[Openstack-security] [Bug 1582185] Re: when vm detaches security group with remote_group_id, vm's ip address don't be deleted from ipset member.

Armando Migliaccio 1582185 at bugs.launchpad.net
Wed Feb 1 01:09:12 UTC 2017


This bug is > 180 days without activity. We are unsetting assignee and
milestone and setting status to Incomplete in order to allow its expiry
in 60 days.

If the bug is still valid, then update the bug status.

** Changed in: neutron
     Assignee: ugvddm (271025598-9) => (unassigned)

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1582185

Title:
  when vm detaches security group with remote_group_id,  vm's ip address
  don't be deleted from ipset member.

Status in neutron:
  Incomplete

Bug description:
  There is a default security group, and two vms have been attached to
  it; the security group is as below:

  | 204844ae-6939-44d3-a375-1999cd44c942 | default | egress, IPv4                                                                |
  |                                      |         | egress, IPv4, 22/tcp, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942 |
  |                                      |         | egress, IPv6                                                                |
  |                                      |         | ingress, IPv4, 22/tcp                                                       |
  |                                      |         | ingress, IPv4, 3389/tcp                                                     |
  |                                      |         | ingress, IPv4, icmp, remote_ip_prefix: 0.0.0.0/0                            |
  |                                      |         | ingress, IPv4, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942        |
  |                                      |         | ingress, IPv6, 22/tcp                                                       |
  |                                      |         | ingress, IPv6, 3389/tcp                                                     |
  |                                      |         | ingress, IPv6, icmp                                                         |
  |                                      |         | ingress, IPv6, remote_group_id: 204844ae-6939-44d3-a375-1999cd44c942        |

  [root@openstack ~(keystone_admin)]# nova list
  +--------------------------------------+-------+--------+------------+-------------+-------------------+
  | ID                                   | Name  | Status | Task State | Power State | Networks          |
  +--------------------------------------+-------+--------+------------+-------------+-------------------+
  | 4558881d-2784-40b8-a0fc-a8238196ca47 | vm1   | ACTIVE | -          | Running     | dddd=172.16.0.9   |
  | e67ba1de-305d-4915-a2bc-bb24b0389546 | vm2   | ACTIVE | -          | Running     | test=192.168.12.6 |
  +--------------------------------------+-------+--------+------------+-------------+-------------------+

  Reproduce:
  step 1: vm1 attaches the default security group
  step 2: vm2 attaches the default security group, we can see the ipset member:
  [root@openstack ~]# ipset list NETIPv4204844ae-6939-44d3-a
  Name: NETIPv4204844ae-6939-44d3-a
  Type: hash:net
  Revision: 3
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16880
  References: 6
  Members:
  192.168.12.6
  172.16.0.9
  step 3: vm2 detaches the default; now we can see that "192.168.12.6" is still there:
  [root@openstack ~]# ipset list NETIPv4204844ae-6939-44d3-a
  Name: NETIPv4204844ae-6939-44d3-a
  Type: hash:net
  Revision: 3
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16880
  References: 5
  Members:
  192.168.12.6
  172.16.0.9

  Expected:
  "192.168.12.6" should be removed from ipset member.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1582185/+subscriptions



