[Bug 2121564] Re: [MIR] neutron
Pushkar Kulkarni
2121564 at bugs.launchpad.net
Tue Nov 25 06:48:36 UTC 2025
MIR: src:neutron
[Summary]
Neutron is an OpenStack project that provides “network-connectivity as a
service” between interface devices (e.g vNICs) that are managed by other
services like nova. It implements the OpenStack networking API.
Neutron is already in main. This is a re-review.
MIR team ACK under the constraint to, as much as possible, having a look at the
recommended TODOs.
This does need a security review, so I'll assign ubuntu-security.
List of specific binary packages to be promoted to main: All
Specific binary packages built, but NOT to be promoted to main: None
Notes:
#0 - The neutron packaging on Ubuntu seems to be independent of neutron on Debian. There is no evidence of periodic syncing (or merging).
#1 - The latest upstream release (v27.0.1) is not packaged yet.
Recommended TODOs:
#2 - Neutron includes SysV templates that are run as systemd units. What User are these run as? Please confirm that they are run as a non-root user. Please refer to the Security section.
#3 - Though the neutron package seems to build successfully on resolute
on Launchpad, I experienced a test hang twice, while building in a local
resolute chroot. Please see the Common Blockers section below. Could
this be an infrastructure/environment issue?
#4 - There are a significant number of lintian warnings that need to be
addressed. Please refer to the Packaging Red Flags section.
#5 - There are uses of setuid/setgid outside of tests, as noted in the
Upstream Red Flags section. Can this be addressed vis-a-vis the MIR
requirement of not using setuid/setgid?
#6 - The dhcp agent runs dnsmasq as user nobody. Can this be addressed
in regard to the MIR requirement of not using user `nobody` outside of
tests.
[Rationale, Duplication, Ownership]
OK:
- There is no other package in main providing the same functionality.
- A team is committed to own long term maintenance of this package.
- The rationale given in the report seems valid and useful for Ubuntu.
Problems: None
[Dependencies]
OK:
- no other runtime Dependencies to MIR due to this
- no other build-time Dependencies with active code in the final binaries to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring more tests now.
Problems: None
[Embedded Sources and Static Linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- does not run a daemon as root
=> Includes two native systemd units that are run with User=neutron.
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
=> the API does parse JSON, but only on authorization
- does not expose any external endpoint (port/socket/... or similar)
=> exposes port TCP 9696 for public/internal/admin endpoints (neutron-api)
=> when the DHCP agent is used, the spawned dnsmasq binds UDP 67 within the DHCP namespace by design
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features (dropping permissions, using temporary environments,
restricted users/groups, seccomp, systemd isolation features,
apparmor, ...)
=> oslo.privsep is used to run privileged operations.
Problems:
- does not run a daemon as root
=> Neutron includes SysV init templates that are exposed as systemd units. What User are these run as?
- history of CVEs does look concerning
=> Neutron has received 30 CVE reports. Though these have been medium-low in priority, I would request a Security review of them.
[Common Blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- Python package, but using dh_python
Problems:
- FTBFS in a resolute chroot on my laptop intermittently
=> https://pastebin.ubuntu.com/p/fChQ2Hv2KC/
[Packaging Red Flags]
OK:
- symbol tracking not relevant for this package
- debian/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
=> this is already in main
- debian/rules is rather clean
- It is not on the lto-disabled list
(fix, or the workaround should be directly in the package,
see https://launchpad.net/ubuntu/+source/lto-disabled-list)
Problems:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
=> The neutron packaging on Ubuntu seems to be independent of the same on Debian
https://salsa.debian.org/openstack-team/services/neutron.
- the current release is not packaged
=> 27.0.1 seems to be the latest release.
- lintian warnings
=> there are quite a few lintian warnings reported.
See https://pastebin.ubuntu.com/p/f3frVDwYf3/
[Upstream Red Flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests)
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
Problems:
- use of setuid/setgid
=> Is this justified?
neutron/agent/linux/daemon.py:46:def setuid(user_id_or_name):
neutron/agent/linux/daemon.py:53: os.setuid(new_uid)
neutron/agent/linux/daemon.py:60:def setgid(group_id_or_name):
neutron/agent/linux/daemon.py:67: os.setgid(new_gid)
neutron/agent/linux/daemon.py:111: setgid(group)
neutron/agent/linux/daemon.py:114: setuid(user)
- possible use of user 'nobody' outside of tests
=> if the dhcp agent is used, dnsmasq runs as nobody.
** Changed in: neutron (Ubuntu)
Assignee: Pushkar Kulkarni (pushkarnk) => Ubuntu Security Team (ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/2121564
Title:
[MIR] neutron
Status in neutron package in Ubuntu:
New
Bug description:
Please note this is a re-review for an OpenStack package already in
main. An effort is being made to retroactively perform MIRs for
packages that predate the modern process. This is a low priority task.
[Availability]
The package neutron is already in Ubuntu main. This review is intended to be a re-review for a package that predates the current MIR process.
The package neutron builds for the architectures it is designed to work on.
It currently builds and works for architectures: all - amd64 build: https://launchpad.net/ubuntu/+source/neutron/2:26.0.1+git2025070714.71962255de-0ubuntu2/+build/31098638
Link to package https://launchpad.net/ubuntu/+source/neutron
[Rationale]
- The package neutron is required in Ubuntu main as part of the OpenStack software suite on Ubuntu.
