[openstack-dev] Able to ping/ssh from source group VM to the target group VM using public IP when both the VMs are hosted on same compute node

Sirisha Devineni Sirisha_Devineni at persistent.co.in
Fri Aug 24 05:52:12 UTC 2012


Hi Lloyd,

Yes, "group" is in the sense of security group here. In step 3 we need to add a source group rule to the target security group by mentioning "source_group" as our first created source group, as follows:

1. Create two security groups
	nova secgroup-create srcsecgrp "Source Security Group"
	nova secgroup-create tgtsecgrp "Target Security Group"
2. Spawn VMs in both the groups separately.
	nova boot --flavor=100 --image=120 --key_name=key1 --security_group=srcsecgrp srcvm
	nova boot --flavor=100 --image=120 --key_name=key1 --security_group=tgtsecgrp tgtvm
3. Add source group as a source to the target group.
	nova secgroup-add-group-rule --ip_proto=icmp --from_port=-1 --to_port=-1 tgtsecgrp srcsecgrp
	nova secgroup-add-group-rule --ip_proto=tcp --from_port=22 --to_port=22 tgtsecgrp srcsecgrp
4. Add rules to allow ssh/ping into source group.
	nova secgroup-add-rule srcsecgrp tcp 22 22 0.0.0.0/0
	nova secgroup-add-rule srcsecgrp icmp -1 -1 0.0.0.0/0

5. Now ssh into the source group and ping/ssh to the target group VM using its private IP - this should be successful.
6. Now try to ping/ssh to the target group VM using its public IP - this is successful when both VMs are on the same host, and it fails when the VMs are on different compute nodes.

Here both the VMs are under different security groups (which have different rules associated with them). I checked these scenarios with a distro.

Please let me know if you need any additional information.

Thanks & Regards,
Sirisha Devineni.     


-----Original Message-----
From: Lloyd Dewolf [mailto:lloydostack at gmail.com] 
Sent: Thursday, August 23, 2012 4:50 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Able to ping/ssh from source group VM to the target group VM using public IP when both the VMs are hosted on same compute node

On Thu, Aug 23, 2012 at 3:52 AM, Sirisha Devineni
<Sirisha_Devineni at persistent.co.in> wrote:
>
> 3. Add source group as a source to the target group.

What does "group" mean in your steps? Security group would be my
guess, but I'm still having trouble understanding step 3. Would you
provide a concrete example?

Does the way you've presented it suggest that in your environment that
if the VMs are in the same security group you don't see this symptom?
ie. you've confirmed the expected behavior in the simpler scenario.

When you say you've checked this scenario in stable Diablo version and
as well as Folsom is that using devstack, or a distro?

Thank you,
--
@lloyddewolf
http://www.pistoncloud.com/
