Bug 1459960 - ipfailover keepalived image lacks IP Address validation
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.7.0
Assignee: Ben Bennett
QA Contact: zhaozhanqi
Depends On:
Reported: 2017-06-08 16:48 UTC by Ricardo Medina
Modified: 2017-11-28 21:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: No validation of IP addresses
Consequence: Bad IP addresses could be specified and break the ipfailover container
Fix: Validate the addresses
Result: Less brittle config
Clone Of:
Last Closed: 2017-11-28 21:56:55 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Origin (Github) 14527 0 None None None 2017-06-22 17:30:54 UTC
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description Ricardo Medina 2017-06-08 16:48:54 UTC
Description of problem:

The current ipfailover keepalived image doesn't support IPv6 addresses or ranges nor IP address validation. For example, adding an IPv6 address to the `oadm ipfailover` command will result in a new vrrp section pertaining to an address that only contains the numeric components of the address (for example, if using 2001:DB8:1ABC::1F39, one would end up with 200181139 as an IP address).

Version-Release number of selected component (if applicable):

How reproducible:
Always. Just pass any IPv6 address (or an invalid IPv4 address) to the `oadm ipfailover` command

Steps to Reproduce:
1. oadm ipfailover --virtual-ips=",2001:DB8:1ABC::1F39"
2. PODNAME=$(oc get pods |grep -o "^ipfailover[0-9a-zA-Z-]*") && oc exec ${PODNAME} cat /etc/keepalived/keepalived.conf 
3. Verify that one of the virtual_ipaddress sections contains "200181139"

Actual results:

Address 2001:DB8:1ABC::1F39 is represented as 200181139

Expected results:

Address 2001:DB8:1ABC::1F39 is represented as 2001:DB8:1ABC::1F39

Additional info:

I have a working patch for the image, for which I'll create a pull request referencing this bug.

Comment 1 Ricardo Medina 2017-06-09 19:57:51 UTC
Additional information: The github pull request for this BZ is:



Comment 3 zhaozhanqi 2017-07-05 06:41:55 UTC
Verified this bug on openshift v3.6.131

When an invalid IPv4/IPv6 address is given when creating the ipfailover pod, it returns the error:

# oadm ipfailover ipf1 --virtual-ips=2001:DB8::39FB:2::2
error: Invalid IP address: 2001:DB8::39FB:2::2
[root@host-8-175-105 ~]# oadm ipfailover ipf1 --virtual-ips=
error: Invalid IP address:
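
Added example, not code from the OpenShift project or the referenced pull request: a Go sketch of per-entry validation of a `--virtual-ips` value as verified in Comment 3, next to a model of the digit-only mangling reported in the description. The names `validateVirtualIPs` and `digitsOnly` are hypothetical, the error wording is illustrative, and range syntax is not handled.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// digitsOnly models the symptom from the report: every character that is not
// a decimal digit is dropped. It reproduces the observed output only; it is
// not the image's actual code.
func digitsOnly(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// validateVirtualIPs (hypothetical helper) splits a comma-separated value and
// rejects the whole input if any entry, including an empty one, is not a
// well-formed IPv4 or IPv6 address.
func validateVirtualIPs(value string) ([]net.IP, error) {
	var ips []net.IP
	for _, entry := range strings.Split(value, ",") {
		ip := net.ParseIP(strings.TrimSpace(entry))
		if ip == nil {
			return nil, fmt.Errorf("invalid IP address: %q", entry)
		}
		ips = append(ips, ip)
	}
	return ips, nil
}

func main() {
	// Constructed inputs, reusing the values quoted in this report.
	inputs := []string{
		"2001:DB8:1ABC::1F39",
		",2001:DB8:1ABC::1F39",
		"2001:DB8::39FB:2::2",
		"",
	}
	for _, v := range inputs {
		ips, err := validateVirtualIPs(v)
		fmt.Printf("%q -> ips=%v err=%v (digits only: %q)\n", v, ips, err, digitsOnly(v))
	}
}
```

Rejecting the input before any configuration is generated keeps a malformed entry from ever reaching `keepalived.conf`.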

Comment 7 errata-xmlrpc 2017-11-28 21:56:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

