[Yahoo-eng-team] [Bug 1861493] [NEW] Nova sends an "X-Service-Token" header when "send_service_user_token" is disabled
Public bug reported: Description === In the interaction between nova-api and cinder, it is possible to enable the required check of service_user tokens. When I try to explicitly turn off the sending of the user’s service token and enable the mandatory check of its availability on the receiving side, I do not get the expected error because the X-Service-Token header is still sent by nova-api. Steps to reproduce == cinder includes required token checking: [keystone_authtoken] ... service_token_roles = admin service_token_roles_required = true in nova, token sending is explicitly disabled and the user service is not set: [service_user] send_service_user_token = false verification is performed on the example of the operation of volume attach: openstack server add volume 0801102f-f9ba-42c5-b32a-85b4a7465122 a7fd514c-c871-4f69-a89f-bd44864a5814 --device /dev/vdb Expected result === with this configuration, error 401 is expected Actual result = no errors occur and the attach operation is successful. multiple checks were made including the option to completely restart the servers Environment === CentOS 7 release: train nova: 15.1.0 cinder: 5.0.0 Logs & Configs == we intercept requests that go to the cinder port (8776) and we see that 192.168.50.81.49226 (which is the nova-api process) sends requests with the X-Service-Token header (which we previously disabled in nova.conf). Full log (req/res) of adding volume in attachment. [root@centos ~]# tcpdump -i enp2s0f0 -n -S -s 1024 -A 'tcp dst port 8776' 06:20:21.870330 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696694971:1696695677, ack 922604522, win 58, options [nop,nop,TS val 3747722 ecr 3644290], length 706 E5@.@.2Q..2P.J"He!..6..:... .9/..7..GET /v3/27c47772a3f442e4a81decb6b68e8376/volumes/a7fd514c-c871-4f69-a89f-bd44864a5814 HTTP/1.1 Host: 192.168.50.80:8776 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: application/json User-Agent: python-cinderclient X-Service-Token: gABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0 X-Auth-Token: gABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg X-OpenStack-Request-ID: req-a4ad6f8b-3f49-44d0-99b4-b7fa026017c6 06:20:22.184182 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [.], ack 922606483, win 65, options [nop,nop,TS val 3748036 ecr 3644604], length 0 E..4.6@.@.2Q..2P.J"He!.}6..A... .90..7.. 06:20:22.547486 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696695677:1696696271, ack 922606483, win 65, options [nop,nop,TS val 3748399 ecr 3644604], length 594 E7@.@..H..2Q..2P.J"He!.}6..AG.. .92/.7..GET / HTTP/1.1 Host: 192.168.50.80:8776 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: nova-api keystoneauth1/3.17.1 python-requests/2.21.0 CPython/2.7.5 X-Service-Token: gABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0 X-Auth-Token: gABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg 06:20:22.553939 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [.], ack 922607474, win 71, options [nop,nop,TS val 3748405 ecr 3644974], length 0 E..4.8@.@.2Q..2P.J"He!..6..r...G... .925.7.. 06:20:22.564940 IP 192.168.50.81.49226 > 192.168.50.80.8776: Flags [P.], seq 1696696271:1696697181, ack 922607474, win 71, options [nop,nop,TS val 3748416 ecr 3644974], length 910 E9@.@.. ..2Q..2P.J"He!..6..r...G... .9...@.7..post /v3/27c47772a3f442e4a81decb6b68e8376/attachments HTTP/1.1 Host: 192.168.50.80:8776 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: application/json User-Agent: python-cinderclient X-Service-Token: gABeMrv1SxDwllx8lrDYiP6o0kMlr1hJu34q2N7WgTcsQ15GXU7s2EDG91DX0XOUz0YTS9Q-_nxuRJ5lbZfWDBgk2spJr9csJ1VhNWQhrZUZWhkBk3KMU6GwgC0X3kO5o4dIw41rj1VmH4TfIdV9bSEWjA3qMLjVYKdryyUzhCN1gZQISl0 X-Auth-Token: gABeMrv0vSJ6P8pLF7BDLimZ_LxhvKYCvEzWk_TZ62hIaDNnlFHRMx1rrIvDNl6Z78mv6C-EYWRqvURHCP6x9FCuhd16-i25gO4AUVi2Qo2-N-wpxO6dnbOHuuI6G8gtYu3ZPMuaHkn3uk-aaf7zh3PZ__OQy4mtZir6Qt7b5xqPb4QJcGg OpenStack-API-Version: volume 3.44 Content-Type: application/json X-OpenStack-Request-ID: req-a4ad6f8b-3f49-44d0-99b4-b7fa026017c6 Content-Length: 147 ** Affects: nova Importance: Undecided Status: New ** Attachment added: "with_disabled_service_user.log" https://bugs.launchpad.net/bugs/1861493/+attachment/5324405/+files/with_disabled_service_user.log -- You received
