> Correction! The fix *is* included in the current/last Kilo release
> 2015.1.4, and therefore also in the Ubuntu Cloud Archive.

I'm sorry, but I have to correct myself again. The problem is still present in the latest (and presumably last! Kilo is EOL) Kilo release.

The bug is documented in https://bugs.launchpad.net/nova/+bug/1470931 for qbr* devices (as used with the ML2 OVS mechanism driver). It was fixed in master pre-Mitaka in https://review.openstack.org/198054. The fix was backported to Liberty in https://review.openstack.org/274796. But it was never backported to Kilo!

Therefore if you have qbr* interfaces, you will find that they have (link-local) IPv6 addresses, and that those can be used to talk to the hypervisor from instances.

The fix can be backported easily to Kilo:

--- /usr/lib/python2.7/dist-packages/nova/virt/libvirt/vif.py.BAK 2016-09-12 22:12:50.029797432 +0200 +++ /usr/lib/python2.7/dist-packages/nova/virt/libvirt/vif.py 2016-09-12 22:14:21.265444930 +0200 @@ -419,6 +419,13 @@ process_input='0', run_as_root=True, check_exit_code=[0, 1]) + disv6 = '/proc/sys/net/ipv6/conf/%s/disable_ipv6' % br_name + if os.path.exists(disv6): + utils.execute('tee', + disv6, + process_input='1', + run_as_root=True, + check_exit_code=[0, 1]) if not linux_net.device_exists(v2_name): linux_net._create_veth_pair(v1_name, v2_name)

This needs to be applied on all nova-compute nodes, then compiled with something like

    sudo python -m py_compile /usr/lib/python2.7/dist-packages/nova/virt/libvirt/vif.py

Then restart the nova-compute service, and new qbr* ports will have IPv6 disabled as it should be. Existing ports can be fixed by migrating them (or the instances they are attached to) to a host that has the fix installed.

The fact that we use an OpenStack release that doesn't even get security fixes anymore is a bit worrying to me...

Best regards,
-- 
Simon.
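Review bot: in the added `utils.execute('tee', disv6, ...)` call, `check_exit_code=[0, 1]` treats a failed write as success, so a bridge can keep its link-local IPv6 address without any error being raised. Since this write is the whole fix, consider `check_exit_code=[0]`, or log a warning when tee returns 1. The new lines also rely on `os.path.exists`, so confirm that `os` is imported in vif.py, which the hunk does not show.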
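A check for the condition described in the message above, as an added example (not part of the original post and not nova code): it lists the qbr* bridges on a compute node whose `disable_ipv6` setting is not 1, that is, ports created before the fix that still need migrating. The function name and the overridable directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit qbr* bridges for IPv6 that is still enabled.
# Usage on a compute node:  audit_qbr_ipv6
# The optional argument replaces /proc/sys/net/ipv6/conf so the function
# can be exercised against a constructed directory tree (assumption of
# this example; the real path is the one used in the patch).
audit_qbr_ipv6() {
    conf_root="${1:-/proc/sys/net/ipv6/conf}"
    exposed=0
    for dir in "$conf_root"/qbr*; do
        # An unmatched glob stays literal; skip it.
        [ -d "$dir" ] || continue
        knob="$dir/disable_ipv6"
        # No knob means the kernel exposes no IPv6 setting for this device.
        [ -r "$knob" ] || continue
        if [ "$(cat "$knob")" != "1" ]; then
            # Print the bridge name, e.g. qbr<port-id-prefix>.
            echo "${dir##*/}"
            exposed=$((exposed + 1))
        fi
    done
    # Exit status 0 only when every qbr* bridge has IPv6 disabled.
    [ "$exposed" -eq 0 ]
}
```

A non-zero exit status means at least one bridge was created before the patched vif.py was in place.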