[Openstack] Ocata -> Pike security groups changed default behaviour?

Volodymyr Litovka doka.ua at gmx.com
Fri Sep 22 09:23:28 UTC 2017


Hi colleagues,

after upgrading from Ocata to Pike I noticed a change in security group 
behaviour.

In Ocata, I was using a combination of the default security group + a custom 
group (which matches ingress ethertype both IPv4 and IPv6) on a port, and 
this was allowing ingress traffic to the VM.

In Pike this doesn't work anymore, i.e. having two security groups in the 
project

$ openstack security group list
[ ... ]
| 53ede63e-b08f-4c95-b5fe-29cd21ed442a | default | Default security group | d8051a3ff3ad4c4bb380f828992b8178 |
| cd0bd222-78e1-42b2-b8a5-51d655c49a8f | jex-esg |                        | d8051a3ff3ad4c4bb380f828992b8178 |

and using both on the port disables any traffic from outside (e.g. ping):

$ openstack port show jex-n1-wan
[ ... ]
| fixed_ips             | ip_address='x.x.x.246', subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec'    |
| security_group_ids    | 53ede63e-b08f-4c95-b5fe-29cd21ed442a, cd0bd222-78e1-42b2-b8a5-51d655c49a8f  |

while keeping only the custom group allows traffic from outside:

$ openstack port show jex-n1-wan
| fixed_ips             | ip_address='x.x.x.246', subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec' |
| security_group_ids    | cd0bd222-78e1-42b2-b8a5-51d655c49a8f |

I didn't find any notices on this in the Pike release notes. Can anybody 
point me to the place where I can find information on this and, 
possibly, other implicit changes?

For additional information, the rules of jex-esg are these:

$ openstack security group show jex-esg
+-----------------+-----------------------------------------------------------------------------------------+
| Field           | Value                                                                                   |
+-----------------+-----------------------------------------------------------------------------------------+
| created_at      | 2017-09-21T13:25:53Z                                                                    |
| description     |                                                                                         |
| id              | cd0bd222-78e1-42b2-b8a5-51d655c49a8f                                                    |
| name            | jex-esg                                                                                 |
| project_id      | d8051a3ff3ad4c4bb380f828992b8178                                                        |
| revision_number | 4                                                                                       |
| rules           | created_at='2017-09-21T13:25:53Z', direction='ingress', ethertype='IPv4', id='1b979cd7- |
|                 | created_at='2017-09-21T13:25:53Z', direction='ingress', ethertype='IPv6', id='906ac4e2- |
|                 | created_at='2017-09-21T13:25:53Z', direction='egress', ethertype='IPv6', id='c8cc2114-  |
|                 | created_at='2017-09-21T13:25:53Z', direction='egress', ethertype='IPv4', id='ebb060f5-  |
| updated_at      | 2017-09-21T13:25:53Z                                                                    |
+-----------------+-----------------------------------------------------------------------------------------+

Thank you.

-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
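As an added example (not code from this thread and not Neutron's own implementation), the following Python models how Neutron security groups are meant to combine on a port at the API level: every rule is an allow rule, and the rule sets of all groups attached to a port are unioned, so attaching the default group alongside jex-esg should never remove access that jex-esg grants on its own. The jex-esg rules are taken from the listing above, with the assumption (the output is truncated) that they carry no remote_ip_prefix and therefore match any source; the default-group rules are the standard ones Neutron creates for a new project; the addresses, the membership table and the sample flows are constructed for the example.

```python
"""Evaluate which security-group rules on a Neutron port admit a given flow.

Added illustration of Neutron's API-level semantics, not Neutron code:
a packet is admitted if ANY rule of ANY group attached to the port matches,
so a second group can only widen what is permitted.  Rule dicts mirror the
fields shown by `openstack security group rule list -f json`; a missing
field means "any", as in Neutron.  All data below is constructed.
"""
import ipaddress

# Group IDs from the thread; the rule contents of "default" are the standard
# rules Neutron creates for a new project (assumption: unmodified default group).
DEFAULT_SG = "53ede63e-b08f-4c95-b5fe-29cd21ed442a"
JEX_ESG = "cd0bd222-78e1-42b2-b8a5-51d655c49a8f"

RULES = {
    DEFAULT_SG: [
        {"direction": "egress", "ethertype": "IPv4"},
        {"direction": "egress", "ethertype": "IPv6"},
        # ingress only from ports that are themselves members of "default"
        {"direction": "ingress", "ethertype": "IPv4", "remote_group_id": DEFAULT_SG},
        {"direction": "ingress", "ethertype": "IPv6", "remote_group_id": DEFAULT_SG},
    ],
    # jex-esg as listed in the thread; assumed to have no remote_ip_prefix.
    JEX_ESG: [
        {"direction": "ingress", "ethertype": "IPv4"},
        {"direction": "ingress", "ethertype": "IPv6"},
        {"direction": "egress", "ethertype": "IPv4"},
        {"direction": "egress", "ethertype": "IPv6"},
    ],
}

# Constructed membership table: which security groups the REMOTE address's
# port belongs to.  Needed only to evaluate remote_group_id rules.
MEMBERSHIP = {
    "10.0.0.5": {DEFAULT_SG},  # a VM in the same project that uses "default"
}


def rule_matches(rule, flow, membership):
    """True if one rule admits `flow`.

    flow: {direction, ethertype, remote_ip, optional protocol, optional port}
    """
    if rule["direction"] != flow["direction"]:
        return False
    if rule["ethertype"] != flow["ethertype"]:
        return False
    proto = rule.get("protocol")
    if proto is not None and proto != flow.get("protocol"):
        return False
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if flow.get("port") is not None and lo is not None and hi is not None:
        if not lo <= flow["port"] <= hi:
            return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is not None:
        net = ipaddress.ip_network(prefix, strict=False)
        if ipaddress.ip_address(flow["remote_ip"]) not in net:
            return False
    remote_group = rule.get("remote_group_id")
    if remote_group is not None:
        if remote_group not in membership.get(flow["remote_ip"], set()):
            return False
    return True


def port_allows(security_group_ids, flow, rules=RULES, membership=MEMBERSHIP):
    """Return the (group_id, rule) pairs admitting `flow`; empty list = dropped.

    Groups are unioned: the result for [A, B] is a superset of that for [A].
    """
    hits = []
    for sg in security_group_ids:
        for rule in rules.get(sg, []):
            if rule_matches(rule, flow, membership):
                hits.append((sg, rule))
    return hits


if __name__ == "__main__":
    # Constructed flow: an ICMP echo request from an address outside the project.
    external_ping = {"direction": "ingress", "ethertype": "IPv4",
                     "protocol": "icmp", "remote_ip": "203.0.113.9"}
    for sgs in ([DEFAULT_SG, JEX_ESG], [JEX_ESG], [DEFAULT_SG]):
        verdict = "ALLOW" if port_allows(sgs, external_ping) else "DROP"
        print([s[:8] for s in sgs], "->", verdict)
```

With both groups attached the evaluator admits the external ping through the jex-esg ingress rule, and with only the default group it drops it, because the default group's ingress rules accept only sources that are members of the default group. When the API-level evaluation says ALLOW but the VM does not receive traffic, the difference is below the API, in what the L2 agent's firewall driver actually programmed on the compute node (iptables rules or OVS flows, depending on the driver), which is where to compare next.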

