diff -Nru neutron-13.0.2/debian/changelog neutron-13.0.2/debian/changelog --- neutron-13.0.2/debian/changelog 2019-05-31 13:43:01.000000000 +0000 +++ neutron-13.0.2/debian/changelog 2019-06-17 13:09:27.000000000 +0000 @@ -1,4 +1,4 @@ -neutron (2:13.0.2-0ubuntu3.3) cosmic-security; urgency=medium +neutron (2:13.0.2-0ubuntu3.4) cosmic-security; urgency=medium * SECURITY UPDATE: iptables security group rules issue - debian/patches/CVE-2019-9735.patch: when converting sg rules to @@ -7,7 +7,14 @@ neutron/tests/unit/agent/linux/test_iptables_firewall.py. - CVE-2019-9735 - -- Marc Deslauriers Fri, 31 May 2019 09:43:01 -0400 + -- Marc Deslauriers Mon, 17 Jun 2019 09:09:27 -0400 + +neutron (2:13.0.2-0ubuntu3.3) cosmic; urgency=medium + + * d/p/bug1826419.patch: Cherry pick fix to revert incorrect changes to + internal DNS behaviour (LP: #1826419). + + -- James Page Tue, 04 Jun 2019 09:40:48 +0100 neutron (2:13.0.2-0ubuntu3.2) cosmic; urgency=medium diff -Nru neutron-13.0.2/debian/patches/bug1826419.patch neutron-13.0.2/debian/patches/bug1826419.patch --- neutron-13.0.2/debian/patches/bug1826419.patch 1970-01-01 00:00:00.000000000 +0000 +++ neutron-13.0.2/debian/patches/bug1826419.patch 2019-06-04 08:40:48.000000000 +0000 
@@ -0,0 +1,457 @@ +commit 664b11197e0a9797f4269dee2586ee902c6e0de8 +Author: James Page +Date: Mon Jun 3 09:39:58 2019 +0100 + + Revert "Pass network's dns_domain to dnsmasq conf" + + The dns_domain attribute of a network is intended for use + by neutron when creating DNS records in an external DNS + system such as Designate. + + By using the networks dns_domain, the configured search + path on booted instances mismatches with the generated + dns assignments for instance ports in the hosts file + for dnsmasq which creates a mismatched forward/reverse + lookup behaviour. + + This reverts commit b7796f6c91b74440780056712060da5da69e583f. + and commit 137a6d61053fb1cfb9a0a583b5a5c0f6253c75e6. + + Closes-Bug: 1826419 + Depends-On: I145144c042b100f7e12a02a8ac7e0fbbe41e984d + +--- a/neutron/agent/linux/dhcp.py ++++ b/neutron/agent/linux/dhcp.py +@@ -130,7 +130,6 @@ class DhcpBase(object): + version=None, plugin=None): + self.conf = conf + self.network = network +- self.dns_domain = self.network.get('dns_domain', self.conf.dns_domain) + self.process_monitor = process_monitor + self.device_manager = DeviceManager(self.conf, plugin) + self.version = version +@@ -420,8 +419,8 @@ class Dnsmasq(DhcpLocalProcess): + for server in self.conf.dnsmasq_dns_servers: + cmd.append('--server=%s' % server) + +- if self.dns_domain: +- cmd.append('--domain=%s' % self.dns_domain) ++ if self.conf.dns_domain: ++ cmd.append('--domain=%s' % self.conf.dns_domain) + + if self.conf.dhcp_broadcast_reply: + cmd.append('--dhcp-broadcast') +@@ -611,8 +610,8 @@ class Dnsmasq(DhcpLocalProcess): + hostname = 'host-%s' % alloc.ip_address.replace( + '.', '-').replace(':', '-') + fqdn = hostname +- if self.dns_domain: +- fqdn = '%s.%s' % (fqdn, self.dns_domain) ++ if self.conf.dns_domain: ++ fqdn = '%s.%s' % (fqdn, self.conf.dns_domain) + yield (port, alloc, hostname, fqdn, no_dhcp, no_opts) + + def _get_port_extra_dhcp_opts(self, port): +@@ -963,9 +962,9 @@ class Dnsmasq(DhcpLocalProcess): + # dns-server 
submitted by the server + subnet_index_map[subnet.id] = i + +- if self.dns_domain and subnet.ip_version == 6: ++ if self.conf.dns_domain and subnet.ip_version == 6: + options.append('tag:tag%s,option6:domain-search,%s' % +- (i, ''.join(self.dns_domain))) ++ (i, ''.join(self.conf.dns_domain))) + + gateway = subnet.gateway_ip + host_routes = [] +--- a/neutron/tests/unit/agent/linux/test_dhcp.py ++++ b/neutron/tests/unit/agent/linux/test_dhcp.py +@@ -461,14 +461,7 @@ class FakeV4SubnetAgentWithNoDnsProvided + self.host_routes = [] + + +-class FakeNetworkBase(object): +- dns_domain = 'openstacklocal' +- +- def get(self, attr, default=None): +- return getattr(self, attr) or default +- +- +-class FakeV4MultipleAgentsWithoutDnsProvided(FakeNetworkBase): ++class FakeV4MultipleAgentsWithoutDnsProvided(object): + def __init__(self): + self.id = 'ffffffff-ffff-ffff-ffff-ffffffffffff' + self.subnets = [FakeV4SubnetMultipleAgentsWithoutDnsProvided()] +@@ -477,7 +470,7 @@ class FakeV4MultipleAgentsWithoutDnsProv + self.namespace = 'qdhcp-ns' + + +-class FakeV4AgentWithoutDnsProvided(FakeNetworkBase): ++class FakeV4AgentWithoutDnsProvided(object): + def __init__(self): + self.id = 'ffffffff-ffff-ffff-ffff-ffffffffffff' + self.subnets = [FakeV4SubnetMultipleAgentsWithoutDnsProvided()] +@@ -486,7 +479,7 @@ class FakeV4AgentWithoutDnsProvided(Fake + self.namespace = 'qdhcp-ns' + + +-class FakeV4AgentWithManyDnsProvided(FakeNetworkBase): ++class FakeV4AgentWithManyDnsProvided(object): + def __init__(self): + self.id = 'ffffffff-ffff-ffff-ffff-ffffffffffff' + self.subnets = [FakeV4SubnetAgentWithManyDnsProvided()] +@@ -495,7 +488,7 @@ class FakeV4AgentWithManyDnsProvided(Fak + self.namespace = 'qdhcp-ns' + + +-class FakeV4AgentWithNoDnsProvided(FakeNetworkBase): ++class FakeV4AgentWithNoDnsProvided(object): + def __init__(self): + self.id = 'ffffffff-ffff-ffff-ffff-ffffffffffff' + self.subnets = [FakeV4SubnetAgentWithNoDnsProvided()] +@@ -510,7 +503,7 @@ class 
FakeV4SubnetMultipleAgentsWithDnsP + self.host_routes = [] + + +-class FakeV4MultipleAgentsWithDnsProvided(FakeNetworkBase): ++class FakeV4MultipleAgentsWithDnsProvided(object): + def __init__(self): + self.id = 'ffffffff-ffff-ffff-ffff-ffffffffffff' + self.subnets = [FakeV4SubnetMultipleAgentsWithDnsProvided()] +@@ -628,7 +621,7 @@ class FakeV4SubnetNoRouter(FakeV4Subnet) + self.dns_nameservers = [] + + +-class FakeV4Network(FakeNetworkBase): ++class FakeV4Network(object): + def __init__(self): + self.id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' + self.subnets = [FakeV4Subnet()] +@@ -636,7 +629,7 @@ class FakeV4Network(FakeNetworkBase): + self.namespace = 'qdhcp-ns' + + +-class FakeV4NetworkClientId(FakeNetworkBase): ++class FakeV4NetworkClientId(object): + def __init__(self): + self.id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' + self.subnets = [FakeV4Subnet()] +@@ -644,7 +637,7 @@ class FakeV4NetworkClientId(FakeNetworkB + self.namespace = 'qdhcp-ns' + + +-class FakeV4NetworkClientIdNum(FakeNetworkBase): ++class FakeV4NetworkClientIdNum(object): + def __init__(self): + self.id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' + self.subnets = [FakeV4Subnet()] +@@ -652,7 +645,7 @@ class FakeV4NetworkClientIdNum(FakeNetwo + self.namespace = 'qdhcp-ns' + + +-class FakeV4NetworkClientIdNumStr(FakeNetworkBase): ++class FakeV4NetworkClientIdNumStr(object): + def __init__(self): + self.id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' + self.subnets = [FakeV4Subnet()] +@@ -660,7 +653,7 @@ class FakeV4NetworkClientIdNumStr(FakeNe + self.namespace = 'qdhcp-ns' + + +-class FakeV6Network(FakeNetworkBase): ++class FakeV6Network(object): + def __init__(self): + self.id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb' + self.subnets = [FakeV6Subnet()] +@@ -668,7 +661,7 @@ class FakeV6Network(FakeNetworkBase): + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetwork(FakeNetworkBase): ++class FakeDualNetwork(object): + def __init__(self, domain='openstacklocal'): + self.id = 
'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV6SubnetDHCPStateful()] +@@ -676,10 +669,9 @@ class FakeDualNetwork(FakeNetworkBase): + self.ports = [FakePort1(domain=domain), FakeV6Port(domain=domain), + FakeDualPort(domain=domain), + FakeRouterPort(domain=domain)] +- self.dns_domain = domain + + +-class FakeDeviceManagerNetwork(FakeNetworkBase): ++class FakeDeviceManagerNetwork(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV6SubnetDHCPStateful()] +@@ -690,7 +682,7 @@ class FakeDeviceManagerNetwork(FakeNetwo + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetworkReserved(FakeNetworkBase): ++class FakeDualNetworkReserved(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV6SubnetDHCPStateful()] +@@ -699,7 +691,7 @@ class FakeDualNetworkReserved(FakeNetwor + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetworkReserved2(FakeNetworkBase): ++class FakeDualNetworkReserved2(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV6SubnetDHCPStateful()] +@@ -709,7 +701,7 @@ class FakeDualNetworkReserved2(FakeNetwo + self.namespace = 'qdhcp-ns' + + +-class FakeNetworkDhcpPort(FakeNetworkBase): ++class FakeNetworkDhcpPort(object): + def __init__(self): + self.id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' + self.subnets = [FakeV4Subnet()] +@@ -717,7 +709,7 @@ class FakeNetworkDhcpPort(FakeNetworkBas + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetworkGatewayRoute(FakeNetworkBase): ++class FakeDualNetworkGatewayRoute(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4SubnetGatewayRoute(), FakeV6SubnetDHCPStateful()] +@@ -725,7 +717,7 @@ class FakeDualNetworkGatewayRoute(FakeNe + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetworkSingleDHCP(FakeNetworkBase): ++class 
FakeDualNetworkSingleDHCP(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV4SubnetNoDHCP()] +@@ -733,7 +725,7 @@ class FakeDualNetworkSingleDHCP(FakeNetw + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetworkSingleDHCPBothAttaced(FakeNetworkBase): ++class FakeDualNetworkSingleDHCPBothAttaced(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + # dhcp-agent actually can't get the subnet with dhcp disabled +@@ -742,7 +734,7 @@ class FakeDualNetworkSingleDHCPBothAttac + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetworkDualDHCP(FakeNetworkBase): ++class FakeDualNetworkDualDHCP(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV4Subnet2()] +@@ -750,7 +742,7 @@ class FakeDualNetworkDualDHCP(FakeNetwor + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetworkDualDHCPOnLinkSubnetRoutesDisabled(FakeNetworkBase): ++class FakeDualNetworkDualDHCPOnLinkSubnetRoutesDisabled(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV4SubnetSegmentID()] +@@ -758,7 +750,7 @@ class FakeDualNetworkDualDHCPOnLinkSubne + self.namespace = 'qdhcp-ns' + + +-class FakeNonLocalSubnets(FakeNetworkBase): ++class FakeNonLocalSubnets(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4SubnetSegmentID2()] +@@ -767,7 +759,7 @@ class FakeNonLocalSubnets(FakeNetworkBas + self.namespace = 'qdhcp-ns' + + +-class FakeDualNetworkTriDHCPOneOnLinkSubnetRoute(FakeNetworkBase): ++class FakeDualNetworkTriDHCPOneOnLinkSubnetRoute(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV4Subnet2(), +@@ -777,28 +769,28 @@ class FakeDualNetworkTriDHCPOneOnLinkSub + self.namespace = 'qdhcp-ns' + + +-class FakeV4NoGatewayNetwork(FakeNetworkBase): ++class 
FakeV4NoGatewayNetwork(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4SubnetNoGateway()] + self.ports = [FakePort1()] + + +-class FakeV4NetworkNoRouter(FakeNetworkBase): ++class FakeV4NetworkNoRouter(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4SubnetNoRouter()] + self.ports = [FakePort1()] + + +-class FakeV4MetadataNetwork(FakeNetworkBase): ++class FakeV4MetadataNetwork(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4MetadataSubnet()] + self.ports = [FakeRouterPort(ip_address='169.254.169.253')] + + +-class FakeV4NetworkDistRouter(FakeNetworkBase): ++class FakeV4NetworkDistRouter(object): + def __init__(self): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet()] +@@ -807,7 +799,7 @@ class FakeV4NetworkDistRouter(FakeNetwor + dev_owner=constants.DEVICE_OWNER_DVR_INTERFACE)] + + +-class FakeDualV4Pxe3Ports(FakeNetworkBase): ++class FakeDualV4Pxe3Ports(object): + def __init__(self, port_detail="portsSame"): + self.id = 'cccccccc-cccc-cccc-cccc-cccccccccccc' + self.subnets = [FakeV4Subnet(), FakeV4SubnetNoDHCP()] +@@ -841,7 +833,7 @@ class FakeDualV4Pxe3Ports(FakeNetworkBas + DhcpOpt(opt_name='bootfile-name', opt_value='pxelinux3.0')] + + +-class FakeV4NetworkPxe2Ports(FakeNetworkBase): ++class FakeV4NetworkPxe2Ports(object): + def __init__(self, port_detail="portsSame"): + self.id = 'dddddddd-dddd-dddd-dddd-dddddddddddd' + self.subnets = [FakeV4Subnet()] +@@ -867,7 +859,7 @@ class FakeV4NetworkPxe2Ports(FakeNetwork + DhcpOpt(opt_name='bootfile-name', opt_value='pxelinux.0')] + + +-class FakeV4NetworkPxe3Ports(FakeNetworkBase): ++class FakeV4NetworkPxe3Ports(object): + def __init__(self, port_detail="portsSame"): + self.id = 'dddddddd-dddd-dddd-dddd-dddddddddddd' + self.subnets = [FakeV4Subnet()] +@@ -901,7 +893,7 @@ class FakeV4NetworkPxe3Ports(FakeNetwork + 
DhcpOpt(opt_name='bootfile-name', opt_value='pxelinux3.0')] + + +-class FakeV6NetworkPxePort(FakeNetworkBase): ++class FakeV6NetworkPxePort(object): + def __init__(self): + self.id = 'dddddddd-dddd-dddd-dddd-dddddddddddd' + self.subnets = [FakeV6SubnetDHCPStateful()] +@@ -914,7 +906,7 @@ class FakeV6NetworkPxePort(FakeNetworkBa + ip_version=6)] + + +-class FakeV6NetworkPxePortWrongOptVersion(FakeNetworkBase): ++class FakeV6NetworkPxePortWrongOptVersion(object): + def __init__(self): + self.id = 'dddddddd-dddd-dddd-dddd-dddddddddddd' + self.subnets = [FakeV6SubnetDHCPStateful()] +@@ -927,14 +919,14 @@ class FakeV6NetworkPxePortWrongOptVersio + ip_version=6)] + + +-class FakeDualStackNetworkSingleDHCP(FakeNetworkBase): ++class FakeDualStackNetworkSingleDHCP(object): + def __init__(self): + self.id = 'eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee' + self.subnets = [FakeV4Subnet(), FakeV6SubnetSlaac()] + self.ports = [FakePort1(), FakePort4(), FakeRouterPort()] + + +-class FakeDualStackNetworkingSingleDHCPTags(FakeNetworkBase): ++class FakeDualStackNetworkingSingleDHCPTags(object): + def __init__(self): + self.id = 'eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee' + self.subnets = [FakeV4Subnet(), FakeV6SubnetSlaac()] +@@ -945,7 +937,7 @@ class FakeDualStackNetworkingSingleDHCPT + opt_value='pxelinux.0')] + + +-class FakeV4NetworkMultipleTags(FakeNetworkBase): ++class FakeV4NetworkMultipleTags(object): + def __init__(self): + self.id = 'dddddddd-dddd-dddd-dddd-dddddddddddd' + self.subnets = [FakeV4Subnet()] +@@ -955,7 +947,7 @@ class FakeV4NetworkMultipleTags(FakeNetw + DhcpOpt(opt_name='tag:ipxe,bootfile-name', opt_value='pxelinux.0')] + + +-class FakeV6NetworkStatelessDHCP(FakeNetworkBase): ++class FakeV6NetworkStatelessDHCP(object): + def __init__(self): + self.id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb' + self.subnets = [FakeV6SubnetStateless()] +@@ -963,7 +955,7 @@ class FakeV6NetworkStatelessDHCP(FakeNet + self.namespace = 'qdhcp-ns' + + +-class 
FakeV6NetworkStatelessDHCPNoDnsProvided(FakeNetworkBase): ++class FakeV6NetworkStatelessDHCPNoDnsProvided(object): + def __init__(self): + self.id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb' + self.subnets = [FakeV6SubnetStatelessNoDnsProvided()] +@@ -971,7 +963,7 @@ class FakeV6NetworkStatelessDHCPNoDnsPro + self.namespace = 'qdhcp-ns' + + +-class FakeV6NetworkStatelessDHCPBadPrefixLength(FakeNetworkBase): ++class FakeV6NetworkStatelessDHCPBadPrefixLength(object): + def __init__(self): + self.id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb' + self.subnets = [FakeV6SubnetStatelessBadPrefixLength()] +@@ -979,7 +971,7 @@ class FakeV6NetworkStatelessDHCPBadPrefi + self.namespace = 'qdhcp-ns' + + +-class FakeNetworkWithV6SatelessAndV4DHCPSubnets(FakeNetworkBase): ++class FakeNetworkWithV6SatelessAndV4DHCPSubnets(object): + def __init__(self): + self.id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb' + self.subnets = [FakeV6SubnetStateless(), FakeV4Subnet()] +@@ -1329,23 +1321,11 @@ class TestDnsmasq(TestBase): + (exp_host_name, exp_host_data, + exp_addn_name, exp_addn_data) = self._test_no_dns_domain_alloc_data + self.conf.set_override('dns_domain', '') +- network = FakeDualNetwork(domain='') ++ network = FakeDualNetwork(domain=self.conf.dns_domain) + self._test_spawn(['--conf-file='], network=network) + self.safe.assert_has_calls([mock.call(exp_host_name, exp_host_data), + mock.call(exp_addn_name, exp_addn_data)]) + +- def test_spawn_with_dns_domain_conf(self): +- self.conf.set_override('dns_domain', 'starwars.local') +- network = FakeDualNetwork(domain=None) +- self._test_spawn( +- ['--conf-file=', '--domain=starwars.local'], network=network) +- +- def test_spawn_with_dns_domain_api(self): +- self.conf.set_override('dns_domain', 'wrong.answer') +- network = FakeDualNetwork(domain='right.answer') +- self._test_spawn( +- ['--conf-file=', '--domain=right.answer'], network=network) +- + def test_spawn_no_dhcp_range(self): + network = FakeV6Network() + subnet = FakeV6SubnetSlaac() +--- 
a/releasenotes/notes/dns_domain-6f0e628aeb3c650c.yaml ++++ /dev/null +@@ -1,13 +0,0 @@ +---- +-fixes: +- - | +- Previously a network's dns_domain attribute was ignored by the DHCP agent. +- With this release, OpenStack deployments using Neutron's DHCP agent will +- be able to specify a per network dns_domain and have instances configure +- that domain in their dns resolver configuration files (Linux's +- /etc/resolv.conf) to allow for local partial DNS lookups. The per-network +- dns_domain value will override the DHCP agent's default dns_domain +- configuration value. Note that it's also possible to update a network's +- dns_domain, and that new value will be propogated to new instances +- or when instances renew their DHCP lease. However, existing leases will +- live on with the old dns_domain value. diff -Nru neutron-13.0.2/debian/patches/series neutron-13.0.2/debian/patches/series --- neutron-13.0.2/debian/patches/series 2019-05-31 13:42:56.000000000 +0000 +++ neutron-13.0.2/debian/patches/series 2019-06-17 13:09:21.000000000 +0000 @@ -4,4 +4,5 @@ fix-KeyError-in-OVS-firewall.patch bug1823038.patch Spawn-metadata-proxy-on-dvr-ha-standby-routers.patch +bug1826419.patch CVE-2019-9735.patch
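Review bot: In the patched `neutron/tests/unit/agent/linux/test_dhcp.py`, the `@@ -1329` hunk removes `test_spawn_with_dns_domain_conf` and `test_spawn_with_dns_domain_api` but adds no test that pins the reverted behaviour, so nothing visible here would fail if a per-network `dns_domain` reached the dnsmasq `--domain=` argument or the generated hosts file again. A small negative test would cover it: give the fake network a `dns_domain` attribute that differs from `self.conf.dns_domain` and assert that `_test_spawn` still expects only the configured value, which presumably works with the expected-argument list the removed tests passed. Separately, in the `@@ -963` hunk of `neutron/agent/linux/dhcp.py`, `''.join(self.conf.dns_domain)` is a no-op if the option is a plain string, as the `'--domain=%s' % self.conf.dns_domain` use in the same patch suggests, and would silently concatenate the items if it ever became a list. It could be written `(i, self.conf.dns_domain)`; the enclosing method starts and ends outside that hunk.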