[Yahoo-eng-team] [Bug 1526818] Re: Install guide: Add arp_ignore (sysctl.conf) to the other IP options
** Changed in: openstack-manuals Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1526818 Title: Install guide: Add arp_ignore (sysctl.conf) to the other IP options Status in neutron: New Status in OpenStack Compute (nova): Invalid Status in openstack-manuals: Fix Released Bug description: We are facing a very strange behaviour of ARP in tenant networks, causing Windows guests to incorrectly decline DHCP addresses. These VMs apparently do an ARP request for the address they have been offered, discarding them in case a different MAC is reporting to own that IP already. We are using openvswitch-agent with ml2 plugin. Investigating this issue using Linux guests. Please look at the following example. A VM with the fixed-ip 192.168.1.15 reports the following ARP cache: root@michael-test2:~# arp Address HWtype HWaddress Flags Mask Iface host-192-168-1-2.openst ether fa:16:3e:de:ab:ea C eth0 192.168.1.13 ether a6:b2:dc:d8:39:c1 C eth0 192.168.1.119(incomplete) eth0 host-192-168-1-20.opens ether fa:16:3e:76:43:ce C eth0 host-192-168-1-19.opens ether fa:16:3e:0d:a6:0b C eth0 host-192-168-1-1.openst ether fa:16:3e:2a:81:ff C eth0 192.168.1.14 ether 0e:bf:04:b7:ed:52 C eth0 Both 192.168.1.13 and 192.168.1.14 do not exist in this subnet, and their MAC addresses a6:b2:dc:d8:39:c1 and 0e:bf:04:b7:ed:52 actually belong to other instance qbr* and qvb* devices, living on their respective hypervisor hosts! Looking at 0e:bf:04:b7:ed:52, for example, yields # ip link list | grep -C1 -e 0e:bf:04:b7:ed:52 59: qbr9ac24ac1-e1:mtu 1500 qdisc noqueue state UP mode DEFAULT group default link/ether 0e:bf:04:b7:ed:52 brd ff:ff:ff:ff:ff:ff 60: qvo9ac24ac1-e1: mtu 1500 qdisc pfifo_fast master ovs-system state UP mode DEFAULT group default qlen 1000 -- 61: qvb9ac24ac1-e1: mtu 1500 qdisc pfifo_fast master qbr9ac24ac1-e1 state UP mode DEFAULT group default qlen 1000 link/ether 0e:bf:04:b7:ed:52 brd ff:ff:ff:ff:ff:ff 62: tap9ac24ac1-e1: mtu 1500 qdisc pfifo_fast master qbr9ac24ac1-e1 state UNKNOWN mode DEFAULT group default qlen 500 on the compute node. Using tcpdump on qbr9ac24ac1-e1 on the host and triggering a fresh ARM lookup from the guest results in # tcpdump -i qbr9ac24ac1-e1 -vv -l | grep ARP tcpdump: WARNING: qbr9ac24ac1-e1: no IPv4 address assigned tcpdump: listening on qbr9ac24ac1-e1, link-type EN10MB (Ethernet), capture size 65535 bytes 14:00:32.089726 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.14 tell 192.168.1.15, length 28 14:00:32.089740 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.14 is-at 0e:bf:04:b7:ed:52 (oui Unknown), length 28 14:00:32.090141 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.14 is-at 7a:a5:71:63:47:94 (oui Unknown), length 28 14:00:32.090160 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.14 is-at 02:f9:33:d5:04:0d (oui Unknown), length 28 14:00:32.090168 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.14 is-at 9a:a0:46:e4:03:06 (oui Unknown), length 28 Four different devices are claiming to own the non-existing IP address! Looking them up in neutron shows they are all related to existing ports on the subnet, but different ones: # neutron port-list | grep -e 47fbb8b5-55 -e 46647cca-32 -e e9e2d7c3-7e -e 9ac24ac1-e1 | 