- The package neutron will generally be useful for a large part of
our user base - all users of OpenStack on Ubuntu.
- There is no other/better way to solve this that is already in main or
should go universe->main instead of this.
- Package was in main before. It appears that neutron pre-dates the modern MIR process and no MIR was ever filed for this package. It has been in Ubuntu main since at least 2014.
- All binary packages built by neutron need to be in main to achieve supported Ubuntu OpenStack deployments with neutron covering all OVS/OVN backends and optional agents. The following binaries are built by neutron:
- neutron-api
- neutron-common
- neutron-dhcp-agent
- neutron-l3-agent
- neutron-macvtap-agent
- neutron-metadata-agent
- neutron-metering-agent
- neutron-openvswitch-agent
- neutron-ovn-agent
- neutron-ovn-maintenance-worker
- neutron-ovn-metadata-agent
- neutron-periodic-workers
- neutron-plugin-ml2
- neutron-rpc-server
- neutron-server (transitional - being replaced by neutron-rpc-server)
- neutron-sriov-agent
- python3-neutron
This is a re-review of a package already in main so there is no
definitive deadline for approval.
[Security]
- Had 30 security issues in the past between 2013 and 2025
- https://ubuntu.com/security/cves?package=neutron
- These CVEs are typically promptly addressed by the upsteam or Debian team and comments are made by the Ubuntu Security Team as to a plan of action for addressing them.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install services, timers or recurring jobs
- native systemd units: neutron-openvswitch-agent.service, neutron-ovs-cleanup.service
- SysV init templates exposed by systemd as services: neutron-dhcp-agent.service, neutron-l3-agent.service, neutron-macvtap-agent.service, neutron-metadata-agent.service, neutron-metering-agent.service, neutron-openvswitch-agent.service, neutron-ovn-agent.service, neutron-ovn-maintenance-worker.service, neutron-ovn-metadata-agent.service, neutron-periodic-workers.service, neutron-rpc-server.service, neutron-sriov-agent.service, neutron-ovs-cleanup.service
- Security has been kept in mind and common isolation/risk-mitigation
patterns are in place utilizing the following features:
- Runs as dedicated neutron user; privileged operations go through oslo.privsep helper replacing sudo/rootwrap usage
- Systemd units drop privileges to the service user; packaging follows Debian layout with unit files under /usr/lib/systemd/system.
- DHCP is provided by dnsmasq processes spawned within per-network namespaces by neutron-dhcp-agent, keeping DHCP exposure scoped to those namespaces.
- Package daemons do not open privileged ports (ports < 1024) but but when the DHCP agent is used, the spawned dnsmasq binds UDP 67 within the DHCP namespace by design.
- Package does expose an external endpoint, it is TCP 9696 for public/internal/admin endpoints (neutron-api).
- Packages does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/neutron/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=neutron
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/neutron/2:26.0.1+git2025070714.71962255de-0ubuntu2/+build/31098638
- The package runs an autopkgtest, and is currently passing on amd64, link to test logs: https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/n/neutron/20250822_152714_3de7b@/log.gz
- The package does have not failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works - looks for updates in tarballs.opendev.org, pulls correct version when running uscan.
- debian/control defines a correct Maintainer field - Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package: https://launchpadlibrarian.net/812643973/buildlog_ubuntu-questing-amd64.neutron_2%3A26.0.1+git2025070714.71962255de-0ubuntu2_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging is relatively complex, but that is ok because this is a complex piece of software with many binaries that is meant to interact with complex OpenStack deployments. d/rules is fairly simple though the debian directory contains many .init.in, postinst, .install, etc. files.
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because this file is only meant to be accessed through the CLI or an OpenStack web dashboard.
[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate
all dependencies or recommends are in main.
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team is already ubuntu-openstack and I have their acknowledgment for
that commitment
- The owning team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/neutron/2:26.0.1+git2025070714.71962255de-0ubuntu2/+build/31098638
[Background information]
The Package description explains the package well
Upstream Name is neutron
Link to upstream project: https://opendev.org/openstack/neutron
Lintian –pedantic output:
ubuntu at questing-vm:~$ lintian --pedantic neutron_26.0.1+git2025070714.71962255de-0ubuntu2.dsc
W: neutron source: obsolete-runtime-tests-restriction needs-recommends [debian/tests/control:23]
W: neutron source: obsolete-runtime-tests-restriction needs-recommends [debian/tests/control:9]
W: neutron source: superfluous-file-pattern tools/rfc.sh [debian/copyright:26]
P: neutron source: maintainer-manual-page [debian/mans/neutron-openvswitch-agent.8]
P: neutron source: maintainer-manual-page [debian/mans/neutron-rootwrap.8]
P: neutron source: maintainer-manual-page [debian/mans/neutron-server.8]
P: neutron source: trailing-whitespace [debian/changelog:1140]
P: neutron source: trailing-whitespace [debian/changelog:1175]
P: neutron source: trailing-whitespace [debian/changelog:1176]
P: neutron source: trailing-whitespace ... use "--tag-display-limit 0" to see all (or pipe to a file/program)
P: neutron source: unversioned-copyright-format-uri http://dep.debian.net/deps/dep5 [debian/copyright]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/2121564/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list