From 4bdfd6235c0224ec51a411478d949525aeb37b02 Mon Sep 17 00:00:00 2001 From: Thomas Goirand Date: Tue, 10 Feb 2015 14:45:00 +0100 Subject: [PATCH] Refreshed patches. --- ...d-iptables-rules-to-protect-dnsmasq-.patch | 246 ------------------ debian/patches/better-config-default.patch | 194 -------------- .../defaults-closer-to-install-guide.patch | 16 +- debian/patches/series | 2 - 4 files changed, 10 insertions(+), 448 deletions(-) delete mode 100644 debian/patches/0001-Add-parameter-and-iptables-rules-to-protect-dnsmasq-.patch delete mode 100644 debian/patches/better-config-default.patch diff --git a/debian/patches/0001-Add-parameter-and-iptables-rules-to-protect-dnsmasq-.patch b/debian/patches/0001-Add-parameter-and-iptables-rules-to-protect-dnsmasq-.patch deleted file mode 100644 index 5014fc8b2..000000000 --- a/debian/patches/0001-Add-parameter-and-iptables-rules-to-protect-dnsmasq-.patch +++ /dev/null @@ -1,246 +0,0 @@ -From 4dde0ffdddeaddef219d0ff6d131d474ec190167 Mon Sep 17 00:00:00 2001 -From: Sylvain Afchain -Date: Thu, 12 Dec 2013 23:20:17 +0100 -Subject: [PATCH] Add parameter and iptables rules to protect dnsmasq ports - -Add a paramater to the configuration file of the dhcp -agent. With this new param set as true, iptables rules -are inserted to limit dns requests to dnsmasq only to -the clients which are on the same subnet. - -Change-Id: Iac3635326cb81d5de51b903510ff31cb6164aa86 -Closes-bug: #1260731 -Last-Update: 2014-06-30 ---- - etc/dhcp_agent.ini | 5 + - neutron/agent/linux/dhcp.py | 159 ++++++++++++++++++++ - neutron/tests/unit/test_linux_dhcp.py | 259 ++++++++++++++++++++++++++++++++- - 3 files changed, 421 insertions(+), 2 deletions(-) - -Index: neutron/etc/dhcp_agent.ini -=================================================================== ---- neutron.orig/etc/dhcp_agent.ini 2014-09-19 18:00:01.000000000 +0800 -+++ neutron/etc/dhcp_agent.ini 2014-09-19 18:10:15.000000000 +0800 -@@ -86,3 +86,8 @@ - # Timeout for ovs-vsctl commands. - # If the timeout expires, ovs commands will fail with ALARMCLOCK error. - # ovs_vsctl_timeout = 10 -+ -+# Limits the dns requests to dnsmasq only to clients which are on its subnet. -+# Useful when a subnet is routed to another one or in the case of an -+# external network. -+# isolate_dns_requests = False -Index: neutron/neutron/agent/linux/dhcp.py -=================================================================== ---- neutron.orig/neutron/agent/linux/dhcp.py 2014-09-19 18:09:42.000000000 +0800 -+++ neutron/neutron/agent/linux/dhcp.py 2014-09-19 18:10:15.000000000 +0800 -@@ -26,6 +26,7 @@ - import six - - from neutron.agent.linux import ip_lib -+from neutron.agent.linux import iptables_manager - from neutron.agent.linux import utils - from neutron.common import constants - from neutron.common import exceptions -@@ -57,6 +58,9 @@ - 'dnsmasq_lease_max', - default=(2 ** 24), - help=_('Limit number of leases to prevent a denial-of-service.')), -+ cfg.BoolOpt('isolate_dns_requests', default=False, -+ help=_("Allow dns requests to dnsmasq only from clients " -+ "on its subnet.")), - ] - - IPV4 = 4 -@@ -73,6 +77,7 @@ - METADATA_PORT = 80 - WIN2k3_STATIC_DNS = 249 - NS_PREFIX = 'qdhcp-' -+DNS_CHAIN_PREFIX = 'dns-' - - - class DictModel(dict): -@@ -775,7 +780,67 @@ - sock.close() - - -+class NamespaceIptablesManagerCache(object): -+ def __init__(self): -+ self.iptables_managers = {} -+ self.subnets = {} -+ -+ def get_or_create(self, network, root_helper): -+ ns = network.namespace -+ -+ im = self.iptables_managers.get(ns) -+ if not im: -+ im = iptables_manager.IptablesManager( -+ root_helper=root_helper, -+ use_ipv6=True, -+ namespace=network.namespace) -+ self.iptables_managers[ns] = im -+ -+ return im -+ -+ def is_up_to_date(self, network): -+ subnets = self.subnets.get(network.id) -+ current_subnets = set([subnet.id for subnet in network.subnets]) -+ return subnets == current_subnets -+ -+ def get(self, network): -+ return self.iptables_managers.get(network.namespace) -+ -+ def remove(self, network): -+ self.subnets.pop(network.id, None) -+ self.iptables_managers.pop(network.namespace, None) -+ -+ def apply(self, network): -+ im = self.iptables_managers.get(network.namespace) -+ if not im: -+ LOG.warn(_("apply called on a non existant iptables_manager " -+ "for network %s, get_or_create has to be called " -+ "before"), network.id) -+ return -+ -+ self.subnets[network.id] = set([subnet.id -+ for subnet in network.subnets]) -+ -+ im.apply() -+ -+ -+class InterfaceNameCache(object): -+ def __init__(self): -+ self.interface_names = {} -+ -+ def set(self, network, interface_name): -+ self.interface_names[network.id] = interface_name -+ -+ def get(self, network): -+ return self.interface_names.get(network.id) -+ -+ def remove(self, network): -+ self.interface_names.pop(network.id, None) -+ -+ - class DeviceManager(object): -+ iptables_manager_cache = NamespaceIptablesManagerCache() -+ interface_name_cache = InterfaceNameCache() - - def __init__(self, conf, root_helper, plugin): - self.conf = conf -@@ -924,6 +989,87 @@ - - return dhcp_port - -+ @staticmethod -+ def _get_isolation_rule(proto, chain, interface): -+ return ('-p %(proto)s -m %(proto)s ' -+ '--dport %(port)s -i %(interface)s ' -+ '-j $%(chain)s') % {'port': DNS_PORT, -+ 'proto': proto, -+ 'chain': chain, -+ 'interface': interface} -+ -+ def _remove_dns_isolation(self, network): -+ interface_name = DeviceManager.interface_name_cache.get(network) -+ if not interface_name: -+ LOG.warn(_("Error unable to get interface name for network: %s"), -+ network.id) -+ return -+ -+ im = DeviceManager.iptables_manager_cache.get(network) -+ if not im: -+ LOG.error(_("Error unable get the iptables manager created " -+ "for network %s"), network.id) -+ return -+ -+ rules_chain = iptables_manager.get_chain_name(DNS_CHAIN_PREFIX + -+ network.id) -+ -+ for tables in [im.ipv4, im.ipv6]: -+ tables['filter'].remove_chain(rules_chain) -+ -+ im.apply() -+ -+ DeviceManager.iptables_manager_cache.remove(network) -+ -+ def _apply_dns_isolation(self, network, interface_name=None): -+ if DeviceManager.iptables_manager_cache.is_up_to_date( -+ network): -+ return -+ -+ im = DeviceManager.iptables_manager_cache.get_or_create( -+ network, self.root_helper) -+ if not im: -+ LOG.error(_("Error unable to create or get an iptables manager " -+ "for network %s"), network.id) -+ return -+ -+ if not interface_name: -+ interface_name = DeviceManager.interface_name_cache.get(network) -+ if not interface_name: -+ LOG.error(_("Error unable to get interface name for network: %s"), -+ network.id) -+ return -+ -+ rules_chain = iptables_manager.get_chain_name(DNS_CHAIN_PREFIX + -+ network.id) -+ -+ for tables in [im.ipv4, im.ipv6]: -+ tables['filter'].add_chain(rules_chain) -+ -+ # empty_chain has to be called since a previous subnet -+ # could be now removed, with an empty chain only current subnet -+ # rules will be present. -+ tables['filter'].empty_chain(rules_chain) -+ tables['filter'].add_rule(rules_chain, '-j DROP') -+ -+ for proto in [UDP, TCP]: -+ rule = self._get_isolation_rule(proto, rules_chain, -+ interface_name) -+ tables['filter'].add_rule('INPUT', rule) -+ -+ # allow traffic from subnets everything else will be denied -+ for subnet in network.subnets: -+ if not subnet.enable_dhcp: -+ continue -+ -+ tables = im.ipv4 if subnet.ip_version == IPV4 else im.ipv6 -+ -+ rule = '-s ' + subnet.cidr + ' -j RETURN' -+ tables['filter'].add_rule(rules_chain, -+ rule, top=True) -+ -+ DeviceManager.iptables_manager_cache.apply(network) -+ - def setup(self, network): - """Create and initialize a device for network's DHCP on this host.""" - port = self.setup_dhcp_port(network) -@@ -962,6 +1108,9 @@ - if self.conf.use_namespaces: - self._set_default_route(network, interface_name) - -+ if self.conf.isolate_dns_requests: -+ self._apply_dns_isolation(network, interface_name) -+ - return interface_name - - def update(self, network, device_name): -@@ -969,9 +1118,17 @@ - if self.conf.use_namespaces: - self._set_default_route(network, device_name) - -+ if self.conf.isolate_dns_requests: -+ self._apply_dns_isolation(network) -+ - def destroy(self, network, device_name): - """Destroy the device used for the network's DHCP on this host.""" -+ if self.conf.isolate_dns_requests: -+ self._remove_dns_isolation(network) -+ - self.driver.unplug(device_name, namespace=network.namespace) - - self.plugin.release_dhcp_port(network.id, - self.get_device_id(network)) -+ -+ DeviceManager.interface_name_cache.remove(network) diff --git a/debian/patches/better-config-default.patch b/debian/patches/better-config-default.patch deleted file mode 100644 index b674adba9..000000000 --- a/debian/patches/better-config-default.patch +++ /dev/null @@ -1,194 +0,0 @@ -Description: Better config default - This patch makes it possible for the config file to be parsed and edited with - sed and grep. -Author: Thomas Goirand -Forwarded: not-needed -Last-Update: 2014-10-04 - -Index: neutron/etc/l3_agent.ini -=================================================================== ---- neutron.orig/etc/l3_agent.ini 2014-10-03 19:07:30.000000000 +0800 -+++ neutron/etc/l3_agent.ini 2014-10-03 19:11:29.000000000 +0800 -@@ -4,11 +4,10 @@ - - # L3 requires that an interface driver be set. Choose the one that best - # matches your plugin. --# interface_driver = - - # Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC) - # that supports L3 agent --# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver -+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver - - # Use veth for an OVS interface or not. - # Support kernels with limited namespace support -Index: neutron/etc/neutron.conf -=================================================================== ---- neutron.orig/etc/neutron.conf 2014-10-03 19:07:30.000000000 +0800 -+++ neutron/etc/neutron.conf 2014-10-03 19:11:29.000000000 +0800 -@@ -60,8 +60,8 @@ - # previous versions, the class name of a plugin can be specified instead of its - # entrypoint name. - # --# core_plugin = - # Example: core_plugin = ml2 -+core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin - - # (ListOpt) List of service plugin entrypoints to be loaded from the - # neutron.service_plugins namespace. See setup.cfg for the entrypoint names of -@@ -69,8 +69,8 @@ - # with previous versions, the class name of a plugin can be specified instead - # of its entrypoint name. - # --# service_plugins = - # Example: service_plugins = router,firewall,lbaas,vpnaas,metering -+service_plugins = neutron.services.loadbalancer.plugin.LoadBalancerPlugin,neutron.services.metering.metering_plugin.MeteringPlugin,neutron.services.l3_router.l3_router_plugin.L3RouterPlugin - - # Paste configuration file - # api_paste_config = api-paste.ini -@@ -340,7 +340,7 @@ - - # The RabbitMQ broker address where a single node is used. - # (string value) --#rabbit_host=localhost -+rabbit_host=localhost - - # The