@Brian, That is exactly what I want to know.
Cheers, S On Thu, Mar 3, 2016 at 10:45 PM, Brian Haley <brian.ha...@hpe.com> wrote: > On 3/3/16 4:48 AM, Vincent Godin wrote: >> >> If you install Openstack using ipv4 but without disabling ipv6 (like >> almost all distrib) a VM in any tenant is able to connect to every >> daemon listening in ipv6 on the compute (ssh, libvirt and ...). This is >> du to the interfaces in the linux bridge attach to the VM which have >> ipv6 adresses by default and then are listening like all interfaces of >> the host. To do this, you just have to configure an ipv6 address on a VM >> of a tenant. >> To protect, you can just disable ipv6 or configure all daemon on the >> compute to listen only on ipv4 adresses > > > You didn't say which version you are running, but we did address this issue > in Liberty, with additional patches in Mitaka. Most changes have been > backported to the stable branches. > > https://bugs.launchpad.net/nova/+bug/1470931 > https://bugs.launchpad.net/neutron/+bug/1302080 > https://bugs.launchpad.net/neutron/+bug/1534652 > > https://review.openstack.org/#/c/198054/ > https://review.openstack.org/#/c/241076 > https://review.openstack.org/#/c/268373/ > https://review.openstack.org/#/c/275293/ > > Those reviews should have links to the changes that were cherry-picked to > stable. > > -Brian > > > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack -- Email: shin...@linux.com GitHub: shinobu-x Blog: Life with Distributed Computational System based on OpenSource _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
