[Openstack-security] [Bug 1360260] [NEW] 'allow_same_net_traffic=true' has no effect

danieru 1360260 at bugs.launchpad.net
Fri Aug 22 13:19:15 UTC 2014


Public bug reported:

environment: Ubuntu trusty, icehouse from repos. 
Setup per 'Openstack Installation Guide for Ubuntu 12.04/14.04 LTS' 

**brief**

two instances X and Y are members of security group A. Despite the
following explicit setting in nova.conf:

allow_same_net_traffic=True

...the instances are only allowed to communicate according to the rules
defined in security group A.


**detail**

I first noticed this attempting to run iperf between two instances on
the same security network; they were unable to connect via the default
TCP port 5001.

They were able to ping...looking at rules for the security group they
are associated with, ping was allowed, so I then suspected the
security group rules were being applied to all communication, despite
them being on the same security group.

To test, I added rules to group A that allowed all communication, and
associated the rules with itself (i.e. security group A) and voila, they
could talk!

I then thought I had remembered incorrectly that by default all traffic
is allowed between instances on the same security group, so I double-
checked the documentation, but according to the documentation I had
remembered correctly:

allow_same_net_traffic = True (BoolOpt) Whether to allow network traffic
from same network

...I searched through my nova.conf files, but there was no
'allow_same_net_traffic' entry, so the default ought to be True, right?
Just to be sure, I explicitly added:

allow_same_net_traffic = True

to nova.conf and restarted nova services, but the security group rules
are still being applied to communication between instances that are
associated with the same security group.

I thought the 'default' security group might be a special case, so I
tested on another security group, but still get the same behaviour.

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: allowsamenettraffic nova security

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1360260

Title:
  'allow_same_net_traffic=true' has no effect

Status in OpenStack Compute (Nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1360260/+subscriptions
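As an added illustration (not part of the bug report or of nova's code), a minimal evaluator for nova-style security group rules that reproduces what the reporter observed: with only the usual default-style rules, ICMP between two members of group A passes but TCP 5001 does not, and only a rule whose remote is the group itself opens intra-group traffic. The rule fields, group name and addresses are constructed for this example.

```python
# Added example: evaluate whether nova-style security group rules permit
# traffic between two members of the same group. Rule fields mirror the
# nova-network model (ip_protocol, from_port, to_port, and either a remote
# 'group_id' or a 'cidr'); all sample data below is constructed.
from ipaddress import ip_address, ip_network

GROUP_A = "A"  # constructed group identifier

def rule_matches(rule, proto, port, src_ip, src_groups):
    """True if one rule permits `proto`/`port` traffic from a source with
    address `src_ip` that belongs to the security groups `src_groups`."""
    if rule["ip_protocol"] != proto:
        return False
    if proto in ("tcp", "udp"):
        if not (rule["from_port"] <= port <= rule["to_port"]):
            return False
    # Remote-group rules match on the sender's group membership, not its IP.
    if rule.get("group_id") is not None:
        return rule["group_id"] in src_groups
    return ip_address(src_ip) in ip_network(rule["cidr"])

def intra_group_allowed(rules, proto, port, src_ip="10.0.0.11",
                        src_groups=(GROUP_A,)):
    """Does group A's rule set permit this traffic from another member of A?"""
    return any(rule_matches(r, proto, port, src_ip, src_groups) for r in rules)

# The reporter's starting point: ICMP and SSH from anywhere, nothing that
# references the group itself.
RULES_BEFORE = [
    {"ip_protocol": "icmp", "from_port": -1, "to_port": -1,
     "cidr": "0.0.0.0/0", "group_id": None},
    {"ip_protocol": "tcp", "from_port": 22, "to_port": 22,
     "cidr": "0.0.0.0/0", "group_id": None},
]

# The workaround the reporter applied: all-traffic rules whose remote is the
# group itself, so members of A may reach each other on any port.
RULES_AFTER = RULES_BEFORE + [
    {"ip_protocol": proto, "from_port": 1, "to_port": 65535,
     "cidr": None, "group_id": GROUP_A} for proto in ("tcp", "udp")
] + [{"ip_protocol": "icmp", "from_port": -1, "to_port": -1,
      "cidr": None, "group_id": GROUP_A}]

if __name__ == "__main__":
    print("ping before:", intra_group_allowed(RULES_BEFORE, "icmp", None))      # True
    print("iperf 5001 before:", intra_group_allowed(RULES_BEFORE, "tcp", 5001))  # False
    print("iperf 5001 after:", intra_group_allowed(RULES_AFTER, "tcp", 5001))    # True
```

Running the same evaluator over a real rule dump is a quick way to confirm whether a group's own rules, rather than any global setting, are what gate traffic between its members.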