[Openstack] [OSSA 2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)
= OSSA-2016-005: Potential reuse of revoked Identity tokens =

:Date: January 29, 2016
:CVE: CVE-2015-7546

Affects
~~~~~~~
- Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1
- Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2

Description
~~~~~~~~~~~
Liu Sheng reported a vulnerability in Keystone. By manipulating a token's content, an authenticated user may prevent its revocation. This can allow unauthorized access to cloud resources if a revoked token is intercepted by an attacker. Only Keystone setups using PKI or PKIZ tokens are affected.

Patches
~~~~~~~
- https://review.openstack.org/266045 (keystone) (Kilo)
- https://review.openstack.org/266607 (keystonemiddleware) (Kilo)
- https://review.openstack.org/266022 (keystone) (Liberty)
- https://review.openstack.org/265988 (keystonemiddleware) (Liberty)
- https://review.openstack.org/258141 (keystone) (Mitaka)
- https://review.openstack.org/258143 (keystonemiddleware) (Mitaka)

Credits
~~~~~~~
- Liu Sheng from Huawei (CVE-2015-7546)

References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1490804
- https://wiki.openstack.org/wiki/OSSN/OSSN-0062
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546

Notes
~~~~~
- The keystone fix is included in 2015.1.3 (Kilo) and will be included in a future 8.0.2 (Liberty) release.
- The keystonemiddleware fix will be included in future 1.5.4 (Kilo) and 2.3.3 (Liberty) releases.
- Both keystone and keystonemiddleware need to be updated.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Re: [Openstack] OpenStack Liberty + Nexus 9000 + VXLAN
On 2016-01-29 19:34, Michael Gale wrote:
> With liberty do I need to get the drivers myself?

I'm not 100% sure, but I remember something about a Cisco neutron module in the Liberty changelog... I suggest you check it out, maybe it helps...

Regards:
Peter
Re: [Openstack] Cells: *how* experimental?
On 01/29/2016 10:32 AM, Clint Byrum wrote:
> Excerpts from Rick Jones's message of 2016-01-29 09:41:05 -0800:
> > That the control plane (aggregate?) bandwidth for 1000 simulated nodes
> > is "just" 100 Mbit/s is good, but I suspect it is rather "chatty" and as
> > Clint somewhat warned, trying to run that across a WAN with non-trivial
> > latency may be "interesting."
>
> It's not something I'd try lightly. However, we do want to try it over
> city-wide WAN links (so, 20 miles or so), which shouldn't add too much
> latency, but certainly isn't _free_.

I would think that netem could be your inexpensive friend here. Either in the control nodes themselves, or in a linux box configured to route/bridge between them.

rick jones
Re: [Openstack] OpenStack Liberty + Nexus 9000 + VXLAN
Hello Brian and everyone else,

I went through the docs and they have the information I need for configuration, but I am having issues finding the drivers. On my Kilo environment under the neutron install the Cisco drivers exist under the ml2 plugins; however, on my Liberty install the Cisco drivers seem to be missing. If I check the neutron source, the stable/kilo branch has the drivers and the stable/liberty branch does not.

I posted the question here: https://ask.openstack.org/en/question/88047/where-are-the-cisco-drivers-in-stableliberty/

With liberty do I need to get the drivers myself?

Thanks
Michael

On Wed, Jan 27, 2016 at 5:16 PM, Brian Bowen (brbowen) wrote:
>
> VxLAN is supported by the Nexus plug-in from Kilo, check out the main page
> http://docwiki.cisco.com/wiki/OpenStack
>
> Will get you to
> http://docwiki.cisco.com/wiki/Neutron_ML2_Driver_For_Cisco_Nexus_Devices_Kilo_Release
>
> Brian B.
>
> From: Michael Gale
> Date: Wednesday, January 27, 2016 at 6:54 PM
> To: "openstack@lists.openstack.org"
> Subject: [Openstack] OpenStack Liberty + Nexus 9000 + VXLAN
>
> Hello,
>
> Is anyone running an OpenStack Kilo or Liberty release with Nexus 9K
> integration for VXLAN support?
>
> We would like to use the hardware acceleration on the N9K for VXLAN and
> are currently using linuxbridge in our OpenStack implementation.
>
> We are not using OpenVSwitch; in looking through the Cisco docs I can only
> find references to the Juno release with OpenVSwitch and DevStack.
>
> Any info or docs that someone can point me to would be greatly appreciated.
>
> Thanks
> Michael Gale

--
“The Man who says he can, and the man who says he can not.. Are both correct”
Re: [Openstack] Cells: *how* experimental?
Excerpts from Hinds, Luke (Nokia - GB/Bristol)'s message of 2016-01-29 01:35:38 -0800:
> From: EXT Tomas Vondra [von...@czech-itc.cz]
> Sent: Friday, January 29, 2016 9:04 AM
> To: openstack@lists.openstack.org
> Subject: Re: [Openstack] Cells: *how* experimental?
>
> Clint Byrum writes:
> > However, if you have some requirement to have everything under that
> > one region, I can say that even in a 1000 hypervisor simulation I don't
> > see more than 100Mbit of traffic to the control plane that all of the
> > nodes share. I'd expect 30 nodes to be quite a bit less traffic.
>
> Hmm, simulation you say? What do you use to simulate an OpenStack?
> Tomas
>
> I am also genuinely intrigued about this. Are your test results publicly
> available Clint?

We will be publishing our results, definitely, though I'm not sure where or when, hopefully soon. The experiments are ongoing. I will be submitting a talk to the next summit to present them as well, so we can hope it is accepted too.

Basically we've spun up 1000 docker containers with the nova "fake" virt driver, which doesn't actually start VMs or plumb networks, but lies to the control plane that it has done so. Then we're slamming that with many client threads and seeing what it does to the control plane, and what effect various configuration changes have on it.

Ideally we also land a smaller scale of this simulation as a test in the openstack CI system so we can maintain progress on improving handling such scale, similarly to the way the largeops job has prevented breaking larger scale operations.

Stay tuned, I'll try to remember to reply to this thread when we publish.
Re: [Openstack] Cells: *how* experimental?
Excerpts from Rick Jones's message of 2016-01-29 09:41:05 -0800:
> On 01/29/2016 01:35 AM, Hinds, Luke (Nokia - GB/Bristol) wrote:
> > I am also genuinely intrigued about this. Are your test results publicly
> > available Clint?
>
> And does this simulation happen to include the effect of WAN latency?-)

Negative. :)

> That the control plane (aggregate?) bandwidth for 1000 simulated nodes
> is "just" 100 Mbit/s is good, but I suspect it is rather "chatty" and as
> Clint somewhat warned, trying to run that across a WAN with non-trivial
> latency may be "interesting."

It's not something I'd try lightly. However, we do want to try it over city-wide WAN links (so, 20 miles or so), which shouldn't add too much latency, but certainly isn't _free_.
Re: [Openstack] Cells: *how* experimental?
On 01/29/2016 01:35 AM, Hinds, Luke (Nokia - GB/Bristol) wrote:
> I am also genuinely intrigued about this. Are your test results publicly
> available Clint?

And does this simulation happen to include the effect of WAN latency?-)

That the control plane (aggregate?) bandwidth for 1000 simulated nodes is "just" 100 Mbit/s is good, but I suspect it is rather "chatty" and as Clint somewhat warned, trying to run that across a WAN with non-trivial latency may be "interesting."

rick jones

> From: EXT Tomas Vondra [von...@czech-itc.cz]
> Sent: Friday, January 29, 2016 9:04 AM
> To: openstack@lists.openstack.org
> Subject: Re: [Openstack] Cells: *how* experimental?
>
> Clint Byrum writes:
> > However, if you have some requirement to have everything under that
> > one region, I can say that even in a 1000 hypervisor simulation I don't
> > see more than 100Mbit of traffic to the control plane that all of the
> > nodes share. I'd expect 30 nodes to be quite a bit less traffic.
>
> Hmm, simulation you say? What do you use to simulate an OpenStack?
> Tomas
Re: [Openstack] OpenStack Liberty - can't ping router gateway ip
Dear list,

I found the mistake by myself. I just had an inconsistent mapping in the section [linux_bridge] in the configuration option 'physical_interface_mappings'. I changed it to the correct settings. Now everything works as expected.

On 29.01.2016 at 15:16, Joerg Streckfuss wrote:
> Dear list,
>
> I got problems with a virtual router gateway IP. I set up a 3-node OpenStack setup (one controller, two compute nodes), using Liberty on CentOS 7, carefully following the instructions under http://docs.openstack.org/liberty/install-guide-rdo/. I'm using self-service networks with one flat provider network for external communication. I use VXLAN for overlay networks. As mechanism drivers I use linuxbridge and l2population. I can create project networks and initiate instances, which will get IPs from the DHCP server. So far, so good.
>
> When I try to create a virtual router to SSH to my VM, I can't ping the external gateway IP of the router on the controller node. As you can see the router has a gateway port with an external IP (10.11.200.1). The second one is the IP from the project network:
>
> [root@controller ~]# source admin-openrc.sh
> [root@controller ~]# neutron router-port-list router
> +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
> | id                                   | name | mac_address       | fixed_ips                                                                          |
> +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
> | 89724c5b-d8eb-45ed-a45d-051412d9cf2d |      | fa:16:3e:71:d2:7c | {"subnet_id": "ec0d4301-53b2-4eab-90c9-a03e1b784717", "ip_address": "10.11.200.1"} |
> | b1aeaf23-1bae-4f63-899d-30a50513c3c1 |      | fa:16:3e:d1:df:2e | {"subnet_id": "fc6a8af9-c510-4665-a083-b190989f75de", "ip_address": "172.16.1.1"}  |
> +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
>
> This IP is not pingable, neither from outside nor on the controller node.
>
> The needed net namespaces are available:
>
> [root@controller ~]# ip netns show
> qrouter-7236dab3-6653-4df7-90cc-b441df2ae75d
> qdhcp-1ff83e09-1777-4d53-95d8-bc3251eddbb1
> qdhcp-b7e5b2dd-0b8c-43ab-911a-107bf23858d6
>
> But I can ping the IP inside the router namespace:
>
> [root@controller ~]# ip netns exec qrouter-7236dab3-6653-4df7-90cc-b441df2ae75d ping -c1 10.11.200.1
> PING 10.11.200.1 (10.11.200.1) 56(84) bytes of data.
> 64 bytes from 10.11.200.1: icmp_seq=1 ttl=64 time=0.049 ms
>
> In /var/log/neutron/server.log I found the following interesting logs when creating the external provider network:
>
> 2016-01-29 13:35:58.842 8337 ERROR neutron.plugins.ml2.managers [req-6502530b-eb91-4c1d-85db-c9820e62 - - - - -] Failed to bind port 041d3057-44a1-4aa5-ba00-aa97a28b3d64 on host controller.openstack.dfn-cert.de
> 2016-01-29 13:35:58.842 8337 ERROR neutron.plugins.ml2.managers [req-6502530b-eb91-4c1d-85db-c9820e62 - - - - -] Failed to bind port 041d3057-44a1-4aa5-ba00-aa97a28b3d64 on host controller.openstack.dfn-cert.de
> 2016-01-29 13:35:58.864 8337 INFO neutron.plugins.ml2.plugin [req-6502530b-eb91-4c1d-85db-c9820e62 - - - - -] Attempt 2 to bind port 041d3057-44a1-4aa5-ba00-aa97a28b3d64
> 2016-01-29 13:36:00.230 8337 WARNING neutron.plugins.ml2.rpc [req-de947767-5bba-43f9-9313-26941c0a24d9 - - - - -] Device tap041d3057-44 requested by agent lb00221954bc3f on network 1ff83e09-1777-4d53-95d8-bc3251eddbb1 not bound, vif_type: binding_failed
>
> Here are the relevant configs:
>
> # cat /etc/neutron/plugins/ml2/ml2_conf.ini
> [ml2]
> type_drivers = flat,vlan,vxlan
> tenant_network_types = vxlan
> mechanism_drivers = linuxbridge,l2population
> extension_drivers = port_security
>
> [ml2_type_flat]
> flat_networks = testnet
>
> [ml2_type_vxlan]
> vni_ranges = 1:1000
>
> [securitygroup]
> enable_ipset = True
>
> # cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
> [linux_bridge]
> physical_interface_mappings = testnet:eth0
>
> [vxlan]
> enable_vxlan = True
> local_ip = 192.168.0.1
> l2_population = True
>
> [agent]
> prevent_arp_spoofing = True
>
> [securitygroup]
> enable_security_group = True
> firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
>
> I guess there is something broken with a missing bridge. Perhaps a bridge which connects to the external, physical interface eth0. When I list the bridges on the controller I get this:
>
> [root@controller ~]# brctl show
> bridge name     bridge id               STP enabled     interfaces
> brqb7e5b2dd-0b  8000.0285d4793974       no              tap1f5c2967-bd
>                                                         tapb1aeaf23-1b
>                                                         vxlan-55
>
> As I mentioned, I'm missing the external device eth0, which points to the external net. Does somebody have an idea about this?
>
> Many thanks in advance!
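The mistake reported above, a physical network name in the agent's physical_interface_mappings that does not match the name the ML2 server uses for the flat network, leaves ports unbindable on that host and produces the "Failed to bind port" / vif_type: binding_failed lines shown. The following is an added example, not code from this thread or from the neutron project; it cross-checks the two settings and extracts binding failures from server.log, using constructed config strings, log lines and host name modelled on the ones posted.

```python
import configparser
import re

# Constructed samples modelled on the configs posted in this thread.
ML2_CONF = """
[ml2_type_flat]
flat_networks = testnet
"""
AGENT_CONF_BAD = """
[linux_bridge]
physical_interface_mappings = provider:eth0
"""
AGENT_CONF_GOOD = """
[linux_bridge]
physical_interface_mappings = testnet:eth0
"""
# Constructed log lines in the format of the server.log excerpt in this thread.
SERVER_LOG = """\
2016-01-29 13:35:58.842 8337 ERROR neutron.plugins.ml2.managers [req-1 - - - - -] Failed to bind port 041d3057-44a1-4aa5-ba00-aa97a28b3d64 on host controller.example.org
2016-01-29 13:35:58.864 8337 INFO neutron.plugins.ml2.plugin [req-1 - - - - -] Attempt 2 to bind port 041d3057-44a1-4aa5-ba00-aa97a28b3d64
"""
BIND_FAIL = re.compile(r"Failed to bind port (?P<port>[0-9a-f-]{36}) on host (?P<host>\S+)")


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_mappings(agent_conf):
    """Return {physical_network: interface} from physical_interface_mappings."""
    cp = configparser.ConfigParser()
    cp.read_string(agent_conf)
    raw = cp.get("linux_bridge", "physical_interface_mappings", fallback="")
    mappings = {}
    for item in _csv(raw):
        if ":" not in item:
            raise ValueError("malformed mapping %r, expected physnet:iface" % item)
        physnet, iface = item.split(":", 1)
        mappings[physnet.strip()] = iface.strip()
    return mappings


def unmapped_flat_networks(ml2_conf, agent_conf):
    """Flat physical networks this agent cannot bind because it has no mapping.

    flat_networks = '*' (neutron's default) accepts any name, so nothing is checked."""
    cp = configparser.ConfigParser()
    cp.read_string(ml2_conf)
    flat = _csv(cp.get("ml2_type_flat", "flat_networks", fallback="*"))
    if "*" in flat:
        return []
    mappings = parse_mappings(agent_conf)
    return sorted(net for net in flat if net not in mappings)


def binding_failures(log_text):
    """Distinct (port, host) pairs whose binding failed, in log order."""
    return list(dict.fromkeys(m.group("port", "host") for m in BIND_FAIL.finditer(log_text)))


if __name__ == "__main__":
    print("unmapped flat networks:", unmapped_flat_networks(ML2_CONF, AGENT_CONF_BAD))
    print("binding failures:", binding_failures(SERVER_LOG))
```

On a real host, read /etc/neutron/plugins/ml2/ml2_conf.ini and linuxbridge_agent.ini into the two strings and feed /var/log/neutron/server.log to binding_failures to pair each failing port with the host whose mapping needs fixing.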
[Openstack] OpenStack Liberty - can't ping router gateway ip
Dear list,

I got problems with a virtual router gateway IP. I set up a 3-node OpenStack setup (one controller, two compute nodes), using Liberty on CentOS 7, carefully following the instructions under http://docs.openstack.org/liberty/install-guide-rdo/. I'm using self-service networks with one flat provider network for external communication. I use VXLAN for overlay networks. As mechanism drivers I use linuxbridge and l2population. I can create project networks and initiate instances, which will get IPs from the DHCP server. So far, so good.

When I try to create a virtual router to SSH to my VM, I can't ping the external gateway IP of the router on the controller node. As you can see the router has a gateway port with an external IP (10.11.200.1). The second one is the IP from the project network:

[root@controller ~]# source admin-openrc.sh
[root@controller ~]# neutron router-port-list router
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| id                                   | name | mac_address       | fixed_ips                                                                          |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
| 89724c5b-d8eb-45ed-a45d-051412d9cf2d |      | fa:16:3e:71:d2:7c | {"subnet_id": "ec0d4301-53b2-4eab-90c9-a03e1b784717", "ip_address": "10.11.200.1"} |
| b1aeaf23-1bae-4f63-899d-30a50513c3c1 |      | fa:16:3e:d1:df:2e | {"subnet_id": "fc6a8af9-c510-4665-a083-b190989f75de", "ip_address": "172.16.1.1"}  |
+--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+

This IP is not pingable, neither from outside nor on the controller node.

The needed net namespaces are available:

[root@controller ~]# ip netns show
qrouter-7236dab3-6653-4df7-90cc-b441df2ae75d
qdhcp-1ff83e09-1777-4d53-95d8-bc3251eddbb1
qdhcp-b7e5b2dd-0b8c-43ab-911a-107bf23858d6

But I can ping the IP inside the router namespace:

[root@controller ~]# ip netns exec qrouter-7236dab3-6653-4df7-90cc-b441df2ae75d ping -c1 10.11.200.1
PING 10.11.200.1 (10.11.200.1) 56(84) bytes of data.
64 bytes from 10.11.200.1: icmp_seq=1 ttl=64 time=0.049 ms

In /var/log/neutron/server.log I found the following interesting logs when creating the external provider network:

2016-01-29 13:35:58.842 8337 ERROR neutron.plugins.ml2.managers [req-6502530b-eb91-4c1d-85db-c9820e62 - - - - -] Failed to bind port 041d3057-44a1-4aa5-ba00-aa97a28b3d64 on host controller.openstack.dfn-cert.de
2016-01-29 13:35:58.842 8337 ERROR neutron.plugins.ml2.managers [req-6502530b-eb91-4c1d-85db-c9820e62 - - - - -] Failed to bind port 041d3057-44a1-4aa5-ba00-aa97a28b3d64 on host controller.openstack.dfn-cert.de
2016-01-29 13:35:58.864 8337 INFO neutron.plugins.ml2.plugin [req-6502530b-eb91-4c1d-85db-c9820e62 - - - - -] Attempt 2 to bind port 041d3057-44a1-4aa5-ba00-aa97a28b3d64
2016-01-29 13:36:00.230 8337 WARNING neutron.plugins.ml2.rpc [req-de947767-5bba-43f9-9313-26941c0a24d9 - - - - -] Device tap041d3057-44 requested by agent lb00221954bc3f on network 1ff83e09-1777-4d53-95d8-bc3251eddbb1 not bound, vif_type: binding_failed

Here are the relevant configs:

# cat /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security

[ml2_type_flat]
flat_networks = testnet

[ml2_type_vxlan]
vni_ranges = 1:1000

[securitygroup]
enable_ipset = True

# cat /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = testnet:eth0

[vxlan]
enable_vxlan = True
local_ip = 192.168.0.1
l2_population = True

[agent]
prevent_arp_spoofing = True

[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

I guess there is something broken with a missing bridge. Perhaps a bridge which connects to the external, physical interface eth0. When I list the bridges on the controller I get this:

[root@controller ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
brqb7e5b2dd-0b  8000.0285d4793974       no              tap1f5c2967-bd
                                                        tapb1aeaf23-1b
                                                        vxlan-55

As I mentioned, I'm missing the external device eth0, which points to the external net. Does somebody have an idea about this?

Many thanks in advance!
Re: [Openstack] Cells: *how* experimental?
I am also genuinely intrigued about this. Are your test results publicly available Clint?

From: EXT Tomas Vondra [von...@czech-itc.cz]
Sent: Friday, January 29, 2016 9:04 AM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] Cells: *how* experimental?

Clint Byrum writes:
> However, if you have some requirement to have everything under that
> one region, I can say that even in a 1000 hypervisor simulation I don't
> see more than 100Mbit of traffic to the control plane that all of the
> nodes share. I'd expect 30 nodes to be quite a bit less traffic.

Hmm, simulation you say? What do you use to simulate an OpenStack?
Tomas
Re: [Openstack] Cells: *how* experimental?
Clint Byrum writes:
> However, if you have some requirement to have everything under that
> one region, I can say that even in a 1000 hypervisor simulation I don't
> see more than 100Mbit of traffic to the control plane that all of the
> nodes share. I'd expect 30 nodes to be quite a bit less traffic.

Hmm, simulation you say? What do you use to simulate an OpenStack?
Tomas