[Openstack] Ocata -> Pike security groups changed default behaviour?
Volodymyr Litovka
doka.ua at gmx.com
Fri Sep 22 09:23:28 UTC 2017
Hi colleagues,
after upgrading from Ocata to Pike I noticed a change in security group
behaviour.
In Ocata, I was using a combination of the default security group + a custom
group (which matches ingress ethertype both IPv4 and IPv6) on a port, and
this was allowing ingress traffic to the VM.
In Pike this doesn't work anymore, i.e. having two security groups in the
project
$ openstack security group list
[ ... ]
| 53ede63e-b08f-4c95-b5fe-29cd21ed442a | default | Default security group | d8051a3ff3ad4c4bb380f828992b8178 |
| cd0bd222-78e1-42b2-b8a5-51d655c49a8f | jex-esg |                        | d8051a3ff3ad4c4bb380f828992b8178 |
and using both on the port blocks any traffic from outside (e.g. ping):
$ openstack port show jex-n1-wan
[ ... ]
| fixed_ips          | ip_address='x.x.x.246', subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec'    |
| security_group_ids | 53ede63e-b08f-4c95-b5fe-29cd21ed442a, cd0bd222-78e1-42b2-b8a5-51d655c49a8f |
while keeping only the custom group allows traffic from outside:
$ openstack port show jex-n1-wan
[ ... ]
| fixed_ips          | ip_address='x.x.x.246', subnet_id='5cfcb94e-5865-4cbd-83e3-56e397a436ec' |
| security_group_ids | cd0bd222-78e1-42b2-b8a5-51d655c49a8f                                      |
I didn't find any notices about this in the Pike release notes. Can anybody
point me to the place where I can find information on this and, possibly,
other implicit changes?
For additional information, the rules of jex-esg are these:
$ openstack security group show jex-esg
+-----------------+-------------------------------------------------------------------------------------------+
| Field           | Value                                                                                     |
+-----------------+-------------------------------------------------------------------------------------------+
| created_at      | 2017-09-21T13:25:53Z                                                                      |
| description     |                                                                                           |
| id              | cd0bd222-78e1-42b2-b8a5-51d655c49a8f                                                      |
| name            | jex-esg                                                                                   |
| project_id      | d8051a3ff3ad4c4bb380f828992b8178                                                          |
| revision_number | 4                                                                                         |
| rules           | created_at='2017-09-21T13:25:53Z', direction='ingress', ethertype='IPv4', id='1b979cd7- |
|                 | created_at='2017-09-21T13:25:53Z', direction='ingress', ethertype='IPv6', id='906ac4e2- |
|                 | created_at='2017-09-21T13:25:53Z', direction='egress', ethertype='IPv6', id='c8cc2114-  |
|                 | created_at='2017-09-21T13:25:53Z', direction='egress', ethertype='IPv4', id='ebb060f5-  |
| updated_at      | 2017-09-21T13:25:53Z                                                                      |
+-----------------+-------------------------------------------------------------------------------------------+
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
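Added note, not part of the original post: the thing that makes the observation above surprising is the documented Neutron security group model. Rules are allow-only, a port's effective policy is the union of the rules of every group attached to it, and whatever no rule matches is dropped. Under that model attaching a second group can only widen what is accepted, never narrow it, so a port carrying default + jex-esg should still answer the ping that jex-esg alone permits. The script below is an added example (mine, not code from the poster or from Neutron) that encodes those semantics and evaluates the two port configurations from the post. The jex-esg rules are taken from the `security group show` output above; the default group's rules are not shown in the post, so the usual Neutron defaults (ingress only from ports that also carry the default group, egress anywhere) are an assumption, and the IP addresses are constructed stand-ins for x.x.x.246 and an outside host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One Neutron security group rule. Every rule is an allow rule; a field
    left at None matches anything, which is the API's own convention."""
    direction: str                     # 'ingress' or 'egress'
    ethertype: str                     # 'IPv4' or 'IPv6'
    protocol: Optional[str] = None     # 'icmp', 'tcp', ...; None = any
    port_min: Optional[int] = None
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None
    remote_group_id: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    direction: str
    ethertype: str
    protocol: str
    port: Optional[int]
    remote_ip: str                     # the far end, whichever direction


def rule_matches(rule: Rule, pkt: Packet, members: Dict[str, Set[str]]) -> bool:
    """True if this single allow rule covers the packet."""
    if rule.direction != pkt.direction or rule.ethertype != pkt.ethertype:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None:
        hi = rule.port_max if rule.port_max is not None else rule.port_min
        if pkt.port is None or not rule.port_min <= pkt.port <= hi:
            return False
    if rule.remote_ip_prefix is not None:
        if ip_address(pkt.remote_ip) not in ip_network(rule.remote_ip_prefix):
            return False
    if rule.remote_group_id is not None:
        # remote_group_id restricts the peer to addresses of ports that
        # themselves carry that group.
        if pkt.remote_ip not in members.get(rule.remote_group_id, set()):
            return False
    return True


def allowed(pkt: Packet, groups: List[List[Rule]],
            members: Dict[str, Set[str]]) -> bool:
    """Effective policy of a port = union of the rules of all its groups.
    No rule can deny; traffic matched by no rule is dropped."""
    return any(rule_matches(r, pkt, members) for g in groups for r in g)


DEFAULT_ID = "53ede63e-b08f-4c95-b5fe-29cd21ed442a"
JEX_ESG_ID = "cd0bd222-78e1-42b2-b8a5-51d655c49a8f"

# jex-esg exactly as shown in the post: ingress and egress for both
# ethertypes with no protocol, port or remote restriction, i.e. allow all.
JEX_ESG = [Rule("ingress", "IPv4"), Rule("ingress", "IPv6"),
           Rule("egress", "IPv6"), Rule("egress", "IPv4")]

# ASSUMPTION: the post does not list the default group's rules. These are
# the rules Neutron creates for a project's default group.
DEFAULT = [Rule("ingress", "IPv4", remote_group_id=DEFAULT_ID),
           Rule("ingress", "IPv6", remote_group_id=DEFAULT_ID),
           Rule("egress", "IPv4"), Rule("egress", "IPv6")]

# Constructed addresses standing in for the x.x.x.246 VM and an outside host.
VM_IP = "203.0.113.246"
OUTSIDE_IP = "198.51.100.7"
MEMBERS = {DEFAULT_ID: {VM_IP}, JEX_ESG_ID: {VM_IP}}

PING_FROM_OUTSIDE = Packet("ingress", "IPv4", "icmp", None, OUTSIDE_IP)


def expected_ping_results() -> Dict[str, bool]:
    """What union semantics predict for a ping from outside under each of
    the port configurations discussed in the post."""
    return {
        "jex-esg only": allowed(PING_FROM_OUTSIDE, [JEX_ESG], MEMBERS),
        "default + jex-esg": allowed(PING_FROM_OUTSIDE, [DEFAULT, JEX_ESG], MEMBERS),
        "default only": allowed(PING_FROM_OUTSIDE, [DEFAULT], MEMBERS),
    }


if __name__ == "__main__":
    for cfg, ok in expected_ping_results().items():
        print(f"{cfg:20s} -> {'allowed' if ok else 'dropped'}")
```

The model says both "jex-esg only" and "default + jex-esg" should pass the ping and only "default only" should drop it, so a port that drops traffic after a second group is attached is behaving outside the documented semantics. A useful first check is to dump the actual rules of both groups on the Pike deployment with `openstack security group rule list <group>` and compare them with the assumed default rules above; if the default group's ingress rules differ from what is assumed here, the assumption, not the model, is what needs correcting.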