TritonDataCenter / smartos-live

For more information, please see http://smartos.org/ For any questions that aren't answered there, please join the SmartOS discussion list: https://smartos.topicbox.com/groups/smartos-discuss

reconcile different DHCP flags and spoof protection handling #1051

Closed numericillustration closed 2 years ago

numericillustration commented 2 years ago

In the zone state change handling the instance nic flags dhcp_server and allow_dhcp_spoofing are treated the same way https://github.com/TritonDataCenter/illumos-joyent/blob/master/usr/src/lib/brand/jcommon/statechange#L398-L436 in that when either is set in the instance, neither of the protection properties dhcp-nospoof and ip-nospoof will be applied to the instance's link.

But in the vmadm code for managing these same settings at https://github.com/TritonDataCenter/smartos-live/blob/master/src/vm/node_modules/VM.js#L15392-L15403 there is a difference such that if one sets allow_dhcp_spoofing via vmapi, only the dhcp-nospoof protection will be dropped from the link while the instance is running.

Once it is restarted both protections will not have been applied.

test 1: add allow_dhcp_spoofing to a new instance via vmapi

New instance created via triton cli:

~ 🂁 triton -p iad001 instance create --name=dhcp-test base-64-lts g4-fastdisk-2G
Creating instance dhcp-test (4851875c-f792-4663-b0bf-1039471e69f0, base-64-lts@21.4.0)
~ 🂁 triton -p iad001 instance get dhcp-test  | json -Ha id compute_node nics.0
4851875c-f792-4663-b0bf-1039471e69f0 00000000-0000-0000-0000-ac1f6b7365d8 {
  "mac": "90:b8:d0:33:cf:50",
  "ip": "64.30.132.90",
  "primary": true,
  "gateway": "64.30.128.1",
  "netmask": "255.255.248.0",
  "network": "2c087b08-2ded-4a5a-b368-e796aa3c5f81"
}

instance nic info via vmadm on the CN

$ vmadm get 4851875c-f792-4663-b0bf-1039471e69f0 | json -Ha nics.0
{
  "interface": "net0",
  "mac": "90:b8:d0:33:cf:50",
  "vlan_id": 1004,
  "nic_tag": "external",
  "gateway": "64.30.128.1",
  "gateways": [
    "64.30.128.1"
  ],
  "netmask": "255.255.248.0",
  "ip": "64.30.132.90",
  "ips": [
    "64.30.132.90/21"
  ],
  "network_uuid": "2c087b08-2ded-4a5a-b368-e796aa3c5f81",
  "mtu": 1500,
  "primary": true
}

link protection props

$ dladm show-linkprop -p protection -z 4851875c-f792-4663-b0bf-1039471e69f0 net0
LINK         PROPERTY        PERM VALUE          DEFAULT        POSSIBLE
net0         protection      rw   mac-nospoof,   --             mac-nospoof,
                                  restricted,                   restricted,
                                  ip-nospoof,                   ip-nospoof,
                                  dhcp-nospoof                  dhcp-nospoof
[mhicks@JC827359 (iad001) ~]$

instance info in vmapi:

[mhicks@headnode (iad001) ~]$ sdc-vmapi /vms/4851875c-f792-4663-b0bf-1039471e69f0 | json -Ha nics.0
{
  "interface": "net0",
  "mac": "90:b8:d0:33:cf:50",
  "vlan_id": 1004,
  "nic_tag": "external",
  "gateway": "64.30.128.1",
  "gateways": [
    "64.30.128.1"
  ],
  "netmask": "255.255.248.0",
  "ip": "64.30.132.90",
  "ips": [
    "64.30.132.90/21"
  ],
  "network_uuid": "2c087b08-2ded-4a5a-b368-e796aa3c5f81",
  "mtu": 1500,
  "primary": true
}

nic in napi:

[mhicks@headnode (iad001) ~]$ sdc-napi /nics/90:b8:d0:33:cf:50
HTTP/1.1 200 OK
Etag: 5CC311CE
Content-Type: application/json
Content-Length: 553
Date: Fri, 22 Jul 2022 23:09:21 GMT
Server: SmartDataCenter Networking API
x-request-id: 6903bd3a-a1d2-4797-a2b3-38f7680ab76b
x-response-time: 179
x-server-name: ca6b3ec2-d32d-4f9d-b438-b754e574bec3
Connection: keep-alive

{
  "belongs_to_type": "zone",
  "belongs_to_uuid": "4851875c-f792-4663-b0bf-1039471e69f0",
  "mac": "90:b8:d0:33:cf:50",
  "owner_uuid": "a0aed498-09e7-4fe5-ba6b-bd1c0ffe6c73",
  "primary": true,
  "state": "running",
  "created_timestamp": "2022-07-22T23:03:32.221Z",
  "modified_timestamp": "2022-07-22T23:04:36.205Z",
  "ip": "64.30.132.90",
  "gateway": "64.30.128.1",
  "mtu": 1500,
  "netmask": "255.255.248.0",
  "nic_tag": "external",
  "resolvers": [
    "64.30.138.10",
    "64.30.138.11"
  ],
  "vlan_id": 1004,
  "network_uuid": "2c087b08-2ded-4a5a-b368-e796aa3c5f81",
  "cn_uuid": "00000000-0000-0000-0000-ac1f6b7365d8"
}

add the allow_dhcp_spoofing via vmapi:

[mhicks@headnode (iad001) ~]$ sdc-vmapi /vms/4851875c-f792-4663-b0bf-1039471e69f0?action=update_nics -d '{ "nics": [ { "mac": "90:b8:d0:33:cf:50", "allow_dhcp_spoofing": true }]}' | sdc-waitforjob
HTTP/1.1 202 Accepted
Connection: close
workflow-api: http://workflow.iad001.joyent.us
Content-Type: application/json
Content-Length: 100
Date: Fri, 22 Jul 2022 23:10:45 GMT
Server: VMAPI/9.14.1
x-request-id: 6967b6b3-884d-477f-8c69-21456ac254c2
x-response-time: 92
x-server-name: acc02ac7-af77-4f6a-9fb6-8fabb292715a

{
  "vm_uuid": "4851875c-f792-4663-b0bf-1039471e69f0",
  "job_uuid": "98baa22c-6893-48f3-80f0-a72ec05f93f1"
}

Wait for job 98baa22c-6893-48f3-80f0-a72ec05f93f1 to complete (timeout=none)
...
Job 98baa22c-6893-48f3-80f0-a72ec05f93f1 succeeded (elapsed=6s)

link props change to

$ dladm show-linkprop -p protection -z 4851875c-f792-4663-b0bf-1039471e69f0 net0
LINK         PROPERTY        PERM VALUE          DEFAULT        POSSIBLE
net0         protection      rw   mac-nospoof,   --             mac-nospoof,
                                  restricted,                   restricted,
                                  ip-nospoof                    ip-nospoof,
                                                                dhcp-nospoof

vmadm logs show:

{"name":"vmadm","req_id":"6967b6b3-884d-477f-8c69-21456ac254c2","hostname":"JC827359","pid":360030,"action":"update","vm":"4851875c-f792-4663-b0bf-1039471e69f0","stack":"vmadm.update.update-vnic-properties","level":20,"msg":"/usr/sbin/dladm set-linkprop -t -z 4851875c-f792-4663-b0bf-1039471e69f0 -p protection=ip-nospoof,mac-nospoof,restricted net0","time":"2022-07-22T23:10:48.134Z","v":0}

stop start and check link props again:

$ vmadm stop 4851875c-f792-4663-b0bf-1039471e69f0
Successfully completed stop for VM 4851875c-f792-4663-b0bf-1039471e69f0
$ vmadm start 4851875c-f792-4663-b0bf-1039471e69f0
Successfully started VM 4851875c-f792-4663-b0bf-1039471e69f0
$ dladm show-linkprop -p protection -z 4851875c-f792-4663-b0bf-1039471e69f0 net0
LINK         PROPERTY        PERM VALUE          DEFAULT        POSSIBLE
net0         protection      rw   mac-nospoof,   --             mac-nospoof,
                                  restricted                    restricted,
                                                                ip-nospoof,
                                                                dhcp-nospoof

test 2: add dhcp_server to a nic via vmadm

create instance via triton cli

~ 🂁 triton -p iad001 instance create --name=dhcp-test2 base-64-lts g4-fastdisk-2G
Creating instance dhcp-test2 (b088299d-e976-4104-929f-c1c0cc7718b1, base-64-lts@21.4.0)
~ 🂁 triton -p iad001 instance get dhcp-test2  | json -Ha id compute_node nics.0
b088299d-e976-4104-929f-c1c0cc7718b1 00000000-0000-0000-0000-ac1f6b7365d8 {
  "mac": "90:b8:d0:e0:3e:54",
  "ip": "64.30.132.91",
  "primary": true,
  "gateway": "64.30.128.1",
  "netmask": "255.255.248.0",
  "network": "2c087b08-2ded-4a5a-b368-e796aa3c5f81"
}

examine the nics on the CN

$ dladm show-linkprop -p protection -z b088299d-e976-4104-929f-c1c0cc7718b1 net0
LINK         PROPERTY        PERM VALUE          DEFAULT        POSSIBLE
net0         protection      rw   mac-nospoof,   --             mac-nospoof,
                                  restricted,                   restricted,
                                  ip-nospoof,                   ip-nospoof,
                                  dhcp-nospoof                  dhcp-nospoof
$ vmadm get b088299d-e976-4104-929f-c1c0cc7718b1 | json -Ha nics
[
  {
    "interface": "net0",
    "mac": "90:b8:d0:e0:3e:54",
    "vlan_id": 1004,
    "nic_tag": "external",
    "gateway": "64.30.128.1",
    "gateways": [
      "64.30.128.1"
    ],
    "netmask": "255.255.248.0",
    "ip": "64.30.132.91",
    "ips": [
      "64.30.132.91/21"
    ],
    "network_uuid": "2c087b08-2ded-4a5a-b368-e796aa3c5f81",
    "mtu": 1500,
    "primary": true
  },
  {
    "interface": "net1",
    "mac": "90:b8:d0:4b:80:da",
    "vlan_id": 1006,
    "nic_tag": "internal",
    "netmask": "255.255.248.0",
    "ip": "10.33.25.196",
    "ips": [
      "10.33.25.196/21"
    ],
    "network_uuid": "3f052e07-2fe9-4eb9-9bed-abb035745126",
    "mtu": 1500
  }
]

update the instance nic with dhcp_server param

$ cat  /var/tmp/b088299d-e976-4104-929f-c1c0cc7718b1.json
{
  "update_nics": [
    {
      "mac": "90:b8:d0:e0:3e:54",
      "dhcp_server": true
    }
  ]
}
$ vmadm update  b088299d-e976-4104-929f-c1c0cc7718b1 -f /var/tmp/b088299d-e976-4104-929f-c1c0cc7718b1.json
Successfully updated VM b088299d-e976-4104-929f-c1c0cc7718b1
$ vmadm get b088299d-e976-4104-929f-c1c0cc7718b1 | json -Ha nics
[
  {
    "interface": "net0",
    "mac": "90:b8:d0:e0:3e:54",
    "vlan_id": 1004,
    "nic_tag": "external",
    "gateway": "64.30.128.1",
    "gateways": [
      "64.30.128.1"
    ],
    "netmask": "255.255.248.0",
    "ip": "64.30.132.91",
    "ips": [
      "64.30.132.91/21"
    ],
    "network_uuid": "2c087b08-2ded-4a5a-b368-e796aa3c5f81",
    "dhcp_server": true,
    "mtu": 1500,
    "primary": true
  },
  {
    "interface": "net1",
    "mac": "90:b8:d0:4b:80:da",
    "vlan_id": 1006,
    "nic_tag": "internal",
    "netmask": "255.255.248.0",
    "ip": "10.33.25.196",
    "ips": [
      "10.33.25.196/21"
    ],
    "network_uuid": "3f052e07-2fe9-4eb9-9bed-abb035745126",
    "mtu": 1500
  }
]
$ dladm show-linkprop -p protection -z b088299d-e976-4104-929f-c1c0cc7718b1 net0
LINK         PROPERTY        PERM VALUE          DEFAULT        POSSIBLE
net0         protection      rw   mac-nospoof,   --             mac-nospoof,
                                  restricted                    restricted,
                                                                ip-nospoof,
                                                                dhcp-nospoof
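The two behaviours the report contrasts (boot-time statechange versus a live `vmadm update`), written up as an added example that is not code from smartos-live or illumos-joyent. It encodes only what the two tests above observed: at boot either flag removes both `ip-nospoof` and `dhcp-nospoof`; on a live update `dhcp_server` removes both but `allow_dhcp_spoofing` removes only `dhcp-nospoof`. The `dladm show-linkprop` sample output, the column-based parser and the `reconcile()` helper are constructed for this example so an operator can detect a link whose protection set no longer matches what the nic flags imply.

```javascript
'use strict';

// Protections SmartOS offers on a zone VNIC (the POSSIBLE column in the issue's
// dladm output). All four are applied when neither DHCP flag is set.
const ALL_PROTECTIONS = ['mac-nospoof', 'restricted', 'ip-nospoof', 'dhcp-nospoof'];

// Policy A, as observed at zone boot (statechange path): if either flag is set,
// neither ip-nospoof nor dhcp-nospoof is applied.
function expectedAtBoot(nic) {
  if (nic.dhcp_server || nic.allow_dhcp_spoofing) {
    return ['mac-nospoof', 'restricted'];
  }
  return ALL_PROTECTIONS.slice();
}

// Policy B, as observed after a live `vmadm update`: dhcp_server drops both
// protections, but allow_dhcp_spoofing alone drops only dhcp-nospoof.
function expectedAfterLiveUpdate(nic) {
  if (nic.dhcp_server) {
    return ['mac-nospoof', 'restricted'];
  }
  if (nic.allow_dhcp_spoofing) {
    return ['mac-nospoof', 'restricted', 'ip-nospoof'];
  }
  return ALL_PROTECTIONS.slice();
}

// Parse the VALUE column of `dladm show-linkprop -p protection` output. The
// value wraps onto continuation lines, so column offsets come from the header.
// Hypothetical parser written for this example.
function parseProtection(output) {
  const lines = output.split('\n').filter((l) => l.trim() !== '');
  const header = lines[0];
  const vStart = header.indexOf('VALUE');
  const dStart = header.indexOf('DEFAULT');
  if (vStart < 0 || dStart < 0) {
    throw new Error('unexpected dladm header: ' + header);
  }
  const found = [];
  for (const line of lines.slice(1)) {
    const cell = line.slice(vStart, dStart).trim().replace(/,$/, '');
    if (cell !== '' && cell !== '--') {
      found.push(cell);
    }
  }
  return found;
}

function sameSet(a, b) {
  return a.slice().sort().join(',') === b.slice().sort().join(',');
}

// Compare the live link state against both policies: which one it matches,
// whether the two policies even agree for this nic, and the drift relative to
// the boot-time policy (what the link will look like after a restart).
function reconcile(nic, dladmOutput) {
  const actual = parseProtection(dladmOutput);
  const boot = expectedAtBoot(nic);
  const live = expectedAfterLiveUpdate(nic);
  return {
    actual: actual,
    matchesBootPolicy: sameSet(actual, boot),
    matchesLivePolicy: sameSet(actual, live),
    policiesDiverge: !sameSet(boot, live),
    extraVsBoot: actual.filter((p) => !boot.includes(p)),
    missingVsBoot: boot.filter((p) => !actual.includes(p)),
  };
}

// Constructed sample output in the fixed-width layout shown in the issue;
// padEnd keeps the columns aligned with the header.
function dladmRow(link, prop, perm, value, def, possible) {
  return link.padEnd(13) + prop.padEnd(16) + perm.padEnd(5) +
    value.padEnd(15) + def.padEnd(15) + possible;
}
const HEADER = dladmRow('LINK', 'PROPERTY', 'PERM', 'VALUE', 'DEFAULT', 'POSSIBLE');
const AFTER_LIVE_UPDATE = [
  HEADER,
  dladmRow('net0', 'protection', 'rw', 'mac-nospoof,', '--', 'mac-nospoof,'),
  dladmRow('', '', '', 'restricted,', '', 'restricted,'),
  dladmRow('', '', '', 'ip-nospoof', '', 'ip-nospoof,'),
  dladmRow('', '', '', '', '', 'dhcp-nospoof'),
].join('\n');
const AFTER_RESTART = [
  HEADER,
  dladmRow('net0', 'protection', 'rw', 'mac-nospoof,', '--', 'mac-nospoof,'),
  dladmRow('', '', '', 'restricted', '', 'restricted,'),
  dladmRow('', '', '', '', '', 'ip-nospoof,'),
  dladmRow('', '', '', '', '', 'dhcp-nospoof'),
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed nic record with only the flag relevant to test 1 above.
  const nic = { mac: '90:b8:d0:33:cf:50', allow_dhcp_spoofing: true };
  console.log(JSON.stringify(reconcile(nic, AFTER_LIVE_UPDATE), null, 2));
  console.log(JSON.stringify(reconcile(nic, AFTER_RESTART), null, 2));
}
```

For a nic with `allow_dhcp_spoofing` the report flags `policiesDiverge`, matches the live policy right after the update and the boot policy after a restart; for `dhcp_server` both policies agree, which is the asymmetry the issue asks to reconcile. Run against real `vmadm get ... | json nics` and `dladm show-linkprop -p protection -z <uuid> <link>` output, a non-empty `missingVsBoot` on an unflagged nic means a protection is absent that the flags do not justify.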
bahamat commented 2 years ago

OK, to summarize this: