[Openstack-security] [Bug 1491307] Re: secgroup rules doesn't work for instance immediately

Tristan Cacqueray tdecacqu at redhat.com
Wed Sep 23 14:23:33 UTC 2015


Matt, that is fine to me, this bug describes the security impact of bug
1484738, and I propose to use it for the OSSA tasks. The advisory can
reference the former bug 1484738.

@suntao, can you confirm your attribution is correct:

Title: Nova network security group changes are not applied to running instances
Reporter: Sreekumar S and Suntao
Products: Nova
Affects: versions through 2014.2.3, and 2015.1 versions through 2015.1.1

Description:
Sreekumar S and Suntao independently reported a vulnerability in Nova network. Security group changes silently fail to be applied to already running instances, potentially resulting in instances not being protected by their security group. All Nova network setups are affected.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1491307

Title:
  secgroup rules doesn't work for instance immediately

Status in OpenStack Compute (nova):
  Fix Committed
Status in OpenStack Security Advisory:
  Triaged

Bug description:
  I have an OpenStack kilo setup on RHEL7.1 with a controller and a
  compute node (network-compute + network-network), the config is
  as follows:

  # /etc/nova/nova.conf on controller node
  [DEFAULT]
  network_api_class = nova.network.api.API
  security_group_api = nova

  # /etc/nova/nova.conf on compute node
  [DEFAULT]
  network_api_class = nova.network.api.API
  security_group_api = nova
  firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
  network_manager = nova.network.manager.FlatDHCPManager
  network_size = 254
  allow_same_net_traffic = False
  multi_host = True
  send_arp_for_ha = True
  share_dhcp_address = True
  force_dhcp_release = True
  flat_network_bridge = br100
  flat_interface = eth0
  public_interface = eth0

  steps for test 1:
  1) create and start VM instance-1 with secgroup default;
  2) VM instance-1 ping br100: OK;
  3) br100 ping VM instance-1: operation not permitted (because of no secgroup-rules for ICMP)
  4) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
  5) br100 ping VM instance-1: I got the same wrong message, not expected.

  steps for test 2:
  1) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0;
  2) create and start VM instance-2 with secgroup default;
  3) br100 ping instance-2: OK

  It seems that command "nova secgroup-add-rule ..." doesn't work
  immediately for existing or running VM instances?

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1491307/+subscriptions
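The report above shows that the API accepting a rule is no guarantee that the compute host enforces it. The following is an added example, not code from the bug thread or from Nova itself: an audit check an operator can run against the output of `iptables -S` on a compute node to confirm that every expected security group rule has actually landed in each instance's chain. The chain naming (`nova-compute-inst-<id>`), the constructed iptables dump and the expected rule list are assumptions for illustration; verify the chain names on your own host before relying on them.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of `iptables -S` on a compute node, trimmed to the
# per-instance chains. Instance 1 was started before the ICMP and SSH
# rules were added and (as in the report) never received them; instance 2
# was started afterwards and has them. Chain names follow the
# "nova-compute-inst-<id>" convention (assumption).
IPTABLES_SAVE_SAMPLE = """\
-N nova-compute-inst-1
-N nova-compute-inst-2
-A nova-compute-inst-1 -m state --state INVALID -j DROP
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-inst-2 -m state --state INVALID -j DROP
-A nova-compute-inst-2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-2 -s 0.0.0.0/0 -p icmp -j ACCEPT
-A nova-compute-inst-2 -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-2 -j nova-compute-sg-fallback
"""

# Rules as the security group API reports them (constructed). The first one
# mirrors "nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0" from the report.
EXPECTED_RULES: List[dict] = [
    {"protocol": "icmp", "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/24"},
]

APPEND_RE = re.compile(r"^-A (?P<chain>\S+)(?P<rest>.*)$")


def _opt(pattern: str, text: str) -> Optional[str]:
    """Return the first capture group of `pattern` in `text`, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def _ports(rest: str) -> Optional[Tuple[int, int]]:
    """Extract a destination port range from `--dport N` or `--dports A:B`."""
    single = _opt(r"--dport (\d+)", rest)
    if single:
        return int(single), int(single)
    m = re.search(r"--dports (\d+):(\d+)", rest)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_iptables_rules(dump: str) -> Dict[str, List[dict]]:
    """Group the `-A` lines of an `iptables -S` dump by chain name."""
    chains: Dict[str, List[dict]] = {}
    for line in dump.splitlines():
        m = APPEND_RE.match(line.strip())
        if not m:
            continue  # -N / -P lines carry no rule to compare
        rest = m.group("rest")
        chains.setdefault(m.group("chain"), []).append({
            "protocol": _opt(r"(?:^|\s)-p (\S+)", rest),
            # iptables omits -s for "any"; normalise to 0.0.0.0/0
            "cidr": _opt(r"(?:^|\s)-s (\S+)", rest) or "0.0.0.0/0",
            "ports": _ports(rest),
            "target": _opt(r"(?:^|\s)-j (\S+)", rest),
        })
    return chains


def _matches(rule: dict, expected: dict) -> bool:
    """True if an installed iptables rule enforces the expected API rule."""
    if rule["target"] != "ACCEPT" or rule["protocol"] != expected["protocol"]:
        return False
    if rule["cidr"] != expected["cidr"]:
        return False
    if expected["protocol"] == "icmp":
        return True  # -1/-1 means any ICMP type; no port comparison
    return rule["ports"] == (expected["from_port"], expected["to_port"])


def missing_rules(dump: str, expected: List[dict],
                  instance_ids: Iterable[int]) -> Dict[int, List[dict]]:
    """Map each instance id to the expected rules absent from its chain."""
    chains = parse_iptables_rules(dump)
    report: Dict[int, List[dict]] = {}
    for inst in instance_ids:
        installed = chains.get(f"nova-compute-inst-{inst}", [])
        gaps = [e for e in expected
                if not any(_matches(r, e) for r in installed)]
        if gaps:
            report[inst] = gaps
    return report


if __name__ == "__main__":
    for inst, gaps in missing_rules(IPTABLES_SAVE_SAMPLE, EXPECTED_RULES, [1, 2]).items():
        for g in gaps:
            print(f"instance {inst}: rule {g} not enforced in iptables")
```

Run it with the real `iptables -S` output piped from the compute node and the rule list from `nova secgroup-list-rules`; an instance that appears in the report is running with weaker filtering than the API claims, which is exactly the gap this advisory is about.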
More information about the Openstack-security mailing list