Icehouse is EOL, Kilo is close (2 months), from http://releases.openstack.org/
and all but one have been back-ported to Liberty.
https://review.openstack.org/#/c/268373/ might be the only one not back-ported,
I'll try that cherry-pick today.
-Brian
On 03/04/2016 10:39 AM, Vincent Godin wrote:
I saw this behaviour on Icehouse and on Kilo releases
Vincent
2016-03-03 14:45 GMT+01:00 Brian Haley <brian.ha...@hpe.com
<mailto:brian.ha...@hpe.com>>:
On 3/3/16 4:48 AM, Vincent Godin wrote:
If you install Openstack using ipv4 but without disabling ipv6 (like
almost all distrib) a VM in any tenant is able to connect to every
daemon listening in ipv6 on the compute (ssh, libvirt and ...). This is
du to the interfaces in the linux bridge attach to the VM which have
ipv6 adresses by default and then are listening like all interfaces of
the host. To do this, you just have to configure an ipv6 address on a VM
of a tenant.
To protect, you can just disable ipv6 or configure all daemon on the
compute to listen only on ipv4 adresses
You didn't say which version you are running, but we did address this issue
in Liberty, with additional patches in Mitaka. Most changes have been
backported to the stable branches.
https://bugs.launchpad.net/nova/+bug/1470931
https://bugs.launchpad.net/neutron/+bug/1302080
https://bugs.launchpad.net/neutron/+bug/1534652
https://review.openstack.org/#/c/198054/
https://review.openstack.org/#/c/241076
https://review.openstack.org/#/c/268373/
https://review.openstack.org/#/c/275293/
Those reviews should have links to the changes that were cherry-picked to
stable.
-Brian
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
