[Openstack] Security group rules not propagating to instances

Matt Kassawara mkassawara at gmail.com
Fri Dec 6 20:05:12 UTC 2013


I installed Havana with Neutron on Scientific Linux 6.4 using the official
installation guide.  I added the following rules to the default security
group to enable inbound ping and secure shell access to my instances with
floating IPs:

nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
nova secgroup-add-rule default tcp 22 22 0.0.0.0/0

Output from "nova secgroup-list-rules default" shows the rules:

+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
|             |           |         |           | default      |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

However, after launching an instance and assigning a floating IP, I cannot
ping the instance or access it via secure shell.  According to iptables on
the compute node, no rules exist from the security group applied to the
instance.

# iptables -S neutron-openvswi-i58a501c3-4
-N neutron-openvswi-i58a501c3-4
-A neutron-openvswi-i58a501c3-4 -m state --state INVALID -j DROP
-A neutron-openvswi-i58a501c3-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i58a501c3-4 -s 192.168.240.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i58a501c3-4 -j neutron-openvswi-sg-fallback

Meanwhile, I'm also running a similar deployment of Havana on Ubuntu 12.04,
also built using the official installation guide.  According to iptables on
the compute node, rules from the security group applied to the instance
successfully propagate to it.  I can ping the instance and access it via
secure shell.

# iptables -S neutron-openvswi-ibd9ba559-2
-N neutron-openvswi-ibd9ba559-2
-A neutron-openvswi-ibd9ba559-2 -m state --state INVALID -j DROP
-A neutron-openvswi-ibd9ba559-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ibd9ba559-2 -p icmp -j RETURN
-A neutron-openvswi-ibd9ba559-2 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ibd9ba559-2 -s 192.168.240.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ibd9ba559-2 -j neutron-openvswi-sg-fallback

I haven't found any obvious errors in the logs on the Scientific Linux
deployment.  Has anyone else experienced this problem?

Thanks,
Matt
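The comparison Matt does by eye above (expected security-group rules versus what actually landed in the per-port ingress chain) can be automated. The following is an added example, not code from the post or from Neutron: it parses `iptables -S <chain>` output and reports which expected security-group rules have no matching RETURN rule. The two chain dumps embedded as sample input are the ones quoted in the post (with line wraps rejoined); the expected-rule tuples mirror the two `nova secgroup-add-rule` commands. Mapping of a security-group rule to an iptables rule (protocol, `--dport` range, and source CIDR, with `0.0.0.0/0` meaning "no `-s` restriction") is this example's own simplification of how the Neutron iptables firewall driver renders rules.

```python
"""Report Neutron security-group rules missing from an instance's iptables chain.

Added example (not from the mailing-list post). Feed it the output of
`iptables -S <neutron-openvswi-iXXXX>` on a compute node and a list of the
security-group rules you expect; it prints the ones with no matching rule.
"""
import shlex

# Constructed sample input: the two chain dumps quoted in the post.
SL_CHAIN = """\
-N neutron-openvswi-i58a501c3-4
-A neutron-openvswi-i58a501c3-4 -m state --state INVALID -j DROP
-A neutron-openvswi-i58a501c3-4 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i58a501c3-4 -s 192.168.240.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-i58a501c3-4 -j neutron-openvswi-sg-fallback
"""

UBUNTU_CHAIN = """\
-N neutron-openvswi-ibd9ba559-2
-A neutron-openvswi-ibd9ba559-2 -m state --state INVALID -j DROP
-A neutron-openvswi-ibd9ba559-2 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ibd9ba559-2 -p icmp -j RETURN
-A neutron-openvswi-ibd9ba559-2 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ibd9ba559-2 -s 192.168.240.3/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ibd9ba559-2 -j neutron-openvswi-sg-fallback
"""

# Expected rules in the shape `nova secgroup-add-rule` takes:
# (ip_protocol, from_port, to_port, cidr). -1 means "all" for icmp.
EXPECTED = [("icmp", -1, -1, "0.0.0.0/0"), ("tcp", 22, 22, "0.0.0.0/0")]

# Options whose following token we record; everything else is skipped.
VALUED_OPTIONS = {"-p", "-s", "-d", "-j", "-m", "--dport", "--sport", "--state"}


def parse_chain(dump):
    """Turn `iptables -S` append lines into dicts of option -> [values]."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue  # skip -N (chain creation) and blank lines
        rule = {"chain": tokens[1]}
        i = 2
        while i < len(tokens):
            if tokens[i] in VALUED_OPTIONS and i + 1 < len(tokens):
                rule.setdefault(tokens[i], []).append(tokens[i + 1])
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def _dport_covers(dport, from_port, to_port):
    """True if an iptables --dport spec ('22' or '22:80') covers the range."""
    if dport is None:
        return from_port == -1  # no port match only satisfies an "all ports" rule
    lo, _, hi = dport.partition(":")
    lo, hi = int(lo), int(hi or lo)
    return lo <= from_port and to_port <= hi


def rule_present(rules, proto, from_port, to_port, cidr):
    """Does any RETURN rule in the chain admit this security-group rule's traffic?"""
    for r in rules:
        if r.get("-j") != ["RETURN"] or r.get("-p") != [proto]:
            continue
        # An any-source rule must not be narrowed by -s or --sport
        # (this is what rules out the DHCP rule as a match for udp/0.0.0.0/0).
        if cidr == "0.0.0.0/0":
            if "-s" in r or "--sport" in r:
                continue
        elif r.get("-s") != [cidr]:
            continue
        if proto in ("tcp", "udp"):
            if not _dport_covers(r.get("--dport", [None])[0], from_port, to_port):
                continue
        return True
    return False


def missing_rules(dump, expected=EXPECTED):
    """Return the expected rules that have no matching iptables rule in the dump."""
    rules = parse_chain(dump)
    return [e for e in expected if not rule_present(rules, *e)]


if __name__ == "__main__":
    for name, dump in (("Scientific Linux", SL_CHAIN), ("Ubuntu", UBUNTU_CHAIN)):
        gaps = missing_rules(dump)
        print(f"{name}: {'all expected rules present' if not gaps else 'missing ' + str(gaps)}")
```

Run against the two dumps it reports both rules missing for the Scientific Linux chain and nothing missing for the Ubuntu one, which is the discrepancy the post describes; in practice you would pipe the live `iptables -S` output in and build `EXPECTED` from `nova secgroup-list-rules`.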