Invalid calls to ufw when cms-client-bound-address contains IPv6

Bug #1966135 reported by Simon Déziel
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
charm-interface-ovsdb | Triaged | High | Unassigned |
charm-ovn-central | Triaged | High | Unassigned |

Bug Description

The ovsdb-cms interface requires providing the CMS' IP address in cms-client-bound-address [1]. This address is surrounded by square brackets ("[]") when it is an IPv6 one [2].

When doing so, ufw is called with the square brackets left in place, causing an error:

2022-03-22 19:24:43 DEBUG unit.ovn-central/1.juju-log server.go:327 ovsdb-cms:21: ufw allow: ufw prepend allow from [2602:fc62:b:3002:0:1:0:2] to any port 6641 proto tcp comment charm-ovn-central
2022-03-22 19:24:44 ERROR unit.ovn-central/1.juju-log server.go:327 ovsdb-cms:21: Error running: ufw prepend allow from [2602:fc62:b:3002:0:1:0:2] to any port 6641 proto tcp comment charm-ovn-central, exit code: 1
2022-03-22 19:24:44 DEBUG unit.ovn-central/1.juju-log server.go:327 ovsdb-cms:21: ufw allow: ufw prepend allow from [2602:fc62:b:3002:0:1:0:2] to any port 16642 proto tcp comment charm-ovn-central
2022-03-22 19:24:44 ERROR unit.ovn-central/1.juju-log server.go:327 ovsdb-cms:21: Error running: ufw prepend allow from [2602:fc62:b:3002:0:1:0:2] to any port 16642 proto tcp comment charm-ovn-central, exit code: 1

However, omitting the square brackets causes failures somewhere else, preventing ufw from even being called.

1: https://opendev.org/x/charm-interface-ovsdb/src/branch/master/src/ovsdb_cms/requires.py#L40-L41
2: https://opendev.org/x/charm-interface-ovsdb/src/branch/master/src/lib/ovsdb.py#L33-L61

Simon Déziel (sdeziel) wrote :

While chatting with Frode Nordahl, he suggested the following quick fix (that I have not tested):

diff --git a/src/lib/charm/openstack/ovn_central.py b/src/lib/charm/openstack/ovn_central.py
index d9cd65b..f5ba614 100644
--- a/src/lib/charm/openstack/ovn_central.py
+++ b/src/lib/charm/openstack/ovn_central.py
@@ -642,6 +642,7 @@ class BaseOVNCentralCharm(charms_openstack.charm.OpenStackCharm):
             _addrs = list(addrs or [])
             for port in ports:
                 for addr in _addrs:
+ addr = addr.replace('[', '').replace(']', '')
                     ch_ufw.modify_access(addr, port=port, proto='tcp',
                                          action='allow', prepend=True,
                                          comment=ufw_comment)
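
Review bot: on the added `addr = addr.replace('[', '').replace(']', '')` line, the two `replace()` calls drop every bracket anywhere in the string, and the result goes straight to `ch_ufw.modify_access()` with no check that it is an IP address. Consider removing only one enclosing pair and validating the remainder with `ipaddress.ip_address()` before the call, skipping and logging entries that do not parse, so a malformed entry in `addrs` is rejected in the charm rather than handed to ufw. A short comment on why the brackets are stripped at this point would also help the next reader.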

Frode Nordahl (fnordahl)
Changed in charm-ovn-central:
status: New → Triaged
Changed in charm-interface-ovsdb:
status: New → Triaged
importance: Undecided → High
Changed in charm-ovn-central:
importance: Undecided → High
Frode Nordahl (fnordahl) wrote :

Thank you for reporting this issue.

There are multiple facets to the solution:

1) We need to ensure the on-the-wire relation protocol uses pure IPv4/IPv6 address strings so that the remote end is free to compose the data in any shape/form at their discretion.

The good and bad news here is that the current implementation is broken, so we do not need to worry about breaking any in-the-wild users when fixing the on-the-wire protocol, as no one would be able to successfully use the charm when bound to an IPv6 space at the moment.

2) The interface code is used to render the on-the-wire data for use in configuration templates as well as arguments to command execution; we may need separate properties for representing the pure IPv6 address string and the IPv6 address string encapsulated in brackets (`[]`).

3) Functional testing.

The current automatic test gates do not provide IPv6 connectivity and we do have a few dependencies on other projects in order to reliably enable that.
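
One way to get the two representations described in point 2 from a single validated value, as an added example that is not code from either charm. The names `BoundAddress`, `parse_bound_address`, `ufw_allow_args` and `connection_string` are hypothetical, the argv mirrors the command shown in the log above, and the `tcp:host:port` template format is an assumption.

```python
import ipaddress
from typing import NamedTuple


class BoundAddress(NamedTuple):
    """Two renderings of one validated address (hypothetical helper type)."""
    bare: str       # for command arguments such as ufw's "from <addr>"
    bracketed: str  # for host:port strings in configuration templates


def parse_bound_address(value: str) -> BoundAddress:
    """Validate a relation-supplied address and return both renderings.

    Accepts a bare IPv4/IPv6 address, or an IPv6 address inside exactly one
    enclosing pair of brackets. Anything else raises ValueError, so relation
    data that is not an address never reaches a command line.
    """
    text = value.strip()
    had_brackets = text.startswith('[') and text.endswith(']')
    if had_brackets:
        text = text[1:-1]
    # Raises ValueError on stray brackets, CIDR notation, hostnames, etc.
    ip = ipaddress.ip_address(text)
    if had_brackets and ip.version != 6:
        raise ValueError(f'brackets are only valid around IPv6: {value!r}')
    bare = ip.compressed
    return BoundAddress(bare, f'[{bare}]' if ip.version == 6 else bare)


def ufw_allow_args(value: str, port: int, comment: str) -> list:
    """Build the argv from the log above, always with the bare address."""
    addr = parse_bound_address(value).bare
    return ['ufw', 'prepend', 'allow', 'from', addr, 'to', 'any',
            'port', str(port), 'proto', 'tcp', 'comment', comment]


def connection_string(value: str, port: int) -> str:
    """Render a target for a template (assumed tcp:host:port format)."""
    return f'tcp:{parse_bound_address(value).bracketed}:{port}'
```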