46647cca-3293-42ea-8ec2-0834e19422fa | | fa:16:3e:7d:9c:45 | {"subnet_id": "25dbbdc0-f438-4f89-8663-1772f9c7ef36", "ip_address": "192.168.1.8"} | | 47fbb8b5-5549-46e4-850e-bd382375e0f8 | | fa:16:3e:fa:df:32 | {"subnet_id": "25dbbdc0-f438-4f89-8663-1772f9c7ef36", "ip_address": "192.168.1.7"} | | 9ac24ac1-e157-484e-b6a2-a1dded4731ac | | fa:16:3e:2a:80:6b | {"subnet_id": "25dbbdc0-f438-4f89-8663-1772f9c7ef36", "ip_address": "192.168.1.15"} | | e9e2d7c3-7e58-4bc2-a25f-d48e658b2d56 | | fa:16:3e:0d:a6:0b | {"subnet_id": "25dbbdc0-f438-4f89-8663-1772f9c7ef36", "ip_address": "192.168.1.19"} | Environment: Host: Ubuntu server 14.04 Kernel: linux-image-generic-lts-vivid, 3.19.0-39-generic #44~14.04.1-Ubuntu SMP Wed Dec 2 10:00:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux OpenStack
[Yahoo-eng-team] [Bug 1620835] Re: Add timestamp fields for neutron ext resources
This document is autogenerated. ** Changed in: openstack-manuals Status: New => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1620835 Title: Add timestamp fields for neutron ext resources Status in neutron: Invalid Status in openstack-manuals: Fix Released Bug description: https://review.openstack.org/312873 Dear bug triager. This bug was created since a commit was marked with DOCIMPACT. Your project "openstack/neutron" is set up so that we directly report the documentation bugs against it. If this needs changing, the docimpact-group option needs to be added for the project. You can ask the OpenStack infra team (#openstack-infra on freenode) for help if you need to. commit 17b88cd4539cd5fa096115b76fd4a21036395360 Author: ZhaoBoDate: Thu May 5 17:16:23 2016 +0800 Add timestamp fields for neutron ext resources Propose a new extension named "timestamp_ext" to add timestamp to neutron ext resources like router/floatingip/security_group/security_group_rule. APIImpact DocImpact: Neutron ext resources now contain 'timestamp' fields like 'created_at' and 'updated_at' Implements: blueprint add-neutron-extension-resource-timestamp Change-Id: I78b00516e31ce83376d37f57299b2229b6fb8fcf To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1620835/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1400814] Re: Libvirt: SMB volume driver
** Project changed: openstack-manuals => nova ** Changed in: nova Milestone: liberty => None -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1400814 Title: Libvirt: SMB volume driver Status in OpenStack Compute (nova): Confirmed Bug description: https://review.openstack.org/131734 commit 561f8afa5fbc7d94cd65616225597850585d909f Author: Lucian PetrutDate: Tue Oct 28 14:49:26 2014 +0200 Libvirt: SMB volume driver Currently, there are Libvirt volume drivers that support network-attached file systems such as Gluster or NFS. This patch adds a new volume driver in order to support attaching volumes hosted on SMB shares. Co-Authored-By: Gabriel Samfira DocImpact Change-Id: I1db3d2a6d8ee94932348c63cc03698fdefff0b5c Implements: blueprint libvirt-smbfs-volume-support To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1400814/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1430365] Re: config drive table force_config_drive parameter values do not match Impl
** Changed in: openstack-manuals Status: Confirmed => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1430365 Title: config drive table force_config_drive parameter values do not match Impl Status in OpenStack Compute (nova): Invalid Status in openstack-manuals: Invalid Bug description: The config drive table [1] describes for the force_config_drive parameter the following options: Default: None Other Options: always But looking at the code [2], only the following values are allowed: always, True, False What does the current default 'None' mean? Is it really a value? Or desribes it the abscense of the parameter? I could not configure it for the force_config_drive option. The abscense of the parameter is the same as 'False', so I guess that's the correct default, isn't it? The docs should be updated accordingly. [1] https://github.com/openstack/openstack-manuals/blob/master/doc/common/tables/nova-configdrive.xml [2] https://github.com/openstack/nova/blob/master/nova/virt/configdrive.py To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1430365/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1477741] Re: Execute _poll_shelved_instances only if shelved_offload_time is > 0
** Project changed: openstack-manuals => nova ** Changed in: nova Milestone: liberty => None -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1477741 Title: Execute _poll_shelved_instances only if shelved_offload_time is > 0 Status in OpenStack Compute (nova): In Progress Bug description: https://review.openstack.org/201436 commit abf20cd57023039958091c39f6cdb775c912c9ac Author: abhishekkekaneDate: Thu Jul 9 02:58:30 2015 -0700 Execute _poll_shelved_instances only if shelved_offload_time is > 0 shelved_offload_time -1 means never offload shelved instance. Currently, the periodic task "_poll_shelved_instances" changes the vm state from SHELVED to SHELVED_OFFLOAD even when the shelved_offload_time is set to -1. Added check in _poll_shelved_instances to offload instances only if shelved_offload_time is greater than 0. DocImpact Closes-bug: #1472946 Change-Id: I55368e961b65a5ca73718fdcd42823680f7cbfa4 To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1477741/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1381017] Re: PCI passthrough_whitelist configuration option documentation
** Project changed: openstack-manuals => nova ** Changed in: nova Milestone: liberty => None -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1381017 Title: PCI passthrough_whitelist configuration option documentation Status in OpenStack Compute (nova): Confirmed Bug description: pci_passthrough_whitelist can be be specified in different ways, but current documentation of pci_passthrough_whitelist in nova.conf captured in OpenStack Configuration Reference guide, defines only limited option. There is a need to document available options as it is defined in the https://github.com/openstack/nova-specs/blob/master/specs/juno/implemented/pci-passthrough-sriov.rst specification. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1381017/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 986980] Re: No documentation about token backends
** Changed in: openstack-manuals Status: Confirmed = Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/986980 Title: No documentation about token backends Status in OpenStack Identity (Keystone): Confirmed Status in OpenStack Manuals: Fix Released Bug description: Documentation lacks of information about token backends: backends available, options, memcached configuration for memcached backend,... To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/986980/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1307303] [NEW] Make Help link context-sensitive
Public bug reported: For future documentation requirements, can you please modify the functionality of the Help button in the top menu so that it performs a lookup of the current page URL, and can return a specific documentation URL as a result. Thanks. ** Affects: horizon Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1307303 Title: Make Help link context-sensitive Status in OpenStack Dashboard (Horizon): New Bug description: For future documentation requirements, can you please modify the functionality of the Help button in the top menu so that it performs a lookup of the current page URL, and can return a specific documentation URL as a result. Thanks. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1307303/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp