[Openstack-security] [Bug 1491307] Re: secgroup rules doesn't work for instance immediately

Matt Riedemann mriedem at us.ibm.com
Fri Sep 11 13:59:10 UTC 2015


Per comment 5, this sounds like a duplicate of bug 1484738.  Before
comment 5 I was going to ask if there were any errors in the logs, but
comment 5 seems to confirm that.  So I wouldn't consider this a security
issue per se, it's just a code bug that was preventing things from
working properly and is now fixed in master (liberty) and backported to
stable/kilo and stable/juno.  As of this morning it's merged in
stable/juno and the fix in stable/kilo is going through the gate.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1491307

Title:
  secgroup rules doesn't work for instance immediately

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  I have an OpenStack kilo setup on RHEL7.1 with a controller and a
  compute node (network-compute + network-network); the config is as
  follows:

  # /etc/nova/nova.conf on controller node
  [DEFAULT]
  network_api_class = nova.network.api.API
  security_group_api = nova

  # /etc/nova/nova.conf on compute node
  [DEFAULT]
  network_api_class = nova.network.api.API
  security_group_api = nova
  firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
  network_manager = nova.network.manager.FlatDHCPManager
  network_size = 254
  allow_same_net_traffic = False
  multi_host = True
  send_arp_for_ha = True
  share_dhcp_address = True
  force_dhcp_release = True
  flat_network_bridge = br100
  flat_interface = eth0
  public_interface = eth0

  steps for test 1:
  1) create and start VM instance-1 with secgroup default;
  2) VM instance-1 ping br100: OK;
  3) br100 ping VM instance-1: operation not permitted (because of no secgroup-rules for ICMP)
  4) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
  5) br100 ping VM instance-1: I got the same error message, which was not expected.

  steps for test 2:
  1) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
  2) create and start VM instance-2 with secgroup default;
  3) br100 ping instance-2: OK

  It seems that the command "nova secgroup-add-rule ..." doesn't work
  immediately for existing or running VM instances?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1491307/+subscriptions
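The two tests in the report compare behaviour through ping alone. The check a practitioner would want on the compute node is whether the new security-group rule ever reached the per-instance iptables chain that nova's libvirt IptablesFirewallDriver maintains, because that is where the "before" state of test 1 and the "after" state of test 2 differ. The following is an added example for this thread, not code from nova or from the reporter. It assumes the per-instance chain is named nova-compute-inst-<id> and that `nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0` renders as `-p icmp -j ACCEPT` without an --icmp-type match; verify both against your own `iptables-save -t filter` output before relying on it. The sample iptables-save text is constructed to mirror the report: instance 1 booted before the rule was added and has no ICMP rule, instance 2 booted afterwards and does.

```python
"""Verify that a nova-network security-group rule has reached the
per-instance iptables chain on a compute node (added example, not nova code).

Assumptions: chain name nova-compute-inst-<id>; an 'icmp -1 -1 <cidr>'
secgroup rule renders as '-p icmp [-s <cidr>] -j ACCEPT' with no --icmp-type.
"""
import shlex
import subprocess
import time
from ipaddress import ip_network

# Constructed sample of `iptables-save -t filter` output modelled on the
# report: inst-1 lacks the ICMP rule (test 1), inst-2 has it (test 2).
SAMPLE_IPTABLES_SAVE = """\
*filter
:nova-compute-inst-1 - [0:0]
:nova-compute-inst-2 - [0:0]
:nova-compute-sg-fallback - [0:0]
-A nova-compute-inst-1 -m state --state INVALID -j DROP
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -s 10.0.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-inst-2 -m state --state INVALID -j DROP
-A nova-compute-inst-2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-2 -s 10.0.0.1/32 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A nova-compute-inst-2 -p icmp -j ACCEPT
-A nova-compute-inst-2 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
COMMIT
"""


def instance_chain(instance_id):
    return "nova-compute-inst-%s" % instance_id  # assumed naming scheme


def chain_rules(save_text, chain):
    """Parse the '-A <chain> ...' lines of iptables-save output.

    Each rule becomes a dict: proto, src (ip_network; no -s means any
    source), icmp_type (None when every ICMP type matches), target.
    Matches that are not modelled (-m state, --dport, ...) are skipped.
    """
    rules = []
    for line in save_text.splitlines():
        if not line.startswith("-A %s " % chain):
            continue
        args = shlex.split(line)[2:]
        rule = {"proto": None, "src": ip_network("0.0.0.0/0"),
                "icmp_type": None, "target": None}
        i = 0
        while i < len(args):
            opt = args[i]
            if opt in ("-p", "--protocol"):
                rule["proto"] = args[i + 1]; i += 2
            elif opt in ("-s", "--source"):
                rule["src"] = ip_network(args[i + 1]); i += 2
            elif opt == "--icmp-type":
                rule["icmp_type"] = args[i + 1]; i += 2
            elif opt in ("-j", "--jump"):
                rule["target"] = args[i + 1]; i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def rule_materialised(rules, proto, cidr, icmp_type=None):
    """True if some ACCEPT rule for `proto` covers every address in `cidr`.

    icmp_type=None stands for the '-1 -1' (any type/code) rule of the
    report, so only a rule without --icmp-type satisfies it.
    """
    want = ip_network(cidr)
    for r in rules:
        if r["target"] != "ACCEPT" or r["proto"] != proto:
            continue
        if not want.subnet_of(r["src"]):
            continue
        if icmp_type is None and r["icmp_type"] is not None:
            continue
        if icmp_type is not None and r["icmp_type"] not in (None, icmp_type):
            continue
        return True
    return False


def live_iptables_save():
    """Fetch the real filter table; run on the compute node as root."""
    return subprocess.check_output(["iptables-save", "-t", "filter"]).decode()


def wait_for_rule(fetch, instance_id, proto, cidr, timeout=30.0, interval=1.0):
    """Poll fetch() until the rule is in the instance chain or timeout passes.

    False on timeout is the symptom of test 1: the rule exists in the API
    but never reaches the running instance's chain.
    """
    deadline = time.monotonic() + timeout
    chain = instance_chain(instance_id)
    while True:
        if rule_materialised(chain_rules(fetch(), chain), proto, cidr):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


if __name__ == "__main__":
    # Run right after `nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0`.
    ok = wait_for_rule(live_iptables_save, 1, "icmp", "0.0.0.0/0", timeout=10)
    print("icmp rule reached instance 1:", ok)
```

Run it on the compute node immediately after adding the rule; a False result with no error in the nova-compute log is the situation the report describes, while a True result followed by a failing ping points at something outside the firewall driver (the fallback chain, the bridge, or the guest itself).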

More information about the Openstack-security mailing list