sanitize_hostname is not aligned with idna2 specification

Bug #2033401 reported by Vasyl Saienko
Affects: OpenStack Compute (nova) | Status: Opinion | Importance: Undecided | Assigned to: Unassigned

Bug Description

DNSmasq was switched to the IDN2 specification more than 4 years ago, Debian package [0].
According to the specification, a name with -- in the 3rd and 4th characters is not allowed. See RFC 5891 [1].
As a result, hostnames such as rf--xx generate an error on the DNSmasq side and no longer work.

Aug 29 10:55:32 dnsmasq[243]: bad DHCP host name at line 2 of /var/lib/neutron/dhcp/6531ba54-0aa1-4b3b-b098-49bb0cfd586b/host

cat /var/lib/neutron/dhcp/6531ba54-0aa1-4b3b-b098-49bb0cfd586b/host
fa:16:3e:d9:ba:17,amphora-ccee6c76-e565-496d-b841-f485a99dc865.openstack.internal.,10.10.10.142
fa:16:3e:c8:93:56,re--test-database-7ezitojxojun-server-01-lrdygbkrxkho.openstack.internal.,10.10.10.209
fa:16:3e:29:dc:fc,host-10-10-10-45.openstack.internal.,10.10.10.45
fa:16:3e:1a:be:3f,host-10-10-10-103.openstack.internal.,10.10.10.103
fa:16:3e:bd:ab:2a,host-10-10-10-1.openstack.internal.,10.10.10.1
fa:16:3e:df:b7:c1,host-10-10-10-118.openstack.internal.,10.10.10.118

[0] https://github.com/imp/dnsmasq/commit/5a9133498562a0b69b287ad675ed3946803ea90c
[1] https://www.rfc-editor.org/rfc/rfc5891#section-4.2.3.1

Vasyl Saienko (vsaienko)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/nova/+/893072

Changed in nova:
status: New → In Progress
sean mooney (sean-k-mooney) wrote :

Nova does not support internationalised hostnames so it does not support
https://www.rfc-editor.org/rfc/rfc5891

the conversion of the display name to a hostname is the best effort and we make no guarantee of its validity for DNS.

the conversion utility is intended to produce a valid hostname but it is not intended to be a domain name

nova could be enhanced to provide that functionality but i would be more inclined to remove the defaulting of the host name by converting the displayname and instead use the other fallback we already have which is to default to server-<uuid> in a new API microversion.

Changed in nova:
status: In Progress → Opinion
sean mooney (sean-k-mooney) wrote :

basically instead of calling sanitize_hostname

https://github.com/openstack/nova/blob/7a7427691e0bd4818bb7a2c5f5371e0244addbbb/nova/compute/api.py#L2054-L2056

we should just use the fallback to setting it to f'Server-{instance.uuid}'

that would require a new API micro version as it is a non-backward compatible change in the semantics of the API even if the request remains the same but any change to the semantics of sanitize_hostname should be considered the same.

we previously considered the details of the normalization to be a detail of nova not an API contract when we made a simpler change in https://bugs.launchpad.net/nova/+bug/1581977 and several years later operators were unhappy when they finally updated to the change as some had built product integrations that depended on the details of the semantics, which required us to add a new API feature https://specs.openstack.org/openstack/nova-specs/specs/2023.1/implemented/fqdn-in-hostname.html

as such I'm reluctant to change the semantics again without a wider discussion and/or a spec

Pavlo Shchelokovskyy (pshchelo) wrote :

> Nova does not support internationalised hostnames so it does not support

What matters is what dnsmasq supports.

I posit that as of now, if you take openstack + ml2/ovs networking on ubuntu 22.04 (with that 'new' dnsmasq version), you can't get working dhcp networking for an instance named "fo--o", because dnsmasq won't work for such a host name.
How we found it is that with nested enough Heat templates, there's a chance you get such a name auto-generated eventually.
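
An added example, not part of the bug report and not code from nova or dnsmasq: a Python check for the RFC 5891 section 4.2.3.1 hyphen restrictions the report cites, run over host-file lines copied from the description. The function names are hypothetical, and labels starting with `xn--` are passed through without Punycode validation (an assumption made to keep the example to the hyphen rule).

```python
# Host-file lines copied from the bug description (format: mac,name,ip).
SAMPLE_HOST_FILE = """\
fa:16:3e:d9:ba:17,amphora-ccee6c76-e565-496d-b841-f485a99dc865.openstack.internal.,10.10.10.142
fa:16:3e:c8:93:56,re--test-database-7ezitojxojun-server-01-lrdygbkrxkho.openstack.internal.,10.10.10.209
fa:16:3e:29:dc:fc,host-10-10-10-45.openstack.internal.,10.10.10.45
"""

HYPHEN_34 = "'--' in 3rd and 4th positions"
HYPHEN_EDGE = "leading or trailing hyphen"


def hyphen_violation(label):
    """Return the reason a label breaks the hyphen rules, or None if it passes."""
    if label.startswith("-") or label.endswith("-"):
        return HYPHEN_EDGE
    # "xn--" marks an A-label; its Punycode is not validated here (assumption:
    # only the hyphen rule is being illustrated).
    if label[2:4] == "--" and not label.lower().startswith("xn--"):
        return HYPHEN_34
    return None


def check_name(name):
    """Return [(label, reason)] for every offending label in a dotted name."""
    findings = []
    for label in name.rstrip(".").split("."):
        reason = hyphen_violation(label)
        if reason:
            findings.append((label, reason))
    return findings


def scan_host_file(text):
    """Return {line_number: [(label, reason)]} for 'mac,name,ip' lines."""
    results = {}
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.strip().split(",")
        if len(fields) != 3:
            continue  # not a mac,name,ip entry
        bad = check_name(fields[1])
        if bad:
            results[number] = bad
    return results


if __name__ == "__main__":
    for number, bad in scan_host_file(SAMPLE_HOST_FILE).items():
        print(f"line {number}: {bad}")
```

On the copied lines it flags line 2, the line named in the dnsmasq log message in the description.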
