took a look at the nova API logs, and I see this log:
2015-09-09 18:01:00.704 DEBUG nova.api.openstack.wsgi
[req-8bde1423-b8cf-4a7f-a743-92c2a5a26ae4 admin admin] Returning 400 to
user: Invalid input for field/attribute device. Value: . u'' does not
match '(^/dev/x{0,1}[a-z]{0,1}d{0,1})([a-z]+)[0-9]*$' from (pid=25349)
__call__ /opt/stack/nova/nova/api/openstack/wsgi.py:1175
It looks like nova-api is looking for a "/dev/something" value for u,
but Horizon only passes a blank value.
The following link has the logs for Horizon.
http://pastebin.com/DiwzW0tD
What can I do to fix this? Inelegant solutions are very much welcome, I
just want this to get working as soon as possible.
Help would be greatly appreciated. Thanks!
------------------------------
Message: 16
Date: Wed, 9 Sep 2015 13:41:00 +0200
From: Heiko Kr?mer <hkrae...@anynines.com>
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] Neutron with apache2 wsgi module don't ack
rabbitMQ messages
Message-ID: <55f01acc.8060...@anynines.com>
Content-Type: text/plain; charset=utf-8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi guys,
another day, another problem :).
* Icehouse
* Apache2.4
* Ubuntu 14.04
I'm scaling our Neutron API endpoints to different servers to reach more
throughput. In this case i decided to use apache2 with WSGI module to
run the server in multi threaded mode to use optimal all CPU cores and
handle more parallel requests.
I create a vHost and a wsgi startup script file
script:
|from neutron.openstack.common import log as logging
from neutron.common import config
logging.setup('neutron')
config.parse(['--config-file', '/etc/neutron/neutron.conf',
'--config-file', '/etc/neutron/plugins/ml2/ml2_conf.ini'])
application = config.load_paste_app("neutron")|
vhost:
|Listen *:9696
<VirtualHost *:9696>
WSGIScriptAlias / /var/www/cgi-bin/neutron
WSGIDaemonProcess neutron-public user=neutron group=neutron
processes=3 threads=10
WSGIProcessGroup neutron-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLog /var/log/apache2/neutron-error.log
CustomLog /var/log/apache2/neutron-access.log combined
</VirtualHost>|
So the server is running well, all requests are working well but i see
on the messaging bus (rabbitmq) unack messages in two queues as far as
the apache2 is running. The unack messages on both queues
(n-lbaas-plugin & q-metering-plugin) is increasing over time. As soon as
i switch to the build-IN webserver of Neutron all messages on both
queues will ack and deliver.
Is there any trick or is that a problem with multi thread ?
Cheers and thanks
Heiko
- --
anynines.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJV8BrMAAoJELxFogM4ixOF8WIH/Aw+nXtaIAzZIyHn6XdvDQqf
P2qDnGO460CtnKVYUBtLxxeTqOj0w2/g7A5ijvAXY97D0dSKmE08xwXFj1XA8zq9
kTT5IKOf6M6OhXkYnNJWVWD+qNSseL8svRrUOhjVCu+PQBlm2k7EDRtyG3OySWQo
M6RR9UvOUWZfnr8FJzA/p/K7Zha4POCoFjW3MxWJ9TC/Gv8+jhhO2HRBHz3H+OTE
abq1CFv8f7/RwDJ1z05ZVoy7QolACLCd2mEAjaUmvAGp+iqy7gU/NRwNagDjExHw
imwEO/DMYppz7//FUWCWQwNlu731sKIKBTx8DX2WeZz//rip0fi4vD8sys8NSsQ=
=HQfo
-----END PGP SIGNATURE-----
------------------------------
_______________________________________________
Openstack mailing list
openstack@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
End of Openstack Digest, Vol 27, Issue 8
****************************************
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
