[openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
I see a fix for https://bugs.launchpad.net/neutron/+bug/1244589 merged during Kilo. I'm wondering if we think we have identified a root cause and have merged an appropriate long-term fix, or if https://review.openstack.org/148718 was merged just so there's at least a fix available while we investigate other alternatives. Does anyone have an update to provide?

-Ryan

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
> On Jun 1, 2015, at 7:26 PM, Tidwell, Ryan wrote:
>
> I see a fix for https://bugs.launchpad.net/neutron/+bug/1244589 merged during
> Kilo. I'm wondering if we think we have identified a root cause and have
> merged an appropriate long-term fix, or if
> https://review.openstack.org/148718 was merged just so there's at least a fix
> available while we investigate other alternatives. Does anyone have an
> update to provide?
>
> -Ryan

The fix works in environments we’ve tested in. Are you still seeing problems?

mark

Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
Not seeing this on Kilo, we're seeing this on Juno builds (that's expected). I'm interested in a Juno backport, but mainly wanted to see if others had confidence in the fix. The discussion in the bug report also seemed to indicate there were other alternative solutions others might be looking into that didn't involve an iptables rule.

-Ryan

-----Original Message-----
From: Mark McClain [mailto:m...@mcclain.xyz]
Sent: Monday, June 01, 2015 6:47 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum

> On Jun 1, 2015, at 7:26 PM, Tidwell, Ryan wrote:
>
> I see a fix for https://bugs.launchpad.net/neutron/+bug/1244589 merged during
> Kilo. I'm wondering if we think we have identified a root cause and have
> merged an appropriate long-term fix, or if
> https://review.openstack.org/148718 was merged just so there's at least a fix
> available while we investigate other alternatives. Does anyone have an
> update to provide?
>
> -Ryan

The fix works in environments we’ve tested in. Are you still seeing problems?

mark

Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
I would propose a back-port of it and then continue the discussion on the patch. I don't see any major blockers for back-porting it.

On Mon, Jun 1, 2015 at 7:01 PM, Tidwell, Ryan wrote:

> Not seeing this on Kilo, we're seeing this on Juno builds (that's
> expected). I'm interested in a Juno backport, but mainly wanted to see
> if others had confidence in the fix. The discussion in the bug report also
> seemed to indicate there were other alternative solutions others might be
> looking into that didn't involve an iptables rule.
>
> -Ryan
>
> -----Original Message-----
> From: Mark McClain [mailto:m...@mcclain.xyz]
> Sent: Monday, June 01, 2015 6:47 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [Neutron] virtual machine can not get DHCP
> lease due packet has no checksum
>
> > On Jun 1, 2015, at 7:26 PM, Tidwell, Ryan wrote:
> >
> > I see a fix for https://bugs.launchpad.net/neutron/+bug/1244589 merged
> > during Kilo. I'm wondering if we think we have identified a root cause and
> > have merged an appropriate long-term fix, or if
> > https://review.openstack.org/148718 was merged just so there's at least a
> > fix available while we investigate other alternatives. Does anyone have an
> > update to provide?
> >
> > -Ryan
>
> The fix works in environments we’ve tested in. Are you still seeing
> problems?
>
> mark

--
Kevin Benton

Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
The fix should work fine. It is technically a workaround for the way checksums work in virtualised systems, and the unfortunate fact that some DHCP clients check checksums on packets where the hardware has checksum offload enabled. (This doesn't work due to an optimisation in the way QEMU treats packet checksums. You'll see the problem if your machine is running the VM on the same host as its DHCP server and the VM has a vulnerable client.)

I haven't tried it myself but I have confidence in it and would recommend a backport.
--
Ian.

On 1 June 2015 at 21:32, Kevin Benton wrote:

> I would propose a back-port of it and then continue the discussion on the
> patch. I don't see any major blockers for back-porting it.
>
> On Mon, Jun 1, 2015 at 7:01 PM, Tidwell, Ryan wrote:
>
>> Not seeing this on Kilo, we're seeing this on Juno builds (that's
>> expected). I'm interested in a Juno backport, but mainly wanted to see
>> if others had confidence in the fix. The discussion in the bug report also
>> seemed to indicate there were other alternative solutions others might be
>> looking into that didn't involve an iptables rule.
>>
>> -Ryan
>>
>> -----Original Message-----
>> From: Mark McClain [mailto:m...@mcclain.xyz]
>> Sent: Monday, June 01, 2015 6:47 PM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [Neutron] virtual machine can not get DHCP
>> lease due packet has no checksum
>>
>> > On Jun 1, 2015, at 7:26 PM, Tidwell, Ryan wrote:
>> >
>> > I see a fix for https://bugs.launchpad.net/neutron/+bug/1244589 merged
>> > during Kilo. I'm wondering if we think we have identified a root cause and
>> > have merged an appropriate long-term fix, or if
>> > https://review.openstack.org/148718 was merged just so there's at least
>> > a fix available while we investigate other alternatives. Does anyone have
>> > an update to provide?
>> >
>> > -Ryan
>>
>> The fix works in environments we’ve tested in. Are you still seeing
>> problems?
>>
>> mark
>
> --
> Kevin Benton

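An added illustration, not code from this thread or from Neutron, of the failure described in the message above: a receiver that verifies the UDP checksum rejects a DHCP reply whose checksum field was left for offload hardware to finish. The addresses, ports and truncated payload are constructed, and the model of the unfinished field (it holds only the pseudo-header sum) is an assumption based on how Linux transmit offload leaves it.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit ones' complement sum (RFC 1071), not yet inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header that the UDP checksum covers (protocol 17)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src, dst, sport, dport, payload, offload_pending=False) -> bytes:
    """Build a UDP segment; offload_pending models a checksum nobody finished."""
    length = 8 + len(payload)
    pseudo = pseudo_header(src, dst, length)
    if offload_pending:
        # Assumption: field holds only the pseudo-header sum, awaiting the NIC.
        csum = ones_sum(pseudo)
    else:
        header = struct.pack("!HHHH", sport, dport, length, 0)
        csum = (~ones_sum(pseudo + header + payload) & 0xFFFF) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def udp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side verification, as a strict DHCP client would apply it."""
    if segment[6:8] == b"\x00\x00":
        return True  # RFC 768: zero means the sender computed no checksum
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

# Constructed sample: DHCP server 192.0.2.1:67 replying to client 192.0.2.50:68.
SERVER, CLIENT = "192.0.2.1", "192.0.2.50"
REPLY = bytes([2, 1, 6, 0]) + bytes.fromhex("12345678")  # BOOTREPLY header + xid only

def demo() -> dict:
    filled = build_udp(SERVER, CLIENT, 67, 68, REPLY)
    pending = build_udp(SERVER, CLIENT, 67, 68, REPLY, offload_pending=True)
    return {
        "filled": udp_checksum_ok(SERVER, CLIENT, filled),
        "pending": udp_checksum_ok(SERVER, CLIENT, pending),
    }

if __name__ == "__main__":
    print(demo())  # the filled segment verifies; the pending one is rejected
```
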
Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
The backport seems reasonable IMO.

Is this tested in a multihost environment?

I ask, because given Ian's explanation (which probably I got wrong), the issue is in the NET->NIC->VM path while the patch fixes the path in the network node (this is run in the dhcp agent). dhcp->NIC->NET.

Best,
Miguel Ángel Ajo

On Tuesday, 2 June 2015 at 9:32, Ian Wells wrote:

> The fix should work fine. It is technically a workaround for the way
> checksums work in virtualised systems, and the unfortunate fact that some
> DHCP clients check checksums on packets where the hardware has checksum
> offload enabled. (This doesn't work due to an optimisation in the way QEMU
> treats packet checksums. You'll see the problem if your machine is running
> the VM on the same host as its DHCP server and the VM has a vulnerable
> client.)
>
> I haven't tried it myself but I have confidence in it and would recommend a
> backport.
> --
> Ian.
>
> On 1 June 2015 at 21:32, Kevin Benton wrote:
> > I would propose a back-port of it and then continue the discussion on the
> > patch. I don't see any major blockers for back-porting it.
> >
> > On Mon, Jun 1, 2015 at 7:01 PM, Tidwell, Ryan wrote:
> > > Not seeing this on Kilo, we're seeing this on Juno builds (that's
> > > expected). I'm interested in a Juno backport, but mainly wanted to
> > > see if others had confidence in the fix. The discussion in the bug
> > > report also seemed to indicate there were other alternative solutions
> > > others might be looking into that didn't involve an iptables rule.
> > >
> > > -Ryan
> > >
> > > -----Original Message-----
> > > From: Mark McClain [mailto:m...@mcclain.xyz]
> > > Sent: Monday, June 01, 2015 6:47 PM
> > > To: OpenStack Development Mailing List (not for usage questions)
> > > Subject: Re: [openstack-dev] [Neutron] virtual machine can not get DHCP
> > > lease due packet has no checksum
> > >
> > > > On Jun 1, 2015, at 7:26 PM, Tidwell, Ryan wrote:
> > > >
> > > > I see a fix for https://bugs.launchpad.net/neutron/+bug/1244589 merged
> > > > during Kilo. I'm wondering if we think we have identified a root cause
> > > > and have merged an appropriate long-term fix, or if
> > > > https://review.openstack.org/148718 was merged just so there's at least
> > > > a fix available while we investigate other alternatives. Does anyone
> > > > have an update to provide?
> > > >
> > > > -Ryan
> > >
> > > The fix works in environments we’ve tested in. Are you still seeing
> > > problems?
> > >
> > > mark
> >
> > --
> > Kevin Benton

Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
On 06/02/2015 10:10 AM, Miguel Ángel Ajo wrote:
> The backport seems reasonable IMO.
>
> Is this tested in a multihost environment?
>
> I ask, because given Ian's explanation (which probably I got
> wrong), the issue is in the NET->NIC->VM path while the patch fixes
> the path in the network node (this is run in the dhcp agent).
> dhcp->NIC->NET.

If a packet goes out of your real NIC, then it gets a proper checksum attached. So the issue is single host only.

Ihar

Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
Ooook, fully understood now.

Thanks Ihar & Ian for the clarification :)

Miguel Ángel Ajo

On Tuesday, 2 June 2015 at 13:33, Ihar Hrachyshka wrote:

> On 06/02/2015 10:10 AM, Miguel Ángel Ajo wrote:
> > The backport seems reasonable IMO.
> >
> > Is this tested in a multihost environment?
> >
> > I ask, because given Ian's explanation (which probably I got
> > wrong), the issue is in the NET->NIC->VM path while the patch fixes
> > the path in the network node (this is run in the dhcp agent).
> > dhcp->NIC->NET.
>
> If a packet goes out of your real NIC, then it gets a proper checksum
> attached. So the issue is single host only.
>
> Ihar

Re: [openstack-dev] [Neutron] virtual machine can not get DHCP lease due packet has no checksum
On 06/02/2015 12:32 AM, Ian Wells wrote:
> The fix should work fine. It is technically a workaround for the way
> checksums work in virtualised systems, and the unfortunate fact that some
> DHCP clients check checksums on packets where the hardware has checksum
> offload enabled. (This doesn't work due to an optimisation in the way QEMU
> treats packet checksums. You'll see the problem if your machine is running
> the VM on the same host as its DHCP server and the VM has a vulnerable
> client.)

Is that specific to DHCP clients, or does this issue affect UDP traffic in general?

rick jones