[Bug 2121564] Re: [MIR] neutron
Giampaolo Fresi Roglia
2121564 at bugs.launchpad.net
Wed Apr 15 09:26:21 UTC 2026
I reviewed neutron 2:28.0.0~b2+git20260121.28.762694d1bd-0ubuntu1 as
checked into resolute. This shouldn't be considered a full audit but
rather a quick gauge of maintainability.
neutron is the core networking service for OpenStack. It is a
Networking as a Service (NaaS) provider that allows users to create
and manage virtual network resources.
- CVE History
  - 30 CVEs since 2013
    So far the CVEs have been promptly addressed by upstream.
- Build-Depends
  - debhelper-compat (= 13),
  - dh-apache2,
  - dh-python,
  - apache2-dev,
  - openstack-pkg-tools (>= 119ubuntu1~),
  - python3-all,
  - python3-pbr (>= 4.0.0),
  - python3-setuptools,
  - crudini,
  - iproute2,
  - python3-alembic (>= 1.6.5),
  - python3-astroid (>= 2.3.3),
  - python3-bandit (>= 1.1.0),
  - python3-bashate (>= 0.5.1),
  - python3-ddt (>= 1.2.1),
  - python3-debtcollector (>= 1.19.0),
  - python3-decorator (>= 4.1.0),
  - python3-designateclient (>= 2.7.0),
  - python3-eventlet (>= 0.36.1),
  - python3-fixtures (>= 3.0.0),
  - python3-futurist (>= 1.2.0),
  - python3-hacking,
  - python3-httplib2 (>= 0.22.0),
  - python3-isort (>= 4.3.21),
  - python3-jinja2 (>= 2.10),
  - python3-keystoneauth1 (>= 3.14.0),
  - python3-keystonemiddleware (>= 5.1.0),
  - python3-netaddr (>= 0.7.18),
  - python3-netifaces (>= 0.10.4),
  - python3-neutron-lib (>= 3.17.0),
  - python3-neutronclient (>= 1:7.8.0),
  - python3-novaclient (>= 2:9.1.0),
  - python3-openssl (>= 17.1.0),
  - python3-openstackdocstheme (>= 2.2.1),
  - python3-openstacksdk (>= 0.31.2),
  - python3-openvswitch (>= 2.12.0),
  - python3-os-ken (>= 3.0.0),
  - python3-os-resource-classes (>= 1.1.0),
  - python3-os-testr (>= 1.0.0),
  - python3-os-vif (>= 3.1.0),
  - python3-oslo.cache (>= 1.26.0),
  - python3-oslo.concurrency (>= 3.26.0),
  - python3-oslo.config (>= 1:9.4.0),
  - python3-oslo.context (>= 1:2.22.0),
  - python3-oslo.db (>= 4.44.0),
  - python3-oslo.i18n (>= 3.20.0),
  - python3-oslo.log (>= 5.3.0),
  - python3-oslo.messaging (>= 7.0.0),
  - python3-oslo.middleware (>= 3.31.0),
  - python3-oslo.policy (>= 4.5.0),
  - python3-oslo.privsep (>= 2.3.0),
  - python3-oslo.reports (>= 1.18.0),
  - python3-oslo.rootwrap (>= 5.15.0),
  - python3-oslo.serialization (>= 5.5.0),
  - python3-oslo.service (>= 3.5.0),
  - python3-oslo.upgradecheck (>= 1.3.0),
  - python3-oslo.utils (>= 7.3.0),
  - python3-oslo.versionedobjects (>= 1.35.1),
  - python3-oslotest (>= 1:3.2.0),
  - python3-osprofiler (>= 2.3.0),
  - python3-ovsdbapp (>= 2.11.0),
  - python3-paste (>= 2.0.2),
  - python3-pastedeploy (>= 1.5.0),
  - python3-pecan (>= 1.4.0),
  - python3-psutil (>= 5.3.0),
  - python3-pycodestyle (>= 2.0.0),
  - python3-pymysql (>= 0.7.6),
  - python3-pyroute2 (>= 0.7.3),
  - python3-requests (>= 2.32.3),
  - python3-routes (>= 2.3.1),
  - python3-sphinx (>= 2.2.0),
  - python3-sphinx-feature-classification (>= 1.0.0),
  - python3-sqlalchemy (>= 1.4.23),
  - python3-stestr (>= 1.0.0),
  - python3-stevedore (>= 1:2.0.1),
  - python3-subunit (>= 1.0.0),
  - python3-tempest (>= 1:16.1.0),
  - python3-tenacity (>= 6.0.0),
  - python3-testrepository (>= 0.0.18),
  - python3-testresources (>= 2.0.0),
  - python3-testscenarios (>= 0.4),
  - python3-testtools (>= 2.2.0),
  - python3-tooz (>= 1.58.0),
  - python3-webob (>= 1:1.8.2),
  - python3-webtest (>= 2.0.27),
  - rename,
- pre/post inst/rm scripts
  - they seem to be fine.
- init scripts
  - neutron-dhcp-agent
  - neutron-l3-agent
  - neutron-macvtap-agent
  - neutron-metadata-agent
  - neutron-metering-agent
  - neutron-openvswitch-agent
  - neutron-ovs-cleanup
  - neutron-ovn-agent
  - neutron-ovn-maintenance-worker
  - neutron-ovn-metadata-agent
  - neutron-periodic-workers
  - neutron-rpc-server
  - neutron-sriov-agent
- systemd units
  - neutron-dhcp-agent.service
  - neutron-l3-agent.service
  - neutron-macvtap-agent.service
  - neutron-metadata-agent.service
  - neutron-metering-agent.service
  - neutron-openvswitch-agent.service
  - neutron-ovs-cleanup.service
  - neutron-ovn-agent.service
  - neutron-ovn-maintenance-worker.service
  - neutron-ovn-metadata-agent.service
  - neutron-periodic-workers.service
  - neutron-rpc-server.service
  - neutron-sriov-agent.service
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - /usr/bin/ml2ovn-trace
  - /usr/bin/neutron-db-manage
  - /usr/bin/neutron-dhcp-agent
  - /usr/bin/neutron-ipset-cleanup
  - /usr/bin/neutron-keepalived-state-change
  - /usr/bin/neutron-l3-agent
  - /usr/bin/neutron-macvtap-agent
  - /usr/bin/neutron-metadata-agent
  - /usr/bin/neutron-metering-agent
  - /usr/bin/neutron-netns-cleanup
  - /usr/bin/neutron-openvswitch-agent
  - /usr/bin/neutron-ovn-agent
  - /usr/bin/neutron-ovn-db-sync-util
  - /usr/bin/neutron-ovn-maintenance-worker
  - /usr/bin/neutron-ovn-metadata-agent
  - /usr/bin/neutron-ovn-migration-mtu
  - /usr/bin/neutron-ovs-cleanup
  - /usr/bin/neutron-periodic-workers
  - /usr/bin/neutron-remove-duplicated-port-bindings
  - /usr/bin/neutron-rootwrap
  - /usr/bin/neutron-rootwrap-daemon
  - /usr/bin/neutron-rpc-server
  - /usr/bin/neutron-sanitize-port-binding-profile-allocation
  - /usr/bin/neutron-sanitize-port-mac-addresses
  - /usr/bin/neutron-sanity-check
  - /usr/bin/neutron-sriov-nic-agent
  - /usr/bin/neutron-status
  - /usr/bin/neutron-usage-audit
- sudo fragments
  - neutron-common
    - etc/sudoers.d/neutron_sudoers
      contains an entry to allow the neutron user to run the
      neutron-rootwrap command. The command is a wrapper that allows
      execution of commands present in a pre-approved list.
      The filtering system seems robust, as I did not find any way to
      bypass it.
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - autopkgtests
    the autopkgtests perform a few smoke tests.
  - unit tests
    the package contains an extensive test suite.
    the test suite is run at build time and the build fails in case of
    any test failure.
- cron jobs
  - none
- Build logs
  - Some deprecation warnings are present but nothing to be worried
    about.
- Processes spawned
  - some functions make use of subprocess.Popen(). As far as I can
    tell no user input is involved in building the commands to be
    executed by Popen().
- Memory management
  - N/A
- File IO
  - If we exclude the unit tests, file names are generally derived
    from constants and configuration values. I did not see any user
    input involved in deriving file names. No issues here.
- Logging
  - Logging appears to be done safely through the logger packaged in
    the python3-oslo.log package.
- Environment variable usage
  - No, only in some tests.
- Use of privileged functions
  - the agent uses setuid, setgid and setgroups for the purpose of
    dropping privileges as part of the daemonizing process.
- Use of cryptography / random number sources etc
  - No signs of custom cryptography functions. The neutron server can
    use ssl to connect to its agents. The certificates are verified,
    although the host field is not.
- Use of temp files
  - only in tests.
- Use of networking
  - For its nature neutron extensively uses networking functions. The
    code seems to be well written and tested. I did not see anything
    critical here.
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - None
- Any significant Coverity results
  - None
- Any significant shellcheck results
  - A lot of warnings but nothing worth reporting.
- Any significant bandit results
  - The vast majority of the findings involves the testsuite. The few
    that impact neutron seem to be false positives.
- Any significant govulncheck results
  - None
- Any significant Semgrep results
  - just false positives.
The package is complex but it appears to be well written and tested.
Upstream appears to be responsive with respect to fixing bugs. The
outcome of the review is positive.
Security team ACK for promoting neutron to main.
** Changed in: neutron (Ubuntu)
Status: New => In Progress
** Changed in: neutron (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to neutron in Ubuntu.
https://bugs.launchpad.net/bugs/2121564
Title:
[MIR] neutron
Status in neutron package in Ubuntu:
In Progress
Bug description:
Please note this is a re-review for an OpenStack package already in
main. An effort is being made to retroactively perform MIRs for
packages that predate the modern process. This is a low priority task.
[Availability]
The package neutron is already in Ubuntu main. This review is intended to be a re-review for a package that predates the current MIR process.
The package neutron builds for the architectures it is designed to work on.
It currently builds and works for architectures: all - amd64 build: https://launchpad.net/ubuntu/+source/neutron/2:26.0.1+git2025070714.71962255de-0ubuntu2/+build/31098638
Link to package https://launchpad.net/ubuntu/+source/neutron
[Rationale]
- The package neutron is required in Ubuntu main as part of the OpenStack software suite on Ubuntu.
- The package neutron will generally be useful for a large part of
our user base - all users of OpenStack on Ubuntu.
- There is no other/better way to solve this that is already in main or
should go universe->main instead of this.
- Package was in main before. It appears that neutron pre-dates the modern MIR process and no MIR was ever filed for this package. It has been in Ubuntu main since at least 2014.
- All binary packages built by neutron need to be in main to achieve supported Ubuntu OpenStack deployments with neutron covering all OVS/OVN backends and optional agents. The following binaries are built by neutron:
- neutron-api
- neutron-common
- neutron-dhcp-agent
- neutron-l3-agent
- neutron-macvtap-agent
- neutron-metadata-agent
- neutron-metering-agent
- neutron-openvswitch-agent
- neutron-ovn-agent
- neutron-ovn-maintenance-worker
- neutron-ovn-metadata-agent
- neutron-periodic-workers
- neutron-plugin-ml2
- neutron-rpc-server
- neutron-server (transitional - being replaced by neutron-rpc-server)
- neutron-sriov-agent
- python3-neutron
This is a re-review of a package already in main so there is no
definitive deadline for approval.
[Security]
- Had 30 security issues in the past between 2013 and 2025
- https://ubuntu.com/security/cves?package=neutron
- These CVEs are typically promptly addressed by the upstream or Debian team and comments are made by the Ubuntu Security Team as to a plan of action for addressing them.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install services, timers or recurring jobs
- native systemd units: neutron-openvswitch-agent.service, neutron-ovs-cleanup.service
- SysV init templates exposed by systemd as services: neutron-dhcp-agent.service, neutron-l3-agent.service, neutron-macvtap-agent.service, neutron-metadata-agent.service, neutron-metering-agent.service, neutron-openvswitch-agent.service, neutron-ovn-agent.service, neutron-ovn-maintenance-worker.service, neutron-ovn-metadata-agent.service, neutron-periodic-workers.service, neutron-rpc-server.service, neutron-sriov-agent.service, neutron-ovs-cleanup.service
- Security has been kept in mind and common isolation/risk-mitigation
patterns are in place utilizing the following features:
- Runs as dedicated neutron user; privileged operations go through oslo.privsep helper replacing sudo/rootwrap usage
- Systemd units drop privileges to the service user; packaging follows Debian layout with unit files under /usr/lib/systemd/system.
- DHCP is provided by dnsmasq processes spawned within per-network namespaces by neutron-dhcp-agent, keeping DHCP exposure scoped to those namespaces.
- Package daemons do not open privileged ports (ports < 1024), but when the DHCP agent is used, the spawned dnsmasq binds UDP 67 within the DHCP namespace by design.
- Package does expose an external endpoint, it is TCP 9696 for public/internal/admin endpoints (neutron-api).
- Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/neutron/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=neutron
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/neutron/2:26.0.1+git2025070714.71962255de-0ubuntu2/+build/31098638
- The package runs an autopkgtest, and is currently passing on amd64, link to test logs: https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/n/neutron/20250822_152714_3de7b@/log.gz
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works - looks for updates in tarballs.opendev.org, pulls correct version when running uscan.
- debian/control defines a correct Maintainer field - Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package: https://launchpadlibrarian.net/812643973/buildlog_ubuntu-questing-amd64.neutron_2%3A26.0.1+git2025070714.71962255de-0ubuntu2_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging is relatively complex, but that is ok because this is a complex piece of software with many binaries that is meant to interact with complex OpenStack deployments. d/rules is fairly simple though the debian directory contains many .init.in, postinst, .install, etc. files.
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because this file is only meant to be accessed through the CLI or an OpenStack web dashboard.
[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate
all dependencies or recommends are in main.
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team is already ubuntu-openstack and I have their acknowledgment for
that commitment
- The owning team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/neutron/2:26.0.1+git2025070714.71962255de-0ubuntu2/+build/31098638
[Background information]
The Package description explains the package well
Upstream Name is neutron
Link to upstream project: https://opendev.org/openstack/neutron
Lintian --pedantic output:
ubuntu at questing-vm:~$ lintian --pedantic neutron_26.0.1+git2025070714.71962255de-0ubuntu2.dsc
W: neutron source: obsolete-runtime-tests-restriction needs-recommends [debian/tests/control:23]
W: neutron source: obsolete-runtime-tests-restriction needs-recommends [debian/tests/control:9]
W: neutron source: superfluous-file-pattern tools/rfc.sh [debian/copyright:26]
P: neutron source: maintainer-manual-page [debian/mans/neutron-openvswitch-agent.8]
P: neutron source: maintainer-manual-page [debian/mans/neutron-rootwrap.8]
P: neutron source: maintainer-manual-page [debian/mans/neutron-server.8]
P: neutron source: trailing-whitespace [debian/changelog:1140]
P: neutron source: trailing-whitespace [debian/changelog:1175]
P: neutron source: trailing-whitespace [debian/changelog:1176]
P: neutron source: trailing-whitespace ... use "--tag-display-limit 0" to see all (or pipe to a file/program)
P: neutron source: unversioned-copyright-format-uri http://dep.debian.net/deps/dep5 [debian/copyright]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/neutron/+bug/2121564/+subscriptions
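The review's sudoers point rests on neutron-rootwrap gating every privileged command against a pre-approved filter list. As an added illustration of how such an allowlist gate is evaluated (this is not the reviewer's code nor oslo.rootwrap's own implementation), the following simplified Python model parses a constructed filter file in the `[Filters]` layout and implements two filter classes; the filter entries, the basename matching of the executable, and the requirement that a RegExpFilter cover every argument exactly are assumptions of this model.

```python
import configparser
import re
import shlex

# Constructed filter file (an assumption for this example), one entry per
# line: name: FilterClass, executable, run-as user, per-argument patterns.
FILTERS_INI = r"""
[Filters]
ovs: CommandFilter, ovs-vsctl, root
ip_ns: RegExpFilter, ip, root, ip, netns, exec, [a-z0-9_-]+, ip, (link|addr|route)
sysctl: RegExpFilter, sysctl, root, sysctl, -w, net\.ipv4\.ip_forward=[01]
"""


class CommandFilter:
    """Allow any invocation of the named executable (matched by basename)."""

    def __init__(self, exe):
        self.exe = exe

    def matches(self, argv):
        return bool(argv) and argv[0].rsplit("/", 1)[-1] == self.exe


class RegExpFilter(CommandFilter):
    """Allow only when argv has the expected length and every argument after
    the executable fully matches its pattern (no partial or extra args)."""

    def __init__(self, exe, patterns):
        super().__init__(exe)
        self.patterns = [re.compile(p) for p in patterns]

    def matches(self, argv):
        if not super().matches(argv) or len(argv) != len(self.patterns):
            return False
        return all(p.fullmatch(a) for p, a in zip(self.patterns[1:], argv[1:]))


def load_filters(text):
    """Parse the [Filters] section into filter objects; unknown classes fail closed."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    filters = []
    for _name, spec in cp.items("Filters"):
        kind, exe, _user, *args = [f.strip() for f in spec.split(",")]
        if kind == "CommandFilter":
            filters.append(CommandFilter(exe))
        elif kind == "RegExpFilter":
            filters.append(RegExpFilter(exe, args))
        else:
            raise ValueError(f"unknown filter class {kind!r}")
    return filters


FILTERS = load_filters(FILTERS_INI)


def is_allowed(command, filters=FILTERS):
    """Deny by default: True only if some filter accepts the whole argv."""
    argv = shlex.split(command)
    return any(f.matches(argv) for f in filters)
```

A CommandFilter is deliberately coarse (any `ovs-vsctl` invocation passes), which is why a review of such fragments focuses on how many entries can be narrowed to RegExpFilter-style argument constraints.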