RabbitMQ broker port where a single node is used. - # (integer value) -@@ -353,10 +353,10 @@ - #rabbit_use_ssl=false - - # The RabbitMQ userid. (string value) --#rabbit_userid=guest -+rabbit_userid=guest - - # The RabbitMQ password. (string value) --#rabbit_password=guest -+rabbit_password=guest - - # the RabbitMQ login method (string value) - #rabbit_login_method=AMQPLAIN -@@ -543,7 +543,7 @@ - # Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real - # root filter facility. - # Change to "sudo" to skip the filtering and just run the comand directly --# root_helper = sudo -+root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf - - # =========== items for agent management extension ============= - # seconds between nodes reporting state to server; should be less than -@@ -563,14 +563,13 @@ - [database] - # This line MUST be changed to actually run the plugin. - # Example: --# connection = mysql://root:pass@127.0.0.1:3306/neutron - # Replace 127.0.0.1 above with the IP address of the database used by the - # main neutron server. (Leave it as is if the database runs on this host.) --# connection = sqlite:// - # NOTE: In deployment the [database] section and its connection attribute may - # be set in the corresponding core plugin '.ini' file. However, it is suggested - # to put the [database] section and its connection attribute in this - # configuration file. -+connection = sqlite:///var/lib/neutron/neutrondb - - # Database engine for which script will be generated when using offline - # migration -Index: neutron/etc/lbaas_agent.ini -=================================================================== ---- neutron.orig/etc/lbaas_agent.ini 2014-10-03 19:03:50.000000000 +0800 -+++ neutron/etc/lbaas_agent.ini 2014-10-03 19:11:29.000000000 +0800 -@@ -9,11 +9,10 @@ - - # LBaas requires an interface driver be set. Choose the one that best - # matches your plugin. --# interface_driver = - - # Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC, NVP, - # BigSwitch/Floodlight) --# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver -+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver - - # Use veth for an OVS interface or not. - # Support kernels with limited namespace support -Index: neutron/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini -=================================================================== ---- neutron.orig/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini 2014-10-03 19:03:50.000000000 +0800 -+++ neutron/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini 2014-10-03 19:11:29.000000000 +0800 -@@ -30,22 +30,22 @@ - # point setting tunnel_type below will be required to enable - # tunneling. - # --# enable_tunneling = False -+enable_tunneling = True - - # (StrOpt) The type of tunnel network, if any, supported by the plugin. If - # this is set, it will cause tunneling to be enabled. If this is not set and - # the option enable_tunneling is set, this will default to 'gre'. - # --# tunnel_type = - # Example: tunnel_type = gre - # Example: tunnel_type = vxlan -+tunnel_type = gre - - # (ListOpt) Comma-separated list of : tuples - # enumerating ranges of GRE or VXLAN tunnel IDs that are available for - # tenant network allocation if tenant_network_type is 'gre' or 'vxlan'. - # --# tunnel_id_ranges = - # Example: tunnel_id_ranges = 1:1000 -+tunnel_id_ranges = 1:1000 - - # Do not change this parameter unless you have a good reason to. - # This is the name of the OVS integration bridge. There is one per hypervisor. -@@ -70,7 +70,7 @@ - # empty for the server. Set local-ip to be the local IP address of - # this hypervisor. - # --# local_ip = -+local_ip = 127.0.0.1 - - # (ListOpt) Comma-separated list of : tuples - # mapping physical network names to the agent's node-specific OVS -@@ -151,40 +151,10 @@ - - [securitygroup] - # Firewall driver for realizing neutron security group function. --# firewall_driver = neutron.agent.firewall.NoopFirewallDriver - # Example: firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver -+# Example2: neutron.agent.firewall.NoopFirewallDriver -+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver - - # Controls if neutron security group is enabled or not. - # It should be false when you use nova security group. - # enable_security_group = True -- --#----------------------------------------------------------------------------- --# Sample Configurations. --#----------------------------------------------------------------------------- --# --# 1. With VLANs on eth1. --# [ovs] --# network_vlan_ranges = default:2000:3999 --# tunnel_id_ranges = --# integration_bridge = br-int --# bridge_mappings = default:br-eth1 --# --# 2. With GRE tunneling. --# [ovs] --# network_vlan_ranges = --# tunnel_id_ranges = 1:1000 --# integration_bridge = br-int --# tunnel_bridge = br-tun --# local_ip = 10.0.0.3 --# --# 3. With VXLAN tunneling. --# [ovs] --# network_vlan_ranges = --# tenant_network_type = vxlan --# tunnel_type = vxlan --# tunnel_id_ranges = 1:1000 --# integration_bridge = br-int --# tunnel_bridge = br-tun --# local_ip = 10.0.0.3 --# [agent] --# tunnel_types = vxlan diff --git a/debian/patches/defaults-closer-to-install-guide.patch b/debian/patches/defaults-closer-to-install-guide.patch index ea3591de1..3cc6c26e5 100644 --- a/debian/patches/defaults-closer-to-install-guide.patch +++ b/debian/patches/defaults-closer-to-install-guide.patch @@ -6,9 +6,11 @@ Author: Thomas Goirand Forwarded: no Last-Update: 2014-10-23 ---- neutron-2014.2.orig/etc/l3_agent.ini -+++ neutron-2014.2/etc/l3_agent.ini -@@ -19,7 +19,7 @@ interface_driver = neutron.agent.linux.i +Index: neutron/etc/l3_agent.ini +=================================================================== +--- neutron.orig/etc/l3_agent.ini 2015-02-09 20:14:20.000000000 +0100 ++++ neutron/etc/l3_agent.ini 2015-02-10 14:44:50.000000000 +0100 +@@ -20,7 +20,7 @@ # Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and # iproute2 package that supports namespaces). @@ -17,7 +19,7 @@ Last-Update: 2014-10-23 # If use_namespaces is set as False then the agent can only configure one router. -@@ -42,7 +42,7 @@ interface_driver = neutron.agent.linux.i +@@ -43,7 +43,7 @@ # Name of bridge used for external network traffic. This should be set to # empty value for the linux bridge. when this parameter is set, each L3 agent # can be associated with no more than one external network. @@ -26,8 +28,10 @@ Last-Update: 2014-10-23 # TCP Port used by Neutron metadata server # metadata_port = 9697 ---- neutron-2014.2.orig/etc/dhcp_agent.ini -+++ neutron-2014.2/etc/dhcp_agent.ini +Index: neutron/etc/dhcp_agent.ini +=================================================================== +--- neutron.orig/etc/dhcp_agent.ini 2015-02-09 20:13:12.000000000 +0100 ++++ neutron/etc/dhcp_agent.ini 2015-02-10 14:44:50.000000000 +0100 @@ -9,11 +9,10 @@ # The DHCP agent requires an interface driver be set. Choose the one that best diff --git a/debian/patches/series b/debian/patches/series index 72d5d2003..b504169f7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,5 +1,3 @@ -0001-Add-parameter-and-iptables-rules-to-protect-dnsmasq-.patch -better-config-default.patch fix-alembic-migrations-with-sqlite.patch working-ml2-defaults.patch defaults-closer-to-install-guide.patch -- 2.45.2