Open Stack

** Summary changed:

- secgroup rules doesn't work for instance immediately
+ secgroup rules doesn't work for instance immediately (CVE-2015-7713)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1491307

Title:
  secgroup rules doesn't work for instance immediately (CVE-2015-7713)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Security Advisory:
  In Progress

Bug description:
  I have an OpenStack kilo setup on RHEL7.1 with a controller and a
  compute node (network-compute + network-network)，the config is
  following:

  # /etc/nova.nova.conf on contrller node
  [DEFAULT]
  network_api_class = nova.network.api.API
  security_group_api = nova

  # /etc/nova/nova.conf on compute node
  [DEFAULT]
  network_api_class = nova.network.api.API
  security_group_api = nova
  firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
  network_manager = nova.network.manager.FlatDHCPManager
  network_size = 254
  allow_same_net_traffic = False
  multi_host = True
  send_arp_for_ha = True
  share_dhcp_address = True
  force_dhcp_release = True
  flat_network_bridge = br100
  flat_interface = eth0
  public_interface = eth0

  steps for test 1:
  1) create and start VM instance-1 with secgroup default;
  2) VM instance-1 ping br100:  OK;  
  3) br100 ping VM instance-1: operation not permitted (because of no secgroup-rules for ICMP)
  4) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
  5) br100 ping VM instance-1: i got the same wrong message, not expected.

  steps for test 2:
  1) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
  2) create and start VM instance-2 with secgroup default;
  3) br100 ping instance-2: OK

  It seems that command "nova secgroup-add-rule ..." doesn't work
  immediately for the existed or running VM instances?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1491307/+subscriptions