[Openstack-security] [Bug 1582185] Change abandoned on neutron (master)

OpenStack Infra 1582185 at bugs.launchpad.net
Tue May 24 08:21:22 UTC 2016


Change abandoned by Zhengguang Ou (zhengguangou at gmail.com) on branch: master
Review: https://review.openstack.org/317333

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1582185

Title:
  When a VM detaches a security group with remote_group_id, the VM's IP
  address is not deleted from the ipset members.

Status in neutron:
  Incomplete

Bug description:
  There is a default security group, and two VMs have been attached to
  it. The security group is as below:

  | 204844ae-6939-44d3-a375-1999cd44c942 | default | egress, IPv4                                                                |
  |                                      |         | egress, IPv4, 22/tcp, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942 |
  |                                      |         | egress, IPv6                                                                |
  |                                      |         | ingress, IPv4, 22/tcp                                                       |
  |                                      |         | ingress, IPv4, 3389/tcp                                                     |
  |                                      |         | ingress, IPv4, icmp, remote_ip_prefix: 0.0.0.0/0                            |
  |                                      |         | ingress, IPv4, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942        |
  |                                      |         | ingress, IPv6, 22/tcp                                                       |
  |                                      |         | ingress, IPv6, 3389/tcp                                                     |
  |                                      |         | ingress, IPv6, icmp                                                         |
  |                                      |         | ingress, IPv6, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942        |

  [root@openstack ~(keystone_admin)]# nova list
  +--------------------------------------+-------+--------+------------+-------------+-------------------+
  | ID                                   | Name  | Status | Task State | Power State | Networks          |
  +--------------------------------------+-------+--------+------------+-------------+-------------------+
  | 4558881d-2784-40b8-a0fc-a8238196ca47 | vm1   | ACTIVE | -          | Running     | dddd=172.16.0.9   |
  | e67ba1de-305d-4915-a2bc-bb24b0389546 | vm2   | ACTIVE | -          | Running     | test=192.168.12.6 |
  +--------------------------------------+-------+--------+------------+-------------+-------------------+

  Reproduce:
  step 1: vm1 attaches the default security group
  step 2: vm2 attaches the default security group; we can see the ipset members:
  [root@openstack ~]# ipset list NETIPv4204844ae-6939-44d3-a
  Name: NETIPv4204844ae-6939-44d3-a
  Type: hash:net
  Revision: 3
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16880
  References: 6
  Members:
  192.168.12.6
  172.16.0.9
  step 3: vm2 detaches the default; now we can see that "192.168.12.6" is still there:
  [root@openstack ~]# ipset list NETIPv4204844ae-6939-44d3-a
  Name: NETIPv4204844ae-6939-44d3-a
  Type: hash:net
  Revision: 3
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16880
  References: 5
  Members:
  192.168.12.6
  172.16.0.9

  Expected:
  "192.168.12.6" should be removed from the ipset members.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1582185/+subscriptions
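
An added example, not part of the original report or of neutron's code: a check that parses `ipset list` output in the format shown in the reproduction and flags members that should no longer be in the set. The sample output is constructed from step 3, and the expected-member list (which in practice would come from the ports currently attached to the security group) is an assumption.

```python
import ipaddress

# Constructed sample: `ipset list` output in the shape shown in the report (step 3).
SAMPLE_IPSET_OUTPUT = """\
Name: NETIPv4204844ae-6939-44d3-a
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16880
References: 5
Members:
192.168.12.6
172.16.0.9
"""


def parse_ipset_list(text):
    """Parse `ipset list` output into {set_name: set of ip_network members}."""
    sets, name, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            sets[name] = set()
            in_members = False
        elif line == "Members:":
            in_members = True
        elif not line:
            in_members = False  # a blank line separates one set from the next
        elif in_members and name is not None:
            # Entries may carry options (e.g. "timeout 30"); keep the address only.
            sets[name].add(ipaddress.ip_network(line.split()[0], strict=False))
    return sets


def audit_members(actual, expected_ips):
    """Return (stale, missing) relative to the IPs that should be in the set."""
    expected = {ipaddress.ip_network(ip, strict=False) for ip in expected_ips}
    return sorted(actual - expected, key=str), sorted(expected - actual, key=str)


if __name__ == "__main__":
    sets = parse_ipset_list(SAMPLE_IPSET_OUTPUT)
    # Assumption: after vm2 detaches, only vm1's address still belongs to the group.
    stale, missing = audit_members(sets["NETIPv4204844ae-6939-44d3-a"], ["172.16.0.9"])
    print("stale:", [str(n) for n in stale], "missing:", [str(n) for n in missing])
```

A stale entry matters here because rules with remote_group_id match on set membership, so an address left in the set is still treated as a group member.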