Bug 1555001
Summary: | ifup ovs-bridge enables OVS internal port which leaks BUM traffic to the kernel | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Andreas Karis <akaris> |
Component: | initscripts | Assignee: | Jan Macku <jamacku> |
Status: | CLOSED ERRATA | QA Contact: | Daniel Rusek <drusek> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 8.2 | CC: | akaris, amuller, atragler, ctrautma, cww, dsneddon, fiezzi, initscripts-maint-list, kwalker, lnykryn, qding, rkhan, skramaja, supadhya, till, tredaelli, vcojot |
Target Milestone: | rc | Keywords: | Reopened, Triaged |
Target Release: | 8.4 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | initscripts-10.00.11-1.el8 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-05-18 14:56:07 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1628900 | | |
Bug Blocks: | 1628227, 1916632 | | |
Description
Andreas Karis
2018-03-13 18:29:31 UTC
We may also make a bad assumption here:
~~~
# When dhcp is not enabled, it is possible that someone may want
# a standalone bridge (i.e it may not have any ports). Configure it.
if [ "${OVSBOOTPROTO}" != "dhcp" ] && [ -z "${OVSINTF}" ] && \
   [ "${OVSBRIDGECONFIGURED}" != "yes" ]; then
        ${OTHERSCRIPT} ${CONFIG}
fi
exit 0
;;
~~~

By the way, another workaround - set OVSBRIDGECONFIGURED="yes".
~~~
[root@overcloud-compute-0 network-scripts]# tail -1 ifcfg-br-test
OVSBRIDGECONFIGURED="yes"
[root@overcloud-compute-0 network-scripts]# ifdown br-test
if[root@overcloud-compute-0 network-scripts]# ifup br-test
[root@overcloud-compute-0 network-scripts]# ip link ls dev br-test
32: br-test: <BROADCAST,PROMISC> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 66:a9:d8:73:d7:49 brd ff:ff:ff:ff:ff:ff
[root@overcloud-compute-0 network-scripts]#
~~~

(In reply to Andreas Karis from comment #2)
> By the way, another workaround - set OVSBRIDGECONFIGURED="yes".

Andreas, what do you think about the possibility of making changes to os-net-config to add OVSBRIDGECONFIGURED="yes" to OVS bridge ifcfg files? Is there a better way to go about fixing this, or is that a satisfactory solution?

I'm not aware of the implications of disabling the execution of /etc/sysconfig/network-scripts/ifup-eth altogether.
~~~
[root@overcloud-compute-0 network-scripts]# wc -l /etc/sysconfig/network-scripts/ifup-eth
350 /etc/sysconfig/network-scripts/ifup-eth
~~~
That's a rather long script. If it does nothing in our case, fine. But I think it did some steps related to NetworkManager, it also sets the MTU (yes, the interface should be down, but somebody could configure an interface as down with a given MTU), sets some things for firewall-cmd.

Added `-x` to ifup-eth and ran `ifup br-test` again:
~~~
[root@overcloud-compute-0 network-scripts]# ifup br-test
+ . /etc/init.d/functions
++ TEXTDOMAIN=initscripts
++ umask 022
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
++ export PATH
++ '[' 90058 -ne 1 -a -z '' ']'
++ '[' -d /run/systemd/system ']'
++ case "$0" in
++ '[' -z '' ']'
++ COLUMNS=80
++ '[' -z '' ']'
++ '[' -c /dev/stderr -a -r /dev/stderr ']'
+++ /sbin/consoletype
++ CONSOLETYPE=pty
++ '[' -z '' ']'
++ '[' -z '' ']'
++ '[' -f /etc/sysconfig/i18n -o -f /etc/locale.conf ']'
++ . /etc/profile.d/lang.sh
++ unset LANGSH_SOURCED
++ '[' -z '' ']'
++ '[' -f /etc/sysconfig/init ']'
++ . /etc/sysconfig/init
+++ BOOTUP=color
+++ RES_COL=60
+++ MOVE_TO_COL='echo -en \033[60G'
+++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
+++ SETCOLOR_FAILURE='echo -en \033[0;31m'
+++ SETCOLOR_WARNING='echo -en \033[0;33m'
+++ SETCOLOR_NORMAL='echo -en \033[0;39m'
++ '[' pty = serial ']'
++ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
++ '[' '' = 1 ']'
+++ cat /proc/cmdline
++ strstr 'BOOT_IMAGE=/boot/vmlinuz-3.10.0-693.17.1.el7.x86_64 root=UUID=fa414390-f78d-49d4-a164-54615a32977b ro console=tty0 console=ttyS0,115200n8 crashkernel=auto rhgb quiet default_hugepagesz=1GB hugepagesz=1G hugepages=32 iommu=pt intel_iommu=on isolcpus=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 nohz=on nohz_full=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 rcu_nocbs=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 tuned.non_isolcpus=00300003 intel_pstate=disable nosoftlockup' rc.debug
++ '[' 'BOOT_IMAGE=/boot/vmlinuz-3.10.0-693.17.1.el7.x86_64 root=UUID=fa414390-f78d-49d4-a164-54615a32977b ro console=tty0 console=ttyS0,115200n8 crashkernel=auto rhgb quiet default_hugepagesz=1GB hugepagesz=1G hugepages=32 iommu=pt intel_iommu=on isolcpus=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 nohz=on nohz_full=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 rcu_nocbs=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 tuned.non_isolcpus=00300003 intel_pstate=disable nosoftlockup' = 'BOOT_IMAGE=/boot/vmlinuz-3.10.0-693.17.1.el7.x86_64 root=UUID=fa414390-f78d-49d4-a164-54615a32977b ro console=tty0 console=ttyS0,115200n8 crashkernel=auto rhgb quiet default_hugepagesz=1GB hugepagesz=1G hugepages=32 iommu=pt intel_iommu=on isolcpus=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 nohz=on nohz_full=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 rcu_nocbs=2,4,6,8,10,12,14,16,18,22,24,26,28,30,32,34,36,38,3,5,7,9,11,13,15,17,19,23,25,27,29,31,33,35,37,39 tuned.non_isolcpus=00300003 intel_pstate=disable nosoftlockup' ']'
++ return 1
++ return 0
+ cd /etc/sysconfig/network-scripts
+ . ./network-functions
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin
++ export PATH
+++ hostname
++ HOSTNAME=overcloud-compute-0
++ '[' -z '/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d' ']'
+ '[' -f ../network ']'
+ . ../network
++ NOZEROCONF=yes
+ CONFIG=ifcfg-br-test
+ need_config ifcfg-br-test
+ local nconfig
+ CONFIG=ifcfg-ifcfg-br-test
+ '[' -f ifcfg-ifcfg-br-test ']'
+ CONFIG=ifcfg-br-test
+ '[' -f ifcfg-br-test ']'
+ return
+ source_config
+ CONFIG=ifcfg-br-test
+ DEVNAME=br-test
+ . /etc/sysconfig/network-scripts/ifcfg-br-test
++ DEVICE=br-test
++ ONBOOT=yes
++ HOTPLUG=no
++ NM_CONTROLLED=no
++ PEERDNS=no
++ DEVICETYPE=ovs
++ TYPE=OVSUserBridge
++ MTU=2000
++ OVS_EXTRA='set bridge br-test fail_mode=standalone'
+ '[' -r keys-br-test ']'
+ case "$TYPE" in
+ DEVICETYPE=ovs
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -z br-test -a -n '' ']'
+ '[' -z ovs ']'
+ '[' -z '' -a -n '' ']'
+ '[' -z '' ']'
+ REALDEVICE=br-test
+ '[' -z '' ']'
+ SYSCTLDEVICE=br-test
+ '[' br-test '!=' br-test ']'
+ ISALIAS=no
+ is_nm_running
+ dbus-send --system --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.freedesktop.NetworkManager
+ '[' br-test '!=' lo ']'
+ nm_con_load ifcfg-br-test
+ dbus-send --system --print-reply --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager/Settings org.freedesktop.NetworkManager.Settings.LoadConnections array:string:/etc/sysconfig/network-scripts/ifcfg-br-test
+ is_false no
+ case "$1" in
+ return 0
+ '[' '' = bootp -o '' = dhcp ']'
+ is_available br-test
+ '[' -z br-test ']'
+ '[' -d /sys/class/net/br-test ']'
+ return 0
+ '[' -n '' ']'
+ '[' OVSUserBridge = Bridge ']'
+ '[' OVSUserBridge = Tap ']'
+ '[' -n '' ']'
+ is_available_wait br-test
+ '[' -z br-test ']'
+ local retry=
+ is_available br-test
+ '[' -z br-test ']'
+ '[' -d /sys/class/net/br-test ']'
+ return 0
+ return 0
+ '[' -n '' ']'
+ '[' -n 2000 ']'
+ ip link set dev br-test mtu 2000
+ is_wireless_device br-test
+ '[' -x /usr/sbin/iw ']'
+ return 1
+ '[' -n '' ']'
+ '[' '' = yes -a no = no -a '' '!=' '' ']'
+ '[' no = no ']'
+ is_bonding_device br-test
+ '[' -f /sys/class/net/br-test/bonding/slaves ']'
+ '[' -n '' ']'
+ '[' -n '' ']'
+ '[' -z '' -a -z '' -a -z '' -a -z '' ']'
+ ip link set dev br-test up
+ ethtool_set
+ oldifs=' '
+ IFS=';'
+ '[' -n '' ']'
+ IFS=' '
+ '[' -n '' ']'
+ '[' -z yes -a no = no -a br-test '!=' lo ']'
+ '[' -x /usr/bin/firewall-cmd -a br-test '!=' lo ']'
+ /usr/bin/firewall-cmd --zone= --change-interface=br-test
+ '[' OVSUserBridge = Bridge ']'
+ /etc/sysconfig/network-scripts/ifup-ipv6 ifcfg-br-test
+ is_true ''
+ case "$1" in
+ return 1
+ exec /etc/sysconfig/network-scripts/ifup-post ifcfg-br-test
~~~
Otherwise, yes, we could push that with os-net-config. I guess the final solution, though, would best be a change to the init scripts (adding a flag) and then with os-net-config enabling or disabling the flag as desired. But I'm really unsure.

Hi, I think by far the best workaround is to use a hook: https://access.redhat.com/solutions/8694
~~~
cat <<'EOF'>/sbin/ifup-local
#!/bin/bash
# Called by ifup-post with the interface name as $1.
if=$1
# Only act on interfaces that are OVS bridges.
if /bin/ovs-vsctl show | grep Bridge | grep -Eq " ${if}\$"; then
  shutdown_interface=true
  # Keep the port up if it has an IPv4 address ...
  if [ "$(/sbin/ip a ls dev "$if" | grep -c 'inet ')" -ge 1 ]; then
    shutdown_interface=false
  # ... or at least two IPv6 addresses (more than just a link-local one).
  elif [ "$(/sbin/ip a ls dev "$if" | grep -c 'inet6 ')" -ge 2 ]; then
    shutdown_interface=false
  fi
  if $shutdown_interface ; then
    /sbin/ip link set dev "$if" down
  fi
fi
EOF
chmod +x /sbin/ifup-local
~~~
I'll have to test the above script a bit more, but quick and dirty and with some minimal testing, this seems to work and to be the way to go.

Workaround for the time being: https://access.redhat.com/solutions/3383521

Just a small update, I need to sync with NM guys to find out how they are solving this issue.

This bug depends on bug 1628900 for NetworkManager and bug 1650221 provides an alternative solution. Can you please confirm whether that would work for you and update the blocks field if it does. Thanks.

Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. 7.9 was the last minor release scheduled for RHEL 7. From initial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed.

From the RHEL life cycle page: https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase

"During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."

If this BZ was closed in error and meets the above criteria please re-open it, flag for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes: https://source.redhat.com/groups/public/pnt-cxno/pnt_customer_experience_and_operations_wiki/support_delivery_accelerated_fix_release_handbook

Feature Requests can be re-opened and moved to RHEL 8 if the desired functionality is not already present in the product. Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns.

[0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (initscripts bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1624
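
The rule applied by the `/sbin/ifup-local` hook in this thread (bring the bridge's internal port down unless it carries an address) can also be run read-only to audit a host for bridges left in the leaking state. This is an added example, not code from the bug report or from initscripts; the function names are hypothetical and the sample `ip` outputs are constructed.

```shell
#!/bin/bash
# Added example: report OVS bridges whose internal port is administratively UP
# but has no address, i.e. the state in which traffic flooded on the bridge
# reaches the kernel. Function names are hypothetical, samples are constructed.

# True if the flag list in `ip link ls dev X` output contains UP
# (LOWER_UP alone does not count).
port_is_admin_up() {
  printf '%s\n' "$1" | grep -Eq '<([^>]*,)?UP(,[^>]*)?>'
}

# Same rule as the ifup-local hook: one IPv4 or two IPv6 addresses.
port_has_address() {
  local v4 v6
  v4=$(printf '%s\n' "$1" | grep -c 'inet ' || true)
  v6=$(printf '%s\n' "$1" | grep -c 'inet6 ' || true)
  [ "$v4" -ge 1 ] || [ "$v6" -ge 2 ]
}

# classify_port LINK_OUTPUT ADDR_OUTPUT -> prints "exposed" or "ok"
classify_port() {
  if port_is_admin_up "$1" && ! port_has_address "$2"; then
    echo exposed
  else
    echo ok
  fi
}

# Live audit; needs ovs-vsctl and ip on the host.
audit_bridges() {
  local br
  for br in $(ovs-vsctl list-br); do
    echo "$br $(classify_port "$(ip link ls dev "$br")" "$(ip a ls dev "$br")")"
  done
}

# Constructed sample outputs for br-test.
LINK_DOWN='32: br-test: <BROADCAST,PROMISC> mtu 1500 qdisc noop state DOWN'
LINK_UP='32: br-test: <BROADCAST,PROMISC,UP,LOWER_UP> mtu 2000 state UNKNOWN'
ADDR_LL_ONLY='    inet6 fe80::64a9:d8ff:fe73:d749/64 scope link'
ADDR_V4='    inet 192.0.2.10/24 brd 192.0.2.255 scope global br-test'

if [ "${1:-}" = "--audit" ]; then audit_bridges; fi
```

Run with `--audit` on a host to list each bridge as `exposed` or `ok`; without arguments the script only defines the functions.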